New Update VoodooShield CyberLock 7.0

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Windows Defender develop a sandbox around it so it could not be exploited. It is possible.
It might be possible, but that would be a massive undertaking. I can see where an allow-by-default product would benefit from this, but there would not be as much of a benefit for a deny-by-default product, simply because the malicious code should never even run.

Out of curiosity, what other security software runs in a sandbox?
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
Hey Danb,

Does CyberLock check the validity of an exe's signature, just like going to a file's properties > signature to see if it gives the OK? The reason I ask is because I am using WDAC at the moment, and my hacker has crafted a malware that has an MS Signature inserted, but of course it is not valid. But WDAC did not detect it. So I need something that actually verifies that the signature is valid.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Hey Danb,

Does CyberLock check the validity of an exe's signature, just like going to a file's properties > signature to see if it gives the OK? The reason I ask is because I am using WDAC at the moment, and my hacker has crafted a malware that has an MS Signature inserted, but of course it is not valid. But WDAC did not detect it. So I need something that actually verifies that the signature is valid.
Yes, VoodooShield / CyberLock includes comprehensive and robust handling of digital signatures, and it will let you know if there is an issue with the signature. And if there is an issue with the signature, the user recommendation will be to block the file (please see the Block and Allow buttons).

It is actually quite a complex feature of VS/CL now. Here are a couple of examples, thank you!
 

Attachments

  • Bad.PNG (23.9 KB)
  • Good.PNG (22.7 KB)
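To show what "signed and verified" means in practice, here is an added example (not CyberLock's or VoodooShield's own code) that classifies an executable by its Authenticode signature the way a deny-by-default tool would: a signature block that is merely present is not enough, it must hash-match the file and chain to a trusted root. The Allow/Prompt/Block verdicts, the publisher allowlist and the folder path are assumptions for illustration.

```powershell
# Added example, not VoodooShield/CyberLock code. Returns Allow, Prompt or Block for a file.
function Get-SignatureVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Publisher subjects you have chosen to auto-allow (assumed list, edit for your estate).
        [string[]]$TrustedPublishers = @()
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status covers the checks behind Properties > Digital Signatures. A signature block
    # copied from another binary fails here as HashMismatch; an untrusted chain as NotTrusted.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'Block'
            Reason = "$($sig.Status): $($sig.StatusMessage)"; Signer = $null
        }
    }

    # Rebuild the chain with an online revocation check and the code-signing EKU,
    # so a revoked or leaked publisher certificate is not silently accepted.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigning = [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning) | Out-Null
    if (-not $chain.Build($sig.SignerCertificate)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return [pscustomobject]@{
            Path = $Path; Verdict = 'Block'
            Reason = "Chain: $why"; Signer = $sig.SignerCertificate.Subject
        }
    }

    # Valid and trusted, but from a publisher you have not allowlisted: prompt the user
    # rather than auto-allowing, which is the deny-by-default behaviour discussed above.
    $signer = $sig.SignerCertificate.Subject
    $verdict = if ($TrustedPublishers -contains $signer) { 'Allow' } else { 'Prompt' }
    return [pscustomobject]@{ Path = $Path; Verdict = $verdict; Reason = 'Valid signature'; Signer = $signer }
}

# Usage (assumed folder): check every executable and show everything that is not auto-allowed.
Get-ChildItem -Path 'C:\Temp\incoming' -Filter '*.exe' |
    ForEach-Object { Get-SignatureVerdict -Path $_.FullName } |
    Where-Object Verdict -ne 'Allow' |
    Format-Table -AutoSize
```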

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Hi Danb,

Does it perform the signature check even with Windows Update downloaded files? The hacker was able to insert his malware into Windows Update. Protocol mis-use I think.
I am not familiar with this, do you have a link that I can check out? It is hard to say for sure, but my best guess is that VS/CL would block the malware before it could be inserted into the Windows Updates.
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
The malware is not detected by Kaspersky. Could be modified malware/custom made. I was only able to detect this because of its RAT-like capabilities of interfering with what I do, like editing of WDAC rules.
What is VS/CL?
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
I did a test with the hacker. I installed a fresh Windows 11, installed VoodooShield and while I was registering Voodoo, Windows Update does its preliminary update downloading some drivers as it always does for a new Windows install upon going online. Voodoo popped up a dialog about a Realtek thing signed and verified. And so I OK'd that dialog. Immediately the malware RAT interfered with my keyboard, and I wasn't able to use some keys.

So, I had no choice but to reinstall Windows 11. Installed Voodoo and OSArmor. Went online to register Voodoo. And Windows Update was at it again as usual. Then the Realtek thing dialog by Voodoo popped up again. This time I Blocked it, even though Voodoo said it was Safe. Then I encountered no more trouble.

2 things I gathered out of this episode. Hackers have access to a Realtek cert and can sign apps using it.
The Windows Update protocol is broken. The attacker was inserting his ware into the downloads and making it run.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I did a test with the hacker. I installed a fresh Windows 11, installed VoodooShield and while I was registering Voodoo, Windows Update does its preliminary update downloading some drivers as it always does for a new Windows install upon going online. Voodoo popped up a dialog about a Realtek thing signed and verified. And so I OK'd that dialog. Immediately the malware RAT interfered with my keyboard, and I wasn't able to use some keys.

So, I had no choice but to reinstall Windows 11. Installed Voodoo and OSArmor. Went online to register Voodoo. And Windows Update was at it again as usual. Then the Realtek thing dialog by Voodoo popped up again. This time I Blocked it, even though Voodoo said it was Safe. Then I encountered no more trouble.

2 things I gathered out of this episode. Hackers have access to a Realtek cert and can sign apps using it.
The Windows Update protocol is broken. The attacker was inserting his ware into the downloads and making it run.
Hmmm, it is impossible to say what is happening here. Are you saying that after you reinstall Windows, the malware keeps coming back? If I can think of anything you can try I will let you know.
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
Hmmm, it is impossible to say what is happening here. Are you saying that after you reinstall Windows, the malware keeps coming back? If I can think of anything you can try I will let you know.
That hacker is my 'friend'. We've been adversaries for a while. It's a long story.
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
@danb. I can't find the user block in CL's logs. So I re-installed Windows and CL and OSArmor again, hoping that I would get the same thing as before. But the Realtek prompt didn't reappear this time.

Question: In what circumstance would CL prompt me about a Signed and Verified file?
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb. I can't find the user block in CL's logs. So I re-installed Windows and CL and OSArmor again, hoping that I would get the same thing as before. But the Realtek prompt didn't reappear this time.

Question: In what circumstance would CL prompt me about a Signed and Verified file?
The short answer is... When it is ON and the file is not on VS's tiny, customized whitelist. Although there are a few small caveats. For example, VS might be OFF, and the file might be signed and verified, but VS will still block it if there is an unsafe VoodooAi or WhitelistCloud verdict.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
Maybe I should not be changing the subject, but when I use LibreWolf CL does seem to be aware of it as it stays in the OFF position. Why?
Could be LibreWolf is not seen as a default web app by CL. Try going to CL settings Web app, have LW online and hit the button about show web connected apps, and it should / may add it.
 
