New Update VoodooShield CyberLock 7.0

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Not using CL now but if I recall correctly around a minute, or slightly less, for 200-300 items.
I tested it recently and the first scan on a clean install was ~ 18s with hardly very few 3rd party software installed.

BTW: VS does not autostart with Smart App Control enabled on machine restart, one reason I don't use it.
 
F

ForgottenSeer 100397

As far as the allow by parent process feature goes, I just tested it and so far it is working as expected, but I will look into this more to be sure, especially since the new attack chain feature is integrated into the parent process feature. But please keep in mind, the allow by parent process feature is a feature that is designed to reduce unnecessary blocks. It is not a feature that is designed to block all child processes. In other words, if one of the other CyberLock features auto allows an item, disabling the allow by parent process feature will not automatically block the child process. You can look in the C:\ProgramData\CyberLock\DeveloperLog.log to see why an item was auto allowed, when you were not expecting that item to be auto allowed. CyberLock has many different "usability features" that automatically and safely allow items, to reduce unnecessary blocks as much as possible, and this includes the allow by parent process feature.

I hope this makes sense, if not, please let me know and I can think of another way to explain it. And if anyone is still having an issue with this feature, please let me know.
The "allow by parent process" works as intended, but disabling it does not have the desired effect. I turned off the settings that would automatically permit things such as digital sign matching, auto-scanning child processes, WhitelistCloud, and set CL in ON mode. Disabling the "allow by parent process" setting in CL does not trigger alerts for child processes. This setting seems to be ineffective or faulty.

CL is a security I really like. The stated issue may not be significant when you run CL alongside an antivirus. The setting's effectiveness is crucial for me, as I don't use any antivirus. Another reason to disable the "allow by parent process" setting is to avoid manual effort, which is adding a vulnerable app to the list.

I removed CL because of the issue mentioned and the WhitelistCloud problem discussed in the thread. I plan to install CL on my test system and give feedback.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
The "allow by parent process" works as intended, but disabling it does not have the desired effect. I turned off the settings that would automatically permit things such as digital sign matching, auto-scanning child processes, WhitelistCloud, and set CL in ON mode. Disabling the "allow by parent process" setting in CL does not trigger alerts for child processes. This setting seems to be ineffective or faulty.

CL is a security I really like. The stated issue may not be significant when you run CL alongside an antivirus. The setting's effectiveness is crucial for me, as I don't use any antivirus. Another reason to disable the "allow by parent process" setting is to avoid manual effort, which is adding a vulnerable app to the list.

I removed CL because of the issue mentioned and the WhitelistCloud problem discussed in the thread. I plan to install CL on my test system and give feedback.
Here is another way to explain "allow by parent process" feature. The "allow by parent process" does not actively block child processes... it only auto allows items when it is able to do so safely. If another CyberLock feature auto allows a child process, the "allow by parent process" will not block the item if the "allow by parent process" feature is disabled.

In other words, you said "Disabling the "allow by parent process" setting in CL does not trigger alerts for child processes.", which is correct... disabling this feature will not automatically block all child processes. If CyberLock blocked all child processes, there would be WAY too many blocks, and honestly the system probably would not boot.

CyberLock is deny-by-default. So we lock down the system, and then have the features and rules decide what to allow. And in a deny-by-default system, you can easily create rules and features that allow items, but it is difficult or impossible to create useful rules that block items. The main reason is that all items are blocked by default... and then the features and rules decide what to allow.

A feature to block child processes might work for allow-by-default products, but honestly, that would not make a lot of sense either because the system would not function properly and probably would not even boot.

What WhitelistCloud issue are you referring to?
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
I tested it recently and the first scan on a clean install was ~ 18s with hardly very few 3rd party software installed.

BTW: VS does not autostart with Smart App Control enabled on machine restart, one reason I don't use it.
18 seconds is more or less what I recall.
VS/CL not auto-starting w/SAC is above my "techie-license" :ROFLMAO: but seems like an issue @danb might be able to correct -- don't know... :unsure:
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
VS/CL not auto-starting w/SAC is above my "techie-license" :ROFLMAO: but seems like an issue @danb might be able to correct -- don't know... :unsure:
I've emailed him twice about it and his replies verged on indifference, "I'll have to look into it". Well, it's been a while now since the first one and ....
 
  • Wow
Reactions: simmerskool

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
I've emailed him twice about it and his replies verged on indifference, "I'll have to look into it". Well, it's been a while now since the first one and ....
most likely deep problem he needs to research. In that vein, I was working with Settings | Advanced tab (anti-exploit list) and discovered that ESET NOD32 HIPS was blocking an aspect of VS/CL at first without a HIPS alert, but then finally got HIPS alert. I think I created Rules to fix that, ie, it is now working as expected for me. v7.62 No doubt VS/CL is complex under the hood.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I've emailed him twice about it and his replies verged on indifference, "I'll have to look into it". Well, it's been a while now since the first one and ....
Hey OS, here is the email I sent you on September 16th, I don't believe you replied, so you must not have received my email, sorry about that.

