VoodooShield discussion

Status
Not open for further replies.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
i have try it and dint work (or my win xp have an issue and need format or VoodooShield have stop support of win xp)
have somebody here have install latest version of VoodooShield on an XP ?

thank i have send the email, but i dont know if they answer.
Dan the dev will most probably answer you, but you are in luck, because somebody just asked your exact question on the official VS thread. Follow that thread, and I am sure you will see your answer:
VoodooShield ?
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
Dan the dev will most probably answer you, but you are in luck, because somebody just asked your exact question on the official VS thread. Follow that thread, and I am sure you will see your answer:
VoodooShield ?
That was me! I was curious to know the answer as well. Unfortunately not good news as only version 2 is compatible and that version will expire soon.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Does anyone know if the EternalBlue exploit (msft-cve-2017-0143) used in the WannaCry attack abuses vulnerable windows processes, and what all processes / services are involved? I have researched this some, but so far have come up with nothing. I am quite sure that VS has this covered, since it treats all Windows processes as vulnerable processes, but I was extremely interested if there is a new vulnerable file that the malware authors are abusing. Any info would be appreciated, thank you!

BTW, I am behind on replying to the posts, sorry about that, I will catch up asap, thank you guys!

he said VS can protect against eternalblue and other exploits but he was not so sure because he didn't simulate the exploit
by the way. it's good to hear ;)
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
On Friday, I removed Babylon translation software from automatic startup, and rebooted.
BSOD.
Rebooted again, and Windows could not finish loading.
Rebooted into safe mode, uninstalled VS, rebooted.
Windows loaded properly.

I reinstalled VS, put it in training mode, and rebooted, and then switched to alert mode, rebooted.
Windows loaded properly.

VS has some more work to do with whitelisting command lines. When VS can't read a command line, for whatever reason, this can bork the system.

In fact, the whole reason why I removed Babylon from automatic startup in the first place was to try and solve a VS command line problem. VS was intermittently prompting me for a certain Babylon dll that loads relatively early after system startup. Sometimes it precedes VS, and sometimes not.
 
Last edited:

Terry Ganzi

Level 26
Verified
Top Poster
Well-known
Feb 7, 2014
1,540
I think this is a very interesting post by Dan on Wilders Forum.

There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.

Instead of speculating, let's test and see!

At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.

If anyone would like to reproduce my test and post a video, please do!



- Call me White Cipher ;).
 

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,787
If your running HMP.A then no, don't worry about adding them brother. If you remove HMP.A then you may want to add them.
PeAcE
Thanks Ghostie.
Dan has already addressed my questions on WS so I know enough ;)

upload_2017-5-28_10-21-0.png


upload_2017-5-28_10-21-50.png
 
5

509322

...,because there are a lot of people talking about how AE's are worthless against this type of attack,...

"AEs are worthless against this type of attack" - as a generalization, that is a patently false statement.

"AEs probably won't stop the exploit itself, but on the other hand they probably will block the execution of the payload" is more accurate.

A block that stops an attack counts as a block regardless of how early or how late the block occurs. The defining factor is that the attack is stopped at some point before it trashes a system. At the same time there is always some small indeterminate gray-zone. Quantifying that gray-zone is an exercise in futility - sort of like counting freckles.
 
Last edited by a moderator:

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
I think this is a very interesting post by Dan on Wilders Forum.

There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.

Instead of speculating, let's test and see!

At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.

If anyone would like to reproduce my test and post a video, please do!



- Call me White Cipher ;).

i guess VS isn't only for "novice/beginner" users after all.
 
5

509322

I think this is a very interesting post by Dan on Wilders Forum.

There has been a lot of speculation how the various application whitelisting utilities handled EternalBlue and DoublePulsar as they wormed their way through networks.

Instead of speculating, let's test and see!

At first, I was just going to test VS, because there are a lot of people talking about how AE's are worthless against this type of attack, while conveniently forgetting that traditional security software allows for many more bypasses. But since I went through all of the work, I figured it would be a good idea to test the other AE's as well.

If anyone would like to reproduce my test and post a video, please do!



- Call me White Cipher ;).


Some AEs parse command lines for rundll32 and alert the user\auto-block dependent upon settings - like VS and NVT ERP. AppGuard remains a simple software restriction policy solution with memory protections; it does not parse command lines.

The code injection is noted. Thanks for the video.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Some AEs parse command lines for rundll32 and alert the user\auto-block dependent upon settings - like VS and NVT ERP. AppGuard remains a simple software restriction policy solution with memory protections; it does not parse command lines.

The code injection is noted. Thanks for the video.
So AppGuard would block the malware action at a later stage?
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
what about Comodo?
Comodo 10 has protection for rundll32, the embedded code detection should stop it, if it is enabled for rundll32. Can't remember if it is enabled by default, though.

VoodooShield said:
Yeah, can you send me her settings? I tested with default settings and it was not an optimal result ;). Maybe Comodo should use CS's settings for everyone.

also HMPA failed, according to him (if I don't misunderstand)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top