Q&A Does voodooshield monitor parent-child process relationships?

notabot

Level 15
Oct 31, 2018
735
Does voodooshield monitor parent-child process relationships?

I’m interested eg in a post exploit situation where Firefox has been compromised, can it detect & block a compromised Firefox from eg running cmd or rundll32 ( or any other lolbin ) ? - without entirely blocking cmd.exe ofc , just based on parent-child relationships
 

lThinkFreel

Level 2
Jun 24, 2019
67
You mean something like this?
Unbenannt.PNG
 

notabot

Level 15
Oct 31, 2018
735
You mean something like this? View attachment 223054

Can Voodooshield be made to ignore signatures ?

If so, that looks great actually. So fully hardened Windows native security combined with Voodooshield ( as WDAG lacks a useable UI.. ) would pretty much stop most attack vectors, assuming the user uses UWP/Sandboxed apps.

I can only see
1. Kernel-level exploits
2. Scenarios where the exploited app is trusted and instead of leveraging child processes, leverages dlls

1. Can’t be stopped anyhow and while 2. is an attack that would not be stopped, it is a reasonable hole to leave open for a home system.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,807
Can Voodooshield be made to ignore signatures ?

You may un-check "Automatically allow items that match a digital signature in the whitelist snapshot". Just be ready for a much more vocal VS. :eek:

So fully hardened Windows native security combined with Voodooshield ( as WDAG lacks a useable UI.. ) would pretty much stop most attack vectors, assuming the user uses UWP/Sandboxed apps.

Yes, most attack vectors. There are definitely users who use only VS and OS hardening, including firewall hardening. ;) It all depends on the user. And depending on your browser setup (which browser, extensions, etc.) your browsing speed will be lightening fast!(y)
 

lThinkFreel

Level 2
Jun 24, 2019
67
Can Voodooshield be made to ignore signatures ?
I did some screenshots. You can see the functions there. I left "quarantine(obvl what it is) and Register" page.Nothing special there only my key for the pro version to see there :D
 

Attachments

  • Unbenannt.PNG
    Unbenannt.PNG
    51.6 KB · Views: 435
  • Unbenannt1.PNG
    Unbenannt1.PNG
    44 KB · Views: 438
  • Unbenannt3.PNG
    Unbenannt3.PNG
    78.8 KB · Views: 491
  • Unbenannt4.PNG
    Unbenannt4.PNG
    32.4 KB · Views: 420
  • Unbenannt5.PNG
    Unbenannt5.PNG
    27.7 KB · Views: 424
  • Unbenannt6.PNG
    Unbenannt6.PNG
    32.2 KB · Views: 426
  • Unbenannt7.PNG
    Unbenannt7.PNG
    57.4 KB · Views: 422
  • Unbenannt8.PNG
    Unbenannt8.PNG
    64.5 KB · Views: 437
  • Unbenannt9.PNG
    Unbenannt9.PNG
    37.3 KB · Views: 447
  • Unbenann10t.PNG
    Unbenann10t.PNG
    27.4 KB · Views: 440
  • Unbenannt11.PNG
    Unbenannt11.PNG
    39.6 KB · Views: 419

notabot

Level 15
Oct 31, 2018
735
I did some screenshots. You can see the functions there. I left "quarantine(obvl what it is) and Register" page.Nothing special there only my key for the pro version to see there :D

Thanks ! I like that it centers security around web apps which are tightly controlled, this is the setup to wanted do with WDAG alas without a reasonable UI, this will take a lot of time and it won’t be maintainable
 

notabot

Level 15
Oct 31, 2018
735
It pretty much ticks all the boxes as a WDAG replacement, only worry is the kernel driver and the supply chain risk that comes with a small vendor . I’ll think about it and maybe I’ll give it a go.

Stability-wise how has it managed so far with Windows updates and releases ?
 

notabot

Level 15
Oct 31, 2018
735
You are most welcome. One need not be a fanboy to experiment with or use VS. Just realize its strengths and weaknesses. It should be getting stronger protection in an upcoming update which will add the new Whitelist Cloud feature. It will be that much stronger out-of-the-box.

Have they said when they’ll release this feature ?
 

oldschool

Level 59
Verified
Mar 29, 2018
4,807
Have they said when they’ll release this feature ?

It's being finished now and should be out fairly soon, except Dan has his sense of time (only kidding Dan! :)) :

This was his post:

"Hey guys, sorry I have been away, things have been crazy.

I will catch up on the posts and emails asap.

Hopefully VS 5.02 will be ready in a couple of days. There are no major new features, just a couple of small bug fixes and the Web Management Console integration should be fully working."


Have they said when they’ll release this feature ?

I was too hasty copying above. Here is his post on WLC:

"...This vulnerability was first disclosed by a competitor here: mbr encrypt test short - Streamable, which is what started the wheels in my head turning for WhitelistCloud, which turned out amazing, and will be implemented into VS soon. I sincerely thank the people responsible for the streamable video, you only made VS stronger… as you have done many, many, many times in the past. ..."
 
Top