New Update VoodooShield CyberLock 7.0

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb ,

How do I create a rule to block the Windows exe \windows\system32\drvinst.exe ? When I choose block by signature, it doesn't seem to work by the file name, but all files signed by MS ?
There is currently no way to do this within the Rules feature, you can only block the entire folder for now. We probably should add a way to block a specific path. Thank you!
 
F

ForgottenSeer 100397

I am not sure when we are going to update the gui, probably within a year or so.
The VS interface appears outdated and requires an update. It looks like it belongs to the XP era.
There is currently no way to do this within the Rules feature, you can only block the entire folder for now. We probably should add a way to block a specific path. Thank you!
Consider adding a section that lets you allow or block a file.
 
  • Like
Reactions: Dave Russo and danb

blueblackwow65

Level 23
Verified
Well-known
Dec 19, 2012
1,256
I am guessing that since you triggered the troubleshooter, CL blocked the event. If you were not at the computer, you would not be triggering the event, so I think we are good.

You can always check the User Log or Developer Log for unwanted blocks that occur when you are not at the computer, but we have not seen a block like this for quite some time, especially after adding the Antimalware Contextual Engine a couple of years ago. But if anyone does see an unwanted block, please let me know and we will fix it. Thank you!
Hi Dan Thanks for the reply.I was at the computer to start the windows update troubleshooter ,the troubleshooter ran and was doind its scanning and that is when I seen CL popup with the auto BITS registry allow or deny ,so i allowed it but what would Cl do in this case when it is obvious that the popup was unneeded.
 
F

ForgottenSeer 100397

@danb, remove the line in the middle from the "Allow False Positive" box.

2023-09-20_185104.png
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb, remove the line in the middle from the "Allow False Positive" box.

View attachment 278708
Yeah, I am not quite sure what to do about that yet. I tried removing the line, but it looked funny, and we do not want it to be a prominent as the Block and Quarantine buttons for Suspicious and Unsafe prompts. We will figure something out, thank you!
 
F

ForgottenSeer 100397

Yeah, I am not quite sure what to do about that yet. I tried removing the line, but it looked funny, and we do not want it to be a prominent as the Block and Quarantine buttons for Suspicious and Unsafe prompts. We will figure something out, thank you!
You can label Allow False Positive as "Caution" or something similar, just like how you label Block as "Recommended".
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Hey Guys!

Here is the latest version of CyberLock! There were some pretty serious changes under the hood, but it should be perfectly stable.

CyberLock has always been focused on preventing malware in the context of Web Apps (since that is where most malware originates), and keeping the user safe while engaging in risky activities. We are adding new security mechaanisms to further strengthen CyberLock’s efficacy, especially as it relates to attacks not associated with Web Apps (e.g. LOLBins, vulnerable processes, etc.). This will increase our efficacy, but should not produce too many unwanted blocks, simply because these types of attacks are not common. But if you experience any unwanted blocks, please let me know!

CyberLock 7.51
SHA-256: 1eb9ad548633bcfeb7e55d4e14c77cf6ce31e6a40b60900828376f59517fcffe

Have a great weekend, thank you guys!
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Hey Guys!

Here is CyberLock 7.52. There were a couple of minor bug fixes from the changes, and we also tweaked the way CyberLock starts up and shuts down. So if it starts up or shuts down funny, please let me know!

CyberLock 7.52
SHA-256: 1a206a565c2c4f75e26670ffcd7f68decd289fa85accce0d39575b1ee95e2029

Thank you guys!
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Hey Guys!

Here is CyberLock 7.52. There were a couple of minor bug fixes from the changes, and we also tweaked the way CyberLock starts up and shuts down. So if it starts up or shuts down funny, please let me know!

CyberLock 7.52
SHA-256: 1a206a565c2c4f75e26670ffcd7f68decd289fa85accce0d39575b1ee95e2029

Thank you guys!
Hi @danb With this new version I had 2 command line blocks that I did not have before:
"c:\windows\system32\sc.exe" start pushtoinstall registration
"c:\windows\system32\sc.exe" start inventorysvc
No issues with the way CyberLock starts up and shuts down.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Hi @danb With this new version I had 2 command line blocks that I did not have before:


No issues with the way CyberLock starts up and shuts down.
Very cool, thank you for letting me know! Yeah, the only block that I have had was from sc.exe as well. We might end up excluding sc.exe from this new protection because it is protected in other ways.

I am also working on a mechanism that will detect great grandparents, and great, great grandparents, all the way to 7 or so levels. This might fix the issue with sc.exe as well because it might be a block that is a .bat script in the appdata folder, but CyberLock does not know that your legit app was the one that actually spawned it. Anyway, this should also make software installs even smoother. This feature should be ready in a few days. Thank you!
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Cyberlock blocks repeatedly Lenovo Vantage processes, commands and scripts.
If you have been using CyberLock for a long time, it might help to reset your whitelist, especially if you have been through a lot of upgrades. You might see a few block the first day or two, but after that, CyberLock will run a lot better. Better yet, you can perform a clean install...

1) Exit out of CyberLock
2) Uninstall CyberLock and click Yes when asked if you want to delete the settings and logs
3) Restart the computer
4) Install the latest version of CyberLock and register the software

Moving forward this will not be that much of an issue because there are mainly small changes with each release. But long time CyberLock users who have been through tons of upgrades should perform a clean install.

Having said that, I am wrapping up a new feature called "Attack Chains" that will probably help with these blocks. I have believed for a very long time that one of the most important concepts in cybersecurity is the attack chain and parent processes, because this is what provides context to help determine if the process execution flow is malicious or not. For example, powershell can be used for good or bad, and it all depends on the attack chain. The hardwired rules in CyberLock have always done a pretty good job of tracking the attack chain and providing context, but the new Attack Chain feature tracks the entire attack chain, from the initial origin process, all the way to the final process, and there is no limit to the number of items in the attack chain.

As an example, one of the issues this new feature solves is when a script or binary is dropped into AppData from a legit whitelisted app, and the attack chain was lost, so CyberLock was not aware that it was the legit whitelisted app that actually spawned this new script or binary a couple of chains back. But with this new feature, CyberLock will know the entire attack chain from start to finish, and will be able to properly auto allow or block an item because it has the full context.

Here is an example of what one of the attack chains look like...

c:\windows\system32\svchost.exe >> c:\program files (x86)\microsoft visual studio\installer\resources\app\servicehub\services\microsoft.visualstudio.setup.service\vsixconfigurationupdater.exe >> c:\windows\system32\lsass.exe >> c:\windows\system32\efsui.exe >> 1632 >> 12780 >> 12876 >> 12876 >>

Another example of an issue that will be solved is when randomly named folders or files are used, CyberLock can still track the attack chain and auto allow the file because it is aware that the parent process id is a legit whitelisted app, in this case "c:\users\username\desktop\configuredefender.exe".

c:\windows\explorer.exe >> c:\users\username\desktop\configuredefender.exe >> c:\windows\temp\052009150559020213\2\configuredefender_x64.exe >> 9544 >> 2800 >> 6388 >>

Of course we have to be super careful to not let web or vulnerable apps auto allow something they shouldn't, but that is actually pretty simiple with the way CyberLock is coded.

This new feature is also pretty cool because it logs and describes in detail everything that is executing on your system, and I am sure there are tons of other things we can do with this new feature.

This new feature should be ready in a couple of days. Thank you guys!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top