Battle Best Anti-EXE/App Whitelisting 2015

hjlbx

> I'm using VoodooShield 2.75 and I like its ability to scan with 56 VT scanners when something unknown is detected. :D
> I asked the above because I didn't know if VoodooShield worked at kernel level (thanks Hjlbx for the info that v. 3 will be! :)) and exactly what kind of files are controlled.
> I don't think they have memory, folder or registry protection.
>
> I read a lot about AG, but I'm still not sure what files are guarded.
>
> NVT is where I have no info. Does it work in kernel mode, what files does it guard, does it have memory protection?

VooDooShield is a pure anti-executable; it provides no folder, memory or registry protection. Not sure if it will ever be added.

Basically, AppGuard protects everything except ProgramData and User Profiles (by blocking writes, memory injection into processes) ... however, you can customize it to get softs to work.

NVT ERP is a pure anti-executable; it provides no folder, memory or registry protection. Andreas the developer isn't going to add it. I know NVT ERP can block installation of kernel mode drivers. NVT ERP has a nice feature where the user can white-list command lines - like control panel command lines that use rundll32.exe. It can block/regulate any interpreter and vulnerable processes too.

If you want maximum security, then combine AppGuard and NVT ERP... or VooDooShield when stable v. 3 is released.

On top of anti-executable add virtualization and outbound firewall notifications and that is about as good as it gets. It isn't 100% bulletproof but it is as close as you can get without turning your system into a tank - in which case it would be so loaded down that it won't work unless you have a Xeon core.
 

Solarquest

> VooDooShield is a pure anti-executable; it provides no folder, memory or registry protection. Not sure if it will ever be added.
>
> Basically, AppGuard protects everything except ProgramData and User Profiles (by blocking writes, memory injection into processes) ... however, you can customize it to get softs to work.
>
> NVT ERP is a pure anti-executable; it provides no folder, memory or registry protection. Andreas the developer isn't going to add it. I know NVT ERP can block installation of kernel mode drivers. NVT ERP has a nice feature where the user can white-list command lines - like control panel command lines that use rundll32.exe. It can block/regulate any interpreter and vulnerable processes too.
>
> If you want maximum security, then combine AppGuard and NVT ERP... or VooDooShield when stable v. 3 is released.
>
> On top of anti-executable add virtualization and outbound firewall notifications and that is about as good as it gets. It isn't 100% bulletproof but it is as close as you can get without turning your system into a tank - in which case it would be so loaded down that it won't work unless you have a Xeon core.

Hjlbx,
Thank you for the clear and informative answer!
My last question is: do they all check the same files (exe, script, dll, scr, ...), or which program covers more types?
In advance, nice weekend to all!:D
 

Online_Sword

> Hjlbx,
> Thank you for the clear and informative answer!
> My last question is: do they all check the same files (exe, script, dll, scr, ...), or which program covers more types?
> In advance, nice weekend to all! :D

Hi, as far as I know, all four anti-exe programs take effective approaches to monitor the interpreters of scripts, such as cmd, java, cscript, wscript, powershell, etc.
So they are all able to block scripts.
Regarding dlls, AppGuard, Exe Radar Pro, and VoodooShield also monitor rundll32, so they can also prevent rundll32 from running unknown dlls.
We cannot infer from the settings panel of SecureAPlus whether it monitors rundll32 or not. But according to some posts on wilderssecurity, it can also block unknown dlls.

Regarding the exact file types that are monitored by these four...sorry, I do not know.
But it seems easy to find the file types that are monitored by Bouncer.:D
I think Bouncer would look at the file types in the following screenshot:

(screenshot: Bouncer File Type.png)


As far as I know, this is not a full list of files that would be blocked by Bouncer.
According to the user manual, in fact, Bouncer does not scan for file extension.
Its driver will monitor any process that tries to load executable code into memory.
So it can also block things like "evil.exe.png".:D
 
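An added illustration (not code from Bouncer, NVT ERP or any other vendor) of the two points made above: gating on what the bytes are rather than on the file extension, so a renamed "evil.exe.png" is still treated as executable, and allowing a host process like rundll32 only on an exact command line, as hjlbx described for NVT ERP. The sample files, their hashes and the allow-listed command line are constructed for the example.

```python
import hashlib
import struct

def looks_like_pe(data: bytes) -> bool:
    """Classify by content, not by name: a DOS 'MZ' stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decide(data: bytes, allowed_hashes: set) -> str:
    """'ignore' = no executable code; 'allow' = known-good hash; 'block' = unknown executable."""
    if not looks_like_pe(data):
        return "ignore"
    return "allow" if hashlib.sha256(data).hexdigest() in allowed_hashes else "block"

def decide_cmdline(cmdline: str, allowed_cmdlines: set) -> str:
    """Host processes such as rundll32 are gated on the exact command line, not just the image."""
    return "allow" if cmdline.strip() in allowed_cmdlines else "block"

def fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew -> 0x40, PE signature, payload."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + payload

# Constructed samples, not real files.
SAMPLES = {
    "calc_tool.exe": fake_pe(b"trusted tool body"),
    "evil.exe.png": fake_pe(b"renamed executable"),  # the extension lies; the content is executable
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,  # genuine image bytes under a harmless name
    "notes.exe": b"just text",                         # executable name, no executable code
}
ALLOWED_HASHES = {hashlib.sha256(SAMPLES["calc_tool.exe"]).hexdigest()}
# Hypothetical allow-listed Control Panel line, the kind of rundll32 command line the post describes.
ALLOWED_CMDLINES = {"rundll32.exe shell32.dll,Control_RunDLL"}

def run_policy() -> dict:
    return {name: decide(data, ALLOWED_HASHES) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_policy().items():
        print(f"{name:14} -> {verdict}")
    print(decide_cmdline("rundll32.exe shell32.dll,Control_RunDLL", ALLOWED_CMDLINES))
    print(decide_cmdline("rundll32.exe C:\\Temp\\unknown.dll,Run", ALLOWED_CMDLINES))
```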

Moose

Salutations, Friends!

> Opinions on VooDooShield?
> And will Bouncer work with Sandboxie?
> And what about ReHIPS?

Making today a great day, and tomorrow a better one!
 

FleischmannTV

Scrutiny from an Inquisitive mind: "POC or didn't happen" for AppCert Bypass

In case some of you missed the discussion on Wilders.

The researcher was kind enough to register on the forum and explain things. That alone is a great thing, as it rarely ever happens. Because folks over there (including developers) didn't even understand what he was saying, he was constantly asked to prove his findings in a video, of course without being compensated for his time and work. When he initially refused, he was treated in a condescending way and then, and only then, responded in kind. Then his postings were removed for being condescending o_O and his rights to post further were taken away as well; the thread was also locked.

He then responded with a POC on his blog. It turns out he was right from the beginning. The flaws he is pointing out are really embarrassing. I guess other researchers will take this as a reinforcement of their practice to abstain from active participation in forums like this.

So once again, we poor average home users have to rely on the promises of the industry only, because researchers will either abstain or get censored, should they be so kind as to share their findings with us.
 

XhenEd

> Scrutiny from an Inquisitive mind: "POC or didn't happen" for AppCert Bypass
>
> In case some of you missed the discussion on Wilders.
>
> The researcher was kind enough to register on the forum and explain things. That alone is a great thing, as it rarely ever happens. Because folks over there (including developers) didn't even understand what he was saying, he was constantly asked to prove his findings in a video, of course without being compensated for his time and work. When he initially refused, he was treated in a condescending way and then, and only then, responded in kind. Then his postings were removed for being condescending o_O and his rights to post further were taken away as well; the thread was also locked.
>
> He then responded with a POC on his blog. It turns out he was right from the beginning. The flaws he is pointing out are really embarrassing. I guess other researchers will take this as a reinforcement of their practice to abstain from active participation in forums like this.
>
> So once again, we poor average home users have to rely on the promises of the industry only, because researchers will either abstain or get censored, should they be so kind as to share their findings with us.

But I think talking to each other via PM might have been more successful. Then, if there was really a bypass against VS, then Dan or r41p41 could explain what happened. Then, the hole could have been patched without any dramas created.

There was really no need for attacks from both sides. If Dan doesn't want to create a bounty, then r41p41 could have just stopped responding since the bounty is more important to him.
 

Deleted member 178

Finally he revealed himself again...

One reason I will never use VoodooShield is that its dev is an arrogant "I-think-I'm-da-best" type and is unable to take criticism positively. A long time ago he even harassed me via email, because I said here that his product was buggy and doesn't afford anything.

He has a grudge against me and @Littlebits because we were not fooled by his product (at the time we tested it).

Now I don't know how VS performed (and honestly I don't care), but with this affair it seems things didn't change. He still seems arrogant and his product still "buggy" (to be polite).

So that kind of reaction is not a surprise to me.

I don't say don't use VS, but you have many far better solutions.
 

Kate_L

I hear people say that there is a free version of "NoVirusThanks Exe Radar Pro", but I can't find it.
 

FleischmannTV

> But I think talking to each other via PM might have been more successful.

For the vendor maybe, but definitely not for us. Besides, the researcher was asked in public and answered in public.

Thanks to the public discussion, the audience was able to learn several things, which never would have been revealed, if everything had been discussed behind closed doors. At best we would have been told there had been a hole and that it was fixed (after months maybe). The full scale of the technical incompetence of the people behind this "security software" would have remained well hidden.
 

hjlbx

> I hear people say that there is a free version of "NoVirusThanks Exe Radar Pro", but I can't find it.

NVT ERP has been freeware for about 6 months. It is the beta version for now, until the developer releases the next stable version.

You can find it at Wilders > Other Anti-Malware Softs > A New Anti-Executable: NVT ERP. Search the thread in descending order, you will find the most recent beta posted...

Hee, hee... @OpenSecLabs beat me to it - AND - gave you the link!
 