Advice Request Which threats are not prevented by Voodooshield ?

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
jetman

jetman

Level 10
Thread author
Verified
Well-known
Forum Veteran
Jun 6, 2017
482
2
1,794
868
Ire
There is a lot of praise on this form for Voodooshield. But surely it can't stop all threats !

If I only had Windows Defender and Voodooshield installed, what types of malware would my Windows PC still be vulnerable to ?

I suppose this is another way of asking what else is needed alongside Voodooshield to ensure a solid level of protection.
 
  • Like
Reactions: dinosaur07, RoboMan, oldschool and 6 others
Well asked! Of course no one security app will catch--or prevent--everything. One day VS will be bypassed. So it makes sense to spread the load.

My personal arrangement is VS and WF. I use Windows Firewall Control to easily access WF, and run a monthly on-demand scan with MBAM and EEK.

I use WF to ensure anything that VS misses will be unable to phone home. I could still suffer some damage, but compared to what could be called in by a sucessful phone message... And the cleanup will be easier.
 
  • Like
Reactions: jetman, oldschool, bribon77 and 3 others
Well it doesn't have any memory protection, so I'd imagine an in-memory fileless attack that doesn't use an interpreter might bypass it. Injecting into an active process and all that jazz.
Don't quote me on this though as I'm no expert and I've never seen something like this thrown at VoodooShield. Maybe VS has some hidden protection tricks I'm not aware of and I don't know how this type of attack would be executed in the first place.
 
Last edited:
  • Like
Reactions: Behold Eck, RoboMan, oldschool and 2 others
crezz said:
There is a lot of praise on this form for Voodooshield. But surely it can't stop all threats !

If I only had Windows Defender and Voodooshield installed, what types of malware would my Windows PC still be vulnerable to ?

I suppose this is another way of asking what else is needed alongside Voodooshield to ensure a solid level of protection.
Click to expand...

Voodoosheild is essentially an anti-exe. It's a very capable product, but doesn't mean it cannot be bypassed. One thing to remember is that VS may give you a pop up after which you will have to make a decision to allow it or not, so there will be instances that require user input on the matter. It will also depend what mode you put VS in. Auto-pilot can make the decisions for you, but it will probably more prone to missing things. Always-On mode is more secure by comparison, but you will have more pop ups to deal with.

WD has come along ways in-terms of protection, its a very capable product now. If you haven't already I would suggest you look into @Andy Ful's Configure defender to easily configure WD to make it stronger than what it is at default.

If you use both together, I think you will be fine. Combine the setup with good security habits and I don't think you should have an issue. One thing to keep in mind is that there's a lot of fear and paranoia on security forums in general. Don't get caught up in the "I need 100 extensions and 40 real-time programs to be safe." More is not always better and can actually decrease your overall security, not improve it. Not to mention it may also make your system far more unstable.

Every program/setup can be bypassed if you practice unsafe habits. There's no silver bullet that will protect you from everything. Despite the fear that is sometimes generated, home users are not subjected to the "advanced attacks" that businesses and governments are. Find the setup that works best for you, practice safe habits and chances are you will be more than safe.
 
Last edited by a moderator:
  • Like
Reactions: brod56, Smoke, RoboMan and 7 others
Arequire said:
Don't quote me on this though as I'm no expert and I've never seen something like this thrown at VoodooShield
Click to expand...
I will quote you on this because what you're saying is useful contribution - you're smarter than you think.

An attack which does not rely on process spawns will fly right past VoodooShield, because VoodooShield's monitoring scope is process spawning.

Here's an example scenario of where VoodooShield would fail.

John Doe is browsing the web and he gets a notification about an e-mail to do with his work-place, so he goes back to the Outlook tab and checks out the e-mail; the e-mail has been spoofed to appear as though it was coming from his manager, and has been sent to several other colleagues as well.

John decides to download the attachment from the e-mail - he's using an Anti-Virus product with real-time protection enabled as well as VoodooShield on the side. The Anti-Virus product scans the downloaded attachment, but the downloaded attachment was specifically crafted to exploit a previously unknown vulnerability in the Anti-Virus product's scanner engine.

As the Anti-Virus product's scanner engine is scanning the contents of the attachment after mapping the file into memory, it runs into a bug because of a logic flaw in the engine. However, this flaw has been exploited in a way that allows shell-code planted within the file being scanned to be executed under the context of the Windows Service which is scanning the data.

