Voodooshield and vulnerable windows processes

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The dev recently revealed a little bit about how VS handles this.
This is the gist of it:
"the way vulnerable processes are handled in VS is ... every executable file in windows was considered a vulnerable process (along with the other standard vulnerable processes, like java and flash), and these vulnerable processes are only blocked when they are child processes of web apps. "
(bold is from me, not from original quote)
VoodooShield ?
second link is the dev's further clarifications:
VoodooShield ?
I would be interested to hear what people think about this approach.
I personally am a little concerned, as it seems that VS is not protecting these processes as vigilantly as other anti-exe programs do. I am interested in your thoughts.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I would point out that, this early in VoodooShield's development, it's doing just fine.
There is room for Dan to adjust and tweak VS's approach to protecting "vulnerable processes", and seeing that it is still being "actively" developed, things will only get better.
VoodooShield is still young, and note that Dan does not say this approach is written in concrete; I am confident that as new approaches become available they will be implemented
and integrated into this awesome new software. That's the beauty of it.
Being concerned at this point in its early development is unwarranted. I would worry if Dan said, "yep, this is how it's going to be and I'm not changing it"; then it would be worry time.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
The dev recently revealed a little bit about how VS handles this.
This is the gist of it:
"the way vulnerable processes are handled in VS is ... every executable file in windows was considered a vulnerable process (along with the other standard vulnerable processes, like java and flash), and these vulnerable processes are only blocked when they are child processes of web apps. "
(bold is from me, not from original quote)
VoodooShield ?
second link is the dev's further clarifications:
VoodooShield ?
I would be interested to hear what people think about this approach.
I personally am a little concerned, as it seems that VS is not protecting these processes as vigilantly as other anti-exe programs do. I am interested in your thoughts.

Thanks for asking Dan to add a "second chance"... I agree with you, better safe (with a 2nd warning) than sorry! ;)
 

hjlbx

The dev recently revealed a little bit about how VS handles this.
This is the gist of it:
"the way vulnerable processes are handled in VS is ... every executable file in windows was considered a vulnerable process (along with the other standard vulnerable processes, like java and flash), and these vulnerable processes are only blocked when they are child processes of web apps. "
(bold is from me, not from original quote)
VoodooShield ?
second link is the dev's further clarifications:
VoodooShield ?
I would be interested to hear what people think about this approach.
I personally am a little concerned, as it seems that VS is not protecting these processes as vigilantly as other anti-exe programs do. I am interested in your thoughts.

VS will block a malicious file located on the desktop that - if it were allowed to run - would go on to abuse vulnerable processes.
VS will block when a web app exploit permits a process to abuse a vulnerable process.
Also, you can set VS to alert when all Windows processes are executed; if powershell, cmd, wscript, etc. is executed - do not allow them always (white-list); that's why there should be an Allow Always, Allow Once, Block, Block Always in the alert - or something similar.

Those are the two most common mechanisms.

What the developer has done:

1. Eliminate the need for a typical user to configure a vulnerable process list
2. Strike a balance between usability and security

If you want absolute control, then you will have to look at a different soft.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
[screenshot attachments: 1.jpg, Sans titre.jpg, Sans titre 2.jpg]

Now I got confused... in other words, when are powershell, windows script host and cmd.exe not blocked by VoodooShield?

Depending on what setting you choose:

- You can be warned to select a choice:

The unknown/unsafe program/malware is temporarily blocked, and you are asked for a decision (block, allow, quarantine, sandbox, etc.) with what VoodooShield "thinks" / knows about the file (Virus Total, etc.):
=> the decision concerns the program that tries to run, but this is not directly linked to these vulnerable processes, so they are "not blocked" because they are "not run"

- But you can choose to make VoodooShield learn: white-list, blocks, etc., and it will remember the program / malware choices you made.

=> It can also make the choices itself.

- About Web Apps, just read on the screen below :)

Vulnerable processes (powershell, cmd, wscript, etc.) are blocked if they are children of web apps.

[screenshot attachment: 2.jpg]
 
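To make the rule set described in the two posts above concrete (hjlbx's "block when a web app exploit lets a process abuse a vulnerable process" plus the optional "alert on all Windows processes" setting, and DardiM's "vulnerable processes are blocked if they are children of web apps, everything else unknown gets a prompt"), here is an added toy model of that decision logic. It is example code written for this thread, not VoodooShield's own code: the web-app list, the extra interpreter names, the decision labels and the sample process tree are all assumptions. It goes one step beyond the thread's wording by walking the whole parent chain, so a browser -> cmd.exe -> powershell.exe chain is caught at the grandchild as well.

```python
"""Toy model of the parent-based 'vulnerable process' rule described in this thread.

Constructed illustration for the discussion above, not VoodooShield's own code.
The web-app list, the extra interpreter list, the decision labels and the sample
process tree are all assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed set of "web apps" whose descendants are scrutinised (browsers, mail, office).
WEB_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
            "outlook.exe", "winword.exe"}

# The dev's rule: every executable under the Windows directory counts as vulnerable,
# plus the usual interpreters such as Java and Flash (file names assumed here).
WINDOWS_DIR = "c:\\windows\\"
EXTRA_VULNERABLE = {"java.exe", "javaw.exe", "flashplayer.exe"}


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str                 # full image path, Windows style
    whitelisted: bool = False  # user previously chose "Allow Always" for this file


def image_name(p: Proc) -> str:
    """Lower-cased file name of the process image."""
    return p.image.rsplit("\\", 1)[-1].lower()


def is_vulnerable(p: Proc) -> bool:
    """Every executable in the Windows directory, plus the extra interpreters."""
    return p.image.lower().startswith(WINDOWS_DIR) or image_name(p) in EXTRA_VULNERABLE


def web_app_ancestor(p: Proc, tree: Dict[int, Proc], max_depth: int = 16) -> Optional[str]:
    """Walk up the parent chain and return the nearest web-app ancestor's name, if any.

    max_depth guards against a cycle in a malformed tree.
    """
    cur = p
    for _ in range(max_depth):
        if cur.ppid is None or cur.ppid not in tree:
            return None
        parent = tree[cur.ppid]
        if image_name(parent) in WEB_APPS:
            return image_name(parent)
        cur = parent
    return None


def decide(p: Proc, tree: Dict[int, Proc], alert_on_all_windows: bool = False) -> Tuple[str, str]:
    """Return (decision, reason) for one process-creation event.

    BLOCK  - vulnerable process running under a web app (no prompt)
    PROMPT - user is asked (unknown program, or any Windows process when the
             'alert on all Windows processes' option is on)
    ALLOW  - whitelisted program, or a vulnerable process started outside a web app
    """
    if is_vulnerable(p):
        origin = web_app_ancestor(p, tree)
        if origin is not None:
            return "BLOCK", f"{image_name(p)} spawned under web app {origin}"
        if alert_on_all_windows:
            return "PROMPT", f"{image_name(p)} is a Windows process and alert-on-all is enabled"
        return "ALLOW", f"{image_name(p)} not under a web app; default rule lets it run"
    if p.whitelisted:
        return "ALLOW", f"{image_name(p)} is whitelisted"
    return "PROMPT", f"{image_name(p)} is unknown; user decides (allow/block/quarantine)"


def evaluate_tree(tree: Dict[int, Proc], alert_on_all_windows: bool = False) -> Dict[int, str]:
    """Decision label for every process in the tree."""
    return {pid: decide(p, tree, alert_on_all_windows)[0] for pid, p in tree.items()}


# Constructed sample process tree (pids and paths invented for the example).
TREE: Dict[int, Proc] = {p.pid: p for p in [
    Proc(100, None, r"C:\Windows\explorer.exe"),
    Proc(200, 100, r"C:\Program Files\Google\Chrome\chrome.exe", whitelisted=True),
    Proc(300, 200, r"C:\Windows\System32\cmd.exe"),                                # browser -> cmd
    Proc(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # cmd -> powershell
    Proc(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # started from explorer
    Proc(500, 100, r"C:\Users\me\Desktop\invoice.exe"),                            # unknown download
    Proc(600, 200, r"C:\Program Files\Java\bin\java.exe"),                         # browser -> java
]}

if __name__ == "__main__":
    for pid, p in TREE.items():
        verdict, why = decide(p, TREE)
        print(f"{pid:>4} {verdict:<6} {why}")
```

Running it shows the behaviour the posts describe: cmd.exe and powershell.exe under the browser are blocked outright, the same powershell.exe started from explorer.exe is let through by the default rule (or prompted for if alert-on-all is turned on), and the unknown invoice.exe on the desktop gets a prompt regardless of which interpreter it would go on to abuse.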

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Thank you.
This is how I was expecting VS to work...in the discussion on Wilders I understood it doesn't protect always...I think shmu26 was also concerned about this...
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thank you.
This is how I was expecting VS to work...in the discussion on Wilders I understood it doesn't protect always...I think shmu26 was also concerned about this...

in the discussion on Wilders I understood it doesn't protect always
It doesn't always directly block them.

Vulnerable processes are blocked if they are children of web apps.

But you are always warned for all unknown / unsafe programs that try to run (or VoodooShield automatically reacts depending on the settings).

If you allow the program / malware to run, it won't block any vulnerable processes, because you "allowed the program". Or the vulnerable processes you definitely don't want to be run have to be blacklisted :)

For example, I always know when cmd is used.

A very interesting video

Video Review - VoodooShield Review
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
If you allow the program / malware to run, it won't block any vulnerable processes, because you "allowed the program". Or the vulnerable processes you definitely don't want to be run have to be blacklisted :)

For example, I always know when cmd is used.
So what happens if you blacklist your favorite vulnerable processes?
Will you get a prompt, or will they be silently blocked?
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
v. 3.36 beefed up the protection for powershell and script interpreters (with the exception of cmd.exe, which is still allowed even when VS is active).
 