How would one get past VoodooShield?

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I must say that I was even afraid that an AV company might change its "purposes" :) and, instead of protecting me, spy on me or do anything else; that's why another security product such as an anti-executable, anti-exploit or anti-malware is always a good option for any user.
that's an interesting point. I saw someone complaining about PUPs that came along with his LAVASOFT product. He commented that he thought LAVASOFT was supposed to be the good guys, not the bad guys.
However, I suspect that PUPs installed by an "official" security product would not be flagged as malware by another security product.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Guys, as far as I can say, not being a software geek, I learned a lot from these discussions, and the more security software we use the better for us; never rely on a single security product. This is a healthy attitude irrespective of the security product chosen. I must say that I was even afraid that an AV company might change its "purposes" :) and, instead of protecting me, spy on me or do anything else; that's why another security product such as an anti-executable, anti-exploit or anti-malware is always a good option for any user. As I say, better more secure than regretful. :D

Sorry for my VoodooShield off-topic but it can apply even to this software.
Thanks for the input Ana, and you're not off topic at all. While a layered defense is a smart option, we have to go a step further and address "what we are layering": for example, layering 2 anti-viruses is not recommended for good reason, since layering 2 similar pieces of software can cause issues, but layering for "gap coverage" is an awesome way to bolster a security config.
Thanks for your feedback :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Can you provide a video demonstration? I'd be interested and it would help the devs too
He is right in a way, and Dan knows it. When you allow anything, it can do whatever it wishes if you don't disable parent-child access right inheritance, which is on by default. A user on the other forum made a few examples and showed them to Dan. If you check the VS topic you can probably find it. He even mentioned he will rethink whether to keep the setting as default, but having to deal with the freeze bug for a while now probably didn't help, and he forgot or left it for later.
 

ExoGen CyberSecurity

Level 3
Verified
Well-known
Sep 17, 2016
113
He is right in a way, and Dan knows it. When you allow anything, it can do whatever it wishes if you don't disable parent-child access right inheritance, which is on by default. A user on the other forum made a few examples and showed them to Dan. If you check the VS topic you can probably find it. He even mentioned he will rethink whether to keep the setting as default, but having to deal with the freeze bug for a while now probably didn't help, and he forgot or left it for later.

Yes, you understand me very well. I'm interested in this topic because it's the same with Comodo. As I said above, you or anyone can test it with portable apps. Comodo in a way fixed that with ViruScope; by default it only checks the sandboxed apps, and you need to modify it so it will watch all the apps.

I can't test it now because of this. Since Dan knows about this, he can fix it by doing a lookup for all the running files on the PC (checking them with the cloud). I think if you reset all the rules from time to time you can "check again". Even if I'm not a big fan of BitDefender Free, if you use it with VoodooShield you will have the perfect combo, since BitDefender Free has AVC.

So, in the end I think the user is a big part of it. Since NVT EXERadar Pro hasn't been updated in ages, VoodooShield is a good replacement.

The only thing I don't like about VoodooShield is the black text on gray background in the Options UI.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Yes, you understand me very well. I'm interested in this topic because it's the same with Comodo. As I said above, you or anyone can test it with portable apps. Comodo in a way fixed that with ViruScope; by default it only checks the sandboxed apps, and you need to modify it so it will watch all the apps.

I can't test it now because of this. Since Dan knows about this, he can fix it by doing a lookup for all the running files on the PC (checking them with the cloud). I think if you reset all the rules from time to time you can "check again". Even if I'm not a big fan of BitDefender Free, if you use it with VoodooShield you will have the perfect combo, since BitDefender Free has AVC.

So, in the end I think the user is a big part of it. Since NVT EXERadar Pro hasn't been updated in ages, VoodooShield is a good replacement.

The only thing I don't like about VoodooShield is the black text on gray background in the Options UI.
Thank you. I understand where you're coming from now.
 

Wave

The 64-bit issue with Kernel Patch Protection is still a big issue and people ignore it, and it's a permanent exploit (you can start with bcdedit.exe -set TESTSIGNING ON).
The malicious sample will need to be granted administrative rights before it can execute bcdedit.exe with those parameters, and for it to become active the system will then need to be rebooted. This task would be relatively easy for someone who is experienced, since they can work with social engineering techniques to trick a user into granting access thinking it's a safe file signed by a trusted publisher (or just exploit UAC altogether); however, the chances of a typical home user being affected by such practices are very slim.

How can a security product solve this problem? Easy. Just hook the functions which bcdedit.exe calls once the parameters are given for its execution, and then alert the user asking whether they grant permission for test mode to be enabled or not... On top of this, security products can hook functions for service creation/NtLoadDriver/NtSetSystemInformation and ask for permission before a driver is loaded (and auto-block if the driver isn't signed, in case Test Mode has been maliciously enabled).

