VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    So just uninstall the AV component, and use something lighter and more effective, instead. Go with the free AV of your choice + Comodo Firewall.
     
  2. guest

    guest Guest

    No! An exploit is an exploit, malware is malware. Different things. Now binaries can deliver exploits.
     
  3. guest

    guest Guest

    What do you mean by that?
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    1 Fileless malware, unpatched vulnerabilities, exploits, LOL bins -- these terms are often mentioned in the same breath. But they are not identical.
    Fileless malware is very happy when it finds an unpatched vulnerability in a program, because then it can exploit that vulnerability in order to do things such as run a LOL bin.

    2 If you have Voodooshield, you don't need to enhance Comodo's embedded code detection. Embedded code detection works better for some processes than for others. For certain processes, it might not work at all. It needs proper testing, which has never been done as far as I know; I can only comment based on my own very limited experiences with it.
    Comodo is built to protect against file-based attacks. Embedded code detection attempts to catch the command lines in fileless attacks and turn them into files, so Comodo can handle them.
     
  5. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    I've seen a handful of videos where Comodo Firewall was tested against fileless malware with HIPS enabled. Nothing got through, at least not without the tester purposefully clicking "allow" LOTS of times. That was with the default settings as far as I know.

    Comodo Firewall and CIS on proactive security, with all of the options to "do not show popup alerts" enabled and set to "block requests" and with the container settings set to block instead of sandbox, has never failed to stop malware in any testing I've done on my own VMs either. It really is the best free security suite. And if you enable embedded code detection for everything that's there by default in the script settings, the HIPS is even beefier than before.

    Still, VoodooShield is easier to figure out if you're not an advanced user. The prompts it gives you are much easier for a normal user to understand, but with CIS and CFW you kind of need to know quite a few things in advance if you expect it to work well for you. You have to research things about it on Comodo's forums and read up on the FAQ on their site.

    Like I said previously in this thread, I primarily use Comodo to force my VPN upon my daily used applications, but the application whitelisting, the behavioral analysis from its VirusScope component and the HIPS are all just a plus on top of VoodooShield.
     
  6. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    I entered the MAC address of my VPN into Comodo's list of networks and created a ruleset that forces any applications I label with that ruleset to only be able to connect to the internet through my VPN. That way, if my VPN client crashes, or doesn't open on system startup for some reason, I don't accidentally connect and start browsing without my VPN turned on.
     
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    Yeah, Comodo's virus database kinda sucks. Usually it only gets 60% to 70% detection of 7 to 14 day old malware. The whitelisting, HIPS, firewall, web filter and behavioral analysis from their VirusScope component are the main reason why people use it.
    Their web filter is pretty good though.
     
  8. guest

    guest Guest

    I see, my VPN does that automatically: auto killswitch.
     
  9. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    Yes, my VPN has a killswitch too, but killswitch features in VPN clients only work when the client is still running while it's disconnected from one of its servers. I've set up Comodo's firewall to be a secondary killswitch that will work even when my VPN's client isn't running. So on the slim chance of the VPN client crashing or failing to start at system startup, I have a little bit of anti-idiot protection on my PC.
     
  10. guest

    guest Guest

    Mine cuts the internet until the client runs properly. I guess it depends on the VPN.
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,192
    I'm using Windscribe and its killswitch (or firewall, as it calls it) blocks all internet traffic when disconnected, regardless of whether their client is running or not. But with some VPNs, the killswitch only works when the client software is running, making it close to useless in my opinion.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    How does one test fileless malware? It's hard to find, and even harder to define. Most YouTube testers are testing script files; that is what Comodo is good at blocking, and in truth, that is the common variety that the average user should be worried about. In real life, Comodo will protect. I was talking more about the virtues of Voodooshield regarding the "what if" type of scenario, where the system is attacked by an advanced fileless malware.
     
    Last edited: May 28, 2019
  13. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    Oh... Well, I also... almost compulsively run everything I use under the supervision of Sandboxie, basically everything except for my games, which would certainly protect from fileless malware, even if it only contains it.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    You could get by with less security software. @guest's killswitch idea solves your VPN problem, so you can ditch Comodo. Your signature says you have SAP, which you also don't need because you have plenty of protection without it. I will not comment on Sandboxie because there are enough threads on that hotly debated issue already.
    All you need is Voodooshield + Windows Defender (tweaked by ConfigureDefender, if you want to be super-secure).
     
  15. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    Windows Defender kind of sucks. It gets good detection, but it makes my boot time longer.

    @guest didn't really have an idea for a killswitch other than to use the one built into my VPN client. I explained why I use Comodo Firewall to enforce my VPN.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    Try it with only Defender + Voodoo, or only Defender + Comodo Firewall, and tell me if the boot time is still longer.
    I think it will be shorter. Practically speaking, you are well protected whether you choose Voodoo or you choose CF, since you obviously know how to configure CF.
     
    Last edited: May 29, 2019
  17. davisd

    davisd Registered Member

    Joined:
    Feb 2, 2016
    Posts:
    19
    Location:
    Latvia
    1. TRUE or FALSE

    The command line:

    RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9909

    is safe or malicious?

    2. TRUE or FALSE

    A kernel exploit led to the above rundll32 command line and is now persistent on the system?

    3. TRUE or FALSE

    The system is compromised?

    4. TRUE or FALSE

    The command line:

    "C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"

    is safe or malicious?

    Same questions 2 and 3 above about the presence of an exploit and compromised system.

    Here is the answer for amateurs:

    "Just because a security software stops or blocks something does not mean that the system is not compromised (is not necessarily safe to use). Unless a security software completely prevents any exploit in and of itself, the system is compromised and now needs remediation. Exactly what remediation depends upon the nature of the exploit. In the case of Double Pulsar\Eternal Blue, by the time an alert for rundll32 appears, the system is compromised with a persistent kernel exploit. If you, as the user do not realize this, once you disable your security software, the system can be even further compromised. Alerts don't mean a thing if the user does not know what they mean (and does not take proper actions) or the user selects "Allow" or the user disables the protection at any point after the alert. By the time COMODO or Voodooshield throw alerts, the system is already compromised in the case of kernel exploits. Neither one prevents EB\DP; the system is compromised."
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    Good points.
    1 Any intelligent person who sees that malware is trying to run commands on his computer will clean his system, or reinstall it, or restore a system image, each according to his own tastes.

    2 Kernel exploits are rare, and we cannot realistically expect our security software to stop them. At best, security softs can mitigate damage until the system is cleaned up.
     
  19. davisd

    davisd Registered Member

    Joined:
    Feb 2, 2016
    Posts:
    19
    Location:
    Latvia
    How do you spot malicious commands being run?
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    Using the example you gave, our security soft is prompting us that rundll32 suddenly wants to do something strange and unexpected. Our security soft could be Voodooshield, ERP, ReHIPS, etc.
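    To make davisd's question and this answer concrete: below is an added example (not code from the thread or from any of the products discussed) that triages the two rundll32 command lines quoted above, the way a defender's log review or a HIPS-style rule might before a prompt is even raised. It assumes a constructed allowlist of known-benign module/export pairs and a constructed set of trusted module directories; both are placeholders to be extended per environment.

```python
"""Triage rundll32 command lines from process-creation events (added example, not from the thread)."""
import re
from pathlib import PureWindowsPath

# Assumption: module/export pairs with a well-known legitimate use; extend this per environment.
KNOWN_BENIGN = {("inetcpl.cpl", "clearmytracksbyprocess"), ("shell32.dll", "control_rundll"),
                ("user32.dll", "lockworkstation")}
SYSTEM32 = "c:\\windows\\system32\\"
# Where rundll32 is normally expected to load modules from (trailing separator blocks prefix tricks).
TRUSTED_DIRS = (SYSTEM32, "c:\\windows\\syswow64\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_rundll32(cmdline):
    """Return (module, export, args) for a rundll32 invocation, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]  # quote-aware split
    if len(tokens) < 2 or PureWindowsPath(tokens[0]).name.lower() not in ("rundll32", "rundll32.exe"):
        return None
    module, _, export = tokens[1].partition(",")  # rundll32 takes "<module>,<export>" as first argument
    return module, export, tokens[2:]

def triage_rundll32(cmdline):
    """Classify one command line as benign / review / suspicious, with the reasons found."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    module, export, _args = parsed
    path = PureWindowsPath(module)
    if path.parent == PureWindowsPath("."):  # bare module name: rundll32 resolves it from System32
        path = PureWindowsPath(SYSTEM32) / path
    full = str(path).lower()
    if (path.name.lower(), export.lower()) in KNOWN_BENIGN and full.startswith(SYSTEM32):
        return {"verdict": "benign", "reasons": []}
    reasons = []
    if path.suffix.lower() not in (".dll", ".cpl"):
        reasons.append(f"module has non-DLL extension '{path.suffix}'")
    if not full.startswith(TRUSTED_DIRS):
        reasons.append(f"module loaded from untrusted location {full}")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal {export}")
    return {"verdict": "suspicious" if reasons else "review", "reasons": reasons}

# Constructed sample events: the two command lines quoted in the thread plus two made-up ones.
SAMPLE_CMDLINES = [
    r"RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9909",
    r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\update.dll,DllRegisterServer',
    r"C:\Windows\System32\notepad.exe C:\notes.txt",
]

def triage_all(cmdlines=SAMPLE_CMDLINES):
    return {c: triage_rundll32(c) for c in cmdlines}
```

The first command line resolves to a known-good module in System32 and comes back benign; the second is flagged three times (a .dat module, loaded from outside the trusted directories, called by ordinal), which is exactly the kind of "strange and unexpected" rundll32 activity a prompt should be raised for.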
     
  21. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    I've done testing already. My boot time with my current setup (as is displayed in the signature on the timestamp of this post) is 12 seconds or less. When I was using Windows Defender with CFW, my boot time was anywhere between 17 and 25 seconds. WD's RAM and CPU usage is piggish and clunky too, and often caused slowdowns and temporary freezing of certain apps while they were loading things. My load times in online games were slightly longer when using WD too.

    With S.A.P. I can disable cloud uploading temporarily while I play games online. CFW doesn't auto-upload anything besides EXEs, DLLs, scripts, SYS files and that sort of thing, and Voodoo doesn't auto-upload anything at all. Sandboxie of course doesn't upload anything or use too many resources either.

    What I have might be ridiculous and overkill, but it works.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    You know best what works on your system. :)
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So it boots and runs, but does it really work?
     
  24. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    417
    Location:
    VPN city
    Again, I've done my own tests. It works.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What tests? Have you run malware against the setup? That is the only test that matters.
     