VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

    Can't you do the whitelisting based on VT results?
    • i.e.: files 2 weeks old and with 1 or no detections on VT are safe
    • Whitelisting based on signatures, you can take as an example Comodo cert list.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Not sure I understood you right, but adopting the entire Comodo cert list is going to result in some unhappy customers, because people complain about greyware bearing Comodo-certified sigs.
     
  3. guest

    guest Guest

    Well, replicating exactly the same list probably won't be a good idea, but taking it as a sample list and cleaning it up a little bit would be.
    The problem might be the maintenance, I guess.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Okay, I figured out which nutty program of mine is running a vbs script at startup, and it isn't VoodooShield.
    But the weird thing is, I don't get the error message unless:
    VS is installed + wscript is disabled by registry hack.
     
  5. WarGames

    WarGames Registered Member

    Joined:
    Mar 13, 2017
    Posts:
    20
    Location:
    UK
    Hi Dan,
    Was having an issue with explorer.exe in syswow64 triggering VoodooShield to allow, which I did.
    I had a quick look in the developer's log and found stuff being blocked, without being asked.
    Can you tell me why a process is being blocked by CleanupWindowsPathsAndCommandLines and how I can unblock it?
    Code:
    
    [05-15-2017 12:04:48] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\rundll32.exe
    [05-15-2017 12:05:13] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
    [05-15-2017 12:05:14] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
    [05-15-2017 12:05:15] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\sppsvc.exe
    [05-15-2017 12:08:47] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\rundll32.exe
    [05-15-2017 12:09:19] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\rundll32.exe
    [05-15-2017 12:09:21] [INFO ] - Blocked: c:\windows\system32\rundll32.exe
    [05-15-2017 12:09:21] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 12:09:21] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 12:09:26] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\rundll32.exe
    [05-15-2017 12:25:39] [INFO ] - Blocked: c:\windows\syswow64\explorer.exe
    [05-15-2017 12:25:45] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\explorer.exe
    [05-15-2017 12:25:48] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 12:27:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 12:27:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 12:27:25] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\\system32\taskkill.exe
    [05-15-2017 12:27:26] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\taskkill.exe
    [05-15-2017 12:27:36] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cmd.exe
    [05-15-2017 12:30:29] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\\system32\taskkill.exe
    [05-15-2017 12:30:29] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\taskkill.exe
    [05-15-2017 12:30:36] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cmd.exe
    [05-15-2017 12:38:18] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:38:27] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:38:30] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:38:31] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:38:33] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:38:34] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:38:35] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:38:35] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:38:43] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\taskhost.exe
    [05-15-2017 12:40:47] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:48] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:48] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:49] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:49] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:49] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:50] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:50] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regedit.exe
    [05-15-2017 12:40:50] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:40:51] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:40:51] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 12:40:51] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe
    [05-15-2017 14:15:09] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\wbem\wmiapsrv.exe
    [05-15-2017 14:20:35] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cscript.exe
    [05-15-2017 15:53:54] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cscript.exe
    [05-15-2017 15:54:46] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\servicing\trustedinstaller.exe
    [05-15-2017 16:00:49] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\rundll32.exe
    [05-15-2017 16:02:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 16:27:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 16:27:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 16:28:47] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 16:41:32] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 16:42:45] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cmd.exe
    [05-15-2017 16:48:32] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 17:06:17] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\servicing\trustedinstaller.exe
    [05-15-2017 17:13:41] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 17:13:46] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\\system32\taskkill.exe
    [05-15-2017 17:13:46] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\taskkill.exe
    [05-15-2017 17:13:55] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cmd.exe
    [05-15-2017 17:27:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 17:27:00] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    [05-15-2017 17:32:02] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\vssvc.exe
    [05-15-2017 17:32:06] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\\system32\taskkill.exe
    [05-15-2017 17:32:07] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\taskkill.exe
    [05-15-2017 17:32:14] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\cmd.exe
    
    I'm probably being really dumb, but I can't find a CleanupWindowsPathsAndCommandLines anywhere.
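As an added example (not code from the post or from VoodooShield), here is a small parser for developer-log lines in the format quoted above. It splits each entry into timestamp, blocking rule and image path, normalises the path (note the doubled backslash in the original `c:\windows\\system32\taskkill.exe` lines) and counts how often each rule hit each image, which is the quickest way to see which entries are routine service activity and which merit a closer look. The log lines inside it are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the format of the developer log quoted above (a few
# representative lines, not the full log). The third line carries the doubled
# backslash that also appears in the original post.
SAMPLE_LOG = "\n".join([
    r"[05-15-2017 12:04:48] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\system32\rundll32.exe",
    r"[05-15-2017 12:09:21] [INFO ] - Blocked: c:\windows\system32\rundll32.exe",
    r"[05-15-2017 12:27:25] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\\system32\taskkill.exe",
    r"[05-15-2017 12:27:26] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\taskkill.exe",
    r"[05-15-2017 12:38:33] [INFO ] - Process blocked by CleanupWindowsPathsAndCommandLines: c:\windows\syswow64\regsvr32.exe",
    r"[05-15-2017 12:25:39] [INFO ] - Blocked: c:\windows\syswow64\explorer.exe",
    r"[05-15-2017 12:30:00] [INFO ] - Some unrelated status line",
])

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\] \[(?P<level>\w+)\s*\] - (?P<msg>.*)$"
)
# Two message shapes occur in the log: a block attributed to a named rule,
# and a plain "Blocked:" line without a rule name.
MSG_RE = re.compile(r"^(?:Process blocked by (?P<rule>\w+)|Blocked): (?P<path>.+)$")

@dataclass(frozen=True)
class BlockEvent:
    when: datetime
    rule: str   # rule name, or "Blocked" for a plain block line
    path: str   # normalised: lower-case, single backslashes

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def wow64(self) -> bool:
        # 32-bit system images on 64-bit Windows live under syswow64
        return self.path.startswith(r"c:\windows\syswow64" + "\\")

def normalize_path(raw: str) -> str:
    # Collapse runs of backslashes and lower-case, so one image is counted once
    # regardless of how the logger spelled its path.
    return re.sub(r"\\+", r"\\", raw.strip()).lower()

def parse_line(line: str) -> Optional[BlockEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None
    mm = MSG_RE.match(m.group("msg"))
    if not mm:
        return None  # status lines that are not block events
    when = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S")
    return BlockEvent(when, mm.group("rule") or "Blocked", normalize_path(mm.group("path")))

def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def summarize(events) -> Counter:
    # (rule, image name) -> number of block events
    return Counter((ev.rule, ev.image) for ev in events)

if __name__ == "__main__":
    for (rule, image), n in summarize(parse_log(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {rule:40s} {image}")
```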
     
  6. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Does anyone know about the "specially crafted template", where I can find it?
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I remember that on the SBIE forum, there are templates available for certain security apps.

    But I am talking about a subject that I don't know firsthand, because I never ran SBIE with VS. If I was you, I would try downloading stuff in SBIE, and then executing it, and see how VS reacts. You should be able to tell right away whether VS knows that you are running installer files.
    If VS doesn't know what's going on, try disabling "allow by parent process", and see if that makes a difference.
     
  8. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Thanks. By disabling "allow by parent process", does that lower VS protection?
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    It actually increases protection, but you might get more alerts, too.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Does anyone know if the EternalBlue exploit (msft-cve-2017-0143) used in the WannaCry attack abuses vulnerable windows processes, and what all processes / services are involved? I have researched this some, but so far have come up with nothing. I am quite sure that VS has this covered, since it treats all Windows processes as vulnerable processes, but I was extremely interested if there is a new vulnerable file that the malware authors are abusing. Any info would be appreciated, thank you!

    BTW, I am behind on replying to the posts, sorry about that, I will catch up asap, thank you guys!
     
  11. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Posted way back, page 210 post 5241, I guess this is still true?


    "Test methodology

    1. I routinely run NVT's ERP. For this test I first removed the compatibility line in Sandboxie in my Default Sandbox, which is set to allow everything to run with no internet access.
    2. Downloaded GRC's Leaktest.exe to my desktop
    3. If I just run Leaktest from the desktop ERP intercepts and asks about allow/block
    4. If I Right click on the Leaktest exe and select run sandboxed, I then select the default sandbox. It runs with no challenge from ERP
    5. If I replace the ERP lines in SBIE, and repeat step 4. Then ERP does indeed challenge Leaktest and either allow or block based on my choice.

    Now I installed VS and let it initialize and rebooted. Then I checked the snapshot, to be sure leaktest wasn't there.

    Now the test.

    1. Right clicked on leaktest.exe and ran it Sandboxed. VS didn't make a peep. The leaktest ran and couldn't access the internet.
    2. Just ran Leaktest from the desktop. VS did indeed intercept it. Then disturbingly it found it to be malware, and of course the choice was block or quarantine.

    Conclusion.

    By default installation, VS does NOT work with Sandboxie

    Comment.

    I was very disturbed by its action, thinking Leaktest was bad. I had no choice to get it to run but by selecting train. So if I wanted to let it run, but have VS on to monitor anything else it did, I couldn't. For me this would be unacceptable behaviour."
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, how funny... that must be one of Peter2150's "false positives" ;).

    VoodooAi absolutely made the correct determination in calling Leaktest Unsafe... along with 13 other engines from VT. If it did not score this file as unsafe, there would be significant bypasses with other malware. Should Leaktest.exe be whitelisted on a global whitelist? Perhaps.

    If it walks like a duck, and acts like a duck, VoodooAi assumes it is a duck. If you do not do this, there will be bypasses... and this is exactly what is wrong with the security industry.

    As far as the option that makes VS work with SB not being available to Free Users... well, we already give free users way too much as it is for absolutely free. If they want the Pro version, they can purchase it.

    Thank you Circuit!!!
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Does this mean that VS will in fact work properly in SBIE sandbox, if "allow by parent process" is disabled?
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If you ask me, VS Free works perfectly with SB out of the box, in default settings... I have always believed that VS should not block processes that are sandboxed by other security apps.
     
  15. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Hi Dan
    Is there a version of VS that runs on XP?
    Thanks Mark
     
  16. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I am just concerned with the Pro version.
    So, asked by Shmu26 and myself, does this mean that VS will in fact work properly in SBIE sandbox, if "allow by parent process" is disabled? Will this setting improve the security and compatibility?
    Thanks.
     
    Last edited: May 15, 2017
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Mark, no sorry, the mini-filter driver that VS uses is the latest one, and it is not compatible with XP. I think there might be a hack to be able to get it to work, but we are not going to be implementing this anytime soon. Thank you!
     
  18. guest

    guest Guest

    VoodooShield v2.86 is the last version for XP.
    Edit: "2.86 is set to expire though" #16117
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    As far as I know, yes. I still have not figured out why anyone would ever want to block a SB sandboxed process. But it should work either way. Thank you!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    2.86 is set to expire though ;(.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Cylance also does not like this file Leaktest.exe
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
     
  23. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    No worries. Your forthcoming Enterprise Console piqued my interest for managing the protection of my POS PC-based tills, but a good percentage are still on XP.
     
  24. danielson

    danielson Registered Member

    Joined:
    May 15, 2017
    Posts:
    21
    Location:
    AR
    I'd like to p.m. someone here but I don't see "start conversation" anywhere.
    Can VoodooShield protect against incoming downloads automatically?
     
  25. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    If "Allow by parent process" is disabled, is this blocking a Sandboxie process?:confused:
    Thanks.
     