VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was actually surprised by the test as well. The problem is that the exploit injected code into lsass.exe, which is not in the user space.

    Here is a great overview of the attack: https://www.youtube.com/watch?v=agFgibQydzg
     
  2. guest

    guest Guest

    AG is SRP; SRP means a tailored setup is mandatory. By default lsass.exe isn't blocked in the home version of AG, but any user can do it in 3 clicks, and I know that the next version will be far tighter.
    My custom AG policy is extremely tight; a normal user will be irritated by it :p
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I can try to do this... the problem is that I am not familiar with all of the settings, and I do not want to test improperly. Besides, security software should perform properly with default settings, since the vast majority of users run their software this way.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I could be wrong, but I thought this setting covered rundll?
    All of us using AppGuard have customized it. I know I could lock it down even more, but why? I run Voodoo alongside it.
     

  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I thought it was too (0:41 in the video).
     
  6. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,202
    Test only CCAV then; it has only default settings and by default comes more restricted than CIS defaults. Just enable network protection for sandboxed programs in the settings.
    CCAV is only an 8 MB program.
    You can uninstall ISE (Internet Security Essentials), which gets automatically installed with CCAV. It's a small program too.
     
  7. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I could be wrong again, Dan, but right after PowerShell started being used for bad, I remember we were told to untick that one, as shown in my screenshot above, along with adding both PowerShell 32 & 64 bit to Userspace marked yes (screenshot in this post). Someone can correct me if I am wrong again.
     

  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have no idea... but either way, this was not a PowerShell attack. Besides, all Windows processes should be treated as vulnerable processes... hehehe, I think I have mentioned that a time or two on here ;).
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I meant I think the Rundll box should be unticked.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have no idea, but I would assume that unticking this box would be less optimal. Pete or guest should be able to tell you for sure.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Remember AG is NOT an AE software. Yes, Rundll32 is guarded. That means it is prevented from harming the system, not prevented from running. And now Rundll32 should be left ticked so it can't harm the system.
     
  12. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Wow! AG isn't invincible after all! But, hey, your test wasn't fair because you tested AG at default settings. Seriously, that's the best they can come up with. Regardless, great work, Dan. Appreciated :thumb:
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Pete:
    Then why are we unticking PowerShell and adding all its exes to userspace? At least that is what I was told to do on the AppGuard forum. I would think the same holds true for rundll?
    I guess I will never get the hang of AppGuard. Just when I think I have a handle on it, someone shows me wrong. BUT when I asked about setting userspace to no or yes, Lockdown said one thing, then came back and said the opposite. Guess he was having a bad hair day. :D
     
    Last edited: May 28, 2017
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Fair enough... if security products are not designed to block this type of attack, then they are not designed to block this type of attack... it is that simple.

    Either way, you should not be mad at me for taking the time to test.

    The problem is that a lot of the security companies have jumped on the bandwagon, and claim that they block this attack.

    But very few, if any, provide proof that they do so. Be mad at them.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,484
    Isn't there an AppGuard thread, where the proper configuration of AG can be discussed in depth and in detail?
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Yes, for sure. But since this test included AppGuard, I think opinions are still welcome in this thread? I understand Dan's point of view about default settings and all that, and I understand guest's and Pete's point of view. And so with my config I am in a happy place. I just need to add an anti-keylogger per Megan's request while in Shadow Mode.
     
  17. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    So why isn't it set that way "out of the box"? I have little time for any software that requires a diploma to operate. AG is probably more valuable to heads of IT depts; I just wanna cruise the net, not fret about whether I have set some software up correctly or not.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    We are not bashing Voodoo; I use it alongside my AppGuard special settings. It is not that hard to set up with the help of current senior members that use it. The only problem is it went from a lifetime to a yearly, and from what guest says, most will have to move to that for extra protection. When it gets to that stage I will uninstall it and just stick with Voodoo.
     
  19. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I like AG and Jeff, but you have a point, Mark: AG is not an "install and you're protected" software like VS and a few others. AG is more for a business environment, and that's just my opinion, and not for the average Joe.
    That test was done well and gave honest and accurate results, whether anyone likes it or not.
     
  20. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    @boredog


    Fair enough. I think VS is more than adequate for senior and junior users (if we need to define users). I was just looking through AG's thread; the developer, in my opinion, has a lofty attitude! I'll stick with VS and Dan :thumb:

    Sorry, Dan and others, I'll pull out and not mention any more about AG.
     
  21. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    @VoodooShield

    ...I would love to see Comodo Firewall @CS settings... please :-*

    Here are pictures for settings:

    1.png 2.png 3.png 4.png 5.png
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Boredog

    Simple. With PowerShell, I chose not to have it ever run, so I take it out of Guarded apps and put it in user space = yes. That way it can never run.

    Rundll32, on occasion, needs to run, so in that case I guard it so it can run but protect the system.

    If that doesn't make sense PM me.

    Pete
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dan

    1. Not mad at you, just making the point that you need to understand the software to test properly. I admit AppGuard is a tough nut to crack.

    2. I understand what you are saying about a lot of companies, but they aren't your responsibility, so why worry about them? Just be sure about VS, and let the others go.
     
  24. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Exactly, and if you inject a modicum of honesty, or shine the flashlight a little too close, people start getting defensive instead of focusing on what's important. Great point, Dan.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Pete, it was a proper test, as acknowledged here: https://malwaretips.com/threads/voodooshield-discussion.63827/page-12#post-634351

    The code injection is noted. Thanks for the video.

    Hopefully other devs will return the favor and find vulnerabilities in VS, so I can fix them.
     