removed per rules
Last edited by a moderator:
Which threats are not prevented by Voodooshield ?
- Thread starter jetman
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
AppGuard and HitmanPro.Alert are the only two products I can think of that have dedicated memory protection. Any others you know of?
MemProtect - Products | Excubits
It is a driver. Windows_Security has been in contacts with developer but nothing yet about a unified interface.
It is a driver. Windows_Security has been in contacts with developer but nothing yet about a unified interface.
Appguard Solo only prevent a guarded process to read/write memory of another process and fully protect lsass.exe.
Appguard Enterprise can protect the memory of all processes.
Some AV suites have memory protection.
- Mar 29, 2018
- 7,711
I don't know much about it but maybe BlackFog? And as @Umbra said, some AV suites.
Yes, we know what Dan would say, and we know what Eddie Mora says.... so? I searched for Opc0de's video BTW! I couldn't find it here on the forum.
Once again we return to this issue: Whether home users will encounter these sneaky types of malware? I'm with @Andy Ful on this one!
- Dec 23, 2014
- 8,605
You will not see the true fileless threats in the home environment. You probably can see something like that:
(1) non-executable file with exploit --> (2) legal application exploited --> (3) legal Windows tool (EXE) used to download and run the payload from memory or from the Windows Registry.
(1) can be a weaponized document, media file, etc.
(2) is a legal application with vulnerability, like web browser, MS Office application, Adobe Acrobat Reader, media player, etc.
(3) can be PowerShell and some other Windows tools.
Anti-Exe application can break the infection chain at the point (3). The typical exploits can break the infection chain at the point (2).
The sophisticated threats, which do not use point (3), can be seen in the attacks on organizations - they are precious and very dangerous. After exposing them by AV vendors, they are pretty much useless in the attacks on the home users, because the vulnerability is already closed or the AV signature is created. They can be still used in attacks on organizations anyway, because some of them use unpatched systems and vulnerable software.
(1) non-executable file with exploit --> (2) legal application exploited --> (3) legal Windows tool (EXE) used to download and run the payload from memory or from the Windows Registry.
(1) can be a weaponized document, media file, etc.
(2) is a legal application with vulnerability, like web browser, MS Office application, Adobe Acrobat Reader, media player, etc.
(3) can be PowerShell and some other Windows tools.
Anti-Exe application can break the infection chain at the point (3). The typical exploits can break the infection chain at the point (2).
The sophisticated threats, which do not use point (3), can be seen in the attacks on organizations - they are precious and very dangerous. After exposing them by AV vendors, they are pretty much useless in the attacks on the home users, because the vulnerability is already closed or the AV signature is created. They can be still used in attacks on organizations anyway, because some of them use unpatched systems and vulnerable software.
Last edited:
- Mar 29, 2018
- 7,711
Do you remember where you saw the video?I don't know much about it but maybe BlackFog? And as @Umbra said, some AV suites.
Yes, we know what Dan would say, and we know what Eddie Mora says.... so? I searched for Opc0de's video BTW! I couldn't find it here on the forum.
Once again we return to this issue: Whether home users will encounter these sneaky types of malware? I'm with @Andy Ful on this one!
- Mar 29, 2018
- 7,711
I could not find such a video. I would like to see it if it exists, not that I doubt the possibility of a fileless exploit. I would like to see it for the fun of it!
- Jul 6, 2017
- 2,392
I do not know, what do you think but I think that in a virtualized environment like Sandboxie, or similar, it would be effective from an attack on memory. And to be used with VS or with any Anti-exe.
Last edited:
The real thing is so evaluate the scope of the software against the environment/behavior of the user.
No software does everything, so there is no reason to try defending or advertising the said software against something it is not designed to do.
No software does everything, so there is no reason to try defending or advertising the said software against something it is not designed to do.
Comodo HIPS also has a feature for monitoring the memory.
Interprocess Memory Access - Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording your keyboard strokes; modifying the behavior of the invaded application; stealing confidential data by sending confidential information from one process to another process etc. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take the identity of the invaded process, or 'impersonate' the application under attack. This makes life harder for traditional virus scanning software and intrusion-detection systems. Leave this box checked and HIPS alerts you when an application attempts to modify the memory space allocated to another application.
Interprocess Memory Access - Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording your keyboard strokes; modifying the behavior of the invaded application; stealing confidential data by sending confidential information from one process to another process etc. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take the identity of the invaded process, or 'impersonate' the application under attack. This makes life harder for traditional virus scanning software and intrusion-detection systems. Leave this box checked and HIPS alerts you when an application attempts to modify the memory space allocated to another application.
It doesn't matter, we don't pick a solution based on a malware prevalence.
I use an anti-malware, i hope it protects me against any kind of malware, old and new.
