VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Could you tell me in which cases you recommend using 'Always ON' mode?

     
  2. rs11

    rs11 Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    52
    I have VoodooShield and an on demand scanner that scans on start up.
    Do you think I can get away without a realtime antivirus program?
    Also 2.31j is working fine here!!
     
  3. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Some will advise having a real-time antivirus too.
    BUT it all depends on whether your machine was clean before you installed VoodooShield, as VS protects from infections; it doesn't remove them.
    I don't run any real-time antivirus, just VS and a weekly on-demand AV scan, and everything is fine, but importantly my machine was clean before I installed VS.

    Gordon
     
  4. alphonso

    alphonso Registered Member

    Joined:
    Mar 22, 2015
    Posts:
    15
    I think you could if you were careful. But realistically I think it makes more sense to employ whatever positive measures we can to ensure we are running in a clean and secure PC environment. And the spectrum is wide indeed and as varied as there are people. So, we can have one or as many tools as we want and feel comfortable with. Me, I like the progressive approach offered by VS, as the times have been a-changing. But at the same time there is no shame in using a complementary antivirus solution. This is by no means an admission of weakness but a judicious assortment of tools to get the job done. Of course, as few as possible that give the great result: hence the two-prong approach with VS and an AV of your choice. A clean machine is a beautiful thing; it makes you feel like you have proper control over your machine, and thereby should theoretically make you happier and more productive. I am currently experimenting with Avira freeware. avwsc.exe kept getting blocked by VS. Eventually I deleted that file, but the AV is still working normally.
     
  5. rs11

    rs11 Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    52
    Thanks guys for the answers:)
    I just always wondered if it was worth it.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey everyone, here is the latest version. From what I can tell, it is running great and is pretty much ready to release to the public. Sorry I am behind on the posts; I will catch up ASAP.

    http://www.voodooshield.com/freeoffer/Install VoodooShield.2.31k beta.exe

    Also, if anyone is interested in seeing the new anti-exploit feature in action, here is a sample bypass, even though it is not a true exploit. UAC will block it, so make sure it is disabled, and also make sure you have java installed, I think any version of java will work. Then just double click on the VSTestJava.jar file, and this will drop an executable file named "VS.exe" into the Program Files folder, but VS will block it, even though the Program Files folder is in an allowed folder. This is the bypass that prompted me to add the anti-exploit feature, and is actually a pretty cool trick. Thank you Adam for the help! Please feel free to share with other developers if this bypasses anything else.

    http://www.voodooshield.com/freeoffer/javabypass.zip
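    The point of the javabypass sample above is that an "allowed folder" rule is only as strong as the controls on who can write into that folder: an interpreter the user is allowed to run (here Java) drops a file into Program Files, and a location-only policy then trusts the drop. The following is an added example, not VoodooShield's code, that simulates that event sequence against two toy policies: one that checks only the folder, and one that also remembers which process created or moved the file (the idea behind the anti-exploit feature as described in the post). Folder list, process names, the "untrusted writer" set and the event log are all constructed for the demo.

```python
"""Added example (not VoodooShield's code): location-only vs. provenance-aware
application whitelisting, replaying the "script drops an exe into an allowed
folder" scenario described in the post above. All paths, process names and
events below are constructed for the demo.
"""
from dataclasses import dataclass

# Folders whose executables a location-only policy trusts wholesale (assumption).
ALLOWED_FOLDERS = ("C:\\Program Files\\", "C:\\Windows\\")

# Script hosts / interpreters: a file they create or move should not inherit
# the trust of the folder it ends up in (assumption for the demo).
UNTRUSTED_WRITERS = {"java.exe", "javaw.exe", "powershell.exe", "cmd.exe",
                     "wscript.exe", "cscript.exe"}


@dataclass
class Event:
    kind: str          # "create", "rename" or "exec"
    path: str          # file being created/renamed/launched
    actor: str         # image name of the process performing the action
    dest: str = ""     # new path, only for "rename"


def _in_allowed_folder(path):
    p = path.lower()
    return any(p.startswith(f.lower()) for f in ALLOWED_FOLDERS)


class LocationOnlyPolicy:
    """Decides purely on where the launched file lives."""

    def decide(self, ev):
        if ev.kind != "exec":
            return "ignored"
        return "allow" if _in_allowed_folder(ev.path) else "block"


class ProvenancePolicy:
    """Also tracks which process put each file where it is."""

    def __init__(self):
        self.creator = {}   # lower-cased path -> lower-cased writer image name

    def decide(self, ev):
        key = ev.path.lower()
        if ev.kind == "create":
            self.creator[key] = ev.actor.lower()
            return "recorded"
        if ev.kind == "rename":
            # A move into an allowed folder carries the original writer along;
            # if we never saw the file created, the mover counts as its writer.
            self.creator[ev.dest.lower()] = self.creator.pop(key, ev.actor.lower())
            return "recorded"
        if not _in_allowed_folder(ev.path):
            return "block"
        if self.creator.get(key) in UNTRUSTED_WRITERS:
            return "block"   # allowed folder, but dropped there by a script host
        return "allow"


def run(policy, events):
    return [policy.decide(e) for e in events]


# Constructed event log: a normal launch, the Java drop-and-run from the post,
# a download launched from Downloads, and a drop-in-Temp-then-move variant.
EVENTS = [
    Event("exec", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "explorer.exe"),
    Event("create", "C:\\Program Files\\VS.exe", "java.exe"),
    Event("exec", "C:\\Program Files\\VS.exe", "explorer.exe"),
    Event("exec", "C:\\Users\\bob\\Downloads\\setup.exe", "explorer.exe"),
    Event("create", "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe", "javaw.exe"),
    Event("rename", "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe", "javaw.exe",
          dest="C:\\Program Files\\stage.exe"),
    Event("exec", "C:\\Program Files\\stage.exe", "explorer.exe"),
]

if __name__ == "__main__":
    print("location-only:", run(LocationOnlyPolicy(), EVENTS))
    print("provenance:   ", run(ProvenancePolicy(), EVENTS))
```

    The location-only policy allows both dropped executables because they sit in Program Files; the provenance policy blocks them because a script host wrote them there, while still allowing the pre-existing Firefox binary. The rename case is the caveat a practitioner should carry over to a real implementation: if creation is tracked but moves and copies are not, the bypass is one rename away, and the same applies to a user manually copying the file in, as the later post in this thread reports.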
     
  7. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    K is working great on all my systems. Rundll issue solved.
     
  8. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Possible bug:

    Go to Command Line and edit an entry.
    Close VS GUI, re-open it and go to Command Line again.

    The change is not remembered... the entry is reverted to the original one.
     
  9. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan,
    Installed 2.31k beta.
    Tried running it with anti exploit enabled but as previously reported with 2.31j VS continues to block my .pdf reader from being launched from my browsers - even after it is allowed numerous times, VS doesn't remember and blocks it again.
    After disabling the Anti exploit, everything functions as it should.

    My rundll32.exe issue isn't resolved; I'm still getting the command line prompt for my CD-ROM drive: "c:\windows\system32\rundll32.exe" shell32.dll,shellexec_rundll e:\start.html

    Thanks
    Gordon
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I also got an alert for
    c:\windows\system32\rundll32.exe c:\windows\system32\pla.dll,plahost "lsc memory" "0x828_0x438_0x672f6987"
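    Both rundll32 prompts in the two posts above illustrate why a whitelist entry for rundll32.exe alone is not useful: rundll32 is a host that runs an export from whatever DLL it is given, so the decision has to be made on the DLL, the export and (for proxy-execution exports like ShellExec_RunDLL) the argument. The following is an added example, not VoodooShield's code, that parses the two command lines quoted above into those parts and applies a small constructed rule table; the rules and the two extra sample lines are assumptions for the demo, not VoodooShield's policy.

```python
"""Added example (not VoodooShield's code): pull DLL, export and arguments out
of a rundll32 command line and classify it. The rule table and the last two
sample lines are constructed for the demo; the first two samples are the
command lines quoted in the posts above.
"""
import ntpath

# Targets that ShellExec_RunDLL should never be allowed to launch (assumption).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".js", ".jse", ".vbs", ".vbe",
             ".ps1", ".bat", ".cmd", ".hta", ".msi", ".lnk"}

# (dll basename, export) -> verdict, lower-cased. Constructed for the demo.
KNOWN = {
    ("pla.dll", "plahost"): "allow",                  # Performance Logs and Alerts host
    ("shell32.dll", "shellexec_rundll"): "inspect",   # opens whatever its argument is
}


def tokenize(cmd):
    """Split on whitespace, honouring double quotes (which are dropped)."""
    tokens, cur, inq = [], [], False
    for ch in cmd:
        if ch == '"':
            inq = not inq
        elif ch.isspace() and not inq:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _verdict(dll_name, export, args):
    # A "DLL" argument that is not a .dll path at all (e.g. a javascript: URL)
    # abuses rundll32's loose parsing: block outright.
    if not dll_name.endswith(".dll"):
        return "block"
    rule = KNOWN.get((dll_name, export), "prompt")
    if rule != "inspect":
        return rule
    # Proxy execution: trust depends on the target, not on rundll32 itself.
    target = args[0].lower() if args else ""
    if ntpath.splitext(target)[1] in EXEC_EXTS:
        return "block"
    return "prompt"   # documents such as the CD-ROM's start.html still get a prompt


def parse_rundll32(cmd):
    """Return dict(dll, export, args, verdict), or None if not a rundll32 line."""
    tokens = tokenize(cmd)
    if not tokens or ntpath.basename(tokens[0]).lower() != "rundll32.exe":
        return None
    if len(tokens) < 2:
        return {"dll": "", "export": "", "args": [], "verdict": "block"}
    spec, rest = tokens[1], tokens[2:]
    # rundll32 accepts both "dll,Export" and "dll, Export" (comma then space).
    if spec.endswith(",") and rest:
        spec, rest = spec + rest[0], rest[1:]
    dll, _, export = spec.partition(",")
    dll_name = ntpath.basename(dll).lower()
    export = export.lower()
    return {"dll": dll_name, "export": export, "args": rest,
            "verdict": _verdict(dll_name, export, rest)}


SAMPLES = [
    # quoted from the two posts above
    r'"c:\windows\system32\rundll32.exe" shell32.dll,shellexec_rundll e:\start.html',
    r'c:\windows\system32\rundll32.exe c:\windows\system32\pla.dll,plahost "lsc memory" "0x828_0x438_0x672f6987"',
    # constructed: ShellExec_RunDLL pointed at a script, and a non-DLL "DLL" argument
    r'rundll32.exe shell32.dll,ShellExec_RunDLL C:\Users\Public\update.hta',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_rundll32(s))
```

    With this split, the pla.dll,PlaHost line (a scheduled data-collector task) can be allowed by DLL and export, while shell32.dll,ShellExec_RunDLL is left as a prompt for documents and a block for script or executable targets, which is the distinction a command-line whitelist entry has to capture rather than matching the whole string verbatim.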
     
  11. hjlbx

    hjlbx Guest

    2.31k beta - BUG REPORT
    • Even in Training Mode some back-up software, e.g. EaseUS Todo, will not proceed to the user interface; the EaseUS Todo process starts but hangs at its start-up screen and never proceeds to the user interface. Completely disable VoodooShield and EaseUS Todo functions properly... or, with VoodooShield protection enabled, right-click "Run as Administrator" on EaseUS Todo and it will run normally.
    NOTE: EaseUS Todo and all its modules show as "Allowed" in the User Log, but not all modules are in the Whitelist.
    • OneDrive File Manager (Windows "Metro" App version) initially blocked: C:\Windows\filemanager\filemanager.exe
    • Photos App initially blocked: C:\Windows\filemanager\photosapp.exe
    • User Log only updates if I exit, and then re-open, VoodooShield Settings.
    • Please add "Do Not Whitelist 'Power Shell'" to the Tweaks tab.
    • When extracting files using 7zip or PeaZip, I get a CMD.EXE Block Notification.
    • VoodooShield has no "self-protection"; it can easily be disabled via Task Manager.
    No way to allow command-line utilities, e.g. ipconfig, to display properly with VoodooShield protection on? Utilities run but the command-line console closes immediately.
     
    Last edited by a moderator: Mar 27, 2015
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Works very well here once I allowed it via WSA! LOL

    Daniel :)

     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Good news, my exploit no longer works.

    For mine, the issue was getting it to the Program Files folder. Once it was manually copied there, though, it would bypass VS. So I figured I would try to piggyback on this javabypass PoC here to get it into the Program Files folder. It was not able to bypass VS. I also decided to try again without the Java trick by simply just copying my example to the Program Files folder and executing manually. Regardless, it no longer bypasses VS. I am all out of ideas now and it's fantastic that VS is continually getting stronger.

    Great job Dan! :thumb:
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi Dan

    Looking VERY TASTY here under Win7 64bit...very smooth, quick and very unobtrusive until it needs to be. Some more testing to do but already this looks like one for the pressed.

    Nice one, matey.

    Regards, Baldrick
     
  15. alphonso

    alphonso Registered Member

    Joined:
    Mar 22, 2015
    Posts:
    15
    Oh, I am so glad that I had my shields up today. I got to see VS firsthand in action. I had downloaded a gadget called AlarmClock.gadget from the author's website. I ran a scan, but I'm not sure now what I used to scan; it turned up negative. So I ran it. And from what I vaguely remember, a helper.exe was blocked but I allowed it. And then VS flashes as I noticed a series of exe files being generated and blocked, as I witnessed from the user log. At this point Thunderbird uninstall asked if I wanted to uninstall Thunderbird, so I cancelled that. That was the helper.exe file I had allowed a second earlier.

    Then I ran Malwarebytes, and it found a rootkit and had it quarantined, then ran MBAR and it still found the same thing; this time I rebooted to clear it. Still, I then recovered from a backup on a different hard drive using a live O&O DiskImage media... just to be more confident. I am pretty certain it was this gadget that I executed. By the way, it produced a lovely little alarm clock with nice colours and settings. I loved it, but I think this rootkit had something to do with it. Anyway, Avira did not seem to do anything, so it was 100 percent VS that prevented all of those .exe files, named au_.exe, bu_.exe, cu_.exe, du_.exe, eu_.exe, fu_.exe, etc... I think it went through the whole alphabet. So this rootkit started to generate executable files and each was blocked. The other symptom was it slowed my PC to a crawl. I think the virus got into the MBR, so like I say, in the end I just recovered from a backup rather than take a chance that anything might still be lingering. I have run more scans and things seem back to normal.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    So, do you think VS allowed the rootkit to be installed on your machine? I would love to have a sample of the malware you executed.
     
  17. alphonso

    alphonso Registered Member

    Joined:
    Mar 22, 2015
    Posts:
    15
    I'm not sure what happened exactly. But the file I downloaded, I can tell you where it was from: ~Link Removed~
    It was AlarmClock.gadget.
    Like I say, it was a very cool gadget, and I cannot be certain this was what unleashed the rootkit, but it was the last thing I downloaded and executed.
     
    Last edited by a moderator: Mar 27, 2015
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm checking the file now.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I checked the file with VirusTotal, and it got no hits. All 57 engines came back clean. That does not mean it is not a malicious file, though. I will try executing it a little later.
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    Remember our TOS.
    https://www.wilderssecurity.com/help/terms
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Does anyone else think the buffer space should be removed where the arrows point in the screenshots below? The columns seem a little odd. It seems like better use of the space needs to be made. Maybe it's just due to me liking the whitelist and user log together more in prior builds. I think maybe the main left column should be completely removed.
     

  22. alphonso

    alphonso Registered Member

    Joined:
    Mar 22, 2015
    Posts:
    15
  23. Miquell

    Miquell Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    32
    Location:
    Poland
    Hey Dan :)

    Stable, smooth, very fast and powerful - this beta really looks great and works flawlessly on Win8.1 64bit :thumbd:.

    Thanks Dan, great job! :)

    Mike
     
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I asked here but got no reply....
    https://www.wilderssecurity.com/threads/voodooshield.313706/page-256#post-2473074
     
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Why pick on little things, just as long as it's working well?

    TH
     