- Jan 27, 2018
- 1,266
VoodooShield CyberLock 7.0
- Thread starter danb
- Start date
- Feb 26, 2021
- 825
I swear I must be retarded. It seems like Cyberlock will allow me to run whatever application or script I want, and after that it asks me to whitelist it. I've tried this on things I know are bad and still Cyberlock lets me run it. I've tried using the "always on" and aggressive modes. It's like it asks for forgiveness rather than permission.
Edit - Maybe the new 7.72 will help?
Edit - Maybe the new 7.72 will help?
Last edited:
- Jan 27, 2018
- 1,266
- Feb 26, 2021
- 825
Well, I created a very basic script that aimed to just delete everything on c:\. It ran fine, then asked halfway through if I wanted to whitelist the script. I consider that bad.. The script deleted some stuff, that was not locked. But I quickly reimaged.
- Jan 27, 2018
- 1,266
Hmm, some security programs do have issues with scripts. Maybe Dan needs to comment on this.
@Digmor Crusher
When a user runs a script which does not has a MOTW, what should an AI engine do? The program executing the script is legitimate (probably Microsoft signed). The commands used in the script are all legitimate programs running from UAC protected folder. The parent program is File Explorer also a Microsoft signed legitimate program and the user has started the sequence of actions him/herself. What is suspicious about these sequence of events?
The only effective counter measure is blocking scripts originating from external source (but then you shift the Achilles heel to the MOTW). A better (more solid, but dumber) counter measure would be to block scripts running in user folders.
This is what old-SWH does, it blocks scripts in user folders and allows executable's to run. Old-SWH has as default setting to apply these rules for standard users. I have used old SWH trouble free for years. New WHHL also has a SWH part (blocking scripts using software restriction policies), but the new version applies these rules for all users. I am running WHHL problem free for I think for three months now.
I stopped counting, but the vast majority of Cruel Sister's home brewed samples would be blocked by old SWH.
When a user runs a script which does not has a MOTW, what should an AI engine do? The program executing the script is legitimate (probably Microsoft signed). The commands used in the script are all legitimate programs running from UAC protected folder. The parent program is File Explorer also a Microsoft signed legitimate program and the user has started the sequence of actions him/herself. What is suspicious about these sequence of events?
The only effective counter measure is blocking scripts originating from external source (but then you shift the Achilles heel to the MOTW). A better (more solid, but dumber) counter measure would be to block scripts running in user folders.
This is what old-SWH does, it blocks scripts in user folders and allows executable's to run. Old-SWH has as default setting to apply these rules for standard users. I have used old SWH trouble free for years. New WHHL also has a SWH part (blocking scripts using software restriction policies), but the new version applies these rules for all users. I am running WHHL problem free for I think for three months now.
I stopped counting, but the vast majority of Cruel Sister's home brewed samples would be blocked by old SWH.
Last edited:
- May 31, 2017
- 1,670
Since you are having this issue with both executables and scripts, my best guess is that you created a rule or custom folder that auto allows everything. It should tell you in the developer log why a file was allowed: C:\ProgramData\CyberLock\DeveloperLog.log
But if we are only considering scripts, you might be running the script from a text editor or IDE, in which case CyberLock is designed not to block these events, that way developers can use our software without it interfering with their workflow. That is, most novices and intermediate users do not use text editors or IDE's to write code.
CyberLock has always been very capable in blocking all common, and even many lesser known scripts. With the new File Type feature, it covers even more scripts, but honestly it will not make a huge difference because most users do not have the additional script hosts on their machines, so the script would never run in the first place. But I figured, why not add them anyway, just to be safe, especially since CyberLock has this capability now.
What are the file types of the scripts that are not being blocked? If the file type is not included in our new File Type feature, then I will probably add it. But I would be surprised if it is not already on the list. That is why I am thinking that you inadvertently wrote a rule that auto allows everything.
- May 31, 2017
- 1,670
- May 31, 2017
- 1,670
Actually, if you can parse the command line and also determine the primary parent process, there are some really cool things you can do, so that you do not have to block these file types globally, and you can allow what needs to be allowed, whether the script is in the user or system space.
I can go in to further detail at some point, but here is a quick overview.
When I run a .bat script from my desktop, here is the command line: c:\windows\system32\cxd.exe /c ""c:\users\user\desktop\test.bat" " (the cxd is actually cmd, but I could not post that.)
