I have a problem running multiprocess applications in a RAMdisk created by ImDisk (https://sourceforge.net/projects/imdisk-toolkit/). VS cannot find child processes, which causes these child processes to be blocked.
I see... yeah, we already do something kind of similar, and I think it actually works better for VS to leave it the way it is. Let me think through it though... if it makes sense to do that, then we certainly will... it would be super easy to implement. Thank you!
I installed ImDisk, but there were at least 3 different components, and I was not sure what to test. But basically, if VS is not working correctly with ImDisk, I would figure out the path that is causing the issue, and add that to Custom Folders. I hope that makes sense, if not, please let me know!
You probably just made it block process execution coming from lsass.exe. If I am wrong then I will actually inject into it myself to test this?
Try it and find out. Ask Black Cipher how difficult VS is to bypass... he knows. It is not impossible, I am sure everyone is curious if you can... so just do it. BTW, I would be happy to rename our Exploit feature if someone has a better suggestion. I just figured that since that feature was designed to block malicious code from exploits, that the name I gave it was appropriate. While you are testing... you might as well test the specialized anti exploit products and see how they did against this attack. Then we will know what should be labeled anti-exploit and what should not.
I am using only the RAMdisk component, so I run RamDisk Configuration (RamDiskUI.exe), then I create a RAMdisk with a specified size (e.g. 2 GB) and drive letter (e.g. R:\). I also enable "Use AWE physical memory" in the Advanced tab; everything else is default. After creating the RAMdisk I copy a folder with an application (e.g. Cent portable, https://www.centbrowser.com/) and run it. The parent process will run, but some child processes will be blocked. Only disabling VS will allow me to run it normally. In the VS log there are errors saying that VS cannot find the exe in question, because it tries to find it in the native NT path name. This is because ImDisk is designed to run on all versions of Windows NT. Can you find some workaround? ImDisk is the only free RAMdisk that doesn't have a size limitation when creating a RAMdisk. TIA
What happens when you uncheck the RAM disk in Custom Folders, for both the ON and OFF (left / right) drive trees?
Actually, the more I think about it... you probably do not want to run a browser unprotected like that... let me see what other workarounds we can come up with. There may be a chance that ImDisk is not going to work properly with VS the way you want it to.
Maybe they should take it over to Malwaretips where they can battle it out, lol. I don't think Mwave is going to stop voicing his view about the exploit feature. If I can think of a better name for the exploit feature that is not misleading then I will let Dan know in a post here. I can't think of anything right off hand. I do know a little about how VS exploit mitigation works, and it seems to be working quite well for its intended purpose.
I am actually pretty much over this whole thing... it is really getting old. There is no point in arguing about any of this. There will either be a bypass or there will not be. Anyway, this feature has really worked out well for VS. VS is not originally intended to be an anti-exploit security software... but as I was saying... in order to stay relevant, you must adapt. Besides, if my method achieves the exact same result and does not allow for any bypasses, I would actually prefer this method. Mainly because new exploitation methods will be created, and it will always be a cat and mouse game. Simplicity is the final achievement. BTW, CET, would you agree that if VS blocked EternalBlue from installing DoublePulsar and specialty anti exploit products did not, that it is appropriate to leave that feature's name as it is? Either way, I am happy to change the name if someone can think of something more fitting.
I've used ImDisk in the past to create RAMdisks but currently I use an alternative. VoodooShield does see the RAMdisk. (Drive letter is V on my machine.) I reckon you'd need to add any browser path to web apps.
Cent is already detected by VS (as Chrome); Firefox e10s is also affected. OK, this is interesting: after a little testing it seems that it affects multiprocess apps which create child processes with the same name as the parent.
And that should be the goal for all security software, not multiple GUIs with 1/2 dozen options on each window. Download, install, job done. I know it's not as easy as that, but it shouldn't be tougher than unravelling the Gordian knot.
This is what I get in VS DeveloperLog.log:
[ERROR] - Exception in GetSHA256b (file does not exist or access denied): \Device\ImDisk0\Cent\chrome.exe
[ERROR] - Exception in NewProcessHandler_HandleProcess: File C:\Device\ImDisk0\Cent\chrome.exe cannot be found..
   in System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   in System.IO.FileInfo.get_Length()
   in VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo, String& title)
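The two errors in the log above show a path-namespace mismatch: the image path arrives as an NT device path (\Device\ImDisk0\...), and once it is handed to a Win32 file API unchanged it is read as drive-relative and becomes C:\Device\ImDisk0\.... The following is an added example, not part of the original post and not VoodooShield's code, of how an allow-listing tool can translate such a path before hashing the file. The function names and the device map are assumptions; on Windows the map would come from QueryDosDeviceW for each drive letter.

```python
# Constructed sample: drive letter -> NT device target, in the shape that
# QueryDosDeviceW reports. The values are illustrative, not from the thread.
SAMPLE_DEVICE_MAP = {
    "C:": r"\Device\HarddiskVolume1",
    "D:": r"\Device\HarddiskVolume10",
    "R:": r"\Device\ImDisk0",
}

# Win32 prefix that exposes the NT object namespace to file APIs.
GLOBALROOT = "\\\\?\\GLOBALROOT"


def is_nt_device_path(path):
    """True for paths rooted in the NT object namespace (\\Device\\...)."""
    return path.lower().startswith("\\device\\") or path.lower() == "\\device"


def naive_win32_path(path, current_drive="C:"):
    """Reproduce the failure mode: a path with one leading backslash and no
    drive letter is resolved against the current drive by Win32."""
    if path.startswith("\\") and not path.startswith("\\\\"):
        return current_drive + path
    return path


def resolve_nt_path(nt_path, device_map):
    """Map an NT device path to a path Win32 file APIs can open.

    Uses the longest matching device target, compared case-insensitively and
    only on a path-component boundary, so HarddiskVolume1 never captures
    HarddiskVolume10. If no drive letter maps to the device, fall back to the
    GLOBALROOT form instead of guessing a drive.
    """
    if not is_nt_device_path(nt_path):
        return nt_path  # already a drive-letter or UNC path
    lowered = nt_path.lower()
    best = None
    for drive, target in device_map.items():
        t = target.rstrip("\\").lower()
        if lowered == t or lowered.startswith(t + "\\"):
            if best is None or len(t) > len(best[1]):
                best = (drive, t)
    if best is None:
        return GLOBALROOT + nt_path
    drive, t = best
    rest = nt_path[len(t):]
    return drive + (rest or "\\")


if __name__ == "__main__":
    logged = r"\Device\ImDisk0\Cent\chrome.exe"  # path from the log above
    print("naive   :", naive_win32_path(logged))
    print("mapped  :", resolve_nt_path(logged, SAMPLE_DEVICE_MAP))
    no_letter = {k: v for k, v in SAMPLE_DEVICE_MAP.items() if k != "R:"}
    print("fallback:", resolve_nt_path(logged, no_letter))
```

The tool should hash the file through the resolved path and still block the process if the file cannot be opened, so a failed lookup never turns into an implicit allow.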
I'm not trying to bypass VoodooShield so I can brag about it, I just want to see if I can understand what you are actually talking about because I would feel really bad if you have really had some interesting stuff in your product after I spent time saying it was nothing more than process white listing with an Ai checkup. I am going to test VoodooShield with dynamic aspects and see what I can find, see if it will flag anything. For example, I will inject into a process like lsass.exe to execute some code and then see if VoodooShield does something? Or have I misunderstood you? From what I knew, all VS is, is an anti-exe... But now after reading your posts it is also an Anti-Exploit now? Bearing in mind that process blocking is not the same as exploit mitigation. So before I potentially waste my time how do I approach this? For example... I make a program to do something like suggested above, I let VoodooShield run the program and then VS will block exploit-related behavior? Or something different?
Seems to work fine for me using VS Pro. I suppose I should point out that I changed Environment Variables for TMP and TEMP.
I imagine you are. The discussion could be worth having if it was in a more productive way with constructive criticism, and offering solutions. I hate seeing the vulgar language, it's always unprofessional. Let's move on, and not be pulled back into a discussion like that. I definitely agree with you on that point. I'm always looking for a simple method that will catch almost everything in the end. I believe simplicity is the key. It's like trying to monitor thousands of different doors which malware can use to enter the system, but they all have to go through one last door in the end to finish entering the system. Which is easier, and more effective, monitoring the thousands of doors, or the one door that they all have to go through in the end? This is a very rudimentary analogy, but it shows why products like VS work so well in method. Since VS does not actually block the exploit in memory you could consider changing the name, but including exploit in the name while giving a self-documenting description describing why VS increases protection against exploits. If it mitigates the damage from the exploit in the end then that's all that really counts. How well does VS mitigate payloads from exploits? It does well from what I have seen, but thorough testing is the only way to be sure. My course of study will be focusing on exploits soon, I will see if I can do a capstone project on VS, and similar products to see how well they do against a variety of exploit attacks. I expect VS will do well in such a test. I honestly can't think of a short name at the moment that would immediately give the user a reasonable understanding of what the feature does. Something like payload catcher comes to mind, but that's not a good name IMO. Maybe you could just leave the name the same, and include some literature describing why the feature increases protection against exploits if it's not too revealing.
Anything that makes it clear that VS does not block the exploit in memory would work. I will have to think on this for a while. I honestly don't know if the name should be changed or not. I would prefer to discuss this in private. I don't want to feed the wolves in the thread lol
We were asked to not talk about this, so if we need to discuss anything further, please pm me. But in general, to demonstrate a true bypass of VS, all one needs to do is to somehow infect the machine without clicking Allow. For example, you already have EternalBlue... why not do something with that, and see if you can infect the machine? I think it would be difficult though, simply because DoublePulsar was created by the NSA and is pretty nasty, and VS had no problem blocking it. But who knows, you might do something really cool. VS does not do any behavior blocking at all... for a lot of reasons, but that is a totally different discussion.