Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
Is there going to be a forum ?
Hehehe, not a chance.
Good, I hate joining [new] forums.
The thread here gives ample support, feedback and offers suggestions for development; Dan has more than proved he listens... It's a shame that individuals can run riot and contribute nothing other than abuse.
Agree 100%, that's why I asked him if he was going to add a forum to his new VoodooShield site.
I tend to not say too much about it though clubhouse1, because it does serve to show the true colors of those individuals, and an informed reader learns a lot by watching it play out. PeAcE
But you're right, I see Dan and his kindness to the communities he participates in, and it is hard for me not to reply in the manner that I want to. If nothing else it teaches me patience and tolerance.
Thanks Dan, as the vulnerability currently exists on the client, I trust the client would be updated as well, right?
I didn't think it was that bad. I saw a lot of back and forth (not that I understood it all) that was typical of a bunch of techies banging heads. Anybody that has worked in the technology industry will recognise it as par for the course. It's usually followed by the marketing guy asking whether they have heard of Betamax.
It was Meghan's elephant on a Spring night in NY that set me right. She has a gift.
I do agree that it's better if people inform and demonstrate, i.e. video reviews, please. I would love to see more VS reviews on MT. CFW has a fan-base because of CS and her videos (Meghan definitely deserves an emerald bracelet from Melih). As I said before, VS could do with a Nastybrother equivalent ripping a video every month.
Completely agree with that; all I found disgraceful was the name-calling. Dan has proved time after time that he welcomes challenges from others that have a good if not profound understanding of Windows systems and its inherent weak spots that may lead to VS covering those too. Anyway, it seems to be more peaceful now, I hope it stays this way because I did find it ugly and pretty uninformative for a few days at least.
I have a question. Maybe someone has asked or even answered. Can VS replace traditional AV? Is it ok if I run it alongside AVG and AdGuard? Or is it overkill?
An AV is recommended to be used alongside VS, but this is not necessary; so if you use it alongside AVG and Adguard, it is fine.
Has everyone seen the new VoodooShield webpage? Very professional-looking! VS is on its way to the mainstream market, you can tell. The thing is, if you've been using VS for a while, you kind of miss the "old-fashioned" web-page that had a more personal atmosphere about it.
No... it's still the same one I've been checking out for several months. OTOH, my today is actually your tomorrow if you're in the USA. It's 2-6-2017@20:23 here.
I guess I rely exclusively on this thread for all the essential info so I must be seriously behind the times.
Nyet. Only 24 hours
Looks same as old one to me too. What has changed?
Hehehe, yeah, the site on our main domain is still the same... the new site is on a different temporary domain until we move it over, but there is still some more work we need to do.
But even after we move it, it is still going to look the same. For now anyway.
Have a great weekend guys, thank you for all of your help!
@VoodooShield the new site looks good, especially the picture.
Thank you, that is a killer monitor huh? It even has magical wireless cables.
Bottom of the webpage still says 2016
Hehehe, I might as well just wait until 2018 now. Kind of like when I do not adjust any of my clocks for daylight savings time, hehehe.
You may want to delete older pages from 2011.
Yeah, the new site is ALL cleaned up and secure (so these old pages will go away)... we just have to finish up a few things.
Well, that's the thing that's not 100% clear. Some say that VS didn't block DP in the video, but VS blocked the payload it tried to load. In order to load the payload, it had to apparently spawn rundll32.exe and that's what VS blocked. Basically, security tools had 3 opportunities to block this attack: they could block either EternalBlue or DoublePulsar or WannaCry. VS and ERP would have probably blocked WannaCry.
I just see MRG has updated their article, now HMPA and SentinelOne are also included. I wish they publicized a list of all tools that passed and failed to block this attack, because there is no excuse for failing to protect, especially for security suites and next gen AV's.
But they mention that in the future these attacks might involve the usage of an "in-memory Meterpreter", I assume that all encryption would then be done from inside a system process like lsass.exe, and that would be hard to stop. Perhaps only a dedicated anti-ransom tool that watches for suspicious file modification would be able to tackle this.
VS blocked the exploit EB from spawning the malicious payload DP. I did not even include WannaCry in the test... that was not the point of the test. The point of the test was to duplicate the MRG test as closely as possible, to see if the malicious payload DP was in fact blocked.
Since VS blocked the exploit EB from spawning DP in this attack, there is a high probability that our mechanism is sound, and we have nothing to worry about... but if you find a sample, I would be happy to test.
I am assuming that if someone wanted to enhance this attack, they would include the encryption code in DP, and have their way with a lot of systems. Probably what happened with WannaCry is that the malware authors were lazy, and it was easier for them to just use DP's built in tools to execute WannaCry, instead of building it into DP itself... but this is just a guess.
It looks like everyone understands what happened now... here is an extended discussion if you are interested: https://malwaretips.com/threads/ete...on-whitelisting-test.72049/page-7#post-636492
Where is anyone saying that VS did not block DP?
OK so you're saying that in order to load DP, it had to run rundll32.exe? I assumed exploits didn't necessarily have to spawn child processes in order to load a backdoor that runs inside the exploited process, which in this case was lsass.exe.
Yes, this is what wasn't clear to me, because there is a lot of talk about file-less malware, but apparently it's a lot easier to simply run malware from disk, instead of from in-memory.
I believe that is what guest and mWave claimed, and it's also not really clear to me. But it's not a big deal to me, as long as the WannaCry payload was blocked in the end. And thanks for the link.
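The posts above describe two ways the rundll32.exe launch in the video could have been caught: an anti-executable allowlist (the mechanism attributed to VS) and the fact that the launch came from the exploited lsass.exe, a process that normally creates no child processes. The following is an added example, not code from this thread or from VoodooShield, showing both checks as detection logic run over a handful of constructed process-creation records. The record layout, the allowlist contents and the file names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record: parent image, child image, child command line.
    The layout is constructed for this example, not a real sensor's schema."""
    parent: str
    child: str
    command_line: str


# Hypothetical allowlist of executables a workstation is expected to launch;
# anything not listed is treated the way an anti-executable tool would treat it.
ALLOWLIST: FrozenSet[str] = frozenset({
    "explorer.exe", "svchost.exe", "services.exe", "chrome.exe", "winword.exe",
})

# Parents that, in normal operation, do not create child processes at all.
NO_CHILD_PARENTS: FrozenSet[str] = frozenset({"lsass.exe"})


def evaluate(event: ProcessEvent, allowlist: FrozenSet[str] = ALLOWLIST) -> List[str]:
    """Return the list of findings for one record (empty list means no alert)."""
    findings: List[str] = []
    parent = event.parent.lower()
    child = event.child.lower()
    # Rule 1: an exploited service process spawning anything is suspicious on its own.
    if parent in NO_CHILD_PARENTS:
        findings.append(f"{parent} spawned {child}; this parent normally has no children")
    # Rule 2: allowlist check, the behaviour the thread attributes to VS.
    if child not in allowlist:
        findings.append(f"{child} is not on the allowlist")
    return findings


def scan(events: Sequence[ProcessEvent],
         allowlist: FrozenSet[str] = ALLOWLIST) -> Dict[int, List[str]]:
    """Map the index of every alerting record to its findings."""
    hits: Dict[int, List[str]] = {}
    for idx, event in enumerate(events):
        findings = evaluate(event, allowlist)
        if findings:
            hits[idx] = findings
    return hits


# Constructed sample records: two benign launches, one shaped like the
# lsass.exe -> rundll32.exe launch discussed above, one unknown binary.
SAMPLE_EVENTS = [
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("explorer.exe", "winword.exe", "WINWORD.EXE report.docx"),
    ProcessEvent("lsass.exe", "rundll32.exe", "rundll32.exe constructed_payload.dll,#1"),
    ProcessEvent("explorer.exe", "unknown_tool.exe", "unknown_tool.exe"),
]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the block flags record 2 twice (unexpected parent and unlisted child) and record 3 once (unlisted child only). The two rules are independent on purpose: the allowlist alone would also have stopped a rundll32.exe launch from a non-allowlisted location, while the parent rule still fires even when the child happens to be an allowlisted Windows binary.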