Yeah, all of the dll’s should be signed. It is definitely a SAC issue… SAC even blocks MS files. It is a work in progress and will probably have little bugs like this for quite some time. In fact, I noticed that MS rarely talks about SAC anymore, so I am guessing they are going to abandon it sooner than later. They are figuring out what I figured out a long time ago… it is not that easy to properly lock down a computer without breaking a bunch of stuff. And it takes years to fix the issues.

Anyway, I pinged their team and have not heard back from them, and I doubt that I do.
 
  • Like
Reactions: oldschool and tipo

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Hey Guys,

Here is the latest version of CyberLock, we have integrated Windows Sandbox into CyberLock!

I am thinking we can replace both the current Local Sandbox and Cuckoo with Windows Sandbox, and there are some really cool things we can do with it in the future. This version should be working great, but we will refine it even more over time, but let me know how it goes.

For the users who are running Windows 10 or 11 Home, I think you can enable Windows Sandbox with the following link, but I have not tested this yet. I will test it soon and possibly integrate it into CyberLock so that it all happens automatically.

Edit: I played around with enabling Windows Sandbox on Home versions of Windows, and I was not able to get it to work, and I do not think it is going to work reliably moving forward. So we are not going to support the new Windows Sandbox feature for Windows Home versions. And honestly, I would not even try installing Windows Sandbox on Home editions of Windows… it takes forever to install and does not seem to work.

CyberLock 7.64
SHA-256: 1962f50e54a2b62bc2867c524c60f2c134a7410162cc40994e7a0c03a6818920
 
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
Hey Guys,

Here is the latest version of CyberLock, we have integrated Windows Sandbox into CyberLock!

I am thinking we can replace both the current Local Sandbox and Cuckoo with Windows Sandbox, and there are some really cool things we can do with it in the future. This version should be working great, but we will refine it even more over time, but let me know how it goes.

For the users who are running Windows 10 or 11 Home, I think you can enable Windows Sandbox with the following link, but I have not tested this yet. I will test it soon and possibly integrate it into CyberLock so that it all happens automatically.


CyberLock 7.64
SHA-256: 1962f50e54a2b62bc2867c524c60f2c134a7410162cc40994e7a0c03a6818920
running win10 in VMware: any issue with Windows Sandbox with VM? I very vaguely recall looking at WinSandbox earlier this year, and IIRC seemed either it was not running or running correctly, but I have to find my notes. Just wondering if I'll need to spend a lot of time on this... or is it so easy peasy... :D
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
update to last, installed 7.64, on win10pro_vm, then right clicked an exe to see what happens, CL screen said the exe was safe, and I clicked Sandbox, and got a popup advising to make sure everything was setup correctly for Sandbox, and Dan even has a link to a howto Sandbox webpage. Questions about Virtualization in BIOS, ok... I've looked at that before, but now forget how that interplays with VMware 16.2. Will update when I get Sandbox running or fail...
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
@danb when I go to task manager | performance | cpu -- "virtualization" is NOT list | again running VMware 16.2 win10pro_vm, see snip

1703049139664.png
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
installed 7.64 on hardware win10 also running DeepInstinct. So far so good... I tried the CL Windows Sandbox feature with a miscellaneous exe and CL said it was safe but I clicked Sandbox anyway, and WinSandbox opened ok wanting to run that exe. But still unclear how we'll use this for analysis. This was the first time I ran WinSandbox, so I'm sure there's stuff to learn...
 
F

ForgottenSeer 100397

installed 7.64 on hardware win10 also running DeepInstinct. So far so good... I tried the CL Windows Sandbox feature with a miscellaneous exe and CL said it was safe but I clicked Sandbox anyway, and WinSandbox opened ok wanting to run that exe. But still unclear how we'll use this for analysis. This was the first time I ran WinSandbox, so I'm sure there's stuff to learn...
I believe the Windows Sandbox feature is only for running apps in an isolated environment, but I haven't installed 7.64. I hope the default state does not have the option enabled. Personally, I disliked connecting CL to an OS feature.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
I believe the Windows Sandbox feature is only for running apps in an isolated environment, but I haven't installed 7.64. I hope the default state does not have the option enabled. Personally, I disliked connecting CL to an OS feature.
@blueblackwow65 & @rhythm ... I've never run Windows Sandbox before yesterday and independently from CL 7.64, so I just tried to open an exe from explorer right click with "run sandboxed" option (ie not using CL) and I get a win10 popup: you'll need a new app (unnamed) to open this .exe.file Look for an app in the MS store...?? that seems like a snafu -- I'll ask Dan...
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
@blueblackwow65 & @rhythm ... update. my Windows Sandbox does open from the win10 OS using the search feature, I can open WinSandbox as user or administrator... but right clicking an app from Explorer seems not to be working with Run Sandboxed; however, using CL 7.64 and getting an alert and selecting Sandbox the WinSandbox opens ok with the intended app. I have sent an email to Dan to see if this as expected (I have no experience with Windows Sandbox before yesterday)...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top