VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I just confirmed what Circuit reported. When sandboxed, VS does not alert on anything. Why would I want to....for the same reason I want it to even the process isn't sandboxed.

That aside, I have a question about the training. Does it only include samples of malware, or does it have a mix of bad and good?
     
  2. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Kind of confused about the statement:
    " Why would I want to....for the same reason I want it to even the process isn't sandboxed."
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
To clarify, I want to run sandboxed, because I want to. I can do this with most competitors' products.
     
  4. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Got it, thanks.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    There were safe and unsafe files added to the training data sets... around 33% unsafe and 66% safe. The original training data sets had a lot more unsafe than safe, so this will balance it out a little better (hopefully).
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    What happens when you uncheck the Automatically Allow by Parent Process feature in VS? Does SB and VS behave exactly how you would like?

    What happens when you uncheck the Automatically Allow by Parent Process feature (or similar feature) for the other AE's? ;)
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great to know, thank you! About half of the ML/Ai engines detected the file as Unsafe... I suspect the ones that detected it as safe whitelisted it.

    BTW, I think I have their phone number somewhere in case you need to call them to restore the file from quarantine ;).
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I'll test that tomorrow. As for other AE's no options or no issues.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Here are SB and VS Free (default settings). From what I remember, I think Vlad made an exception for SB, so the sandboxed files were blocked (at the request of Wilders users... my opinion was overruled ;)). We can look back through this thread to confirm this.

    Anyway, does everything look right here?

    https://voodooshield.com/artwork/Sandboxie.mp4

    Also, please keep in mind that the whole point of VS is to safely allow as many safe items as possible, and to reduce the dangerous affirmative user prompts as much as possible. Thank you!
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @bjm_... I am not sure what your point is (please let me know). VS uses completely different drivers, so I am not even sure this would apply to us anyway.

    If I thought there were a lot of SB + VS combo users, then we would create an option in VS... but there simply are not enough users to add another option.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    I thought you asked about other AE's?
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ohhh, I see, that is why I am confused. Thank you for the info!
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Dan, there are two issues. 1) Files that are created in the sandbox have to write to the folder C:\Sandbox, so if anything blocks that, Sandboxie will fail. What BJM was showing you is what is necessary so that ERP can communicate with files in the sandbox. I just watched that video and don't see what was being demonstrated. Tired now, will test in the morning.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I retested with the setting change Dan recommended. I made sure Leaktest was removed from the white list, and retested. As far as I can tell VS doesn't alert when something is run Sandboxed. How important that may be is up to users, but every other security program I use is compatible with SBIE. Just a couple of final points.

1. Thinking about the "if it walks like a duck and squawks like a duck, it must be a duck" argument in relation to Leaktest just isn't valid. Leaktest is a valid test tool, with no malicious action whatever, and it being classified that way just shows that a lot of tools that classify it as such are the failures. Nothing replaces the human brain for making judgements.

2. To better explain why I feel strongly about SBIE. I've been using SBIE since before VS existed. It has never failed. Its power is shown by this example. I have a friend who used to get infected on average once every 6 months. I installed SBIE and set it up, and since then no infections. 2 years ago I installed EIS for her. I just checked this week and discovered EIS wasn't renewed, and there were no Windows updates (Win 7) since 2014. Horrible. The only protection on the system has been SBIE. No infections. So SBIE really does protect. That's why I feel strongly about this.

That said, VS does indeed do an excellent job.

    Pete
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have a portal that I can sign into and waive the file. Thanks for offering.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Hehehe, I am extremely confused at this point. In the video that I posted above (and below), VS is blocking Sandboxie sandboxed processes at 0:50 and 0:59 (the file that I downloaded from majorgeeks.com)... and this is with VS Free / all default settings.

    https://voodooshield.com/artwork/Sandboxie.mp4

1. Check out the Cuckoo analysis of Leaktest and click on the "Behavioral Analysis" tab, and you will clearly see the who's who of malicious actions.

    http://voodooshield.ddns.net:8080/analysis/6336/#

ML/Ai is infinitely more adept at detecting malicious features of a file compared to almost all humans, including most seasoned professional malware analysts. ML/Ai examines roughly 300 features of the file, and can detect / spot malicious features that no human would ever be able to detect / spot. The average user does not even know how to check the digital signature, and a malware analyst would have to manually inspect the 300 or so features of the file with specialized PE tools... and even then the human mind cannot comprehend the inner relationships between the features, not to mention that over half of the features are not available in any of the PE tools. The absolute vast majority of users do not know how to inspect a file for maliciousness, and even the top malware analysts make mistakes... a lot more mistakes than an ML/Ai model ever would. The Cuckoo analysis of Leaktest confirms this. And this is why a file should never be blindly blocked without providing the user file insight.

    2. I agree, SBIE is very secure so I completely understand why you feel strongly about SBIE. This is exactly why I feel strongly about VS... we have quite a few users now, and they do not become infected either.

    Thank you!
     
  18. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    84
    Location:
    UK
    I am finding the Sandboxie/VS discussion somewhat convoluted so apologies if I am stating the “bl**ding” obvious.
    VS works with Sandboxie if “Automatically allow by parent process…” is disabled. Otherwise it doesn't.

    Totally agree.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    In this discussion, I am hearing two eminently reliable people who are giving two very different reports. Just try it on your system, and see what works. It's a super easy test. Just download any installer file in SBIE, run it, and see if VS reacts or not.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That is why I made the video... I do not know how to use SBIE properly, so I wanted to confirm that I was testing properly. From what I remember, I think Vlad made it so VS would block SBIE processes either way... whether the Parent Process setting was checked or not. I can look in VS's code to confirm this, but until I can understand what is not being blocked, it will not do any good to do so.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay Dan. The issue isn't whether Sandboxie's processes are blocked or not. Sandboxie's processes run absolutely fine. The issue is whether or not a sandboxed process is detected by VS. So for example, when Sandboxie is installed and all its processes are whitelisted, it runs fine. But then if I put down an exe, or a script file for that matter, I can double-click and run it outside the sandbox. That is the mode you are familiar with. But the other thing I can do is right-click on the exe file and select Run Sandboxed. In that menu I can choose the sandbox. This way the program will run within the sandbox and be governed by any sandbox restrictions.

The issue here is this. When I do it, even sandboxed, ERP for example will catch it running in the sandbox. To do this, ERP has to be set up to talk with sandboxed programs.
Under the same conditions VS will NOT alert on the sandboxed process, as it can't communicate into the sandbox.

Does this clarify?
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Okay, we might be getting somewhere now. In the video I posted, it showed that executables that originate from a web app, that are sandboxed by Sandboxie, are blocked by VS... even though they are sandboxed by Sandboxie, right?

    What you are talking about is when the user right clicks on a file, and wants to execute that file sandboxed with Sandboxie, correct?

    If these two statements are true, then we are on the same page, and I have a response. Thank you!
     
  23. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    84
    Location:
    UK
    Hi Peter2150.

    The old grey matter isn't what it used to be so sorry if I am being obtuse.

Say I download something like Freemake Video Converter via a sandboxed web browser. Freemake is contained within that sandbox and is harmless until such time as I decide to recover it or otherwise from the sandbox. Obviously VS doesn't need to react at this stage as there is no execution.

    Then let's say I decide to recover/release this programme from Sandboxie. It is now situated, for example, on the desktop.

    In respect of Sandboxie and VS I have three options:

(1) run the programme and VS will check the programme automatically in either Autopilot, Smart or Always On mode
    (2) right click on the programme and do a VS scan
    (3) right click on the programme and run it sandboxed

    In the latter scenario VS will activate in Sandboxie if “Automatically allow by parent process…” is disabled. Otherwise it doesn't and the programme will run sandboxed without any intervention from VS.

Well, that's my experience anyway on my Windows 7 64-bit machine.
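As a sketch of why the two reports in this thread can both be right, here is an added example (not code from VoodooShield or Sandboxie) that models an "allow by parent process" whitelisting rule over a small process tree. The process names, the whitelist contents and the rule that the interactive shell does not pass trust to its children are all assumptions made for the illustration.

```python
# Hypothetical model of an application-whitelisting "Automatically Allow by
# Parent Process" rule.  Added example; not VoodooShield's or Sandboxie's code.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Proc:
    pid: int
    image: str               # lower-cased executable name
    ppid: Optional[int]      # parent pid, None for the root of the tree
    sandboxed: bool = False  # constructed flag: process runs under Sandboxie


# Constructed process table.  explorer.exe is the user's shell; Start.exe is
# assumed to be Sandboxie's launcher for "Run Sandboxed"; leaktest.exe is the
# unknown program from the thread, once launched sandboxed and once by
# double-click.  Names are assumptions, not taken from the thread.
PROCS: Dict[int, Proc] = {
    4:  Proc(4,  "explorer.exe", None),
    10: Proc(10, "start.exe",    4,  sandboxed=True),
    11: Proc(11, "leaktest.exe", 10, sandboxed=True),
    12: Proc(12, "leaktest.exe", 4),
}

# Sandboxie's own binaries are whitelisted so the sandbox itself works.
WHITELIST = {"start.exe"}

# Assumption: launches from the interactive shell are user-initiated and do
# not inherit trust, otherwise every double-click would be auto-allowed.
INTERACTIVE_SHELL = {"explorer.exe"}


def decide(procs: Dict[int, Proc], pid: int, allow_by_parent: bool) -> str:
    """Return 'allow' or 'prompt' for the process identified by pid."""
    p = procs[pid]
    if p.image in WHITELIST:
        return "allow"
    if allow_by_parent and p.ppid is not None:
        parent = procs[p.ppid]
        if parent.image in WHITELIST and parent.image not in INTERACTIVE_SHELL:
            # Trust flows from the whitelisted launcher to its child, so a
            # sandboxed run of an unknown file is never shown to the user.
            return "allow"
    return "prompt"
```

With the option on, pid 11 (run sandboxed via the launcher) is allowed silently while pid 12 (double-clicked) still prompts; with the option off, both unknown launches prompt, which is the behaviour Gillor describes.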
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    VS goes into action when a file is run. It doesn't prevent something from being downloaded.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I wasn't sure exactly what the video was showing but the last statement about right clicking is correct.
     