What are the benefits of enabling WhitelistCloud if I have Cyberlock in Autopilot?
VoodooShield CyberLock 7.0
- Thread starter danb
- Start date
@danb When will you replace VS with CL on the GUI? I’m just curious.
- May 31, 2017
- 1,719
The main benefit is that WLC will alert you when a file that is not known as Safe is detected. This can be useful in supply chain attacks for example. Thank you!
- May 31, 2017
- 1,719
Great question
. I am not sure... I think CL would look funny so it would probably be best to replace the VS with a lock or something.
- Mar 29, 2018
- 7,613
Please don't do it. VoodooSoft is still your trademarked or copyrighted name behind CL, I suppose, so good reason to keep the VS shield. I'll never like CL.Great question
- Oct 3, 2022
- 589
@danb
Hi I recently had an encounter with some custom / obfuscated malware. I was doing a Windows Update, Cyber Locked detected it, it said it was almost safe (around 70%) but I blocked it. Apparently it must have re-tried downloading while I was looking at the CL dialog, because it was installed. ( I remembered the package name and went looking for it in Data Store \ Repositories ) The thing was signed by a RealTek cert. So anyways I uploaded it to VirusTotal. It said no AV vendor detected it, but upon clicking on the Behavior tab, it revealed Log Key Strokes and Anti-VM . That is enough to prove to me that it was malicious. I had long known that my red team is capable of inserting stuff into Windows Update. Perhaps the capability is due to their presence in my LAN using a Bell modem exploit.
Anyways, I just want to notify you that the malware successfully downloaded and installed while I was pondering over one CL dialog. Perhaps some multi-threading is needed.
Hi I recently had an encounter with some custom / obfuscated malware. I was doing a Windows Update, Cyber Locked detected it, it said it was almost safe (around 70%) but I blocked it. Apparently it must have re-tried downloading while I was looking at the CL dialog, because it was installed. ( I remembered the package name and went looking for it in Data Store \ Repositories ) The thing was signed by a RealTek cert. So anyways I uploaded it to VirusTotal. It said no AV vendor detected it, but upon clicking on the Behavior tab, it revealed Log Key Strokes and Anti-VM . That is enough to prove to me that it was malicious. I had long known that my red team is capable of inserting stuff into Windows Update. Perhaps the capability is due to their presence in my LAN using a Bell modem exploit.
Anyways, I just want to notify you that the malware successfully downloaded and installed while I was pondering over one CL dialog. Perhaps some multi-threading is needed.
- May 31, 2017
- 1,719
Actually, VS / CL is multithreaded and each block / prompt is handled independently, so there is no chance this is what happened.
Can you please send me your C:\ProgramData\CyberLock\DeveloperLog.log? It should tell us why that file was allowed.
I promise you... nothing "snuck past" VS / CL
. Something else happened and the log might tell us.
- May 31, 2017
- 1,719
BTW, I just thought of a scenario that might have happened to you. If there was another item on the whitelist that matched the same Realtek certificate, then it could have auto executed, but only if the certificate was verified, and only if it matched a certificate from an item in the whitelist. If this is the case, and if the file is malware, then we need to remove Realtek from the list of certificates that can be auto allowed if already whitelisted. I do not think this is the case though... I bet something else happened.
- Oct 3, 2022
- 589
@danb Sorry I can't provide the CL log file. The machine was re-imaged. But I have the CL rule I made . Rule file for danb
Stupid temp site provides only 1 download limit. See your inbox, I provided another link.
Stupid temp site provides only 1 download limit. See your inbox, I provided another link.
Last edited:
- May 31, 2017
- 1,719
Thank you for the logs… I looked at each and every Realtek event and everything behaved exactly how it was designed to, and I do not believe there was an infection on your machine.
- Oct 3, 2022
- 589
The RealTek Cert probably is a real but pilfered cert. I was relying on VirusTotal's behavior page. The anti-VM finding is most unusual.
Is it possible to disable Action: Auto Allowed and have only Action: Rule Allowed from Autopilot.
For example, Auto allow only binaries of Windows System (C;//Windows) signed by Microsoft,
But everything else be subject of Autopilot checks?
For example, Auto allow only binaries of Windows System (C;//Windows) signed by Microsoft,
But everything else be subject of Autopilot checks?
Would VS / CL notify me of any new or unknown files? I've tested it and found it helpful. I want to use it without an antivirus as a standalone program. (All I care about is being alerted to every unknown file.)I promise you... nothing "snuck past" VS / CL
Last edited by a moderator:
You may consider activating the "whitelistcloud" in CL. It's whole purpose is to make sure that only safe files are running. // Atleast to my understanding that's the point of it
- Mar 29, 2018
- 7,613
Yes, as @Freki123 suggested. You certainly can use it alone as long as you have some type of web protection for you browsers.
You may consider activating the "whitelistcloud" in CL. It's whole purpose is to make sure that only safe files are running. // Atleast to my understanding that's the point of it
I have enabled WC and prefer browser protection. Will CyberLock notify me of any unknown software or malware? Also, are there any known legitimate bypasses?
- Mar 29, 2018
- 7,613
Yes, as to unkown if you have WLC notifications enabled, but not as to malware. It's not an AV scanner. VS will give the Voodoo AI score, check sigs, etc to make a determination as to safe/not safe.
Yes, I tested CL and looked at the user guide. Thank you!
Last edited by a moderator:
is there a website with the historic changelog of voodooshield?
- Mar 29, 2018
- 7,613
Similar threads
