VoodooShield discussion

Status
Not open for further replies.
A weak connection maybe? I've had a similar experience. It doesn't care to connect again.
You see there's a slight delay between when VDS blocks a file (in background) to obtain a scan result AND it displays the popup to you. If once it couldn't make a connection, it apparently doesn't retry!
Probably I started Chrome when VS hadn't yet loaded properly, and it wasn't able to get the connection at that time.
 
What happens if a user tries to run a malicious file (flagged on VirusTotal) when VoodooShield is in install mode? Will it execute or be blocked? I was thinking of the case where a beginner thinks they are installing a program, but it is instead malware.
 
I think it would be allowed. From what I remember, its name is "Disable/Training Mode".
 
A guy just told me that VoodooShield doesn't block malicious files opened directly by a WinRar archive for the parent process feature. I don't believe this is true. Can you confirm it?
Just disable, auto allow for that and files in AppData location ;)
 
Ok, let's say we have an executable file (malicious) which has already been uploaded on VirusTotal but still has a detection of 0/57 because it's really new. VoodooShield would then rely only on Artificial Intelligence?
Case 2: we have a javascript file (Artificial intelligence not supported.) it has been uploaded on VirusTotal and has a detection of 0/57. It would be able to execute successfully and also the payload would, if parent process is enabled?
 
Are you asking about autopilot mode?
Because in the other modes, you might get a recommendation that it is clean, but the final decision will be yours.
 
VirusTotal is not all that VoodooShield looks to for results. Also, I was following some people who have thrown everything they can think of at VoodooShield in automatic mode, and it hasn't failed as yet.
 
Ok, let's say we have an executable file (malicious) which has already been uploaded on VirusTotal but still has a detection of 0/57 because it's really new. VoodooShield would then rely only on Artificial Intelligence?
Case 2: we have a javascript file (Artificial intelligence not supported.) it has been uploaded on VirusTotal and has a detection of 0/57. It would be able to execute successfully and also the payload would, if parent process is enabled?
With the exe file, yes, autopilot will let it execute, if both VS and AI judge it as clean.
With the JavaScript file, it depends. If you have a web app running, then exploit protection kicks in, and Windows Script Host will not run. If you have no web app running, and VS says it's clean, then it will run.
 
Let's say one downloads ransomware from his email (a zip file containing a js file). The js file has already been scanned and has a detection of 0/57 on VirusTotal, which drops an EXE payload (undetected, but already scanned this one also). After extraction, if we execute the sample, using VoodooShield free on autopilot mode, what would happen? The js file should be allowed, because it's not detected nor unknown on VirusTotal. And the EXE file? Blocked or allowed?
 

I think it will be blocked like in the picture.

1.png


Here is a script block:

8.png


Pictures taken from this test - Click
You can check other tests by VoodooShield in the Malware Hub:
Malware Vault (Samples)
 
Ok, this is an unknown script, which hasn't been uploaded on VirusTotal.com yet, so it's blocked. But let's say the script has already been scanned with VirusTotal.com and has a detection of 0/57. Then, it should be allowed to run in autopilot mode.
 
if, if, if,.....that is a lot of ififififif...
If girl have a....

That file should be found (somewhere) and tested, then we will know, everything else is fairytale.
It's simple, you create a new js file and scan it with VirusTotal first. 0/57 detection. Then, you run it under VoodooShield and see what happens. The problem is that it's hard to find such a new file available for download, if you don't code it by yourself.
 
Please note the version may not change from 3.52.
It is updated; it's something that Dan will address later, most likely, seeing it's not too serious.
VS_SS_4.png

I am still showing 3.52 after installing too ;)
If he has already addressed this please disregard.
 