So that is the main job of SRP, correct? SRP is supposed to control the ability of programs to run... like DP, right?
In your video it is EB (the SMB worm attack) that you used. About DP, I don't know its specifics well enough to give you an adequate answer.
I am certain that a lot of users will be interested in how to tailor it to stop this attack. EB is the exploit that installs the kernel-level backdoor DP. When you see rundll32.exe being fully spawned as a child process of lsass.exe, then you know the computer is pwned. You will see rundll32.exe briefly appear at 88kb in the VS video, but after the prompt is closed, the process is denied from being executed. You do not see this with ERP since it is in lockdown mode, and it just automatically denies execution. Anyway, that is not the point... the point is that the main goal of SRP is to not allow new processes, such as DP, to run on your computer, right? I am going to bed... it's been a long weekend.
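The indicator the post above describes (rundll32.exe running as a child of lsass.exe) is easy to turn into a detection rule over process-creation telemetry. The following is an added example, not code from this thread or from VoodooShield: it parses a handful of constructed, simplified Sysmon Event ID 1 style lines (the key=value layout and field names ProcessId, Image, ParentProcessId, ParentImage are assumptions for the example, not a real export format) and flags the parent/child pair the post names. The second, lower-confidence rule (any child of lsass.exe) goes beyond what the post states and is included only as a triage hint.

```python
"""Flag process-creation events where lsass.exe spawns rundll32.exe.

Added example, not code from the thread or from VoodooShield. The log lines
below are constructed to resemble a simplified Sysmon Event ID 1 export as
key=value pairs; the field names are assumptions for this example only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry (not captured from a real machine).
SAMPLE_LOG = [
    'EventID=1 ProcessId=4412 Image="C:\\Windows\\System32\\rundll32.exe" '
    'ParentProcessId=672 ParentImage="C:\\Windows\\System32\\lsass.exe"',
    'EventID=1 ProcessId=5120 Image="C:\\Windows\\System32\\rundll32.exe" '
    'ParentProcessId=3980 ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 ProcessId=6000 Image="C:\\Windows\\System32\\svchost.exe" '
    'ParentProcessId=672 ParentImage="C:\\Windows\\System32\\lsass.exe"',
    'this line is not an event and must be skipped',
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str


# key=value where the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one key=value event line; return None for lines missing fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        return ProcEvent(
            pid=int(fields["ProcessId"]),
            image=fields["Image"],
            parent_pid=int(fields["ParentProcessId"]),
            parent_image=fields["ParentImage"],
        )
    except (KeyError, ValueError):
        return None


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path ('C:\\x\\LSASS.EXE' -> 'lsass.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines: List[str]) -> Dict[int, str]:
    """Map child PID -> verdict for every event whose parent is lsass.exe.

    'high'   : rundll32.exe spawned by lsass.exe (the indicator from the post).
    'review' : any other child of lsass.exe (generalisation; lsass normally
               spawns nothing, so treat this as a prompt to look, not proof).
    """
    hits: Dict[int, str] = {}
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent == "lsass.exe" and child == "rundll32.exe":
            hits[ev.pid] = "high: rundll32.exe spawned by lsass.exe"
        elif parent == "lsass.exe":
            hits[ev.pid] = "review: unexpected child of lsass.exe"
    return hits


if __name__ == "__main__":
    for pid, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"pid {pid}: {verdict}")
```

On a real host you would feed this the Sysmon operational log (or any EDR process-creation feed) instead of the constructed list; the parent/child image names are what matter, not the PIDs.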
I think that's a good attitude to have as a developer. It will be interesting to see if someone bypasses VS soon. What will you consider as an actual bypass? CS might give it a shot if she gets bored lol
Nope, still does not work for me on Win 10, but I tried it on another OS (Win 7) and it worked, so I don't know what went wrong.
Cutting edge? Perhaps. But although I'm a virtualization type of girl, I still find VS to be very elegantly coded and certainly worthy of use (and no, we aren't dating). Also consider that there are typically two types of security applications: the first can be quite easily bypassed by any riff-raffy zero-day swill that shows up daily, and the other is something that, in order to bypass it, you must spend significant time and reach down into the depths of bizarro-land to do so. Just on this basis alone, which should a user prefer to employ?
When a popup appears and I click on accept, is it normal for the exe to appear in the log as a blocked action? On the other hand, I am in autopilot and sometimes I get files blocked in the whitelist without interaction (I have it configured to show a popup), and I am sure those files have no detections on VT. Why?
When there is a true bypass of VS, I am impressed and thankful. The only time I get annoyed is when people claim that they can easily bypass a product, without even trying to do so. It is really funny when they start trying, and figure out that it is a lot more difficult than they thought it would be. I actually had no intention of talking about the test video at all... which is why I did not include any conclusions / results. But when someone claims that your test is invalid, you have the right and the obligation to demonstrate that it is valid.
Yeah, it will first appear as a block event, then an allow event. We could actually change this so that it lists it just once... but it is helpful later on so that you can tell that first something was blocked, then the user allowed it. If you post a screenshot of the prompt, I can probably tell you... but it is hard to say without seeing the prompt. Thank you!
Maybe it would be better for these actions to appear in the log as "allowed by user" or something similar. I will send you a screenshot once I get another file silently blocked in the whitelist.
Can someone test Cent portable (https://www.centbrowser.com/history.html) in ImDisk RAMdisk (https://sourceforge.net/projects/imdisk-toolkit/) with VS, to check whether it's related to Win 10 or only my system, which is strange because it's a clean install?
True, good point, I might change that at some point... it would be nice to know what was auto allowed and what was manually allowed by the user, thank you!
I probably will not have time for a while to look at it... but what error are you having on Windows 10?
Ahhh, I see, thank you, that helps. After seeing that error message... I highly doubt you are going to get that exact combo to work on Windows 10. That really is a very specialized combo with unique requirements. At some point in the next month or two, I can possibly look to see if I can fix that in the code... but I suspect it will be difficult or impossible to do so.
Posts removed. The continuous back and forth about just one subject does nothing to enhance this VS support thread. Please take further discussion to PMs. Any further back-and-forth posts rehashing the same subject will also be removed.
Yeah, I agree, this topic is very old. Besides, I am not sure how I ended up arguing both sides of the argument. If you ask me... mWave and Peter2150 / guest should debate this topic. I am going to rely on MRG's definition.
Yeah, the test that MRG performed and the wild speculation on what products block what, is what encouraged me to run the test for myself. https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/ If you read it very carefully, it truly explains EVERYTHING.
Okay, there is something wrong with the path. Possibly the way you mounted the drive. I get:
[05-29-2017 22:40:46] [INFO ] - Allowed: chrome.exe, v:\centbrowserportable\chrome.exe
where V is the drive letter. You get:
[ERROR] - Exception in GetSHA256b (file does not exist or access denied): \Device\ImDisk0\Cent\chrome.exe
Your drive path as seen by VS: C:\Device
Well, it should show up in Explorer as a separate drive. Example:
Suggest uninstalling ImDisk Toolkit and rebooting. Run the ImDisk Toolkit setup file (installer) as administrator (right-click, then run as admin to reinstall). Test and see if you get the same results.
Will be testing this again on my laptop, I no longer use those scripts which caused some problems, so I suspect it will work 100% this time.