App Review Appguard vs Voodooshield


hjlbx

Once you whitelist a file in VS -- correct me if I am wrong -- it has no more restrictions and becomes a trusted installer. So the payload will have permission to execute.
That is not the case with AppGuard -- again, correct me if I am wrong.

You will have to confirm with the developer, but if I recall correctly, when using VS a child process does not inherit a "trusted" status from a parent process. In that case any "payload" should not be allowed to run automatically. VS' behavior - like NVT ERP's - is dependent upon the settings - for example automatically trust system processes.

Also, when programs are modified - for example via updates - VS will notify the user that the file has changed - do you want to allow it?
 

shmu26

You will have to confirm with the developer, but if I recall correctly, when using VS a child process does not inherit a "trusted" status from a parent process. In that case any "payload" should not be allowed to run automatically. VS' behavior - like NVT ERP's - is dependent upon the settings - for example automatically trust system processes.

Also, when programs are modified - for example via updates - VS will notify the user that the file has changed - do you want to allow it?
The dev has modified a lot of these inner workings as he moved from one build to another. I guess we would have to ask where things are holding at now.
 

SHvFl

The dev has modified a lot of these inner workings as he moved from one build to another. I guess we would have to ask where things are holding at now.
VS's default setting gives the same access to the child as to the parent. If you have Premium, you can change it, though, from Options > Advanced Settings.
 
hjlbx

"Automatically allow by parent process (disable if you are using a web app that is not listed in the Web Apps tab)"

The way I interpret this setting is that - if enabled - an exploited browser that's included in the Web Apps tab is going to run riot on the system; malware is going to inherit the parent's allowed status and execute.

That's the way it reads...
 

shmu26

"Automatically allow by parent process (disable if you are using a web app that is not listed in the Web Apps tab)"

The way I interpret this setting is that - if enabled - an exploited browser that's included in the Web Apps tab is going to run riot on the system; malware is going to inherit the parent's allowed status and execute.

That's the way it reads...
I asked Dan over on the other forum for some clarification about parent/child processes.
The way he once explained it to me, it sounded like the whole protection hinged on blocking the dropper, which executes in "user land", as he calls it. But it could be things changed, and it could well be I never understood him right in the first place.
 
Lucent Warrior

I asked Dan over on the other forum for some clarification about parent/child processes.
The way he once explained it to me, it sounded like the whole protection hinged on blocking the dropper, which executes in "user land", as he calls it. But it could be things changed, and it could well be I never understood him right in the first place.

His response was something along these lines below.

1. Non-Whitelisted Processes: Let’s say for example you have a non-whitelisted app that needs to spawn powershell for some reason. Since it is not whitelisted, it will never get the chance to spawn powershell until it is whitelisted. So the way I see it, we can basically ignore this, and just assume that there is no reason to block powershell that is spawned from a non-whitelisted app, since it will never happen.

2. Whitelisted Processes: Let’s say for example you have a whitelisted app that needs to spawn powershell for some reason. I personally think that a whitelisted app should not be restricted in any way, because bad things can happen. Yeah, I know, VS has a local sandbox feature, but that is beside the point. To me, if a whitelisted process needs to spawn powershell, it should be able to do so whenever it needs to, and should never be restricted in doing so.

3. Processes spawned by web apps: This is where it gets interesting. A lot of exploits run shellcode that spawn powershell as a child process of a web app… this is extremely common. The problem is… many security products auto allow everything in the windows folder, and as a result have to “patch” this issue by adding a vulnerable process feature. The new method that VS uses fixes this in an even more secure and user-friendly way because it blocks ALL child processes of web apps in the Windows folder (except for 2-3 files that are necessary and happen to be difficult to exploit). So 3 months from now, when all of the malware authors start exploiting a new windows process, it does not have to be added to the vulnerable process list… it is simply going to be blocked because it is a child process of a web app (that is in the windows folder). As I mentioned… there are a few others that are outside of the windows folder, like java, flash, Silverlight, etc, but those are easy to hardwire in.
 
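As an added illustration (example code, not VoodooShield's own and not anything Dan wrote), here is a small Python model of the three parent/child rules quoted above, together with the "Automatically allow by parent process" setting discussed earlier in the thread. The exempt "necessary" file name, the hardwired plugin file names and the sample process events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed model of the parent/child rules Dan describes above; not VoodooShield code.
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
ASSUMED_NECESSARY = {"conhost.exe"}  # the "2-3 necessary files" exempt from rule 3 (name assumed)
HARDWIRED = {"java.exe", "javaw.exe", "flashplayer.exe", "silverlight.exe"}  # plugins "hardwired in" (names assumed)

@dataclass
class Policy:
    whitelist: set                # lower-case file names the user has allowed to run
    web_apps: set                 # lower-case names of programs on the Web Apps tab
    allow_by_parent: bool = True  # "Automatically allow by parent process", on by default

def decide(policy: Policy, parent_path: str, child_path: str) -> tuple:
    """Return (allowed, reason) for a parent process trying to start a child."""
    parent = PureWindowsPath(parent_path).name.lower()
    child_p = PureWindowsPath(child_path)
    child = child_p.name.lower()
    # Rule 1: a non-whitelisted parent was never allowed to run, so it spawns nothing.
    if parent not in policy.whitelist:
        return False, "rule 1: parent not whitelisted"
    # Rule 3: a web app may not start Windows-folder children (bar the necessary few) nor
    # the hardwired plugins, so no per-binary "vulnerable process" list is needed.
    if parent in policy.web_apps:
        if child in HARDWIRED:
            return False, "rule 3: hardwired plugin started by web app"
        # PureWindowsPath compares case-insensitively, so C:\WINDOWS\... matches too.
        if WINDOWS_DIR in child_p.parents and child not in ASSUMED_NECESSARY:
            return False, "rule 3: Windows-folder child of web app"
    # Rule 2: a whitelisted parent is unrestricted while the parent toggle is on;
    # with it off, the child must be whitelisted in its own right.
    if policy.allow_by_parent or child in policy.whitelist:
        return True, "rule 2: whitelisted parent"
    return False, "child not whitelisted and parent inheritance disabled"

# Constructed sample events (parent, child), as a process monitor might report them.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    (CHROME, PS),                                      # classic exploit shellcode pattern
    (CHROME, r"C:\Windows\System32\conhost.exe"),      # exempt "necessary" child
    (CHROME, r"C:\Program Files\Java\bin\java.exe"),   # hardwired plugin
    (r"C:\Users\joe\Downloads\dropper.exe", PS),       # never whitelisted
    (r"C:\Users\joe\Downloads\setup.exe", PS),         # whitelisted installer
]
POLICY = Policy(whitelist={"chrome.exe", "setup.exe"}, web_apps={"chrome.exe"})

def evaluate(policy: Policy = POLICY, events=EVENTS) -> list:
    return [decide(policy, p, c) for p, c in events]
```

Running `evaluate()` blocks the browser-to-powershell and browser-to-java events and the non-whitelisted dropper, while the whitelisted installer spawning powershell is allowed exactly as Dan's rule 2 states; setting `allow_by_parent=False` on the policy flips that last decision.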
Lucent Warrior

I hope everyone enjoyed and learned something from this video. The whole point of it was that both products were tested in a standalone environment, while both products are recommended to be run with other security. They were tested not only this way, but at complete default settings, other than tools for the video that were whitelisted. Both products stopped all samples from infecting this system in this environment, with the samples being launched from two different locations. What you take away from this test will be how you perceive it. For those interested, I will have a Mod edit the original post and link the guides to VoodooShield and AppGuard.

Thank you again for watching.
 

shmu26

His response was something along these lines below.
The following quote does not apply to the most recent builds. He made it stricter. Try to run powershell or wscript or cscript yourself, when protection is active, and you will see that it is blocked.
"2. Whitelisted Processes: Let’s say for example you have a whitelisted app that needs to spawn powershell for some reason. I personally think that a whitelisted app should not be restricted in any way, because bad things can happen. Yeah, I know, VS has a local sandbox feature, but that is beside the point. To me, if a whitelisted process needs to spawn powershell, it should be able to do so whenever it needs to, and should never be restricted in doing so."
 
Lucent Warrior

The following quote does not apply to the most recent builds. He made it stricter. Try to run powershell or wscript or cscript yourself, when protection is active, and you will see that it is blocked.
"2. Whitelisted Processes: Let’s say for example you have a whitelisted app that needs to spawn powershell for some reason. I personally think that a whitelisted app should not be restricted in any way, because bad things can happen. Yeah, I know, VS has a local sandbox feature, but that is beside the point. To me, if a whitelisted process needs to spawn powershell, it should be able to do so whenever it needs to, and should never be restricted in doing so."
I just posted the quote he gave in response to you at one point; I am aware of the changes, and they are reflected in my VoodooShield Autopilot mode video, where installing a legit application still triggers the command prompt alert from access.
 
LabZero

Thanks @Lucent Warrior for the clear and comprehensive review :)

Both do a great job between protection and flexibility.
Speaking of signatures, we all know what the current situation is, and AppGuard and VoodooShield add another safety concept, and this concept works without a doubt!
Signatures are still of great usefulness: they allow you to detect (if they can) malware in static mode, without running it, and that's an advantage in terms of user security.
Obviously these tools are not install-and-forget programs; some configuration is required, and the average Joe could have serious problems using them without know-how.
Criminals want to have many average Joes who just use Windows Defender because it is an antivirus and they have read on the internet that it is very powerful and "my cousin told me that an antivirus fights all viruses". :D

Computer security isn't easy and it isn't a game; it requires skill and knowledge, and "they" are very forward!
No more average Joe, but a skilled Joe who uses advanced tools with common sense; that's the answer.
 

shmu26

I asked Dan over on the other forum for some clarification about parent/child processes.
The way he once explained it to me, it sounded like the whole protection hinged on blocking the dropper, which executes in "user land", as he calls it. But it could be things changed, and it could well be I never understood him right in the first place.
Based on the behavior that I see from Voodooshield recently, it seems that a parent process can only run a child process if the child process is trusted in its own right. In other words, it does not look to me like there is inheritance of permissions.
 

SHvFl

Based on the behavior that I see from Voodooshield recently, it seems that a parent process can only run a child process if the child process is trusted in its own right. In other words, it does not look to me like there is inheritance of permissions.
There is a setting to trust any child if parent is trusted. It's selected by default. Maybe you disabled it.
 

shmu26

There is a setting to trust any child if parent is trusted. It's selected by default. Maybe you disabled it.
Actually, I re-enabled it because it was causing silent blocking of processes. It looks to me like the main purpose of disabling it would be to prevent a fileless exploit that wants to run a trusted process.
Because even if you have it enabled, an untrusted child process will not be allowed to run.
 

SHvFl

Actually, I re-enabled it because it was causing silent blocking of processes. It looks to me like the main purpose of disabling it would be to prevent a fileless exploit that wants to run a trusted process.
Because even if you have it enabled, an untrusted child process will not be allowed to run.
I don't use VS now to test, but that was not the case. Some member actually made installers of a legit program that launched malware, and they were allowed. Maybe with all those changes he made recently he broke the feature, hence the silent block issues that appeared. You might want to report the issue.
 

shmu26

I don't use VS now to test, but that was not the case. Some member actually made installers of a legit program that launched malware, and they were allowed. Maybe with all those changes he made recently he broke the feature, hence the silent block issues that appeared. You might want to report the issue.
I asked for clarification on this issue of parent/child about a month ago, on the other forum, but I never saw an answer.
Maybe someone with a direct line of communication with the Dev could clear it up for us...
 

SHvFl

I asked for clarification on this issue of parent/child about a month ago, on the other forum, but I never saw an answer.
Maybe someone with a direct line of communication with the Dev could clear it up for us...
Your comment probably got lost in the thousand replies about the freeze issue.
 
