Voodooshield and vulnerable windows processes

Status
Not open for further replies.
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Jul 3, 2015
8,148
1
31,237
8,388
Middle Earth
the dev recently revealed a little bit about how VS handles this.
This is the gist of it:
"the way vulnerable processes are handled in VS is ... every executable file in windows was considered a vulnerable process (along with the other standard vulnerable processes, like java and flash), and these vulnerable process are only blocked when they are child processes of web apps. "
(bold is from me, not from original quote)
VoodooShield ?
second link is the dev's further clarifications:
VoodooShield ?
I would be interested to hear what people think about this approach.
I personally am a little concerned, as it seems that VS is not protecting these processes as vigilantly as other anti-exe programs do. I am interested in your thoughts.
 
  • Like
Reactions: FrFc1908, silversurfer, Av Gurus and 7 others
I would point out that, this early in VoodooShield's development its doing just fine.
There is room for Dan to adjust and tweak VS's approach to protecting "vulnerable processes" and seeing that it is still being "Actively" developed things will only get better.
VoodooShield is still young, and note that Dan does not say this approach is written in concrete, I am confident that as new approaches become available they will be implemented
and integrated into this awesome new software. That's the beauty of it.
Being concerned at this point in its early development is unwarranted. I would worry if Dan said, "yep this is how its going to be and I'm not changing it" then it would be worry time.
 
  • Like
Reactions: safe1st, silversurfer, Deleted Member 3a5v73x and 6 others
shmu26 said:
the dev recently revealed a little bit about how VS handles this.
This is the gist of it:
"the way vulnerable processes are handled in VS is ... every executable file in windows was considered a vulnerable process (along with the other standard vulnerable processes, like java and flash), and these vulnerable process are only blocked when they are child processes of web apps. "
(bold is from me, not from original quote)
VoodooShield ?
second link is the dev's further clarifications:
VoodooShield ?
I would be interested to hear what people think about this approach.
I personally am a little concerned, as it seems that VS is not protecting these processes as vigilantly as other anti-exe programs do. I am interested in your thoughts.
Click to expand...

Thanks for asking Dan to add a "second chance"..I agree with you, better safe (with 2nd warning) than sorry!;)
 
  • Like
Reactions: _CyberGhosT_, Deleted Member 3a5v73x, Logethica and 1 other person
shmu26 said:
the dev recently revealed a little bit about how VS handles this.
This is the gist of it:
"the way vulnerable processes are handled in VS is ... every executable file in windows was considered a vulnerable process (along with the other standard vulnerable processes, like java and flash), and these vulnerable process are only blocked when they are child processes of web apps. "
(bold is from me, not from original quote)
VoodooShield ?
second link is the dev's further clarifications:
VoodooShield ?
I would be interested to hear what people think about this approach.
I personally am a little concerned, as it seems that VS is not protecting these processes as vigilantly as other anti-exe programs do. I am interested in your thoughts.
Click to expand...

VS will block a malicious file located on the desktop that - if it were allowed to run - would go on to abuse vulnerable processes.
VS will block when an web app exploit permits a process to abuse a vulnerable process.
Also, you can set VS to alert when all Windows processes are executed; if powershell, cmd, wscript, etc is executed - do not allow them always (white-list); that's why there should be an Allow Always, Allow Once, Block, Block Always in the alert - or something similar.

Those are the two most common mechanisms.

What the developer has done:

1. Eliminate the need for a typical user from configuring a vulnerable process list
2. Strike balance between usability and security

If you want absolute control, then you will have to look at a different soft.
 
  • Like
Reactions: Logethica, _CyberGhosT_, Lucent Warrior and 4 others
1.jpg


Sans titre.jpg Sans titre 2.jpg

Solarquest said:
Now I got confused... in other words, when are powershell, windows script host and cmd.exe not blocked by Voodoshield?
Click to expand...

Depending on what setting you choose :

- You can be warned to select a choice :

The unknown/unsafe program/malware are temporarily blocked, your are asked for a decision (block, allow, quarantine, sandbox, etc) with what VoodooShield "thinks" / knows about the file (Virus Total, etc) :
=> the decision concerns the program that try to run, but this is not directly linked to these vulnerable processes, so they are "not blocked" because they are "not run"

- But you can choose to make VoodooShield learns : white-list, blocks, etc, and it will remember the programs / malware choices you made.

=> It can also make the choices itself.

- About Web Apps just read on the screen below :)

Vulnerable processes (powershell, cmd, wscript, etc...) are blocked if they are child of web apps.

2.jpg
 
Last edited:
  • Like
Reactions: Logethica, _CyberGhosT_, harlan4096 and 6 others
Thank you.
This is how I was expecting VS to work...in the discussion on Wilders I understood it doesn't protect always...I think shmu26 was also concerned about this...
 
  • Like
Reactions: Logethica, _CyberGhosT_ and DardiM
Solarquest said:
Thank you.
This is how I was expecting VS to work...in the discussion on Wilders I understood it doesn't protect always...I think shmu26 was also concerned about this...
Click to expand...

in the discussion on Wilders I understood it doesn't protect always
It doesn't always directly block them.

Vulnerable processes are blocked if they are child of web apps.

But you are always warned for all unknown / unsafe programs that try to run (or VoodooShield automatically reacts depending on the settings)

If you allow the program / malware to run, it won't block any vulnerable processes, because you "allowed the program". Or the vulnerable processes you definitely don't want to be run have to be blacklisted :)

For example, I always know when cmd is used.

A very interesting video

Video Review - VoodooShield Review
 
Last edited:
  • Like
Reactions: Logethica, _CyberGhosT_, harlan4096 and 1 other person
DardiM said:
If you allow the program / malware to run, it won't block any vulnerable processes, because you "allowed the program". Or the vulnerable processes you definitely don't want to be run have to be blacklisted :)

For example, I always know when cmd is used.
Click to expand...
so what happens if you blacklist your favorite vulnerable processes?
will you get a prompt, or will they be silently blocked?
 
  • Like
Reactions: Logethica
v. 3.36 beefed up the protection for powershell and script interpreters (with the exception of cmd.exe, which is still allowed even when VS is active).
 
Status
Not open for further replies.

You may also like...