VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
On the VS thread at Calendar of Updates.
     
  2. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,592
Dan confirmed it?
     
  3. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    https://calendarofupdates.org/index.php?topic=770.1275
    Reply 1279
    BTW, I have been away lately for several reasons. Some were personal reasons, and some had to do with VS. To make a very, very long story short… since the beginning, I have always wanted to try to make VS “Free” to everyone (this does not necessarily mean open-source, but then again it might… it depends on the scenario)
     
  4. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,592
Seems he did. Thanks for the post. Dan is a very good guy; appreciate his efforts.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
Yes, but no news since January.
    I thought he would have made VS free for everyone with v5, but it seems he hasn't.
     
    Last edited: May 25, 2019
  6. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,614
    Location:
    South Wales, UK
    There is and has always been a free version & a Pro version. Why should the features in the Pro version be free? Dan should get remuneration for all his hard work. :eek:

    Just saying ;)
     
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    I kinda agree, I was just reporting Dan's own words...
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
Dan would like to, but will it ever happen? Who knows? He has to keep his investors happy, right?
     
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    3,592
Whether or not VS goes free of charge, he deserves the support. :thumb:
     
  10. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
That would be awesome! Although, I personally hope that he just lowers the price a bit. It used to start at $20 USD a year; now it's about $30 USD a year... per device.
     
  11. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    455
    Location:
    Milan, Italia
    You may email Dan @ VS and ask him about multi-year pricing options as he may be flexible. ;)

I agree with @imuade, @Triple Helix and others who believe supporting a startup or small developer is a good thing. I'm a Pro user myself and feel it's more than worth it, especially compared to some other software. :thumb:
     
  12. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
Well yeah, VS was the only whitelisting security that could stop the EternalBlue exploit kit. Of course, Comodo was proven once again to be able to stop any payload delivered by any exploit kit, as was seen in the YouTube video Comodo linked to on their website when WannaCry happened, but still, stopping something as nasty as EternalBlue right when it starts, completely halting it from doing anything at all, is well worth the $60 USD I pay every year.

    And unlike most antivirus companies, VS responds promptly to emails from their paid users with solutions to the problem.
     
  13. guest

    guest Guest

Lol, learn your facts. Neither VS nor any anti-exe without a pure anti-exploit component could stop EternalBlue. EB is an SMB1 network vulnerability over which a classic anti-exe has no influence (only a firewall or the system being patched stops EB propagation), nor could they stop DoublePulsar, which exploits lsass.exe to get SYSTEM privileges. However, what VS and other default-deny tools can do is block the following reverse remote connection (using rundll32.exe) to the attacker's system, to prevent him from uploading more offensive tools like WannaCry, Mimikatz and co.

    So, to summarize:

    Stage 1 - EternalBlue: blocked by a system patch or firewalls.
    Stage 2 - DoublePulsar: blocked by pure anti-exploits or software that can prevent memory code injection.
    Stage 3 - reverse remote connection or similar: any post-exploitation software (aka default-deny, like VS, ERP, etc.) that blocks executables.

    Attacks like EB/DP have an attack chain that uses several methods; it is not because you block the last method that you block the whole chain. The previous damage was already done; the only thing you did is prevent further damage, but the system is already compromised.
    Using an analogy: it is not because your seatbelt prevented your head from hitting the windshield that the car accident suddenly never happened.

    p.s: expecting some trashing now :argh::argh::argh::rolleyes:
     
    Last edited by a moderator: May 27, 2019
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
I have to agree with @guest that monitoring rundll32.exe and other vulnerable processes is not unique to VoodooShield. Most anti-exe programs do that.

    But I don't think most people care so much whether we call it exploit protection or post-exploit protection. Most folks just want protection, whatever you call it...
     
  15. guest

    guest Guest

Indeed, but saying it stopped EternalBlue, when EB is a network vulnerability, is incorrect. I have no grudges against VS, despite what Dan believes; I just like the correct info being said. I did the same with AppGuard when people overestimated what it does. Improving a software is done by telling what it does, what it doesn't, and what it needs to get better.
     
    Last edited by a moderator: May 27, 2019
  16. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
Well, from what I understand, CIS's HIPS monitors and protects Windows system files like all those that were mentioned in those two posts just now... if that's even relevant.

    What I said was based off a video on VoodooShield's YouTube channel, which has since been taken down, in which VoodooShield and a few other whitelisting and anti-EXE type products were being tested in unpatched Win7 VMs against the EB exploit, which was being launched from a Kali Linux host OS.

    I guess the real problem is I don't really know the way an exploit kit really works. All I really know is that it's a means of dropping malware on a system without having to trick the user into clicking on a file.

    I've never been able to get a straight answer on what kind of process an exploit usually makes use of. Is it a command line? If so, are DLL injections and fileless malware under the umbrella of the definition of an exploit?
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
1. Comodo Firewall does not have strong monitoring for rundll32 unless you run it in paranoid mode, which would disturb the average user so deeply that he or she would never turn on their computer again. :)

    2. The term "exploit" means that malware finds a weakness in an otherwise innocent program or process, and "exploits" the vulnerability with malicious intent. For instance, you open a weaponized Word document, and the malware finds a hole in Word so it can break out and do damage. How exactly the malware now goes and perpetrates the damage could be in many different ways.
     
  18. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
Would it pay to add certain entries to the list of protected objects in CIS? Also, I guess it's good to have VoodooShield on my system then, huh?

    And what's the definition of "strong monitoring" here?
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    In CIS, you can mark the two instances of rundll32 as "unrecognized", and if you have HIPS enabled, you will get prompts, and you can define the rules you prefer. But "protected objects" won't do what you are looking to do.

    Strong monitoring means that you will get prompts or blocks every time rundll32 runs, except for the whitelisted command lines.

Strong monitoring also means that you can define which command lines are allowed. For instance, with other security programs (NVT EXE Radar Pro or VoodooShield or ReHIPS or Bouncer) I can allow Chrome to call rundll32 in order to load my HP print-to-fax driver, but if Chrome tries to run rundll32 for any other purpose, it will be blocked. That's good control, and it is very hard to do it with CIS.
     
    Last edited: May 27, 2019
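The parent-plus-command-line rule described in the post above (allow Chrome to start rundll32 only for one specific DLL, block every other rundll32 launch) can be modelled as a small default-deny evaluator. This is an added example, not code from VoodooShield, CIS or any product named in the thread; the Chrome and fax-driver paths, the allowlist and the sample process-creation events are all constructed for illustration.

```python
import re

# Constructed allowlist modelled on the rule described above: Chrome may launch
# rundll32 only to load one specific DLL (hypothetical HP fax driver path); any
# other rundll32 command line, from Chrome or an unlisted parent, is blocked.
ALLOWLIST = {
    r"c:\program files\google\chrome\application\chrome.exe": {
        r"c:\windows\system32\spool\drivers\x64\3\hpfaxdrv.dll",
    },
}

# Matches "rundll32"/"rundll32.exe", optionally path-qualified and quoted, and
# captures the remainder: DLL path, entry point and arguments.
RUNDLL32_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)

def parse_rundll32_cmdline(cmdline):
    """Return (dll_path_lowercase, entry_point), or None if not a rundll32 call."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                  # quoted DLL path (may contain spaces)
        end = rest.find('"', 1)
        if end == -1:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                     # unquoted: DLL ends at the first comma
        dll, _, tail = rest.partition(",")
    tail = tail.strip().lstrip(",").strip()
    entry = tail.split()[0] if tail else ""
    return dll.strip().lower(), entry

def decide(parent_image, image, command_line, allowlist=ALLOWLIST):
    """'pass' for non-rundll32 children; otherwise 'allow' or 'block' (default deny)."""
    if not image.lower().endswith("rundll32.exe"):
        return "pass"
    parsed = parse_rundll32_cmdline(command_line)
    if parsed is None:
        return "block"                        # unparseable rundll32 call: deny it
    allowed_dlls = allowlist.get(parent_image.lower(), set())
    return "allow" if parsed[0] in allowed_dlls else "block"

# Constructed sample process-creation events: (parent image, image, command line).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    (CHROME, RUNDLL, r'rundll32.exe "C:\Windows\System32\spool\drivers\x64\3\hpfaxdrv.dll",DllMain'),
    (CHROME, RUNDLL, r"C:\Windows\System32\rundll32.exe C:\Users\Public\update.dll,Run"),
    (r"C:\Windows\explorer.exe", RUNDLL, r"rundll32.exe shell32.dll,Control_RunDLL"),
]
```

Running `decide(*event)` over `SAMPLE_EVENTS` yields allow for the fax driver, block for the unknown DLL, and block for explorer.exe, which has no rule at all; a real product would feed the same three fields from its process-creation hook.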
  20. guest

    guest Guest

EB is a kernel exploit; no software can stop it. Only a patch made by MS, and that is what was done.
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
IMHO VoodooShield is much better than Comodo in vulnerable process protection. That's what you need to fight fileless malware.
     
  22. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,614
    Location:
    South Wales, UK
    Amen to that! +1 :thumb::thumb::thumb::thumb:
     
  23. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
So fileless malware IS an exploit... I always wondered about that.

    Also, in CIS I enabled "embedded code detection" for all of the Windows EXEs that CIS protects by default. I even added a few Windows EXEs to that menu. Thanks for the information.
     
  24. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
Well, I primarily have Comodo to force my VPN upon all of my daily used applications. I like VoodooShield because of how stupid-simple it is. There's no BS in it at all. I've been considering switching to Comodo Firewall, because the antivirus makes it into a resource hog, and all I really want Comodo for is the application whitelisting and the virtual desktop mode for when my friend wants to use the PC.

    The instant that Sandboxie implements a virtual desktop mode, Comodo is gone.
     
  25. guest

    guest Guest

Will never happen; however, ReHIPS does. It is its main feature: isolation via virtual desktops/user profiles.
     