How would one get past VoodooShield?


hjlbx

> Yes and yes. Like I said before, you exploit the confusing alerts :) It's like any other security product (you don't even know what you install or what you allow).
>
> Once you allow something, that is a bypass.

A user mistake or social engineering is not considered a bypass in the technical sense.

Technically, a bypass is when malware can defeat a security soft's protections without requiring user decision making. For example, when the user navigates a browser to a malicious URL that successfully exploits the browser and obtains escalation of privilege.

Your meaning of the term "bypass" is different from that established and acknowledged by the security soft industry. Yes, it is a form of bypass, but not one that counts against the soft's protections. Improperly used software - which includes unknowledgeable use that leads to mistakes - is not a technical bypass.
 

ExoGen CyberSecurity

> Can you provide a video demonstration? I'd be interested and it would help the Devs too

Yes, I need to set up VirtualBox and install the free version. VoodooShield has the same issues as Comodo :)
The way I will test is the same as I did before, with the free version and Auto-Pilot.

> A user mistake or social engineering is not considered a bypass in the technical sense.
>
> Technically, a bypass is when malware can defeat a security soft's protections without requiring user decision making. For example, when the user navigates a browser to a malicious URL that successfully exploits the browser and obtains escalation of privilege.
>
> Your meaning of the term "bypass" is different from that established and acknowledged by the security soft industry. Yes, it is a form of bypass, but not one that counts against the soft's protections. Improperly used software - which includes unknowledgeable use that leads to mistakes - is not a technical bypass.

I think you didn't understand me. I said you use social engineering to make the user allow the file, since VoodooShield / Comodo will block the file by default, and you use a safe file to trick the user into installing the malware. This is what I said about the confusing alerts; it is the same if you use it as I tested: VoodooShield will block everything and the user needs to install the malware.
 

_CyberGhosT_

> Your meaning of the term "bypass" is different from that established and acknowledged by the security soft industry. Yes, it is a form of bypass, but not one that counts against the soft's protections. Improperly used software - which includes unknowledgeable use that leads to mistakes - is not a technical bypass.
Good luck hjlbx convincing him, I see this for what it is and am steering clear ;)
 

Wave

Without manual analysis/testing I cannot guarantee that these suggestions would actually work but...
  1. The most obvious method would be malware stealing a digital signature so it appears to be from a trusted publisher which is white-listed within VDS. This cannot always be predicted, since users may toggle white-list settings and re-configure things; however, it can definitely be done.
  2. The second method would be the malicious sample exploiting a vulnerability in the OS itself which allows it to continue to execute without the notification being sent to VDS. I believe that VDS uses a kernel-mode driver for process monitoring, which would make this task more difficult (probably via a kernel-mode callback to receive a notification upon process creation - but hey ho, nothing is bulletproof). This task would require extensive knowledge of how Windows itself works (kernel-mode, user-mode, and other areas such as the PE loader/memory management, etc.), and experience with developing and handling exploits.
For example, someone who works for a trusted company (e.g. Adobe) may get hold of the code signing certificates and leak them to a friend who is developing malware, who then uses them to sign their malware so it appears clean to many AV products which automatically white-list Adobe as trusted (and thus bypasses any anti-exe which has the Adobe publisher trusted to run).

The behaviour in the above example is much more common than you'd think; it happens all the time to many companies and causes them a lot of stress, since their certificates then get revoked to prevent further damage. I'll leave some link references below if you want to read more about it:

Kaspersky Lab spots malware signed with stolen digital certificate
Hackers raid Adobe, compromise certificate to sign malware
Hackers Breached Adobe Server in Order to Sign Their Malware
Adobe Revoking Code Signing Certificate Used To Sign Malware | SecurityWeek.Com

The articles above are actually from 2012, but they're still a good read and demonstrate how an attacker would go about doing something like this.

Hope this helped. :)
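A practical counterpart to method 1 above, added here as an example and not code from the thread or from VoodooShield: what a "trusted publisher" allow rule should check before letting a signed binary run. Trusting the subject name alone is exactly what a stolen certificate defeats; pinning the signing certificate's thumbprint and forcing an online revocation check are what make a leaked-and-revoked certificate (like the 2012 Adobe case in the links) fail. The function name, the file path and the thumbprint allow-list are assumptions for illustration.

```powershell
# Added example (not from the thread or from VoodooShield): evaluate an executable's
# Authenticode signature the way a stricter "trusted publisher" rule should, instead
# of trusting anything whose certificate subject happens to say "Adobe".
# Assumptions: $Path points at a PE file on disk; $TrustedThumbprints is a hypothetical
# allow-list of signing-certificate SHA-1 thumbprints that you maintain yourself.

function Test-TrustedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature itself must verify: file hash matches the signed hash and the
    #    chain builds to a trusted root. NotSigned, HashMismatch, NotTrusted etc. fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # 2. Pin on the certificate thumbprint, not on the subject string. A stolen key is
    #    the one case where the subject matches but the thumbprint is not the one you pinned
    #    (because the publisher reissues under a new certificate once the leak is known).
    if ($TrustedThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "Signer '$($cert.Subject)' ($($cert.Thumbprint)) is not on the pinned allow-list"
        }
    }

    # 3. Force an online revocation check. A leaked certificate gets revoked precisely so
    #    that this step fails, so do not let a cached or skipped CRL/OCSP lookup pass it.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Chain/revocation failure: $statuses" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'Valid signature from a pinned, unrevoked signer' }
}

# Usage (path and thumbprint are placeholders, not real values):
# Test-TrustedSigner -Path 'C:\Downloads\setup.exe' `
#                    -TrustedThumbprints @('0123456789ABCDEF0123456789ABCDEF01234567')
```

Step 3 builds the chain at the current time, so a timestamped signature whose certificate has since expired will fail there with NotTimeValid; for that case set `$chain.ChainPolicy.VerificationTime` to the signing time before calling `Build`. The point of the example is the order of the checks: signature validity, then identity by thumbprint, then revocation. A rule that stops after "subject contains the publisher name" is the one that a stolen certificate walks straight through.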
 

_CyberGhosT_

> (Wave's post above, quoted in full)
It may work if you first disable VS's ability to use its AI scan function, and/or disable the internet so the file is not scanned on VT, which VS does.
Or pay the price for a zero-day; it's gonna be a much bigger chore than most would think.
I am imagining it would be easier to sandpaper a Lion's booty :p lol
 

hjlbx

I just love the way these VS discussions go. They're very typical.

When you start talking in absolutes that is where you get into trouble. To think VS - or anything else for that matter - like AppGuard, Sandboxie, ReHIPS, etc - cannot be bypassed by any means whatsoever =

[image attachment]


That being said, if given the choice I would pick VS over the typical AV or internet security suite any day...
 

Lucent Warrior

Nothing is absolute in security when it comes to those with the knowledge, resources and skills seeking infiltration. That said, the chances of a home user being targeted by such are quite slim. As for the rest of the theories in play, why debate these? Why not fire up your VMs and set about finding tangible proof either way, and share it if it can be done, so that the developers can do something about it, if indeed there is any merit.
 

Deleted member 178

VS doesn't monitor DLLs, so I guess it doesn't protect against DLL injection.

Also it doesn't protect the memory.

Remember, VS is an anti-executable, not an AV.

And to put oil on the fire: Scrutiny from an Inquisitive mind: "POC or didn't happen" for AppCert Bypass

A huge drama at that time: the author was banned from Wilders for refusing to reveal the details for free, VS denied the bypass, and other popcorn moments. :D

It is an old article, so now I can't tell if the "potential bypass" is still effective.
 

ExoGen CyberSecurity

I tried to install VoodooShield to play with it and I get this
[screenshot attachment]

Description:
Stopped working

Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: voodooshieldservice.exe
Problem Signature 02: 3.10.108.0
Problem Signature 03: 57d2302d
Problem Signature 04: System.ServiceProcess
Problem Signature 05: 2.0.0.0
Problem Signature 06: 530f0542
Problem Signature 07: a3
Problem Signature 08: 2c
Problem Signature 09: System.ServiceProcess.Timeout
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
 

shmu26

If you have the premium version, disable "allow by parent process" in advanced settings.
AI sometimes blocks things that I willfully installed on my system, and that I know and trust. So I have to override it sometimes. That makes room for being tricked.
That's why SHvFl's tweak is very important IMO, because if you got tricked into installing something bad (for instance, you downloaded a trusted program from a trusted website, but they were hacked!!) then this should help to stop the payload, because the permissions will not be inherited.
 

ExoGen CyberSecurity

> (Deleted member 178's post above, quoted in full)

A lot of companies do that; Comodo is very well known for that (I'm a Comodo user). Also, if you just do a simple Google search for "bypass XXXX" you can find it, and there is a small chance that the author will help the company. Most people will not say anything because they sell RATs and other malware, and people will deny the issue because their favorite product is bypassed (even I don't say what I find, because it creates drama and I get a lot of hate).

The 64-bit issue with Kernel Patch Protection is still a big issue and people ignore it, and it's a permanent exploit (you can start with bcdedit.exe -set TESTSIGNING ON).

When the first exploit for Comodo's DDE Sandbox was out I denied it; after two years I saw it, and I started using HIPS and ViruScope and configured Comodo to deny everything and only allow what I say. This was because I started to be aware and not be in the "my security product is the best and nobody can bypass it" mindset. I have also seen how many exploits are out there and nobody says anything (you can see the last NSA hack with 3-4 year old exploits).

The best way of testing any security product (and you can do it yourself) is: download a portable application, e.g. 7-Zip + 7-Zip Theme Manager. If a pop-up appears and you allow it, there is a high chance that you will be tricked and infect yourself. If you want to ask why, it's easy: it's the behaviour of portable applications and the fact that they are not well known (this way the cloud protection is tricked), and the behaviour itself (it modifies critical files, drops DLLs and so on).

I think VoodooShield is a good product to use with your AV (BitDefender Free, Avira, Zemana... well, most security products).
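The defender's side of the bcdedit line above, added here as an example and not code from the thread: a PowerShell function that reports whether the current boot entry lets unsigned kernel drivers load (the testsigning and nointegritychecks switches) and whether Secure Boot is on, which is what stops those switches from being set in the first place (bcdedit refuses to change them while Secure Boot is enabled). The function name and the output fields are my own choice.

```powershell
# Added example (not from the thread): report the driver-signing posture of the
# running Windows install. Run from an elevated prompt; bcdedit and the Secure Boot
# query both need it.
# Assumption: the bcdedit output is in English ("testsigning Yes"); the field names
# are the same on every Windows version, the "Yes"/"No" tokens are localised.

function Get-DriverSigningPosture {
    # Dump only the boot entry we booted from, as one string, so the regexes
    # below can match per line.
    $bcd = & bcdedit.exe /enum '{current}' 2>&1 | Out-String

    # "testsigning Yes" lets any driver signed by a test certificate load, which is
    # the "permanent exploit" the post above refers to: KPP still runs, but the
    # signing requirement it leans on is gone.
    $testSigning = [bool]($bcd -match '(?m)^\s*testsigning\s+Yes')

    # "nointegritychecks Yes" is the older, blunter switch that disables the checks
    # outright; modern 64-bit Windows ignores it, but it is still worth flagging.
    $noIntegrity = [bool]($bcd -match '(?m)^\s*nointegritychecks\s+Yes')

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and when not elevated;
    # treat both as "not protected" rather than guessing.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    [pscustomobject]@{
        TestSigning            = $testSigning
        NoIntegrityChecks      = $noIntegrity
        SecureBoot             = $secureBoot
        UnsignedDriversCanLoad = ($testSigning -or $noIntegrity)
    }
}

# Usage:
# Get-DriverSigningPosture | Format-List
```

A hardened host should show TestSigning and NoIntegrityChecks both False and SecureBoot True. Either of the first two being True on a machine you did not deliberately put into test mode is worth treating as a finding, and a "Test Mode" watermark on the desktop is the visual version of the same check.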
 

TheMalwareMaster

> (ExoGen CyberSecurity's crash report above, quoted in full)
I also got that when installing it on my Windows 7 32-bit virtual machine, but afterwards the product was working fine for me. On Windows 10 I didn't get that message.
 

shmu26

> So if I were very aware of what I allow, VoodooShield practically makes me near bullet-proof?
It's kind of a catch-22. If you are very aware of what you allow, you are already near bullet-proof, assuming your OS and programs are kept up to date.
VS can help you keep up your awareness, by challenging new processes that want to run on your system, and telling you whether it looks risky or not.
 

_CyberGhosT_

> What happened to the VoodooShield Challenge?
>
> Anything ever become of it?
I think most decided it was too much work; it's easier to jaw about something they can't prove anyway.
I don't mind informed critics with opposing points of view; what gets me are the painfully obvious novice critics who clearly haven't done any homework and are just reaching. But hey, patience is the key, as is acceptance, and an awesome cup of coffee :p
 

Ana_Filiz

Guys, as far as I can say, not being a software geek, I learned a lot from these discussions, and the more security software we use the better for us; never rely on a single security product. This is a healthy attitude irrespective of the security product chosen. I must tell you that I was even afraid of the fact that an AV company might change its "purposes" :) and instead of protecting me be spying on me or doing anything else; that's why another security product such as an anti-executable, anti-exploit or anti-malware is always a good option for any user. My saying is: better more secure than regret. :D

Sorry for my VoodooShield off-topic but it can apply even to this software.
 