People who are serious about developing malicious software with kernel-mode components (for features such as getting rid of any security software running on the system (e.g. terminating it from memory and then blocking its execution), kernel-patching (not on x64 without a PatchGuard bypass) and so on) can most likely afford around $100 to buy a digital signature, meaning they won't even need to use such tricks or some PatchGuard bypass to have their driver loaded on x64.

With that being said, x64 is flawed altogether when it comes to security protection, because security software will be limited compared to what it can do on x86 systems.
 

ExoGen CyberSecurity

Level 3
Verified
Well-known
Sep 17, 2016
113
The malicious sample will need to be granted administrative rights before it can execute bcdedit.exe with those parameters, and for it to become active the system will then need to be rebooted. This task would be relatively easy for someone who is experienced, since they can work with social engineering techniques to trick a user into granting access thinking it's a safe file signed by a trusted publisher (or just exploit UAC altogether); however, the chances of a typical home user being affected by such practices are very slim.

People who are serious about developing malicious software with kernel-mode components (for features such as getting rid of any security software running on the system (e.g. terminating it from memory and then blocking its execution), kernel-patching (not on x64 without a PatchGuard bypass) and so on) can most likely afford around $100 to buy a digital signature, meaning they won't even need to use such tricks or some PatchGuard bypass to have their driver loaded on x64.

With that being said, x64 is flawed altogether when it comes to security protection, because security software will be limited compared to what it can do on x86 systems.

This is install-on-boot malware. I wanted to point out that you can use different ways, and if you really want to do it, you can. The "how" you do it is your own choice. If you look, the most common infections are caused by allowing something (see the botnet infections in cracks or illegal stuff).

If you want to do it, install on boot is a great way to do it (look at some videos done by cruelsister), and from there you start adding a fake digital signature, some delay in execution and many more (use a hex editor to make everything 0-day).
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
Something I'd like to add is that the author of VoodooShield, Dan, in no way claims his software is the only defense against malware you need to protect your PC. In fact he recommends you combine it with a quality AV suite such as Webroot SecureAnywhere.

If you follow his posts on Wilders you will know that he is very open about the effectiveness of VS and welcomes individuals such as Cruel Sister to find and reveal weaknesses in his software. This is very atypical of most security vendors whose usual stance is to ignore or deny such exploits exist because they aren't prepared to admit their software isn't perfect. Not good PR.

Now that the freeze issue is almost resolved (since the latest beta I haven't had a single freeze for well over a week, when I used to get them almost daily), Dan will be able to concentrate his efforts on further improving the functionality of the software and hardening the levels of security beyond what it already provides. His selfless aim is to make VoodooShield the best it can be.

With all of this in mind, if you have any suggestions for improvements or want to report specific weaknesses, then please contact @VoodooShield on Wilders, because one thing I can guarantee is that Dan will listen.
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
The dev has been tightening the right screws in his recent builds. I see more protection for vulnerable processes and for suspicious behavior.
Agreed. In fact he treats all Windows processes as vulnerable unlike most software that has to maintain a list. That way if new vulnerable Windows processes are discovered VS already has it covered :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Agreed. In fact he treats all Windows processes as vulnerable unlike most software that has to maintain a list. That way if new vulnerable Windows processes are discovered VS already has it covered :)
that restriction applies only to the browser.
I am talking about new system-wide restrictions that were recently applied.
 

hjlbx

The bottom line of it is that if any external code is introduced to the system and it can execute on the system, then there is some risk, however small, that the executed code will be able to do something unwanted/malicious to the system. There are multiple ways to execute code on a system; it is not just limited to downloading a file to a desktop and executing it.

This is a fundamental principle that a lot of users cannot grasp, refuse to follow because it is perceived as "inconvenient," or just choose to ignore in the hopes that they will find a security soft or security config that will be "bullet-proof."
 

Wave

Is .Net up to date in your VM?
I doubt this has anything to do with the issue, since if you check back at the screenshot he posted earlier it was the service process which crashed, which won't be based on a managed language (like .NET), but more likely a lower-level language like C/C++. :)

VoodooShield uses the .NET Framework for its GUI (I believe). Feel free to correct me on anything if I am wrong.
 

adyblueboy

Level 2
Verified
Feb 15, 2014
77
I have never tested VS, but when I hear words like "100% impenetrable", "no chance", etc., I just begin to smile :) I remember a young guy from my country, TinKode, just a kid; the Red October attack; Lenovo laptops with preinstalled spyware... If someone wants to steal data from your computer, you won't even know it, with all the antivirus in the world.
 