Now, malicious shell-code can be executed under the context of something which is trusted and already in-memory (and thus, VoodooShield is not going to be blocking it, nor will it have any idea that process X has been compromised).

Obviously, even if a trusted running process were to start spawning other programs, that may trigger VoodooShield depending on the configuration (not guaranteed because it's configuration-dependent). Therefore, you'd preferably need to avoid doing this at all costs to prevent potential intervention from VoodooShield.

The example scenario is not something that a normal user should care about. Even for targeted attacks, such is incredibly rare because most of the time, it's found out by security researchers who report it and get it patched before a malicious actor can use it.

Microsoft recently added a sandbox container to Windows Defender (currently optional) to try and restrict what malicious code could do if it managed to compromise a user-mode Windows Defender process, like as a result of things like exploiting a flaw in the scanner engine.

For the record, if you do manage to compromise the local environment without triggering VoodooShield (e.g. as a result of exploiting an applicable vulnerability) and really need to cause a process spawn, process hollowing will work just fine, as long as the process being hollowed is already trusted by VoodooShield (or will fly past the auto-pilot for having a low-enough VoodooAi rating).

We can always go back to the part about how the auto-pilot is not full-proof and can be bypassed. The first clue is the fact that these implementations tend to work by flagging files which are more alike the trained data (e.g. trained with malicious samples) or less alike trained data (e.g. trained with safe samples). Note though, with VoodooShield, you'll probably need to make sure the sample is FUD to VirusTotal, or that there is no active internet connection for a VirusTotal look-up.

The developer or fan-boys may scream "Foul! Speculation! Show us a video!" but if you want to keep your IQ... I would recommend ignoring them.
 
  • Like
Reactions: catjc, Burrito, RoboMan and 13 others
VoodooShield is a very good piece of security. But, it can be easily bypassed (on Autopilot) by the user. That is a common thing in any security setup with many alerts.
The chances to bypass VS (paid), when respecting all its alerts, is very small in a home user environment. There is no need to cover VS by other software, unless the user is going to ignore VS alerts, and will intentionally run the unsafe programs.
I was a beta tester of VS and found a few bypasses, but they were quickly patched by the developer.
You can add some additional security layers at the expense of the system/software stability/compatibility to protect yourself against the threats which probably never happen.:emoji_pray:

Edit.
VD should be used alongside the AV. It is not supposed to work without AV.
 
Last edited:
  • Like
Reactions: Dave Russo, Tiny, catjc and 9 others
Nestor said:
So, it cannot block fileless malware and scripts?
Click to expand...
Depend how the fileless malware behave.
VS monitors all exes located on the disk.
However, some true fileless malware embark their own interpreters like using powershell without even using the powershell.exe of the target system, others uses python, etc...

VS doesn't have any memory monitoring/protection, so anything running in memory is free to act, however if the malware triggers an exe located on the system, VS will probably catch it.

It is why anti-exes must be ran alongside something monitoring the memory (anti-exploit, some AVs, etc...)
 
  • Like
Reactions: catjc, bribon77, Andy Ful and 3 others
bribon77 said:
I think the greatest danger of the Anti Exe. It would be the user. It gets tired of pop-ups and does not read, and gives permission.:giggle:
Click to expand...
To combat this, the best practice I've found is whenever VS throws up a prompt, click block immediately and investigate whether it was something malicious or legitimate afterwards. Better safe than sorry.
 
  • Like
Reactions: Tiny, codswollip, bribon77 and 4 others
Nestor said:
So, it cannot block fileless malware and scripts?
Click to expand...
Scripts are categorized as executable files, so yes it will block them. As for fileless attacks, VoodooShield isn't an anti-exploit and most fileless malware will exploit vulnerabilities. Just make sure to block interpretersand cover the exploit section.
 
  • Like
Reactions: KonradPL, _CyberGhosT_, oldschool and 2 others
RoboMan said:
VoodooShield isn't an anti-exploit and most fileless malware will exploit vulnerabilities
Click to expand...
Tell that to Dan.

You might end up being given a reply about how it can block the NSA's finest kernel exploits and a link to a YouTube video of VoodooShield blocking a user-mode payload post-kernel exploitation with Metasploit. Who knows, eh?

You might even be told to post a video to prove it isn't an anti-exploit tool as well.

You might even be told that many experienced professionals have failed to exploit VoodooShield and to stop speculating,

Stop speculating bro! Post a video!
 
  • Like
Reactions: upnorth, Sunshine-boy, oldschool and 3 others
Status
Not open for further replies.

You may also like...