- Jan 27, 2018
- 1,396
CyberLockHi there is another company named CyberLock ,no big deal but just thought maybe people should know if they are googling that name
CyberLockHi there is another company named CyberLock ,no big deal but just thought maybe people should know if they are googling that name
Strange. Never had this issue. Just wondering, what do you define as "bad"?I swear I must be retarded. It seems like Cyberlock will allow me to run whatever application or script I want, and after that it asks me to whitelist it. I've tried this on things I know are bad and still Cyberlock lets me run it. I've tried using the "always on" and aggressive modes. It's like it asks for forgiveness rather than permission.
Edit - Maybe the new 7.72 will help?
Strange. Never had this issue. Just wondering, what do you define as "bad"?
Hmm, some security programs do have issues with scripts. Maybe Dan needs to comment on this.Well, I created a very basic script that aimed to just delete everything on c:\. It ran fine, then asked halfway through if I wanted to whitelist the script. I consider that bad.. The script deleted some stuff, that was not locked. But I quickly reimaged.
Since you are having this issue with both executables and scripts, my best guess is that you created a rule or custom folder that auto allows everything. It should tell you in the developer log why a file was allowed: C:\ProgramData\CyberLock\DeveloperLog.logI swear I must be retarded. It seems like Cyberlock will allow me to run whatever application or script I want, and after that it asks me to whitelist it. I've tried this on things I know are bad and still Cyberlock lets me run it. I've tried using the "always on" and aggressive modes. It's like it asks for forgiveness rather than permission.
Edit - Maybe the new 7.72 will help?
Actually, if you can parse the command line and also determine the primary parent process, there are some really cool things you can do, so that you do not have to block these file types globally, and you can allow what needs to be allowed, whether the script is in the user or system space.@Digmor Crusher
When a user runs a script which does not has a MOTW, what should an AI engine do? The program executing the script is legitimate (probably Microsoft signed). The commands used in the script are all legitimate programs running from UAC protected folder. The parent program is File Explorer also a Microsoft signed legitimate program and the user has started the sequence of actions him/herself. What is suspicious about these sequence of events?
The only effective counter measure is blocking scripts originating from external source (but then you shift the Achilles heel to the MOTW). A better (more solid, but dumber) counter measure would be to block scripts running in user folders.
This is what old-SWH does, it blocks scripts in user folders and allows executable's to run. Old-SWH has as default setting to apply these rules for standard users. I have used old SWH trouble free for years. New WHHL also has a SWH part (blocking scripts using software restriction policies), but the new version applies these rules for all users. I am running WHHL problem free for I think for three months now.
I stopped counting, but the vast majority of Cruel Sister's home brewed samples would be blocked by old SWH.
CyberLock utilizes hand written algorithms that have been refined over 13 years that are quite similar to a decision tree that a ML/Ai would produce, but no, there is no machine learning model involved, so it is not ML/Ai. This feature is also known as our Antimalware Contextual Engine.Do you use machine learning when analyzing parent-child process relationship to block a script.
You must have been reading my mind or have connections I do not know about .What are all the file types cyberlock protect against?
Not sure, I can look into this at some point, I am quite busy as the moment though, but thank you for the suggestion!Hi @danb ,
any chance adding, Control flow guard and Hardware-enforced Stack Protection on all cyberlock's processess.
A while back there was a conflict between Startup Boost and CyberLock, so we disabled Startup Boost when CyberLock was installed, and then enabled it when CyberLock was uninstalled. The conflict is probably resolved by now, so we can probably remove this at some point.Is there a way to stop Cyberlock from adding a registry that disables Edge's Startup boost every time I install/update the application.
Yeah, but they do physical security, and the name fit incredibly well, so we went with it.Hi there is another company named CyberLock ,no big deal but just thought maybe people should know if they are googling that name
Since you are having this issue with both executables and scripts, my best guess is that you created a rule or custom folder that auto allows everything. It should tell you in the developer log why a file was allowed: C:\ProgramData\CyberLock\DeveloperLog.log
But if we are only considering scripts, you might be running the script from a text editor or IDE, in which case CyberLock is designed not to block these events, that way developers can use our software without it interfering with their workflow. That is, most novices and intermediate users do not use text editors or IDE's to write code.
CyberLock has always been very capable in blocking all common, and even many lesser known scripts. With the new File Type feature, it covers even more scripts, but honestly it will not make a huge difference because most users do not have the additional script hosts on their machines, so the script would never run in the first place. But I figured, why not add them anyway, just to be safe, especially since CyberLock has this capability now.
What are the file types of the scripts that are not being blocked? If the file type is not included in our new File Type feature, then I will probably add it. But I would be surprised if it is not already on the list. That is why I am thinking that you inadvertently wrote a rule that auto allows everything.
Can you please email me this log (support at cyberlock.global): C:\ProgramData\CyberLock\DeveloperLog.logSorry, but no. I'm using default settings. I've even reset the whitelist. Still, I'm not getting notified about anything running. Everything is active, and notifications are turn on. I'm just not being prompted about anything prior to it running. If there a way you recommend I test this?
If you have issues in the future, please send me your logs and we can figure it out.I can't send those logs because I reimaged to before I did any damage. But I can tell you that the script files were .bat and .vbs. I do have multiple monitors but the notifications have always been on monitor 1, never 2 or 3. I just find it odd that I'm never asked about anything, not so much that the commands in the script were able to run but that the script itself was able to run. I can't see a new file having a verifiable whitecloud hash.