VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Dan - hope your ship comes in :) but that you also retain control.
     
    Last edited: Feb 7, 2016
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I have a command line that is repeatedly blocked: net user paul | find /i "password last set" > "c:\users\paul\appdata\local\temp\ops3d2f.tmp"" where the 'ops3d2f' part changes each time.
    I have tried to white list it by replacing the file with ops*.tmp and *.tmp (a la NVT ERP) but it doesn't work.
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    No worries, Dan...and I have to say that I agree that the Free version is...well, very generous in the functionality it offers, but then again I remember that you said that you did not want to offer a half-baked product, even as a freeware version...so all credit to you for your integrity re. that. Yes, almost 5 years...it does not seem like that long that VS has been on my system but then again I did come to the party a little while after you first launched it as a beta...guided in by 'you know who' ;).

    In terms of a version above Pro, I would just brand it as VoodooShield Ai...to me that is distinct enough and differentiates it from VoodooShield Free & VoodooShield Pro, as it should because it adds a whole new dimension to the protection offered, i.e., "Computer lockdown taken to the next level of intelligence". But having said that I am no marketing guru and hence my advice should be taken with a large 'pinch of salt'...:argh:

    Like the sound of your plans...but would caution as to the Open Source approach for the PC, etc....I can see the allure of it but is it really the right way to go, at least in the short term and until you can get the Ai version well established? Again, just me sticking my big nose into things...:oops:

    Well, I am looking forward to the release of the Ai beta...bring it on and we will give it some wellie for you, as per usual.

    Regards, Baldrick
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No it never loads no matter how long I wait. I have to unplug it, and plug it back in again. It works fine after that. If I remember correctly it says the firmware was unable to install. The firmware is already installed, but it seems to be blocked somehow. My keyboard, and anything else plugged in USB port takes a long time to work at boot time. It takes my keyboard about 2 minutes before it will work once the login screen appears. I had to roll my machine back.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    VS was not in default settings. I had changed many settings. I will have to take screenshots of the settings the next time I install VS. It will be much easier for you to see the settings using images. If it is VS causing the problem then it probably has something to do with VS's interaction with the USB protocol. It took each of my 3 drives plugged in like 20 seconds to appear after the desktop loaded. The Western Digital drives were offering me to install the software again. When my Wireless Netgear USB adapter was blocked it said something like the firmware was unable to install, which is strange since the firmware is already installed. My keyboard took about 2 minutes before it would respond once the Windows Login Screen appeared. I already rolled my machine back so I will send the logs the next time it occurs. It does not occur every time I reboot, but it does occur often. I think it will be key to send the logs right after it occurs to see if it shows anything that might explain what the problem is.
     
  6. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    Please try manually to edit some of the command line entries in Command Line panel like this:
    net user paul | find /i "password last set" > "c:\users\paul\appdata\local\temp\*.tmp""

    This should solve the issue with repeatedly blocking.

    Allowing command lines by wildcard is working, however using it is not very user-friendly right now.

    Let me know if it solved it.

    Thanks
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Hi Vlad, that is exactly how I had it (but only one instance), but I still got the block / allow prompts.
    I'll see later if deleting all the other opsxxxx.tmp command lines solves the problem.
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I discovered that the USB port issue I was experiencing is being caused by a failing external drive, and not VoodooShield. It was only coincidence that it was only occurring when VS was installed. I think the load sequence at boot with VS installed caused the drives to load more delayed, and caused the issue to occur more often. That's the fourth drive that has gone bad in the past year. They have all been Seagate drives. I will never buy another Seagate drive again. I have also had 3 Seagate drives fail within a month of buying them in the past. It's been taking up all my time recovering my data.

    Edited 2/9/16 @ 5:50
     
    Last edited: Feb 9, 2016
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Realistically, VS and SSRP should work together in harmony since VS is now kernel-mode for blocking while SSRP blocking is done in user-mode, if I understand correctly. So as long as both are configured correctly, I don't see there being any conflicts. It is always worth trying if you would like. However, I do believe strongly that you are in great hands with VS alone and therefore adding SSRP is not likely going to give you any additional protection over VS.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Vlad, I gave up on deleting all the opsxxx.tmp files. Too many of them, and can only do one at a time, unless I do a reset.
    Couldn't find the *.tmp file I had added, so added it again, just in case. Will monitor it again from now.
    You're right, editing command lines is not user-friendly. One cannot right-click edit a command line, one has to copy and add a new one, then edit that.
    Edit: @hjlbx had already referred to something similar in #8376
     
  12. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I saw only one policy there -
    However I'm pretty sure there are more policies. At least from my understanding of the description it seems to be one of VS's competitors :) I think using 2 programs that have the same purpose seems to be overkill.

    But I didn't use that software so I cannot be 100% sure
     
  13. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I thought to do something like that:
    - Right click on the command line entry -> Edit
    - Edit to use wildcard (*-any chars, ?-single char)
    - On save all entries that match that wildcard will be erased. Only the rules that match the action (Block or Allow)

    The only question is the order of applying rules. For example you have three rules:
    BLOCK - ping 192.168.*
    ALLOW - ping 192.168.0.*
    BLOCK - ping 192.168.0.5

    So what do you expect it to do on getting the command ping 192.168.0.5? What about ping 192.168.0.4?
     
  14. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Ha..I'll follow your and WildByDesign's suggestion and stick with VS. I was just curious if it was simply another layer in addition to VS :)
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Your solution sounds good!
    Re order, probably safest to give most granular rule precedence ... block 192.168.0.5, allow 192.168.0.4?
    @hjlbx - any comments?
     
  16. hjlbx

    hjlbx Guest

    Easy method is for priority of rules to be applied from top-to-bottom:

    BLOCK - ping 192.168.0.5 (least restrictive)
    ALLOW - ping 192.168.0.*
    BLOCK - ping 192.168.* (most restrictive)

    Bottom line is users have to pay attention to rules they create; conflicting rules can wreak havoc. The onus is on the user to understand what they are doing to a large extent. Even if you try to simplify things via some type of rules configuration wizard, the user must know what rules to create. This is true for most any AE\SRP soft.
     
  17. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Here is a harder exercise: :)
    ALLOW - 192.168.0.*
    BLOCK - 192.168.*.5

    What to do with 192.168.0.5?

    Sorry for the challenges, but I originally come from the QA field, so it's better to think about such corner cases before the implementation.
     
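    A worked example of the wildcard command-line rules and the precedence question discussed in the last few posts (the *.tmp allow rule, the three ping rules, and the ALLOW 192.168.0.* vs BLOCK 192.168.*.5 corner case). This is an added illustration, not VoodooShield's own code; it assumes a PROMPT outcome when no rule matches and uses the count of non-wildcard characters as a rule's "specificity".

```python
import re

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a rule with * (any chars) and ? (one char) into a regex.
    Every other character is escaped, so quotes, pipes and backslashes in a
    command line match themselves. Case-insensitive, as Windows paths are."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(pattern: str, cmdline: str) -> bool:
    # fullmatch: the rule has to cover the whole command line, not a prefix
    return wildcard_to_regex(pattern).fullmatch(cmdline) is not None

def specificity(pattern: str) -> int:
    # Assumed measure: literal (non-wildcard) characters; more literals = more specific
    return sum(1 for ch in pattern if ch not in "*?")

def decide_first_match(rules, cmdline, default="PROMPT"):
    """hjlbx's proposal: rules are applied top to bottom, first hit wins."""
    for action, pattern in rules:
        if matches(pattern, cmdline):
            return action
    return default

def decide_most_specific(rules, cmdline, default="PROMPT"):
    """paulderdash's proposal: the most granular matching rule wins.
    Two equally specific rules with different actions are reported as CONFLICT."""
    hits = [(specificity(p), a) for a, p in rules if matches(p, cmdline)]
    if not hits:
        return default
    best = max(s for s, _ in hits)
    actions = {a for s, a in hits if s == best}
    return actions.pop() if len(actions) == 1 else "CONFLICT"

# Constructed rule sets, taken from the examples in the thread (action, pattern).
VLAD_ORDER = [("BLOCK", "ping 192.168.*"), ("ALLOW", "ping 192.168.0.*"),
              ("BLOCK", "ping 192.168.0.5")]
HJLBX_ORDER = list(reversed(VLAD_ORDER))       # least restrictive listed first
HARDER = [("ALLOW", "192.168.0.*"), ("BLOCK", "192.168.*.5")]
TMP_RULE = [("ALLOW", r'net user paul | find /i "password last set" > "c:\users\paul\appdata\local\temp\*.tmp""')]
TMP_CMD = r'net user paul | find /i "password last set" > "c:\users\paul\appdata\local\temp\ops3d2f.tmp""'

if __name__ == "__main__":
    for cmd in ("ping 192.168.0.5", "ping 192.168.0.4"):
        print(cmd, "first-match(Vlad order):", decide_first_match(VLAD_ORDER, cmd),
              "first-match(hjlbx order):", decide_first_match(HJLBX_ORDER, cmd),
              "most-specific:", decide_most_specific(VLAD_ORDER, cmd))
    print("192.168.0.5 under the harder exercise:", decide_most_specific(HARDER, "192.168.0.5"))
    print("*.tmp rule covers ops3d2f.tmp:", matches(TMP_RULE[0][1], TMP_CMD))
```

    Under top-to-bottom ordering the harder exercise simply yields whichever rule is listed first, while under most-specific ordering the two patterns tie (ten literal characters each), which is exactly the ambiguity the post points at.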
  18. hjlbx

    hjlbx Guest

    @VoodooShield

    Purported VooDooShield bypass: http://bbs.kafan.cn/thread-1936040-1-1.html

    I used Internet Explorer to translate, but some images did not load; they load in Cyberfox\Firefox.

    If you have privileged VT key, then you should be able to obtain sample.
     
    Last edited by a moderator: Feb 14, 2016
  19. hjlbx

    hjlbx Guest

    Selected BLOCK in each of the alerts; malware still able to launch processes.

    OP on kafan forum will not share any infos.

    That's all I know.

    Looking at the processes running under Internet Explorer in Process Hacker it appears to be one of the many documented methods to bypass white-listing - which one specifically I do not know. Plus I can't read Chinese so had to use Bing Translate - which isn't that great.

    VS developer needs to get ahold of sample via VT.
     
    Last edited by a moderator: Feb 14, 2016
  20. hjlbx

    hjlbx Guest

    @VoodooShield

    VT report: ~ Removed VirusTotal Results as per Policy - PM Developer ~

    The VT report is linked on one of the pages linked in the bypass report.
     
  21. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    Thank you for the heads up.
    I'm trying to understand what's going on there (by using Google Translate), however without too much success. Tried to register on that forum, but still forbidden to see the download section.
    I'm trying to find that trojan file.
     
  22. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I saw that report, however there is no link to download the file. I tried to find the file by using hash, but without success.
    It seems like that blocked file is not the trojan, but some trojan child process. The logs may help there a lot
     
  23. hjlbx

    hjlbx Guest

    OP won't give any infos... so it is unsubstantiated.
     
  24. hjlbx

    hjlbx Guest

    I think you need Asian keyboard.... possibly doesn't accept non-Asian characters for email registration.

    I had same trouble on Korean website... LOL.

    Since file was uploaded to VT recently, should be downloadable with a privileged VT key.
     
  25. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I registered on the site, however the download links are closed. Maybe they expect me to write something like 10 posts before opening. I have a Hebrew keyboard, but don't think it will help there :)
    I tried to download with the VT key used by VS, but got access denied, so it doesn't seem to be privileged. I need to check with Dan
     