VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    So that is the main job of SRP, correct? SRP is supposed to control the ability of programs to run... like DP, right?
     
  2. guest

    guest Guest

    In your video it is EB (the SMB worm attack) that you used. About DP, I don't know its specifics well enough to give you an adequate answer.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am certain that a lot of users will be interested in how to tailor it to stop this attack.
    EB is the exploit that installs the kernel-level backdoor DP. When you see rundll32.exe being fully spawned as a child process of lsass.exe, then you know the computer is pwned. You will see rundll32.exe briefly appear at 88 KB in the VS video, but after the prompt is closed, the process is denied from being executed. You do not see this with ERP since it is in lockdown mode and just automatically denies execution.

    Anyway, that is not the point... the point is that the main goal of SRP is to not allow new processes, such as DP, to run on your computer, right?

    I am going to bed... it's been a long weekend ;).
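    The indicator the post above describes (rundll32.exe appearing as a child process of lsass.exe) is straightforward to check for in process-creation telemetry. The following is an added example, not code from the post or from VoodooShield: the records are constructed in the shape of Sysmon Event ID 1 (ProcessCreate) fields, with invented timestamps, paths and command lines, and the check is done on the parent/child pair with case-insensitive name comparison so a mixed-case image name cannot slip past it.

```python
"""Flag process-creation events in which lsass.exe spawns rundll32.exe.

Added example, not code from the post or from VoodooShield. The records are
constructed in the shape of Sysmon Event ID 1 (ProcessCreate) fields; the
timestamps, paths and command lines are invented for illustration.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    image: str            # full path of the new process
    command_line: str
    parent_image: str     # full path of the parent process


# Constructed sample telemetry (not a real capture).
SAMPLE_EVENTS: List[ProcessCreate] = [
    # Normal service start: not interesting.
    ProcessCreate("2017-05-29 21:12:03", r"C:\Windows\System32\svchost.exe",
                  "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    # The pattern named in the post: rundll32.exe as a child of lsass.exe.
    ProcessCreate("2017-05-29 21:12:07", r"C:\Windows\System32\rundll32.exe",
                  "rundll32.exe", r"C:\Windows\System32\lsass.exe"),
    # rundll32 launched by explorer for a control panel applet: benign parent.
    ProcessCreate("2017-05-29 21:12:08", r"C:\Windows\System32\rundll32.exe",
                  "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
                  r"C:\Windows\explorer.exe"),
    # Same pattern with mixed case, which a naive string compare would miss.
    ProcessCreate("2017-05-29 21:12:10", r"C:\Windows\System32\RunDll32.EXE",
                  "RunDll32.EXE", r"C:\Windows\System32\LSASS.EXE"),
    # Any other lsass child is also out of the ordinary and worth reporting.
    ProcessCreate("2017-05-29 21:12:12", r"C:\Windows\System32\cmd.exe",
                  "cmd.exe /c whoami", r"C:\Windows\System32\lsass.exe"),
]


def _basename_lower(path: str) -> str:
    # ntpath handles backslash paths on any platform; Windows file names are
    # compared case-insensitively, so normalise before comparing.
    return ntpath.basename(path).lower()


def is_lsass_child(ev: ProcessCreate) -> bool:
    return _basename_lower(ev.parent_image) == "lsass.exe"


def is_rundll32_from_lsass(ev: ProcessCreate) -> bool:
    """The indicator described in the post: rundll32.exe spawned by lsass.exe."""
    return is_lsass_child(ev) and _basename_lower(ev.image) == "rundll32.exe"


def find_suspicious(events: Iterable[ProcessCreate]) -> List[Tuple[str, str, str]]:
    """Return (time, reason, detail) for every event that should be reviewed."""
    hits = []
    for ev in events:
        if is_rundll32_from_lsass(ev):
            hits.append((ev.utc_time, "rundll32.exe spawned by lsass.exe", ev.command_line))
        elif is_lsass_child(ev):
            hits.append((ev.utc_time, "unexpected child of lsass.exe", ev.image))
    return hits


if __name__ == "__main__":
    for when, reason, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{when}  {reason}: {detail}")
```

    The rundll32.exe launched by explorer.exe is not reported, because the parent is what makes the pattern suspicious, not rundll32.exe on its own. lsass.exe normally creates no child processes, so the second branch reports any child of it rather than only the one the post names.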
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I think that's a good attitude to have as a developer. It will be interesting to see if someone bypasses VS soon. What will you consider as an actual bypass? CS might give it a shot if she gets bored lol
     
  5. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    Nope, still does not work for me on Win 10.

    But I tried it on another OS (Win 7) and it worked, so I don't know what went wrong.
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,542
    Location:
    Paris
    Cutting Edge: Perhaps. But although I'm a virtualization type of a Girl, I still find VS to be very elegantly coded and certainly worthy of use (and no, we aren't dating).

    Also consider that there are typically two types of Security applications- the first can be quite easily bypassed by any riff-raffy zero day swill that shows up daily, and the other something that in order to bypass it you must spend significant time and reach down into the depths of bizarro-land in order to do so. Just on this basis alone, which should a user prefer to employ?
     
  7. guest

    guest Guest

    When a popup appears and I click on accept, is it normal for the exe to appear in the log as a blocked action?

    On the other hand
    I am in autopilot and sometimes I get files blocked in the whitelist without interaction (I have it configured to show a popup), and I am sure those files have no detections on VT. Why?
     
  8. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,805
    Location:
    UK
    Off-topic posts removed .

    Please keep on topic instead of baiting each other.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    When there is a true bypass of VS, I am impressed and thankful. The only time I get annoyed is when people claim that they can easily bypass a product, without even trying to do so. It is really funny when they start trying, and figure out that it is a lot more difficult than they thought it would be.

    I actually had no intention of talking about the test video at all... which is why I did not include any conclusions / results. But when someone claims that your test is invalid, you have the right and the obligation to demonstrate that it is valid.
     
    Last edited: May 30, 2017
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it will first appear as a block event, then an allow event. We could actually change this so that it lists it just once... but it is helpful later on so that you can tell that first something was blocked, then the user allowed it.

    If you post a screenshot of the prompt, I can probably tell you... but it is hard to say without seeing the prompt. Thank you!
     
  11. guest

    guest Guest

    Maybe it would be better for these actions to appear in the log as "allowed by user" or something similar.

    I will send you a screenshot once I get another file silently blocked in the whitelist.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    True, good point, I might change that at some point... it would be nice to know what was auto allowed and what was manually allowed by the user, thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ahhh, I see, thank you that helps. After seeing that error message... I highly doubt you are going to get that exact combo to work on Windows 10. That really is a very specialized combo with unique requirements ;).

    At some point in the next month or two, I can possibly look to see if I can fix that in the code... but I suspect it will be difficult or impossible to do so.
     
  17. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    Don't worry, I am patient.
    If it is impossible I can always run it from HDD.
     
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,805
    Location:
    UK
    Posts removed.
    The continuous back and forth about just one subject does nothing to enhance this VS support thread.

    Please take further discussion to PM's.

    Any further back and forth posts rehashing the same subject will also be removed.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I agree, this topic is very old. Besides, I am not sure how I ended up arguing both sides of the argument. If you ask me... mWave and Peter2150 / guest should debate this topic.

    I am going to rely on MRG's definition.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Dan is that a post I missed here? I must have missed that one.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The only thing I'd debate is the value of the whole debate.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Exactly, there is no debate. Watch the video and see the result.

    And test more. Lots more.
     
  24. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    171
    Location:
    London UK
    Okay, there is something wrong with the path. Possibly the way you mounted the drive.

    I get:
    [05-29-2017 22:40:46] [INFO ] - Allowed: chrome.exe, v:\centbrowserportable\chrome.exe
    where V is the drive letter.

    You get:
    [ERROR] - Exception in GetSHA256b (file does not exist or access denied): \Device\ImDisk0\Cent\chrome.exe

    Your drive path as seen by VS
    C:\Device

    Well it should show up in explorer as a separate drive.

    Example:
    ImDisk.jpg

    Suggest uninstalling ImDisk Toolkit and rebooting. Then run the ImDisk Toolkit setup file (installer) as administrator (right-click, then Run as administrator, to reinstall).

    Test and see if you get the same results.
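    The two log lines quoted in the post above differ in the form of the path: the working case is a DOS drive-letter path (v:\...), the failing one is an NT device path (\Device\ImDisk0\...) that user-mode file APIs will not open, hence the "file does not exist or access denied" error from the hashing routine. Kernel-side process and file callbacks typically report paths in the NT form, so an allow-listing tool has to translate them before hashing. The following is an added example of that translation, not VoodooShield's code: the device-to-drive-letter table is constructed and hypothetical (on a real Windows host it would be filled from QueryDosDeviceW for each drive letter, which is deliberately not called so the example runs offline), and unknown devices are refused rather than guessed at.

```python
"""Translate NT device paths to DOS drive-letter paths before hashing.

Added example, not VoodooShield code. Kernel callbacks typically hand a
driver NT object paths such as \\Device\\ImDisk0\\..., while user-mode file
APIs want V:\\...; the failing log line in the post shows what happens when
that translation is missing. The device-to-letter table below is constructed;
on a real host it would be filled from QueryDosDeviceW (kernel32), which is
deliberately not called here so the example runs offline.
"""
import re
from typing import Dict, Optional

# Constructed mapping of NT device names to drive letters (hypothetical values).
DEVICE_MAP: Dict[str, str] = {
    r"\Device\HarddiskVolume2": "C:",
    r"\Device\ImDisk0": "V:",
}

_DOS_PATH = re.compile(r"^[A-Za-z]:\\")


def nt_to_dos(path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Return the DOS form of an NT device path, or None if the device is unknown.

    Uses the longest matching device name and requires the match to end on a
    path separator, so \\Device\\ImDisk0 does not claim \\Device\\ImDisk01\\x.
    NT object names are compared case-insensitively.
    """
    low = path.lower()
    best: Optional[str] = None
    for device in device_map:
        d = device.lower()
        if (low == d or low.startswith(d + "\\")) and (best is None or len(d) > len(best)):
            best = d
    if best is None:
        return None
    letter = next(v for k, v in device_map.items() if k.lower() == best)
    # Keep the remainder of the original path (and its case) after the device name.
    return letter + path[len(best):]


def path_for_hashing(path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Return a path a user-mode file API can open, or None to log and fail closed.

    DOS paths pass through; NT device paths are translated; anything else
    (a device with no drive letter, a relative or malformed string) is rejected
    rather than guessed at. Rejecting is the right outcome for an allow-lister:
    a file it cannot hash cannot be matched against the whitelist.
    """
    if _DOS_PATH.match(path):
        return path
    if path.lower().startswith("\\device\\"):
        return nt_to_dos(path, device_map)
    return None


if __name__ == "__main__":
    for p in (r"v:\centbrowserportable\chrome.exe",
              r"\Device\ImDisk0\Cent\chrome.exe",
              r"\Device\ImDisk01\Cent\chrome.exe"):
        resolved = path_for_hashing(p, DEVICE_MAP)
        if resolved is None:
            print(f"{p!r} -> no drive letter known, refuse to hash")
        else:
            print(f"{p!r} -> {resolved!r}")
```

    A RAM disk that is mounted without a drive letter (or whose letter is not yet visible to the service doing the lookup) lands in the None case, which is consistent with the post's suggestion that the way the drive was mounted is the thing to check first.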
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    Will be testing this again on my laptop, I no longer use those scripts which caused some problems, so I suspect it will work 100% this time.
     