Advice Request Which threats are not prevented by Voodooshield ?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
AppGuard and HitmanPro.Alert are the only two products I can think of that have dedicated memory protection. Any others you know of?

I don't know much about it but maybe BlackFog? And as @Umbra said, some AV suites.

Yes, we know what Dan would say, and we know what Eddie Mora says.... so? I searched for Opc0de's video BTW! I couldn't find it here on the forum.:LOL:

Once again we return to this issue: Whether home users will encounter these sneaky types of malware? I'm with @Andy Ful on this one!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
You will not see the true fileless threats in the home environment. You probably can see something like that:
(1) non-executable file with exploit --> (2) legal application exploited --> (3) legal Windows tool (EXE) used to download and run the payload from memory or from the Windows Registry.

(1) can be a weaponized document, media file, etc.
(2) is a legal application with vulnerability, like web browser, MS Office application, Adobe Acrobat Reader, media player, etc.
(3) can be PowerShell and some other Windows tools.

Anti-Exe application can break the infection chain at the point (3). The typical exploits can break the infection chain at the point (2).

The sophisticated threats, which do not use point (3), can be seen in the attacks on organizations - they are precious and very dangerous. After exposing them by AV vendors, they are pretty much useless in the attacks on the home users, because the vulnerability is already closed or the AV signature is created. They can be still used in attacks on organizations anyway, because some of them use unpatched systems and vulnerable software.
 
Last edited:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
You will not see the true fileless threats in the home environment. You probably can see something like that:
(1) non-executable file with exploit --> (2) legal application exploited --> (3) legal Windows tool (EXE) used to download and run the payload from memory or from the Windows Registry.

(1) can be a weaponized document, media file, etc.
(2) is a legal application with vulnerability, like web browser, MS Office application, Adobe Acrobat Reader, media player, etc.
(3) can be PowerShell and some other Windows tools.

VD can break the infection chain at the point (3). The typical exploits can break the infection chain at the point (2).

The sophisticated threats which do not use point (3) can be seen in the attacks on organizations, they are precious and very dangerous. After exposing them by AV vendors, they are pretty much useless in the attacks on the home users, because the vulnerability is closed or the AV signature is created. They can be still used in attacks on organizations, because some of them still uses unpatched systems and vulnerable software.


Exactly what I was saying! :ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO:
 
F

ForgottenSeer 69673

I don't know much about it but maybe BlackFog? And as @Umbra said, some AV suites.

Yes, we know what Dan would say, and we know what Eddie Mora says.... so? I searched for Opc0de's video BTW! I couldn't find it here on the forum.:LOL:

Once again we return to this issue: Whether home users will encounter these sneaky types of malware? I'm with @Andy Ful on this one!
Do you remember where you saw the video?
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
I do not know, what do you think but I think that in a virtualized environment like Sandboxie, or similar, it would be effective from an attack on memory. And to be used with VS or with any Anti-exe.
 
Last edited:
D

Deleted member 178

The real thing is so evaluate the scope of the software against the environment/behavior of the user.

No software does everything, so there is no reason to try defending or advertising the said software against something it is not designed to do.
 

128BPM

Level 2
Verified
Feb 21, 2018
90
Comodo HIPS also has a feature for monitoring the memory.

Interprocess Memory Access - Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording your keyboard strokes; modifying the behavior of the invaded application; stealing confidential data by sending confidential information from one process to another process etc. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take the identity of the invaded process, or 'impersonate' the application under attack. This makes life harder for traditional virus scanning software and intrusion-detection systems. Leave this box checked and HIPS alerts you when an application attempts to modify the memory space allocated to another application.
 
D

Deleted member 178

I don't know much about it but maybe BlackFog? And as

Once again we return to this issue: Whether home users will encounter these sneaky types of malware?
It doesn't matter, we don't pick a solution based on a malware prevalence.

I use an anti-malware, i hope it protects me against any kind of malware, old and new.
I don't care if the malware is destined to home users or enterprises.

If i fear exploits, I use true anti-exploits.

