Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
On VS thread at calendar of updates
dan confirmed it?
BTW, I have been away lately for several reasons. Some were personal reasons, and some had to do with VS. To make a very, very long story short… since the beginning, I have always wanted to try to make VS “Free” to everyone (this does not necessarily mean open-source, but then again it might… it depends on the scenario)
seems he did. thanks for the post. dan is a very good guy. appreciate his efforts.
Yes, but no news since January.
I thought he would have made VS free for everyone with v.5, but it seems he hasn't
There is and has always been a free version & a Pro version. Why should the features in the Pro version be free? Dan should get remuneration for all his hard work.
I kinda agree, I was just reporting Dan's own words...
Dan would like to, but will it ever happen who knows? He has to keep his investors happy right?
whether or not vs goes free of charge, he deserves the support.
That would be awesome! Although, I personally hope that he just lowers the price a bit. It used to start at $20 USD a year, now it's about $30 USD a year...per device
You may email Dan @ VS and ask him about multi-year pricing options as he may be flexible.
I agree with @imuade @Triple Helix and others who believe supporting a startup or small developer is a good thing. I'm a Pro user myself and feel it's more than worth it - especially compared to some other software.
Well yeah, VS was the only whitelisting security that could stop the EternalBlue exploit kit. Of course, Comodo was proven once again to be able to stop any payload delivered by any exploit kit, as was seen in the YouTube video Comodo linked to on their website when WannaCry happened, but still, stopping something as nasty as EternalBlue right when it starts, completely halting it from doing anything at all, is well worth the $60 USD I pay every year.
And unlike most antivirus companies, VS responds promptly to emails from their paid users with solutions to the problem.
Lol, learn your facts. Neither VS nor any anti-exe without a pure anti-exploit component could stop EternalBlue; EB is an SMB1 network vulnerability over which classic anti-exe has no influence (only a firewall or the system being patched stops EB propagation), nor did they stop DoublePulsar, which exploits lsass.exe to get SYSTEM privileges. However, what VS and other default-deny tools can do is block the following reverse remote connection (using rundll32.exe) to the attacker's system, preventing him from uploading more offensive tools like WannaCry, Mimikatz and co.
So to sum up:
Stage 1 - EternalBlue: blocked by system patch or firewalls.
Stage 2 - DoublePulsar: blocked by pure anti-exploits or software that can prevent memory code injection.
Stage 3 - reverse remote connection or else: any post-exploitation software (aka default-deny, like VS, ERP, etc.) that blocks executables.
Attacks like EB/DP have an attack chain that uses several methods; blocking the last method does not mean you blocked the whole chain. The previous damage was already done; the only thing you did was prevent further damage, but the system is already compromised.
Using an analogy: just because your seatbelt prevented your head from hitting your windshield, it doesn't mean the car accident never happened.
P.S.: expecting some trashing now
I have to agree with @guest that monitoring rundll32.exe and other vulnerable processes is not unique to Voodooshield. Most anti-exe programs do that.
But I don't think most people care so much whether we call it exploit protection or post-exploit protection. Most folks just want protection, whatever you call it...
Indeed, but saying it stopped EternalBlue when EB is a network vulnerability is incorrect. I have no grudges against VS despite what Dan believes; I just like the correct info being said. I did the same with AppGuard when people overestimated what it does. Improving software is done by telling what it does, what it doesn't, and what it needs to get better.
Well, from what I understand, CIS's HIPS monitors and protects Windows system files like all that were mentioned in those two posts just now... if that's even relevant.
What I said was based off a video on Voodooshield's YouTube channel (since taken down) in which Voodooshield and a few other whitelisting and anti-EXE type programs were being tested in unpatched Win7 VMs against the EB exploit being launched from a Kali Linux host OS.
I guess the real problem is I don't really know the way an exploit kit really works. All I really know is that it's a means of dropping malware on a system without having to trick the user into clicking on a file.
I've never been able to get a straight answer on what kind of process an exploit usually makes use of. Is it a command line? If so, are DLL injections and fileless malware under the umbrella of the definition of an exploit?
1. Comodo Firewall does not have strong monitoring for rundll32 unless you run it in paranoid mode, which would disturb the average user so deeply that he or she would never turn on their computer again.
2. The term "exploit" means that malware finds a weakness in an otherwise innocent program or process, and "exploits" the vulnerability with malicious intent. For instance, you open a weaponized Word document, and the malware finds a hole in Word so it can break out and do damage. How exactly the malware now goes and perpetrates the damage could be in many different ways.
Would it pay to add certain entries to the list of protected objects in CIS? Also, I guess it's good to have voodooshield on my system then, huh?
And what's the definition of "strong monitoring" here?
In CIS, you can mark the two instances of rundll32 as "unrecognized", and if you have HIPS enabled, you will get prompts, and you can define the rules you prefer. But "protected objects" won't do what you are looking to do.
Strong monitoring means that you will get prompts or blocks every time rundll32 runs, except for the whitelisted command lines.
Strong monitoring means also that you can define which command lines are allowed. For instance, with other security programs (NVT EXE Radar Pro or Voodooshield or ReHIPS or Bouncer) I can allow Chrome to call rundll32 in order to load my HP print-to-fax driver, but if Chrome tries to run rundll32 for any other purpose, it will be blocked. That's good control, and it is very hard to do it with CIS.
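The parent-process and DLL-scoped rundll32 control described above (and the Stage 3 default-deny point earlier in the thread) can be expressed as a small policy check over process-creation events. This is an added illustration, not code from any of the products named; the allow-list paths, DLL names and sample events are constructed for the example.

```python
import re
import ntpath

# Approved (parent image, DLL path, export) triples, e.g. Chrome invoking
# rundll32 for a print-to-fax driver. Paths are constructed for this example.
ALLOWED_RUNDLL32 = {
    (r"c:\program files\google\chrome\application\chrome.exe",
     r"c:\windows\system32\hpfaxdrv.dll", "printtofax"),
    (r"c:\windows\explorer.exe",
     r"c:\windows\system32\shell32.dll", "control_rundll"),
}

# User-writable directories from which rundll32 should never load a DLL.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

# rundll32 syntax: <rundll32 path> <dll>,<entry> [args]; the DLL may be quoted.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) in lower case, or None if not rundll32 syntax."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll")).lower(), m.group("entry").lower()

def decide(event):
    """Classify one Sysmon-style process-creation event: 'allow', 'block' or 'prompt'."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return "allow"                      # policy only concerns rundll32
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return "prompt"                     # no DLL given or malformed: ask the user
    dll, entry = parsed
    if any(d in dll for d in SUSPICIOUS_DIRS):
        return "block"                      # DLL staged in a user-writable directory
    if "\\" not in dll:
        return "prompt"                     # bare name depends on DLL search order
    if (event["ParentImage"].lower(), dll, entry) in ALLOWED_RUNDLL32:
        return "allow"
    return "prompt"                         # default-deny: unknown parent/DLL/export

def audit(events):
    return [decide(e) for e in events]

SAMPLE_EVENTS = [  # constructed events; expected: allow, block, prompt
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\hpfaxdrv.dll",PrintToFax'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\upd.dll,#1'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
```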
EB is a kernel exploit; no software can stop it. Only a patch made by MS, and that is what was done.
IMHO Voodooshield is much better than Comodo in vulnerable process protection. That's what you need to fight fileless malware.
Amen to that! +1
So fileless malware IS an exploit...I always wondered about that.
Also, in CIS I enabled "embedded code detection" for all of the Windows EXEs that CIS protects by default. I even added a few Windows EXEs to that menu. Thanks for the information.
Well, I primarily have Comodo to force my VPN upon all of my daily used applications. I like Voodooshield because of how stupid-simple it is. There's no BS in it at all. I've been considering switching to Comodo Firewall, because the antivirus makes it into a resource hog and all I really want Comodo for is the application whitelisting and the virtual desktop mode for when my friend wants to use the PC.
The instant that Sandboxie implements a virtual desktop mode, Comodo is gone.
Will never happen; however, ReHIPS does, it is its main feature: isolation via virtual desktop/user profiles.