New Update VoodooShield CyberLock 7.0

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
What are the benefits of enabling WhitelistCloud if I have CyberLock in Autopilot?
The main benefit is that WLC will alert you when a file that is not known as Safe is detected. This can be useful in supply chain attacks for example. Thank you!
 
  • Like
Reactions: simmerskool

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
@danb

Hi, I recently had an encounter with some custom / obfuscated malware. I was doing a Windows Update, CyberLock detected it, it said it was almost safe (around 70%) but I blocked it. Apparently it must have re-tried downloading while I was looking at the CL dialog, because it was installed. (I remembered the package name and went looking for it in Data Store \ Repositories.) The thing was signed by a RealTek cert. So anyways I uploaded it to VirusTotal. It said no AV vendor detected it, but upon clicking on the Behavior tab, it revealed Log Key Strokes and Anti-VM. That is enough to prove to me that it was malicious. I had long known that my red team is capable of inserting stuff into Windows Update. Perhaps the capability is due to their presence in my LAN using a Bell modem exploit.

Anyways, I just want to notify you that the malware successfully downloaded and installed while I was pondering over one CL dialog. Perhaps some multi-threading is needed.
 
  • Wow
Reactions: simmerskool

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb

Hi, I recently had an encounter with some custom / obfuscated malware. I was doing a Windows Update, CyberLock detected it, it said it was almost safe (around 70%) but I blocked it. Apparently it must have re-tried downloading while I was looking at the CL dialog, because it was installed. (I remembered the package name and went looking for it in Data Store \ Repositories.) The thing was signed by a RealTek cert. So anyways I uploaded it to VirusTotal. It said no AV vendor detected it, but upon clicking on the Behavior tab, it revealed Log Key Strokes and Anti-VM. That is enough to prove to me that it was malicious. I had long known that my red team is capable of inserting stuff into Windows Update. Perhaps the capability is due to their presence in my LAN using a Bell modem exploit.

Anyways, I just want to notify you that the malware successfully downloaded and installed while I was pondering over one CL dialog. Perhaps some multi-threading is needed.
Actually, VS / CL is multithreaded and each block / prompt is handled independently, so there is no chance this is what happened.

Can you please send me your C:\ProgramData\CyberLock\DeveloperLog.log? It should tell us why that file was allowed.

I promise you... nothing "snuck past" VS / CL ;). Something else happened and the log might tell us.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
BTW, I just thought of a scenario that might have happened to you. If there was another item on the whitelist that matched the same Realtek certificate, then it could have auto executed, but only if the certificate was verified, and only if it matched a certificate from an item in the whitelist. If this is the case, and if the file is malware, then we need to remove Realtek from the list of certificates that can be auto allowed if already whitelisted. I do not think this is the case though... I bet something else happened.
 
  • Like
Reactions: simmerskool

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
@danb Sorry I can't provide the CL log file. The machine was re-imaged. But I have the CL rule I made. Rule file for danb
Stupid temp site provides only 1 download limit. See your inbox, I provided another link.
 
Last edited:
  • HaHa
Reactions: vtqhtr413

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb Sorry I can't provide the CL log file. The machine was re-imaged. But I have the CL rule I made. Rule file for danb
Thank you for the logs… I looked at each and every Realtek event and everything behaved exactly how it was designed to, and I do not believe there was an infection on your machine.
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
The RealTek Cert probably is a real but pilfered cert. I was relying on VirusTotal's behavior page. The anti-VM finding is most unusual.
 
  • Like
Reactions: [correlate]

Azazel

Is it possible to disable Action: Auto Allowed and have only Action: Rule Allowed from Autopilot?
For example, auto allow only binaries of the Windows system (C:\Windows) signed by Microsoft,
but have everything else be subject to Autopilot checks?
 
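As an added illustration (not CyberLock's code, and not from anyone in this thread), the following Python model reproduces the auto-allow rule danb describes above: an unknown file is "Auto Allowed" only if its signature verifies and the signing certificate matches one on an item already in the whitelist, otherwise it is prompted or, in Autopilot, blocked. It also models the two tightenings that come up in the thread: removing a publisher from the auto-allow list, and Azazel's request to restrict auto-allow to one publisher inside one directory. Pinning the certificate thumbprint rather than the publisher name is an extra option that goes beyond what the thread states. All file paths, hashes, publisher names and thumbprints are constructed sample values, and the outcome labels ("Rule Allowed", "Auto Allowed", "Prompt") are only borrowed from the thread's wording.

```python
"""Toy model of an application-whitelist 'Auto Allowed' decision.

Added example, not CyberLock's implementation. Rule modelled: a file not on
the whitelist is auto-allowed only when its signature verifies AND the
signing certificate matches a certificate on an already-whitelisted item.
"""
from dataclasses import dataclass
from typing import Optional

RULE_ALLOWED = "Rule Allowed"   # explicit whitelist hit (hash/rule)
AUTO_ALLOWED = "Auto Allowed"   # allowed by certificate match only
PROMPT = "Prompt"               # ask the user (blocked in Autopilot)


@dataclass(frozen=True)
class Signature:
    publisher: str      # subject name on the code-signing certificate
    thumbprint: str     # hash of the leaf certificate (constructed values)
    verified: bool      # chain builds to a trusted root and is not revoked


@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str
    signature: Optional[Signature]


@dataclass
class Policy:
    whitelist: list                          # FileEvents the user approved
    pin_thumbprint: bool = False             # match cert, not publisher name
    excluded_publishers: frozenset = frozenset()   # never auto-allow these
    path_scope: Optional[dict] = None        # publisher -> required path prefix


def decide(event: FileEvent, policy: Policy) -> str:
    # 1. An explicit hash rule always wins.
    if any(item.sha256 == event.sha256 for item in policy.whitelist):
        return RULE_ALLOWED
    sig = event.signature
    # 2. Unsigned, or a signature that does not verify: never auto-allow.
    if sig is None or not sig.verified:
        return PROMPT
    # 3. Publishers removed from the auto-allow list always prompt.
    if sig.publisher in policy.excluded_publishers:
        return PROMPT
    # 4. Optional scoping: auto-allow only inside the directory bound to the publisher.
    if policy.path_scope is not None:
        prefix = policy.path_scope.get(sig.publisher)
        if prefix is None or not event.path.lower().startswith(prefix.lower()):
            return PROMPT
    # 5. Certificate match against items already on the whitelist.
    for item in policy.whitelist:
        ref = item.signature
        if ref is None or not ref.verified:
            continue
        same = (ref.thumbprint == sig.thumbprint if policy.pin_thumbprint
                else ref.publisher == sig.publisher)
        if same:
            return AUTO_ALLOWED
    return PROMPT


# Constructed sample events (hypothetical paths, hashes and certificates).
DRIVER = FileEvent(r"C:\Windows\System32\drivers\examplehw.sys", "aa" * 32,
                   Signature("Example Hardware Co.", "TP-1", True))
SAME_CERT = FileEvent(r"C:\Users\u\Downloads\update.exe", "bb" * 32,
                      Signature("Example Hardware Co.", "TP-1", True))
OTHER_CERT = FileEvent(r"C:\Users\u\Downloads\tool.exe", "cc" * 32,
                       Signature("Example Hardware Co.", "TP-2", True))
UNVERIFIED = FileEvent(r"C:\Users\u\Downloads\tool2.exe", "dd" * 32,
                       Signature("Example Hardware Co.", "TP-1", False))


def scenarios() -> dict:
    """Run the same unknown files through four policy variants."""
    base = Policy(whitelist=[DRIVER])
    pinned = Policy(whitelist=[DRIVER], pin_thumbprint=True)
    excluded = Policy(whitelist=[DRIVER],
                      excluded_publishers=frozenset({"Example Hardware Co."}))
    scoped = Policy(whitelist=[DRIVER],
                    path_scope={"Example Hardware Co.": "C:\\Windows\\"})
    return {
        "known hash": decide(DRIVER, base),
        "publisher match": decide(OTHER_CERT, base),
        "publisher match, pinned": decide(OTHER_CERT, pinned),
        "same cert, pinned": decide(SAME_CERT, pinned),
        "excluded publisher": decide(SAME_CERT, excluded),
        "scoped, outside dir": decide(SAME_CERT, scoped),
        "unverified chain": decide(UNVERIFIED, base),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

The "publisher match" row is the case danb raises: once one file from a publisher is whitelisted, any other verified file carrying that publisher's certificate is auto-allowed, which is why a publisher can be taken out of the auto-allow list if that is not wanted. Pinning the thumbprint narrows the match to the exact certificate, and the path-scope variant is one way to express "only Microsoft-signed files under C:\Windows" without giving every signed file that treatment.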

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Would VS / CL notify me of any new or unknown files? I've tested it and found it helpful. I want to use it without an antivirus as a standalone program. (All I care about is being alerted to every unknown file.)
Yes, as @Freki123 suggested. You certainly can use it alone as long as you have some type of web protection for your browsers.
 

ForgottenSeer 100397

You may consider activating the "whitelistcloud" in CL. Its whole purpose is to make sure that only safe files are running. // At least to my understanding that's the point of it :D
Yes, as @Freki123 suggested. You certainly can use it alone as long as you have some type of web protection for your browsers.
I have enabled WC and prefer browser protection. Will CyberLock notify me of any unknown software or malware? Also, are there any known legitimate bypasses?
 

ForgottenSeer 100397

but not as to malware. It's not an AV scanner. VS will give the Voodoo AI score, check sigs, etc to make a determination as to safe/not safe.
Yes, I tested CL and looked at the user guide. Thank you!
 
Last edited by a moderator:
  • Like
Reactions: simmerskool