The way CyberLock has always worked in this scenario (well, for at least 10 years), is that it parses the command line and "c:\users\user\desktop\test.bat" becomes the executable path, and from that path is where it determines whether it should block it or not... for example, if it has already been allowed / is whitelisted, then the file will allowed, otherwise it will be blocked. This is overly simplified explanation, but you get the point. But ultimately, instead of simply blocking globally by file type, CyberLock figures out the path of the script / file, then either blocks or allows it after it is evaluated by many different checks.
The new File Type feature works pretty much the same way, and it also made it super easy to add or remove file types / extensions from the list.
- May 31, 2017
- 1,670
CyberLock utilizes hand written algorithms that have been refined over 13 years that are quite similar to a decision tree that a ML/Ai would produce, but no, there is no machine learning model involved, so it is not ML/Ai. This feature is also known as our Antimalware Contextual Engine.
- May 31, 2017
- 1,670
You must have been reading my mind or have connections I do not know about
.Anyway, prior to 7.72, there was a dedicated script list that contained all of the common and many not so common file types. But keep in mind, CyberLock utilizes other modules, such as its anti-exploit and command line modules that are capable of blocking all kinds of things. So there was not a list that was written in stone, and even with 2.72 there still is not a list written in stone.
Starting with 7.72, in addition to the dedicated script list, we also have a dedicated BlockedFileType list. The BlockedFileType list in 7.72 is a quick and dirty list that needs to be refined a little. I need to add and remove types, and maybe move a few from the BlockedFileType to the Script list. There is also a dedicated Executable binary list.
The entire goal is to block each individual attack vector / file type as optimally as possible, and ultimately we will be able to refine the user prompts so they are dead on and super useful to the end user. We actually get a lot of compliments on our user prompt, but I am certain we can do even better.
Here is an one example of what I mean by an optimal block for a specific file type…
Just for the fun of it, I included .rtf in the BlockedFileType list for 7.72. The .rtf file type is best suited to be blocked by our Anti-Exploit module, and that way CyberLock only has to block a specific file if it is being utilized in an exploit. I have been reading a lot about .rtf file malware, so if we wanted to be even safer, we could keep it on the BlockedFileType, and that way each .rtf file has to be manually allowed. Sure, it might be slightly safer to block it this way, but it might interrupt end-users workflow too much.
So essentially, we need to take hard look at each file type and decide which module in CyberLock would be optimal to perform the block. Cybersecurity is all about striking the right balance between robust security and convenience, and each attack vector / file type is a little different, and should be handled optimally.
- May 31, 2017
- 1,670
Not sure, I can look into this at some point, I am quite busy as the moment though, but thank you for the suggestion!
- May 31, 2017
- 1,670
A while back there was a conflict between Startup Boost and CyberLock, so we disabled Startup Boost when CyberLock was installed, and then enabled it when CyberLock was uninstalled. The conflict is probably resolved by now, so we can probably remove this at some point.
The question is should we? I mean, Edge has a super small marketshare, yet when it starts on startup, it creates 20 or so new processes and uses about a half a gig of RAM. That is some pretty heavy resource usage, especially considering the marketshare. I could understand if 40% or so of users actually used Edge, but when it is as low as it is, it seems like a massive waste or resources. Anyway, that is why we have left it that way for now.
- May 31, 2017
- 1,670
Yeah, but they do physical security, and the name fit incredibly well, so we went with it.
- Feb 26, 2021
- 825
Sorry, but no. I'm using default settings. I've even reset the whitelist. Still, I'm not getting notified about anything running. Everything is active, and notifications are turn on. I'm just not being prompted about anything prior to it running. If there a way you recommend I test this?
- May 31, 2017
- 1,670
Can you please email me this log (support at cyberlock.global): C:\ProgramData\CyberLock\DeveloperLog.log
What script file types are not being blocked?
If you have multiple monitors, is the prompt being displayed on a different monitor?
- Feb 26, 2021
- 825
I can't send those logs because I reimaged to before I did any damage. But I can tell you that the script files were .bat and .vbs. I do have multiple monitors but the notifications have always been on monitor 1, never 2 or 3. I just find it odd that I'm never asked about anything, not so much that the commands in the script were able to run but that the script itself was able to run. I can't see a new file having a verifiable whitecloud hash.
- May 31, 2017
- 1,670
If you have issues in the future, please send me your logs and we can figure it out.
Similar threads
