VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,522
    The thing is like this: VS gives the average user a high degree of confidence. He has probably clicked on lots of files, and observed how VS blocks or examines. So it probably will not occur to him that this time, VS will let it go by unchallenged.
     
  2. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    So you're basically asking Dan if he (by design) set that up to facilitate software theft?
    Surely you are smart enough to know the answer to that :cautious:
    Dan should not even dignify that with an answer:isay:
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,522
    Well, the question I am raising is a little deeper: should security software be designed to protect the average user even when his action is probably violating copyright laws?
    The off-the-cuff answer is: he got what was coming to him.
    On the other hand, the user will claim there is a hole in VS protection, and perhaps he is right.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,351
    Location:
    Among the gum trees
    Hey Dan,

    What about the bug I emailed you about some time ago? Do you remember the "myharmony.exe" issue?
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    However, that video concerns the product under discussion but, as has been said, parts of the dialog may be too technical for some to understand. It is for this reason that the concerned parties should take it to PM to discuss the more technical aspects of the program. Either that or create a new thread for such topics and leave this one for more general product support as suggested in #16487.
     
  6. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    157
    Location:
    West Oz
    An ancient proverb: "Against stupidity the gods themselves contend in vain." (Friedrich von Schiller)

    OTOH, the way things are going, more and more people with little or no tech. ed. using ever more powerful IT equipment, then pwned boxes will eventually be considered as self-inflicted damage, and users held liable. (I've--4 decades ago--seen exactly that applied to one moron by an ISP.) It's not a great step to statutory requirement for G-Ai IT protection, in exact alignment with (for example) Western Australia's requirement that all automobiles have a functional theft-prevention device fitted prior to sale (read: on-road registration), back in--IIRC--2001. As I see it, this would "naturally" be integral to the OS, and the only debatable point would be the successful tenderer chosen by the OS manufacturer.
     
  7. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Ok, that's better, but the way you worded that, if you go back and read it, it looked like you were asking a very different question.
    Thanks for clarifying brother, I was scared there for a moment we had lost you to the dark side :p
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,522
    Thanks Ghostie. Even my mother can't understand me sometimes...
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,894
    Location:
    The Netherlands
    I think I now understand it. Basically, the EternalBlue exploit hijacks lsass.exe which will load the DoublePulsar kernel backdoor, but DP needs to load a payload like WannaCry. So in the video you can see that both VS and ERP blocked the payload (rundll32.exe + cmd.exe) from running. This means that both VS and ERP could have blocked the WannaCry ransomware or any other malware from running.

    Yes correct, but even HMPA and MBAE wouldn't have been able to block it, because they don't monitor lsass.exe. The newest version of HMPA does now have generic protection against the DP injection method.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,894
    Location:
    The Netherlands
    I don't think it would block in-memory payloads, because they don't spawn new child processes. So let's say hackers create ransomware or banking trojans that are truly in-memory based, all malicious activity would be done from inside the exploited process. So far I've never seen such malware, so it's probably hard to develop and it has another drawback, if you close the exploited process (like the browser), then the infection is gone.
     
  11. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Agreed. To those that constantly challenge: why not go and design a security software that is impregnable and show how it should be done!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Krusty... yeah, I kind of remember that, but for some reason I thought it was taken care of. My search function in my Outlook is not working, do you mind posting the bug on here and I will take a look at it? Thank you!
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,383
    I think the argument was more about understanding the strengths and weaknesses of the products.
    Both VS and Appguard are good products. But they work differently, like it was stated in this post
    https://malwaretips.com/threads/ete...on-whitelisting-test.72049/page-5#post-636085
     
  14. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    Then frankly leave that on MalwareTips!... Why spread the contents of one site onto another? That assists no one and just creates FUD, and besides, this AppGuard v VoodooShield is almost A v B, which isn't tolerated on this site by its rules.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have not found an example that fits your description, but if you find one, please let me know. I would love to test... VS only this time ;).

    Just keep in mind, you said "all malicious activity would be done from inside the exploited process". We can use the EB/DP example, since we are all extremely familiar with it by now. I see, you are curious about potential malicious activity inside of lsass. I am comforted by the fact that VS blocked lsass when it tried to spawn DP... but who knows what someone might think of next. I am not an expert on exploits, but I am certain that they are at least somewhat limited, and executing a malicious payload of some kind is pretty much a requirement... but I am just speculating.

    However, the bigger issue that I see at the present time is that the malicious payload DP is a generic backdoor payload... one would assume you can add pretty much whatever malicious code you want to it. And if a session is created and the hacker has shell, you could also probably safely assume that attack would not be blocked in any way.

    It is going to be extremely interesting because the genie is now out of the bottle... and the malware authors are aware of how effective this type of attack can be, since they witnessed firsthand how it spread like wildfire. I think that is why MRG is so concerned about it. And once we fully understand the initial attack vector, things could get pretty scary.
     
  16. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,383
    It appears the A vs B rule only applies to antiviruses.

    I found this thread that might be perfect if people want to continue discussing it.
    https://www.wilderssecurity.com/thr...shield-or-novirusthanks-exe-radar-pro.377372/
     
  17. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    The simple fact is that as security software develops to prevent the current attack methods, the authors of malware etc. up their game as well; it's a never-ending battle, and everything under discussion now will be old school by this time next year if not sooner.
     
  18. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,383
    I agree with that. But if there's no point in discussing it, then there wouldn't be a point to security forums like Wilders.

    Discussion/Opinions/Feedback/Negative or Positive Criticism can help a product grow and mature. Dan knows very well how his product has grown thanks to feedback made by members in this forum.
     
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    Agreed, I was referring to some of the hostile comments that were made with no substance to back them up.
     
  20. M3gatron

    M3gatron Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    41
    Location:
    ::1
    @VoodooShield /Dan

    Any updates on the vulnerability reported via IM?
     
  21. danielson

    danielson Registered Member

    Joined:
    May 15, 2017
    Posts:
    20
    Location:
    AR
    Is VS still compatible with XP?
    Downloaded a file from my PC to install on someone who has XP and it did not work.
    Then I downloaded one directly from that person's XP and it still would not install.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The new website is finished... Alex just emailed me today to let me know. We will be deploying it asap... it is going to look exactly the same as it did before, but it is built on today's security standards, and not standards from 6 years ago ;).

    BTW, some hacker dude emailed me out of the blue and found a couple of other issues with our website... one that was even on the new site, but it is fixed now. I think he did a pretty good job of testing the new site, so we should be good to go. It was worth the bug bounty ;).
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Unfortunately VS's new driver does not work with XP, sorry about that.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,351
    Location:
    Among the gum trees
    My email:


    Your reply:
    I was trying to allow it because myharmony.exe won't run without internet access.

    Thanks,
    Dave
     
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
     