VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Is there going to be a forum ? :eek:
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, not a chance ;).
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,007
    :thumb: Good, I hate joining [new] forums. ;)
     
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    The thread here gives ample support, feedback and offers suggestions for development; Dan has more than proved he listens... It's a shame that individuals can run riot and contribute nothing other than abuse.
     
  5. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Agree 100%, that's why I asked him if he was going to add a forum to his new VoodooShield site.
    I tend to not say too much about it though, clubhouse1, because it does serve to show the true colors of those individuals
    and an informed reader learns a lot by watching it play out. PeAcE
    But you're right, I see Dan and his kindness to the communities he participates in, and it is hard for me not to reply in the manner
    that I want to. If nothing else it teaches me patience and tolerance.
     
  6. M3gatron

    M3gatron Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    41
    Location:
    ::1
    Thanks Dan, as the vulnerability currently exists on the client I trust the client would be updated as well right?
     
  7. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    842
    Location:
    Melbourne, Australia
    I didn't think it was that bad. I saw a lot of back and forth (not that I understood it all) that was typical of a bunch of techies banging heads. Anybody that has worked in the technology industry will recognise it as par for the course. It's usually followed by the marketing guy asking whether they have heard of Betamax.

    It was Meghan's elephant on a Spring night in NY that set me right. She has a gift.

    I do agree that it's better if people inform and demonstrate, i.e. video reviews, please. I would love to see more VS reviews on MT. CFW has a fan-base because of CS and her videos (Meghan definitely deserves an emerald bracelet from Melih). As I said before, VS could do with a Nastybrother equivalent ripping a video every month.
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Completely agree with that; all I found disgraceful was the name calling. Dan has proved time after time that he welcomes challenges from others that have a good if not profound understanding of Windows systems and its inherent weak spots, which may lead to VS covering those too... Anyway, it seems to be more peaceful now. I hope it stays this way, because I did find it ugly and pretty uninformative for a few days at least.
     
  9. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,151
    I have a question. Maybe someone has asked or even answered it. Can VS replace a traditional AV? Is it OK if I run it alongside AVG and AdGuard? Or is it overkill?
     
  10. guest

    guest Guest

    An AV is recommended to be used alongside VS, but this is not necessary; so if you use it alongside AVG and AdGuard, it is fine.
     
  11. plat1098

    plat1098 Guest

    Has everyone seen the new VoodooShield webpage? Very professional-looking! VS is on its way to the mainstream market, you can tell. The thing is, if you've been using VS for a while, you kind of miss the "old-fashioned" web page that had a more personal atmosphere about it. :'(
     
  12. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    157
    Location:
    West Oz
    No... it's still the same one I've been checking out for several months. OTOH, my today is actually your tomorrow if you're in the USA. It's 2-6-2017@20:23 here.
     
  13. plat1098

    plat1098 Guest

    This one?
    https://voodooshield.com/
    I guess I rely exclusively on this thread for all the essential info so I must be seriously behind the times. :)
     
  14. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    157
    Location:
    West Oz
    Da.

    Nyet. Only 24 hours :p
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Looks same as old one to me too. What has changed?
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, yeah, the site on our main domain is still the same... the new site is on a different temporary domain until we move it over, but there is still some more work we need to do.

    But even after we move it, it is still going to look the same ;). For now anyway.

    Have a great weekend guys, thank you for all of your help!
     
  17. guest

    guest Guest

    @VoodooShield the new site look good, especially the picture :p
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, that is a killer monitor huh? It even has magical wireless cables ;).
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,805
    Location:
    UK
    Bottom of the webpage still says 2016 :)
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I might as well just wait until 2018 now ;). Kind of like when I do not adjust any of my clocks for daylight savings time, hehehe.
     
  21. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    you may want to delete older pages from 2011 :)
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, the new site is ALL cleaned up and secure (so these old pages will go away)... we just have to finish up a few things.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    Well, that's the thing that's not 100% clear. Some say that VS didn't block DP in the video, but VS blocked the payload it tried to load. In order to load the payload, it apparently had to spawn rundll32.exe, and that's what VS blocked. Basically, security tools had 3 opportunities to block this attack: they could block either EternalBlue or DoublePulsar or WannaCry. VS and ERP would have probably blocked WannaCry.

    I just see MRG has updated their article, now HMPA and SentinelOne are also included. I wish they publicized a list of all tools that passed and failed to block this attack, because there is no excuse for failing to protect, especially for security suites and next gen AV's.

    But they mention that in the future these attacks might involve the usage of an "in-memory Meterpreter", I assume that all encryption would then be done from inside a system process like lsass.exe, and that would be hard to stop. Perhaps only a dedicated anti-ransom tool that watches for suspicious file modification would be able to tackle this.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS blocked the exploit EB from spawning the malicious payload DP. I did not even include WannaCry in the test... that was not the point of the test. The point of the test was to duplicate the MRG test as closely as possible, to see if the malicious payload DP was in fact blocked.

    Since VS blocked the exploit EB from spawning DP in this attack, there is a high probability that our mechanism is sound, and we have nothing to worry about... but if you find a sample, I would be happy to test.

    I am assuming that if someone wanted to enhance this attack, they would include the encryption code in DP, and have their way with a lot of systems. Probably what happened with WannaCry is that the malware authors were lazy, and it was easier for them to just use DP's built in tools to execute WannaCry, instead of building it into DP itself... but this is just a guess.

    It looks like everyone understands what happened now... here is an extended discussion if you are interested: https://malwaretips.com/threads/ete...on-whitelisting-test.72049/page-7#post-636492

    Where is anyone saying that VS did not block DP?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    OK, so you're saying that in order to load DP, it had to run rundll32.exe? I assumed exploits didn't necessarily have to spawn child processes in order to load a backdoor that runs inside the exploited process, which in this case was lsass.exe.

    Yes, this is what wasn't clear to me, because there is a lot of talk about file-less malware, but apparently it's a lot easier to simply run malware from disk, instead of from in-memory.

    I believe that is what guest and mWave claimed, and it's also not really clear to me. But it's not a big deal to me, as long as the WannaCry payload was blocked in the end. And thanks for the link.
     
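The exchange in the last three posts turns on one observable: the DoublePulsar stage became visible (and blockable) when the exploited lsass.exe spawned rundll32.exe to run the payload. The following is an added example, not code from the thread or from VoodooShield, showing how a defender can look for that same process-ancestry signal in endpoint telemetry. It assumes Sysmon-style process-creation events (EventID 1, with Image, ParentImage and CommandLine fields) flattened to key=value lines; the log lines are constructed for the example, and the rule that lsass.exe has no legitimate child processes is the example's own baseline.

```python
"""
Added detection example: flag process-creation events where lsass.exe
(the exploited process named in the thread) spawns any child process.
Field names follow a Sysmon Event ID 1 layout as an assumption; the
sample log is constructed for this example.
"""
import ntpath
import re
from typing import Dict, List

# Parent processes that should not create children on a healthy host,
# mapped to the children that are tolerated anyway. lsass.exe is the
# process the thread names; the empty set means "no legitimate children"
# for the purpose of this example (assumed baseline, tune per estate).
EXPECTED_CHILDREN: Dict[str, frozenset] = {"lsass.exe": frozenset()}

# key=value pairs; a quoted value may contain spaces (command lines do).
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry: one benign service start, one lsass.exe
# spawning rundll32.exe with a DLL from a temp directory, one user app.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 Image=C:\Windows\System32\rundll32.exe ParentImage=C:\Windows\System32\lsass.exe CommandLine="rundll32.exe C:\Windows\Temp\x.dll,0"
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping value quotes."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_anomalous_spawns(log: str) -> List[Dict[str, str]]:
    """Return one alert per process-creation event whose parent is a
    protected process and whose child is not on that parent's allow list."""
    alerts: List[Dict[str, str]] = []
    for line in log.splitlines():
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue  # skip blank lines and non process-creation events
        parent = image_name(event.get("ParentImage", ""))
        child = image_name(event.get("Image", ""))
        if parent in EXPECTED_CHILDREN and child not in EXPECTED_CHILDREN[parent]:
            alerts.append({
                "parent": parent,
                "child": child,
                "cmdline": event.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalous_spawns(SAMPLE_LOG):
        print(f"ALERT {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

Run against the constructed log this raises exactly one alert, for the lsass.exe to rundll32.exe event, and stays quiet on the services.exe and explorer.exe lines. The same rule, expressed in whatever query language the SIEM or EDR uses, catches the step the thread describes regardless of which payload the spawned rundll32.exe goes on to load, which is why parent-child anomalies on core system processes are a more durable signal than a hash of any one sample.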