App Review Voodooshield Beta 3.43 "local Sandbox"

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Lucent Warrior

Thread author
Containment: Vmware Workstation Pro, version 12.5.0 build-4352439
Guest/OS: Windows 10 Pro, Version 1607, build 14393.222
Product: Voodooshield Beta 3.43, Default settings/Smart Mode
Type of Test: Dynamic
Number of Samples: 7
End total: 7/7
Additional Notes: In this video I am executing and turning a few of these loose in the Local Sandbox.
These are samples from today at MT, courtesy of @silversurfer

Sample "scrwin.exe" is detected by Portable Voodooai as being safe even though a quick stop at VT shows otherwise. This did not matter when executed, Voodooai in VS deemed it suspicious as well as 12 of the blacklist engines detecting it, and of course a quick look in Cuckoo's confirms it. All 7 samples were stopped from infecting the test system.


config.exe - 11/56
crypt.exe - 6/56
m787877311.exe - 7/56
malware.exe - 13/56
scrwin.exe - 12/56
update.exe - 14/56
wf238.exe - 7/56




 
hjlbx

Thread author
@Lucent Warrior what happens when you run safe files - like MS Office, browser, etc - in the VS Local Sandbox?

The reason I ask...

Webroot has a local sandbox, but every time you try to run a legitimate, known safe program in its sandbox - 99.5 % of the time those programs won't run in the sandbox either. So there is no way for a user to distinguish a safe from an unsafe program by running it in the Webroot sandbox. The Webroot sandbox does not provide any meaningful, useful feedback to the user.

Using COMODO sandbox, most safe programs will run - but sometimes they will misbehave - or won't run at all due to the heavily restricted access rights within the sandbox. Once again, there is no meaningful feedback to the user that a program is safe or unsafe - other than if it does not execute or terminates and the user fully understands COMODO sandbox's access rights. In other words, if a program\file does not run or terminates in COMODO sandbox, then it is an indication that the program\file is suspicious - but how many users know that?
 
LabZero

Thread author
Awesome and technical review with a ton of details regarding the tested samples! ;)
That's the professional review that I mean.
For sure we have an excellent and exhaustive presentation of the product, VS in this case, tested with ultrafresh and strong malware, ransomware & CO.
And at the end of the test, the system is clean!
IMO VS is a complete malware analysis lab, and I moved definitively towards it.
The Blacklist approach is obsolete, lateral thinking is the key, and VS runs this way.

Thanks @Lucent Warrior & @silversurfer.
 

_CyberGhosT_

WoW, you knocked that one out of the park, and made me use my last rolling paper, bastage :p
Seriously though, now you see why in so many posts I declare that VS is on my system first and foremost.
It's not particularly based off of a "blind faith" but this small piece of software is, to put it simply, "The Bee's Knees".
Thanks L'dub for a very educational video brother.
PeAcE
 
Lucent Warrior

Thread author
> @Lucent Warrior what happens when you run safe files - like MS Office, browser, etc - in the VS Local Sandbox?

Unlike CIS you cannot just right click/drop/add an application and launch it in VS's Local Sandbox. With most of the prompts I have seen so far from testing legit applications the option to sandbox has not been present, just block/quarantine/allow, this being because voodooai and the blacklist generally deem the file safe but still leave it up to the user whether to proceed with it or block/quarantine it. I will test this further by trying to find legit applications with just enough factors to hopefully initiate the option to sandbox.

I do know from testing it, that one cannot just terminate something running in the local sandbox without having to either kill the process manually via task manager/process explorer and/or restarting the test system and/or of course if the application self/auto terminates itself. It is something I mentioned to the Developer and he stated that currently this is correct but at a later time he may make adjustments/additions to the local sandbox.
 

askmark

> Unlike CIS you cannot just right click/drop/add an application and launch it in VS's Local Sandbox. With most of the prompts I have seen so far from testing legit applications the option to sandbox has not been present, just block/quarantine/allow, this being because voodooai and the blacklist generally deem the file safe but still leave it up to the user whether to proceed with it or block/quarantine it. I will test this further by trying to find legit applications with just enough factors to hopefully initiate the option to sandbox.

If you don't mind me asking but what legit applications are you testing? I'm getting the option to sandbox almost everything I test - trusted and untrusted.
 

askmark

> Standard apps like Ccleaner etc. I'm going to fire up the VM and do some more testing today, as I have focused mainly on stopping infections so far with my testing.

That's understandable as your focus is with malware. I do not test malware, only known and unknown, but legitimate applications.

This is what I get with CCleaner portable. The sandboxing itself didn't work in this instance because CCleaner wanted to elevate which was then blocked by VS.

[Screenshot: Voodooshield_ccleaner552.png]
 
Lucent Warrior

Thread author
@askmark, you were correct, after revisiting some of those applications in earlier testing I did, the option was there to sandbox, as in your present Blue screenshot above this in Post #10, a mistake on my part information wise, as I did not recall seeing it there from testing different Modes and the different pop ups that can occur. I have not tested many Legit applications as stated, and when I do, mostly it is on the Host machine and only a few in the guest, and I utilized the disable/install mode in the right click tray icon of VS for the Host.
I ran a handful of Legit applications with VS in default "smart Mode" and did receive some Normal pop ups with options to do all.

@hjlbx Your question seems to be answered in these few samples I ran, it appears they will mainly break and crash.

A glimpse....

 

cruelsister

The one issue that I have about the VS sandbox is that it really seems to be too restrictive in trying things out - but that may have been done deliberately by the developer - as the point is already made that the file may be dodgy he doesn't want it to be screwed around with. So maybe it's not that it is an issue, just that I'm overly critical.

Really nice production on the video, and Oh Man I wish I used that song before you did!!!!
 

FrFc1908

> The one issue that I have about the VS sandbox is that it really seems to be too restrictive in trying things out - but that may have been done deliberately by the developer - as the point is already made that the file may be dodgy he doesn't want it to be screwed around with. So maybe it's not that it is an issue, just that I'm overly critical.
>
> Really nice production on the video, and Oh Man I wish I used that song before you did!!!!

The music you use in your videos is ALWAYS epic sis!!!! ;)
 
