VoodooShield discussion

[mekelek]

I'd be really interested how VoodooShield/Comodo Firewall/etc. would work when used by a bunch of novice users. The coming of Windows 10 S and Chromebooks would already tell what happens when all app installations are blocked.

put VS on Autopilot, and it will do it's job just fine.
not sure about Comodo tho.

 

[Handsome Recluse]

put VS on Autopilot, and it will do it's job just fine.
not sure about Comodo tho.

Yeah. But I meant empirical evidence because right now, only nerds are aware of it. And most vendors don't want to be too aggressive and choose the more conservative route. Smartscreen only works for downloaded files, Avast doesn't have Hardened Mode by default, Comodo Firewall's not Proactive without HIPS by default, Malwarebytes only implemented non-intrusive anti-exploit and anti-ransomware.

 

[TheMalwareMaster]

The usual problem about beginners is that they don't tweak security software, because they don't know how and think that default settings are ok. On the other side, vendors doesn't provide maximum settings by default. I believe that, if Avast had hardened mode and PUPs enabled by default, we would have much less infections. VodooShield free is the only product I know which provides an excellent protection at default settings (you can't even tweak it)

 

[Handsome Recluse]

On the other side, vendors doesn't provide maximum settings by default. I believe that, if Avast had hardened mode and PUPs enabled by default, we would have much less infections.)

I wonder why they're not using maximum settings though. I don't know probably because I'm not them. But it could be their incompetence or the fear of the consequences of such a drastic change when no other mainstream does it.

 

[XhenEd]

I wonder why they're not using maximum settings though. I don't know probably because I'm not them. But it could be their incompetence or the fear of the consequences of such a drastic change when no other mainstream does it.

I think it's slightly the latter. Enabling Hardened mode by default may cause users to be annoyed by the blocking of safe software, and thus may unnecessarily increase support inquiries. And also, enabling PUP detection by default may make Avast face suits from companies developing those so-called PUPs.

 

[danb]

@danb I was wondering if it could be an option to add a forced cloud upload function to VS (under the restore settings in about section for example)?
Somehow I've removed my computer from my online account and I wasn't able to upload my whitelist to the cloud until I confirmed my registration again.

Yeah, actually Alex surprised me and added that on the web end... it is pretty cool. Like if you reinstall your OS, you do not even have to register VS when you install it again, or rebuild your whitelist (I am assuming)... it will just download automatically.

He did a lot of really cool things in the web management console... I hope to have it all wrapped up for testing within a week.

BTW, the old whitelist cloud backup is probably not working too well, if at all. Thank you!

 

[danb]

yeah, that's a common problem of VS. Sometimes, after a big update, it becomes incompatible with the previous data files and creates random bugs. we may try to backup the settings to VS cloud if we have the pro version, there is an option. If it doesn't work we have to reset the programdata folder

I was under the impression that this was taken care of... but if not, please send me your DeveloperLogs if this happens again I can take look. Thank you!

 

[TheMalwareMaster]

I wonder why they're not using maximum settings though. I don't know probably because I'm not them. But it could be their incompetence or the fear of the consequences of such a drastic change when no other mainstream does it.

As said by @XhenEd developers usually believe that users would uninstall their software if it's blocking a legitimate program they want to install. They tend to reduce false positives instead of maximising security. And yeah, there are always those lawsuits

 

[TheMalwareMaster]

Beginners need to learn first, but if some of them are stubborn (they don't want to learn), or really can't understand, you can put VoodooShield on their PC, and it's like replacing their mind with a program (it's really cruel to say, but it's true). I thought VS can also be used as a sort of "tool of knowledge" for beginners, while learning about malware. Let's say I've just trained a beginner to recognise malware on his own (always check the file on VirusTotal, use Hybrid Analysis if still you are not sure, check if it has a digital signature, don't execute javascript files). If he is right, he will be able to recognise the malware and delete it before execution. If he's wrong, well, he will execute the file and VoodooShield will probably block it, and the user will understand his mistake

 

[TheMalwareMaster]

Hey VoodooShield users!
1: How would VS handle fileless malware? Let's take, for example, the one that was targetting restaurants some time ago. In this case, the document opening is blocked because of the high detection ration on VirusTotal. If I remember well, VS blocks the opening of documents only if they had a detection on VirusTotal. What if it was unknown to VirusTotal? https://malwaretips.com/threads/filess-malware.72648/#post-642303


2: How would VoodooShield handle the new version of Petya (non-petya), which is a dll file? If I'm not wrong, VS doesn't monitor dll files

 

[enaph]

Hey VoodooShield users!
1: How would VS handle fileless malware? Let's take, for example, the one that was targetting restaurants some time ago. In this case, the document opening is blocked because of the high detection ration on VirusTotal. If I remember well, VS blocks the opening of documents only if they had a detection on VirusTotal. What if it was unknown to VirusTotal? https://malwaretips.com/threads/filess-malware.72648/#post-642303
View attachment 158380

2: How would VoodooShield handle the new version of Petya (non-petya), which is a dll file? If I'm not wrong, VS doesn't monitor dll files

If I am correct both types of infections need some kind of dropper (malicious payload, script etc.) and it should be detected and blocked by VS.
@danb correct me please if I am wrong.

