- Jul 3, 2015
- 8,153
Dan the dev will most probably answer you, but you are in luck, because somebody just asked your exact question on the official VS thread. Follow that thread, and I am sure you will see your answer:
VoodooShield ?
VoodooShield discussion
- Thread starter Evjl's Rain
- Start date
- Status
VoodooShield ?
- Aug 31, 2016
- 578
That was me! I was curious to know the answer as well. Unfortunately not good news as only version 2 is compatible and that version will expire soon.
he said VS can protect against eternalblue and other exploits but he was not so sure because he didn't simulate the exploit
by the way. it's good to hear
Last edited:
- Jun 14, 2011
- 1,858
Guys,
Is there any point in adding MS Office applications to Web Apps in VS?
I am running VS + HMP.A.
Is there any point in adding MS Office applications to Web Apps in VS?
I am running VS + HMP.A.
- Jul 3, 2015
- 8,153
On Friday, I removed Babylon translation software from automatic startup, and rebooted.
BSOD.
Rebooted again, and Windows could not finish loading.
Rebooted into safe mode, uninstalled VS, rebooted.
Windows loaded properly.
I reinstalled VS, put it in training mode, and rebooted, and then switched to alert mode, rebooted.
Windows loaded properly.
VS has some more work to do with whitelisting command lines. When VS can't read a command line, for whatever reason, this can bork the system.
In fact, the whole reason why I removed Babylon from automatic startup in the first place was to try and solve a VS command line problem. VS was intermittently prompting me for a certain Babylon dll that loads relatively early after system startup. Sometimes it precedes VS, and sometimes not.
BSOD.
Rebooted again, and Windows could not finish loading.
Rebooted into safe mode, uninstalled VS, rebooted.
Windows loaded properly.
I reinstalled VS, put it in training mode, and rebooted, and then switched to alert mode, rebooted.
Windows loaded properly.
VS has some more work to do with whitelisting command lines. When VS can't read a command line, for whatever reason, this can bork the system.
In fact, the whole reason why I removed Babylon from automatic startup in the first place was to try and solve a VS command line problem. VS was intermittently prompting me for a certain Babylon dll that loads relatively early after system startup. Sometimes it precedes VS, and sometimes not.
Last edited:
- Aug 2, 2015
- 4,286
If your running HMP.A then no, don't worry about adding them brother. If you remove HMP.A then you may want to add them.
PeAcE
- Feb 7, 2014
- 1,540
I think this is a very interesting post by Dan on Wilders Forum.
There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.
Instead of speculating, let's test and see!
At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.
If anyone would like to reproduce my test and post a video, please do!
- Call me White Cipher.
There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.
Instead of speculating, let's test and see!
At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.
If anyone would like to reproduce my test and post a video, please do!
- Call me White Cipher
.
- Jul 3, 2015
- 8,153
Beautiful.
So if I understood right, ERP and VS passed the test, but AG and SAP did not?
So if I understood right, ERP and VS passed the test, but AG and SAP did not?
- Jun 14, 2011
- 1,858
"AEs are worthless against this type of attack" - as a generalization, that is a patently false statement.
"AEs probably won't stop the exploit itself, but on the other hand they probably will block the execution of the payload" is more accurate.
A block that stops an attack counts as a block regardless of how early or how late the block occurs. The defining factor is that the attack is stopped at some point before it trashes a system. At the same time there is always some small indeterminate gray-zone. Quantifying that gray-zone is an exercise in futility - sort of like counting freckles.
Last edited by a moderator:
- Feb 24, 2017
- 1,661
I think this is a very interesting post by Dan on Wilders Forum.
There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.
Instead of speculating, let's test and see!
At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.
If anyone would like to reproduce my test and post a video, please do!
- Call me White Cipher
i guess VS isn't only for "novice/beginner" users after all.
- Jul 3, 2015
- 8,153
I agree with you 100%. It is deceptively simple, but pretty complex under the hood.
When they finally get the command line issues worked out, it will really be a killer app.
I think this is a very interesting post by Dan on Wilders Forum.
There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.
Instead of speculating, let's test and see!
At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.
If anyone would like to reproduce my test and post a video, please do!
- Call me White Cipher
Some AEs parse command lines for rundll32 and alert the user\auto-block dependent upon settings - like VS and NVT ERP. AppGuard remains a simple software restriction policy solution with memory protections; it does not parse command lines.
The code injection is noted. Thanks for the video.
- Jul 3, 2015
- 8,153
So AppGuard would block the malware action at a later stage?
- Apr 1, 2017
- 1,782
You mean something like WannaCry that used either the DoublePulsar or EternalBlue exploits ?
- Jul 3, 2015
- 8,153
- Jul 3, 2015
- 8,153
Comodo 10 has protection for rundll32, the embedded code detection should stop it, if it is enabled for rundll32. Can't remember if it is enabled by default, though.
VoodooShield said:Yeah, can you send me her settings? I tested with default settings and it was not an optimal result
also HMPA failed, according to him (if I don't misunderstand)
Yes. AppGuard will block execution.
- Status
Similar threads
