New Update VoodooShield CyberLock 7.0

What are the benefits of enabling WhitelistCloud if I have Cyberlock in Autopilot?
The main benefit is that WLC will alert you when a file that is not known as Safe is detected. This can be useful in supply chain attacks for example. Thank you!
 
  • Like
Reactions: simmerskool
Great question ;). I am not sure... I think CL would look funny so it would probably be best to replace the VS with a lock or something.
Please don't do it. VoodooSoft is still your trademarked or copyrighted name behind CL, I suppose, so good reason to keep the VS shield. I'll never like CL.
 
@danb

Hi, I recently had an encounter with some custom / obfuscated malware. I was doing a Windows Update, CyberLock detected it, it said it was almost safe (around 70%) but I blocked it. Apparently it must have re-tried downloading while I was looking at the CL dialog, because it was installed. (I remembered the package name and went looking for it in Data Store\Repositories.) The thing was signed by a RealTek cert. So anyways I uploaded it to VirusTotal. It said no AV vendor detected it, but upon clicking on the Behavior tab, it revealed Log Key Strokes and Anti-VM. That is enough to prove to me that it was malicious. I had long known that my red team is capable of inserting stuff into Windows Update. Perhaps the capability is due to their presence in my LAN using a Bell modem exploit.

Anyways, I just want to notify you that the malware successfully downloaded and installed while I was pondering over one CL dialog. Perhaps some multi-threading is needed.
 
  • Wow
Reactions: simmerskool
Actually, VS / CL is multithreaded and each block / prompt is handled independently, so there is no chance this is what happened.

Can you please send me your C:\ProgramData\CyberLock\DeveloperLog.log? It should tell us why that file was allowed.

I promise you... nothing "snuck past" VS / CL ;). Something else happened and the log might tell us.
 
BTW, I just thought of a scenario that might have happened to you. If there was another item on the whitelist that matched the same Realtek certificate, then it could have auto executed, but only if the certificate was verified, and only if it matched a certificate from an item in the whitelist. If this is the case, and if the file is malware, then we need to remove Realtek from the list of certificates that can be auto allowed if already whitelisted. I do not think this is the case though... I bet something else happened.
 
  • Like
Reactions: simmerskool
@danb Sorry I can't provide the CL log file. The machine was re-imaged. But I have the CL rule I made. Rule file for danb
Stupid temp site provides only 1 download limit. See your inbox, I provided another link.
 
  • HaHa
Reactions: vtqhtr413
Thank you for the logs… I looked at each and every Realtek event and everything behaved exactly how it was designed to, and I do not believe there was an infection on your machine.
 
The RealTek Cert probably is a real but pilfered cert. I was relying on VirusTotal's behavior page. The anti-VM finding is most unusual.
 
  • Like
Reactions: [correlate]
Is it possible to disable Action: Auto Allowed and have only Action: Rule Allowed from Autopilot?
For example, auto allow only binaries of Windows System (C:\Windows) signed by Microsoft,
but have everything else be subject to Autopilot checks?
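The certificate-based auto-allow behaviour described earlier in the thread (a file runs without a prompt only if its signature verifies and the signer matches an item already on the whitelist), together with the scoping idea asked about in this post (auto allow Microsoft-signed binaries only under C:\Windows), can be modelled as a small decision engine. The following is an added example, not CyberLock or VoodooShield code; the `Policy`, `FileEvent` and `Action` names, the publisher strings, the hashes and the `signature_valid` flag are all constructed for illustration. It also adds a publisher revocation list, which is the mitigation the thread mentions for a stolen or abused certificate.

```python
"""Toy allow/prompt decision engine (added example, not the product's own code)."""
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath
from typing import Dict, Optional, Set


class Action(Enum):
    RULE_ALLOWED = "Rule Allowed"   # file hash is on the whitelist
    AUTO_ALLOWED = "Auto Allowed"   # verified signer matches a whitelisted item's signer
    PROMPT = "Prompt"               # fall through to user prompt / cloud check


@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str
    signer: Optional[str]      # subject of the Authenticode cert, None if unsigned
    signature_valid: bool      # assumed to come from a real chain/revocation check


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is below prefix' test for Windows paths."""
    p = str(PureWindowsPath(path)).lower()
    q = str(PureWindowsPath(prefix)).lower().rstrip("\\")
    return p.startswith(q + "\\")


@dataclass
class Policy:
    # sha256 -> signer recorded when the item was whitelisted (None if unsigned)
    whitelist: Dict[str, Optional[str]]
    # publishers that must never be auto-allowed even if whitelisted items carry them
    revoked_publishers: Set[str] = field(default_factory=set)
    # optional: publisher -> path prefix it may be auto-allowed from; None = no scoping
    auto_allow_scopes: Optional[Dict[str, str]] = None

    def trusted_publishers(self) -> Set[str]:
        return {s for s in self.whitelist.values() if s}

    def decide(self, ev: FileEvent) -> Action:
        if ev.sha256 in self.whitelist:
            return Action.RULE_ALLOWED            # exact item already approved
        if not ev.signature_valid or not ev.signer:
            return Action.PROMPT                  # unsigned or broken chain: never auto-allow
        if ev.signer in self.revoked_publishers:
            return Action.PROMPT                  # publisher pulled from the auto-allow list
        if ev.signer not in self.trusted_publishers():
            return Action.PROMPT                  # publisher never seen on the whitelist
        if self.auto_allow_scopes is not None:
            prefix = self.auto_allow_scopes.get(ev.signer)
            if prefix is None or not _under(ev.path, prefix):
                return Action.PROMPT              # publisher trusted, but not from this location
        return Action.AUTO_ALLOWED


def demo() -> Dict[str, Action]:
    """Walk through the thread's scenario with constructed sample data."""
    realtek, microsoft = "Realtek Semiconductor Corp.", "Microsoft Windows"  # constructed names
    policy = Policy(whitelist={"aa" * 32: realtek, "bb" * 32: microsoft})
    new_file = FileEvent(r"C:\Users\me\Downloads\pkg.exe", "cc" * 32, realtek, True)
    out: Dict[str, Action] = {}
    # a new, never-seen file signed by an already-whitelisted publisher runs without a prompt
    out["same_publisher"] = policy.decide(new_file)
    # the same file with a signature that fails verification is prompted for
    out["unverified_sig"] = policy.decide(FileEvent(new_file.path, new_file.sha256, realtek, False))
    # after the publisher is revoked (suspected stolen cert), the file is prompted for again
    policy.revoked_publishers.add(realtek)
    out["revoked_publisher"] = policy.decide(new_file)
    # scoped variant: Microsoft-signed binaries are auto-allowed only under C:\Windows
    scoped = Policy(whitelist={"bb" * 32: microsoft}, auto_allow_scopes={microsoft: r"C:\Windows"})
    out["ms_in_windows"] = scoped.decide(FileEvent(r"C:\Windows\System32\new.dll", "dd" * 32, microsoft, True))
    out["ms_outside"] = scoped.decide(FileEvent(r"C:\Users\me\new.exe", "dd" * 32, microsoft, True))
    return out


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:18s} -> {action.value}")
```

The ordering of the checks is the point: a whitelisted hash short-circuits everything, but a publisher match is only consulted after the signature has verified and the publisher has not been revoked, and a scope rule turns "trusted publisher" into "trusted publisher from an expected location", which narrows the blast radius if a legitimate certificate is ever misused.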
 
Would VS / CL notify me of any new or unknown files? I've tested it and found it helpful. I want to use it without an antivirus as a standalone program. (All I care about is being alerted to every unknown file.)
Yes, as @Freki123 suggested. You certainly can use it alone as long as you have some type of web protection for your browsers.
 
You may consider activating the "whitelistcloud" in CL. Its whole purpose is to make sure that only safe files are running. // At least to my understanding that's the point of it :D
I have enabled WC and prefer browser protection. Will CyberLock notify me of any unknown software or malware? Also, are there any known legitimate bypasses?
 
Will CyberLock notify me of any unknown software or malware?
Yes, as to unknown if you have WLC notifications enabled, but not as to malware. It's not an AV scanner. VS will give the Voodoo AI score, check sigs, etc. to make a determination as to safe/not safe.