 

[Parsh]

Hey VoodooShield users!
1: How would VS handle fileless malware? Let's take, for example, the one that was targetting restaurants some time ago. In this case, the document opening is blocked because of the high detection ration on VirusTotal. If I remember well, VS blocks the opening of documents only if they had a detection on VirusTotal. What if it was unknown to VirusTotal? https://malwaretips.com/threads/filess-malware.72648/#post-642303
View attachment 158380

When we talk about that .rtf document, on "enabling content" therein, it would ask to launch an ".lnk" file. These link files point to some executable and the executable loaded by the file during the exploit should then be blocked by VDS (since the type is covered by VDS).

2: How would VoodooShield handle the new version of Petya (non-petya), which is a dll file? If I'm not wrong, VS doesn't monitor dll files

The recent GoldenEye/NotPetya's payload was that ".dll" file delivered via the infamous ways. These dll files require to be executed by some process right?
The NotPetya dll was executed via rundll32.exe by passing necessary parameters (the perfc.dat flag file that some quick fix guides are talking about).

When I tried executing rundll32.exe on my system, VS blocks and alerts about it. And I think it will also state about the parameters passed in case of NotPetya. That alert looks suspicious? Block it.

 

[ElectricSheep]

If I am correct both types of infections need some kind of dropper (malicious payload, script etc.) and they should be detected and blocked by VS.

It's .exe's that it grabs, so it's all over them like a fat kid is with a burger!
VS stopped some kind of command line script on my machine yesterday - I have no idea what exactly the script was and don't care cause it doesn't affect me and VS stopped it

 

[TheMalwareMaster]

When we talk about that .rtf document, on "enabling content" therein, it would ask to launch an ".lnk" file. These link files point to some executable and the executable loaded by the file during the exploit should then be blocked by VDS (since the type is covered by VDS).
View attachment 158381

The recent GoldenEye/NotPetya's payload was that ".dll" file delivered via the infamous ways. These dll files require to be executed by some process right?
The NotPetya dll was executed via rundll32.exe by passing necessary parameters (the perfc.dat flag file that some quick fix guides are talking about).
View attachment 158382
When I tried executing rundll32.exe on my system, VS blocks and alerts about it. And I think it will also state about the parameters passed in case of NotPetya. That alert looks suspicious? Block it.

Thank you. I didn't know that .lnk files were monitored

 

[AtlBo]

How would VS handle fileless malware?

Just a theory, but it seems that VS alerts to some activity without the real option for whitelisting. In other words, you can select to whitelist, but the whitelist entry won't be enough to stop VS from alerting again. This appears to be based on memory operations involving some whitelisted application (Task Scheduler an example) and then a dropper. VS will issue an alert block based on the temporary existence of the dropper. User creates whitelist for the memory->script transaction, i.e. Task Scheduler runs a script->user whitelists, but next time it happens VS blocks again anyway.

I have a script that does this. It references another script and uses that script's contents to perform a generic search for a text string in an .ini file. Then it again uses the borrowed script to edit the .ini with a new string which is in the initialization script. However, the edit process requires creating a new text file (to replace the .ini) with all the contents of the old .ini but with the text string change and then save the new file by the name of the original. In the midst a dropper is dropped in the folder (a .tmp file) that will become the new file. This all happens in a single folder (scripts are there and the dropper drops there) but even unchecking the folder in VS "Custom Folders" won't stop the alert each time the script runs. It's been a problem for me running VS on some systems here, although I admit this is 1:1,000,000,000 systems that would ever have this issue.

Anyway, basically there isn't any way around the alert even with whitelisting, so maybe this is how VS handles this issue...hardcoding the alert when there is a dropper or script to script involved to guarantee the user to have the opportunity to block or the auto-block for those choosing that option. After all, even fileless must use command line at some point and usually it will require a dropper of some kind too or at least so far that I have seen, and I can't imagine how it could be possible to get around this.

EDIT: One thing about this. NVT ERP accepts the command-line whitelist exclusion for the above transaction with no problem, so this I suppose could be done another way. I don't sense any holes in ERP over this.

 

[Parsh]

Thank you. I didn't know that .lnk files were monitored

I don't think .lnk files are monitored, there's no need. But those .lnk files point to executables. So the executable being pointed will be detected (and blocked if it's not whitelisted) on execution.

 

[_CyberGhosT_]

@danb I was wondering if it could be an option to add a forced cloud upload function to VS (under the restore settings in about section for example)?
Somehow I've removed my computer from my online account and I wasn't able to upload my whitelist to the cloud until I confirmed my registration again.

He said to disable this feature for now, he is rebuilding it.
DO NOT upload your whitelist to the cloud, no syncing, it disappeared because he is improving the service.
I even put it here: Sig-Free And Where To Start in the Screen Shot, and I believe Dan posted it in this thread above.

 

[TheMalwareMaster]

I don't think .lnk files are monitored, there's no need. But those .lnk files point to executables. So the executable being pointed will be detected (and blocked if it's not whitelisted) on execution.

They will be blocked even in VodooShield free?

 

[Parsh]

They will be blocked even in VodooShield free?

Yes they should be. It would be a usual blocking of non-whitelisted executables. It is not a case of a parent process using the concerned exe file, it is a link/shortcut file calling the executable. Hence, the executable will be screened.

 

[blueblackwow65]

hi anyone latest version of voodoo? Ths