Hi
@danb I was not aware that VoodooShield will be disabled on its own after a certain time. Can this expose the user to an EternalBlue-like attack when he is AFK? I didn't change anything in the settings, and most options are grayed out anyway.
Hey Joe, I just realized you were with LOAV. I am assuming you are asking about how VS blocks the command line in the Eternal Blue / Double Pulsar attack, which interrupts the attack chain. There is no easy way to answer this question that covers all possible malware attack scenarios, but hopefully this will answer your question; if not, please let me know.
First, VS's Dynamic Security Posture feature is much more than just simply toggling VS's locking mechanism ON and OFF (depending on whether the user is engaging in risky activities or not). See, even when VS is OFF, certain protections are still enabled, and I believe this command line would be blocked when VS is OFF, but I would have to test to make absolutely sure. On the other hand, background events that are considered safe or low risk are automatically allowed when VS toggles to OFF so that these items are not blocked when the user is later engaging in risky activities and VS is ON. The goal is to automatically build the whitelist for the end user and to reduce the number of unwanted user prompts as much as possible.
Traditional static deny-by-default tech is just not practical for most users and can be a true pain. For example, why block your backup software when you are not even using the computer? (Not a great example, but you get the point). Dynamic Security Postures allows VS to automatically fine tune the security posture so that it better fits the endpoint's current state.
As far as traditional antivirus goes... think of your favorite traditional antivirus, and just imagine how much better it would be if it utilized Dynamic Security Postures. It would be more aggressive when it needed to be and less aggressive when it was able to be. This would drastically increase malware blocking efficacy while also drastically reducing false positives.
Operating systems are not static environments. They are highly dynamic. So why would anyone ever believe they could be properly protected with static security software and a single security posture?
So while VS's toggling feature might seem simple on the surface, it does a lot more than people realize. And now that we have combined Dynamic Security Postures with our new Contextual Engine, things get even cooler (which I hope to be able to explain soon). The whole goal is to answer the question... "should this event be blocked or should it be auto allowed?", obviously based on context and the state of the machine.
I hope to be able to explain how it all works within the next week or two, and how the Contextual Engine synergizes with Dynamic Security Postures. It is incredibly difficult to describe in words, but I will do my best.
These are just some of the reasons VS is incredibly difficult to test properly. Then again, VS was not designed to test; it was designed to lock the computer when the user is engaging in risky activities.
Having said all that, you can always disable the auto deactivation feature if it is a concern.
Thanks again for the test! If I can think of other malware testing tips I will let you know. Here is one... besides making sure that the malware pack samples are true malware, you might want to check the packs for duplicates as well. For some odd reason there are a lot of dups and benign samples in a lot of malware packs.
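To make the posture logic described in this thread concrete, here is a small simulation added as an illustration; it is not VoodooShield's code and does not describe its internals. It assumes a hypothetical risk classifier (`risk` field), a constructed list of "risky" foreground apps, and a constructed timeline where the user is AFK overnight and then back in a browser.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    process: str       # image name of the launched process (constructed sample data)
    interactive: bool  # True if the user started it from the foreground
    risk: str          # "low" or "high", as rated by a hypothetical classifier

@dataclass
class Posture:
    locked: bool = False                        # ON = deny by default, OFF = relaxed
    whitelist: set = field(default_factory=set)

# Assumption: these foreground apps count as "risky activity" and switch the lock ON.
RISKY_APPS = {"browser.exe", "mail.exe"}

def update_posture(posture, foreground_app, user_idle):
    """Lock while the user is active in a risky app; unlock when idle or in a safe app."""
    posture.locked = (not user_idle) and foreground_app in RISKY_APPS
    return posture.locked

def decide(posture, ev):
    """Return 'allow', 'block' or 'prompt' for a launch event under the current posture."""
    if ev.process in posture.whitelist:
        return "allow"
    if ev.risk == "high":
        return "block"          # always-on protection, applied even when unlocked
    if not posture.locked:
        if not ev.interactive:  # safe background work is auto-allowed and remembered
            posture.whitelist.add(ev.process)
        return "allow"
    return "prompt" if ev.interactive else "block"

def run_scenario():
    """Constructed timeline: user AFK overnight, then back in the browser next morning."""
    p = Posture()
    out = []
    update_posture(p, "explorer.exe", user_idle=True)        # night: lock OFF
    out.append(("backup.exe", decide(p, Event("backup.exe", False, "low"))))
    out.append(("lateral.exe", decide(p, Event("lateral.exe", False, "high"))))
    update_posture(p, "browser.exe", user_idle=False)        # morning: lock ON
    out.append(("backup.exe", decide(p, Event("backup.exe", False, "low"))))
    out.append(("setup.exe", decide(p, Event("setup.exe", True, "low"))))
    out.append(("dropper.exe", decide(p, Event("dropper.exe", False, "low"))))
    return out

if __name__ == "__main__":
    for name, verdict in run_scenario():
        print(f"{name:12s} -> {verdict}")
```

The backup job learned while the lock was OFF is allowed later under the ON posture without a prompt, while an unknown non-interactive launch under ON is blocked and a high-risk event is blocked in either state.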