I don't care if the malware is destined to home users or enterprises.
If i fear exploits, I use true anti-exploits.
I don't expect an Anti-Malware to prevent exploits.
Its scope didn't changed, it still monitors only exe.
I'm looking for answers to the following questions before deciding whether I should recommend VoodooShield to a friend or not.
1. Does VoodooShield have any investors?
2. Are there any contracts between VoodooShield and any government agencies?
3. Do any third-party AV vendors license out VoodooShield technology?
4. How large is the VoodooShield team - are there any legally-employed staff or only freelance for hire, and is it mostly remote work or is there an official office building?
5. When was the last full source code audit and who performed it? If there was one, are there any public details which can be shared?
6. How is automated stress-testing performed before new releases to try and find previously undiscovered bugs? For example, are there any automation's to help test the robustness of various functionality when put under pressure?
I can't find much on the above questions, if anyone happens to know the answers and is willing to share, it'd definitely be handy.
1. Does VoodooShield have any investors?
2. Are there any contracts between VoodooShield and any government agencies?
3. Do any third-party AV vendors license out VoodooShield technology?
4. How large is the VoodooShield team - are there any legally-employed staff or only freelance for hire, and is it mostly remote work or is there an official office building?
5. When was the last full source code audit and who performed it? If there was one, are there any public details which can be shared?
6. How is automated stress-testing performed before new releases to try and find previously undiscovered bugs? For example, are there any automation's to help test the robustness of various functionality when put under pressure?
I can't find much on the above questions, if anyone happens to know the answers and is willing to share, it'd definitely be handy.
- Dec 23, 2014
- 8,605
It seems that VS checks scripts against a database in the cloud and Virus Total. If the script is not in the database unknown and it is not signed, then VS will block it unless the user will choose otherwise.
In the Auto Pilot mode, VS works as an anti-exe based on the cloud reputation service (VirusTotal + VoodooAi). If the reputation is good, then the executable is allowed. If not, then it will be blocked. Such setup will produce many false positives. The false positives for scripts are not important, because most users do not use scripts - they can always assume that the script is malicious, which will be usually true. Yet, too many false positives for the EXE files are dangerous in the long term, because the users tend to ignore VS alerts and seek the truth via on-demand scanners (not good for the fresh malware).
I know that the developer was thinking about the solution similar to RunBySmartScreen, but finally chose VT + VoodooAi only.
Anyway, VS is a good solution for the semi-locked systems, if the users consequently allow VS doing the default actions.
The users who think that they are smarter than VS, can have problems, unless they really know what they are doing.
Post edited - added "and Virus Total" in the first sentence. So, for scripts VS checks three factors (at least): known to the database, VirusTotal detections, and digital signature.
In the Auto Pilot mode, VS works as an anti-exe based on the cloud reputation service (VirusTotal + VoodooAi). If the reputation is good, then the executable is allowed. If not, then it will be blocked. Such setup will produce many false positives. The false positives for scripts are not important, because most users do not use scripts - they can always assume that the script is malicious, which will be usually true. Yet, too many false positives for the EXE files are dangerous in the long term, because the users tend to ignore VS alerts and seek the truth via on-demand scanners (not good for the fresh malware).
I know that the developer was thinking about the solution similar to RunBySmartScreen, but finally chose VT + VoodooAi only.
Anyway, VS is a good solution for the semi-locked systems, if the users consequently allow VS doing the default actions.
The users who think that they are smarter than VS, can have problems, unless they really know what they are doing.
Post edited - added "and Virus Total" in the first sentence. So, for scripts VS checks three factors (at least): known to the database, VirusTotal detections, and digital signature.
Last edited:
- Dec 23, 2014
- 8,605
That is a reasonable point of view, especially when VS is recommended to work in businesses and organizations. But, for many home users the sufficient criteria will be the digital signature and the good reputation. The developer put the information on his website, that VoodooShield was patented by US Patent No. 9,197,656.
I've created a thread to ask my questions now to prevent this thread from being hijacked further, and I apologise for derailing the thread. The questions I was interested in were not a good fit to be asked on this thread given the topic at hand, but a separate thread specifically focused on them is a lot more appropriate in my opinion.
- Oct 7, 2018
- 44
I keep hearing about using Auto-pilot for VS. Well both the default mode (even for VS free) and the developer's recommendation is to use VS in Smart Mode, which is more secure than Auto-pilot because it locks down the system. Yes it does not remove the dumb user problem (who clicks "allow"), but Smart mode in VS, plus a good AV that updates regularly will be a decent combo for ordinary home users like me who don't have unsafe surfing habits. I think Andy Ful summed it up well.
- Status
Similar threads
-
- Locked
- thread_type.competition