I don't expect an Anti-Malware to prevent exploits.

was posted 6 years ago. VS has come along way since then.
Its scope didn't changed, it still monitors only exe.
 
E

Eddie Morra

I'm looking for answers to the following questions before deciding whether I should recommend VoodooShield to a friend or not.

1. Does VoodooShield have any investors?
2. Are there any contracts between VoodooShield and any government agencies?
3. Do any third-party AV vendors license out VoodooShield technology?
4. How large is the VoodooShield team - are there any legally-employed staff or only freelance for hire, and is it mostly remote work or is there an official office building?
5. When was the last full source code audit and who performed it? If there was one, are there any public details which can be shared?
6. How is automated stress-testing performed before new releases to try and find previously undiscovered bugs? For example, are there any automation's to help test the robustness of various functionality when put under pressure?

I can't find much on the above questions, if anyone happens to know the answers and is willing to share, it'd definitely be handy.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
It seems that VS checks scripts against a database in the cloud and Virus Total. If the script is not in the database unknown and it is not signed, then VS will block it unless the user will choose otherwise.

VS.png


In the Auto Pilot mode, VS works as an anti-exe based on the cloud reputation service (VirusTotal + VoodooAi). If the reputation is good, then the executable is allowed. If not, then it will be blocked. Such setup will produce many false positives. The false positives for scripts are not important, because most users do not use scripts - they can always assume that the script is malicious, which will be usually true. Yet, too many false positives for the EXE files are dangerous in the long term, because the users tend to ignore VS alerts and seek the truth via on-demand scanners (not good for the fresh malware).
I know that the developer was thinking about the solution similar to RunBySmartScreen, but finally chose VT + VoodooAi only.
Anyway, VS is a good solution for the semi-locked systems, if the users consequently allow VS doing the default actions.
The users who think that they are smarter than VS, can have problems, unless they really know what they are doing.

Post edited - added "and Virus Total" in the first sentence. So, for scripts VS checks three factors (at least): known to the database, VirusTotal detections, and digital signature.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I'm looking for answers to the following questions before deciding whether I should recommend VoodooShield to a friend or not.

1. Does VoodooShield have any investors?
2. Are there any contracts between VoodooShield and any government agencies?
3. Do any third-party AV vendors license out VoodooShield technology?
4. How large is the VoodooShield team - are there any legally-employed staff or only freelance for hire, and is it mostly remote work or is there an official office building?
5. When was the last full source code audit and who performed it? If there was one, are there any public details which can be shared?
6. How is automated stress-testing performed before new releases to try and find previously undiscovered bugs? For example, are there any automation's to help test the robustness of various functionality when put under pressure?

I can't find much on the above questions, if anyone happens to know the answers and is willing to share, it'd definitely be handy.
That is a reasonable point of view, especially when VS is recommended to work in businesses and organizations. But, for many home users the sufficient criteria will be the digital signature and the good reputation. The developer put the information on his website, that VoodooShield was patented by US Patent No. 9,197,656.
 
E

Eddie Morra

That is a reasonable point of view, especially when VS is recommended to work in businesses and organizations. But, for many home users the sufficient criteria will be the digital signature and the good reputation. The developer put the information on his website, that VoodooShield was patented by US Patent No. 9,197,656.
I've created a thread to ask my questions now to prevent this thread from being hijacked further, and I apologise for derailing the thread. The questions I was interested in were not a good fit to be asked on this thread given the topic at hand, but a separate thread specifically focused on them is a lot more appropriate in my opinion.
 

noob guy

Level 1
Verified
Oct 7, 2018
44
I keep hearing about using Auto-pilot for VS. Well both the default mode (even for VS free) and the developer's recommendation is to use VS in Smart Mode, which is more secure than Auto-pilot because it locks down the system. Yes it does not remove the dumb user problem (who clicks "allow"), but Smart mode in VS, plus a good AV that updates regularly will be a decent combo for ordinary home users like me who don't have unsafe surfing habits. I think Andy Ful summed it up well.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top