VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, I will send you a link after I zip it up and upload it.
     
  2. guest

    guest Guest

    Cool thanks ;)
     
  3. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    835
    Location:
    Melbourne, Australia
    Too late to be Cruelsister, and wrong sex.:) But Premier League just like her.:thumb: I have been waiting months for a Nastybrother to appear to complement Meghan.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The alternative is that people are infected.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Developers who are presented with a true bypass, appreciate the hard work it took to figure out a flaw in their software.

    Developers, however, are generally annoyed when script kiddies cry wolf and brag... mainly because it is a massive waste of time.

    Developers who do not appreciate Meghan's thankless work, should not be developers.

    That is my first haiku, so I probably mangled it ;). Either way, thank you Meghan!
     
  6. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    So basically HMP.A is kind of obsolete app while using VS...?
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I would not say that ;). HMP.A is much more focused around blocking the exploit, whereas VS is centered around blocking the payload.

    I would be shocked if HMP.A missed this one... I will try it right now and let you know.
     
    Last edited: May 28, 2017
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
I just tried to test, but it did not go so well... it is getting late and I am tired ;). The last time I tested HMP.A, I remember there was a component that I needed to activate, otherwise the protection was not enabled... something like that? Anyway, I will play with it tomorrow, it has been a long day ;).
     
  9. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    And that is the root of it right there, and if adaptation is not possible relevance becomes a serious issue.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yep. Everything can be bypassed... just ask Adam with his VS bypass. The funny thing is, Black Cipher demonstrated a lot of bypasses, but no one was shocked until White Cipher ;) did the same ;).

    The question is... are these bypasses something that actually puts you at risk?
     
  11. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Hey Dan,
    Can you test Comodo FW with Cruelsister's settings? I'm curious how it will do. Thanks!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, can you send me her settings? I tested with default settings and it was not an optimal result ;). Maybe Comodo should use CS's settings for everyone.
     
  13. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Dan,
    Sent you a PM with the settings.
     
  14. guest

    guest Guest

  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Exactly. Plus, if this was a test of anti-exes with whitelists, then AppGuard isn't that. No whitelist. Dan, be sure you really understand the software you are testing, as anything that blocks rundll32.exe would also have its system protected by AppGuard.

    Note when I did all the testing against malware VS caught everything, so did ERP and so did Appguard. In fact to have anything get to VS, I had to turn off Appguard. Your test results in this case were totally misleading. Be careful how you test.
     
  16. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,204
You have already tested with Comodo default settings & the result was not optimal.
If possible, test with Comodo Cloud Antivirus (the devs say CCAV defaults are more restricted than CIS defaults).

    In short -
    CIS Defaults - Less restricted than CCAV defaults
    CCAV Defaults - More restricted than CIS defaults (CCAV has Defaults only i.e no other configs)

cruelsister Settings - Proactive Config (HIPS Disabled) + AutoSandbox set to "Restricted" + Firewall set to "Block" unknown connections.
CCAV Settings (compared to cruelsister Settings) - By default, kinda Proactive Config + more restricted AutoSandbox (defaults are more restricted compared to CIS defaults) + you can "Block" unknown connections (options in the settings to block connections for programs running in the "Sandbox")

You can test CCAV defaults & we can see if it does any better & protects any better compared to CIS defaults.
CCAV defaults are more restricted + you can enable "Block" connections for sandboxed programs in the settings & do a test to see how CCAV's by-default more restricted approach + unknown connections blocked in the settings fares comparatively with cruelsister settings protection for CFW/CIS.
     
    Last edited: May 28, 2017
  17. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,464
    Location:
    Land of the Light
@Dan

    https://www.youtube.com/watch?v=FoIu3Z2ImO8
     
  18. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    186
    Absolutely correct
     
  19. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Thank you Dan!
     
  20. guest

    guest Guest

Indeed, AG is SRP, meaning you don't use it with default settings; you must tailor its policy to the system it is placed in.
    That is why SRP (like AppGuard or AppLocker) is made principally for corporate environments.

The issue in Dan's test is that he tested the network abuse (aka the "1st stage" of the attack), which isn't supposed to be covered by AG (or any anti-exe) but by firewalls, network IDS, etc...
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Let me correct something I said here. I used the word bogus, which implies intentional. That is not the case, and the proper wording would be invalid. I do not think there was any intention here, just an invalid conclusion.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, in the test, the machine was fully pwned... guest and Jeff have everything they need to test.

    I was just really tired of everyone speculating on whether this attack would be blocked or not by various security products... so I took the time to perform the tests, so everyone can see.

    When someone demonstrates a legitimate bypass of VS, I thank them and fix the issue. When someone brags that they can bypass VS, without demonstrating a proper bypass, then I get irritated because it is a massive waste of time.

    There was absolutely nothing misleading about this test at all... if you feel there was, please feel free to explain further. You said "In fact to have anything get to VS, I had to turn off Appguard."... yeah, different security products block at different times (some block before VS and some block after), but this is completely irrelevant, especially when the only thing that matters is if the attack is blocked or not.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, guest... this was a worm attack inside the firewall, which is the responsibility of the endpoint software to block.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This was a valid test of a worm attack inside the firewall. Please feel free to test for yourself and demonstrate how I did not perform a proper test.
     
  25. guest

    guest Guest

Indeed, if the endpoint software was made to protect the network traffic. If you tested Symantec EP and it failed, then you are right, but AG doesn't monitor network exchanges; it only blocks exe/dll from user-space from modifying system space. AppGuard is not a suite like SEP made to protect from all attack vectors; it is a specialized tool doing only one thing: lock the system space, and it does it perfectly as @Peter2150 demonstrated.
     