VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

    VS isn't SRP but an enhanced anti-exe, because SRP just blocks everything not whitelisted, without prompts. ;)
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I'm not so sure about that. VS is using policies just like SRP uses. I think VS gives the option to auto-block in the settings, or prompt the user. I still consider it SRP, or a type of hybrid. It could also be considered a sort of HIPS in some ways.
     
  3. guest

    guest Guest

    You may have some points; maybe Dan can tell (better than anyone) what category he thinks VS is in, because VS does a lot of things. Originally it was an anti-exe, but with the addition of the sandbox, the VT reputation scan and lately the AI, it becomes difficult to categorize it :p

    definition of SRP : https://technet.microsoft.com/en-us/library/cc782792(v=ws.10).aspx

    I still don't believe it is SRP, more an enhanced anti-exe.

    Anti-exe and SRP look very similar but are different in terms of mechanism.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, I can make it say anything we want it to say in the script... that is just logging.

    What really, really, really, really, really, really, really counts is if a session is created and we can get shell.

    When I can get shell on the AG test, but cannot get shell on the VS test, then you know.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I recommended several SRP policies to Dan by email when he started adding the Web Apps and Anti-Exploit feature. He did a lot of brainstorming and took it a lot further. I'm sure he has some very effective SRP going on under the hood.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS is certainly unique ;). That is a good thing though.

    I just think that every web connected device should be locked when it is at risk... that the lock should be made as user-friendly as possible, with as few dangerous affirmative user prompts as possible, and that relevant file insight should be provided to the user in case of a block. That is VS in a nutshell.
     
  7. guest

    guest Guest

    And you use the shell for what? Just look at it?
    Uploading a malicious file and making it run is the endgame, the purpose of the whole attack.
    You break into a bank to steal the money, not just to make a hole in the vault.
    And I told you SRP and AG are post-exploit mechanisms. You can prevent it earlier, but in the end the system will not be infected, just breached; this is a big difference.
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have no idea what you mean, but yeah, VS's code that determines whether a file should be allowed or not is quite complex... it took a while to get it right ;). It is well organized I might add ;).
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Basically to prove that there is a connection with DP. If you cannot get shell, the attack totally failed.

    You guys seriously just need to test the damn thing for yourself. Seriously. ;).

    White Cipher gets upset when people ask too many questions without taking the time to test for themselves ;).
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I guess VS has changed a lot since then. This was around 2 years ago. Are you saying SRP only plays a small role in the Anti-Exploit feature now?
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Do not forget the fact that if a new DP instance was created, ANYTHING can be created.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am confused when you refer to SRP as it relates to our code. Please give me 2 examples of:

    1). AE code / functions
    2). SRP code / functions

    Do you see what I mean? If not, I might have to respond tomorrow, I am extremely tired. Thank you guys!
     
  13. guest

    guest Guest

    BRN did already; they won't care because the uploaded malicious file still can't run. Do you understand what I mean?

    But everything uploaded and run will be blocked... Making several holes in a building to put a bomb in is different from successfully making the bomb explode.
    I understand where you come from; you believe that AG should prevent the hole from being made, but it is not; AG is designed only to stop the bomb from exploding.
    (However, AG Business would stop the holes from being made, from what I heard.)

    OK, I think people get the idea of the what and how; we can move on to some more VS-related stuff.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Then how was DP installed on the machine?

    Let's just pretend for a second that only one new malicious process (DP) can be created on a machine... that machine is still a zombie and infecting other endpoints. Either way, there is not an excuse for this issue to not be fixed... it really is a BFD.

    That is why MRG made such a big deal out of it... and why after reading the MRG article, I started to worry about it... so I googled it, and found the MT discussion, and no one was testing, so I tested myself. Do not quote me on the exact sequence of events, but it was something like that ;).
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,795
    Location:
    UK
    Guys seriously, take a break and stop talking about the testing stuff.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I will have to go back and look at our emails when I have time. There's so.... many to look through. These emails are from like 2 years ago, or maybe even longer.

    You mentioned several SRP policies that you were thinking about integrating into VS after I mentioned policies like not allowing web-facing apps to spawn child processes or write to the system space.

    I'm not trying to take any credit for VS design. I was just trying to come up with a name and description of the Anti-Exploit feature that would prevent future arguments. That was my only intention.

    Dan, I'm sure you are worn out and tired of explaining the same thing over and over. Get some rest, man!
     
    Last edited: Jun 1, 2017
  17. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    640
    Location:
    USA--Colorado
    +1

    It's making my head hurt.... ;)
     
  18. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,410
    Dan posted a video not that long ago. Of course people are gonna talk about it.
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,795
    Location:
    UK
    We know all about the video. You obviously missed all the 'heated remarks' that had to be removed.

    So this thread would be better suited to discussions, questions and answers about VS itself, and not that testing video.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Darn it... I missed the heated remarks ;).
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hopefully CS or MRG can explain to guest what is up.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, but I do not know what you mean by SRP policies... can you please give me an example so that I know what you mean, and so we are on the same page?

    VS is quite unique, so it is difficult for me to distinguish what is an AE feature and what is a SRP feature.

    You and all of the wilders users have been a heck of a lot of help in making VS what it is, and for that I thank you!

    The only thing that I can tell you is that there are a lot of people that are impressed with OUR work. ;).
     
    Last edited: Jun 1, 2017
  23. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Honestly Dan, you and I both know it wont make a difference :p
    Get some rest brother.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    Question about VS default settings, which "automatically allow all files from the Programs files folders".
    There are lots of illegal downloads that contain instructions such as the following, and I quote:

    1. Install Program & Close it completely
    2. Copy patch to program's installation folder
    3. Right click on Patch, Click "Run as administrator" & apply it!
    4. Enjoy & Share!

    This is a typical set of instructions for illegal cracks.

    VS at default settings will not protect a user who is stupid enough and criminal enough to follow instructions. Is this by design?
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Correct, but why wouldn't they scan the crack with VS first... it would probably have tons of blacklist hits, and VoodooAi is typically off the charts for cracks.

    If they are stupid enough to ignore the blacklist and VoodooAi, there is no helping them.
     