VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, even though the VoodooAi result was correct, there were hits on the blacklist scan, so VS blocked the item. Hopefully in the next 6 months we will be able to have VoodooAi override the blacklist scan even more than it already does (right now it only overrides the blacklist scan if only false positives are detected), but since VoodooAi is so new, it is better to play it safe and protect the user. Keep in mind, VoodooAi will be a lot more accurate and precise very soon after we retrain the models with truly random samples... but until then we have to protect the user. To me, all software developers should test their products with VT and correct all of the false positives... that would help the entire security community.

    The lastpass is a command line block... I have been thinking about adding a feature that automatically allows command lines from allowed processes... I just have not had the time to implement this safely yet.

    Keep in mind, with any application whitelisting software, there are always going to be some blocks... there is no way around it. I am doing my best to safely limit these as much as possible ;). Thank you!
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Elaborate? I have been running both (CP on default settings) on my Win 7 x64 machine and have not noticed any issues.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd... I have had several reports of VS not working with CP... maybe it is something else. I was thinking that it had to do with policy restrictions from CP in C:\ProgramData\VoodooShield, since that is where all of the database files for VS are stored. I do not know much about CP, but I am guessing that it protects appdata and programdata quite a bit, and maybe it was messing up VS's .dat files. I only had about 7-10 reports of this happening, but then again, that is 7-10 more than any of the other security software, but who knows, maybe they do work well together and it might have been something else.
     
  4. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    I just had a look at the log and there were no blocked processes, and threats blocked: 0. However, when I went to command line there was a blocked file, c:\windows\splwow64.exe 8192. I googled and this is safe so allowed it. Why wasn't the blocking reported in the log? Should it be blocked?
     
  5. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Maybe it depends on what is installed first, because CP has options to allow files/folders already on the system.
    http://s32.postimg.org/bw7q0gq39/image.png
    I think if VS is installed first and CP second it may work... I guess...
     
    Last edited: Apr 29, 2016
  6. guest

    guest Guest

    From their website:
    CP blocks executables like Applocker/SRP?
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Technically it probably was not blocked... basically, splwow64 and mssfeedsync are the only processes in the ENTIRE windows folder that are not seen as vulnerable processes. But we also protect splwow64 and mssfeedsync as well, but in a different way. Let me guess, did you print something from a web app? ;). So everything is working correctly, but I just have to fix the way these items are added to the command lines, I forgot about that, thank you, I will fix that right now.
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ahhhhh, great point! I am trying to think which one should be installed first, but I cannot think yet, I just woke up ;).
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I believe the main protection that CP utilizes is making changes to the group policy, which is why a reboot is required when you switch modes. I am sure they have other protections, I just do not know what they are. As Djigi was saying, it probably depends on what is installed first. So I would probably uninstall VS, then install CP, then reinstall VS and see if the installation completes successfully and also make sure VS works ok. Thank you!
     
  10. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    @SHvFI,

    Thank you for the link! I seem to keep missing that post for some reason! Not sure why?:confused:

    Do you have a time for the realtime scanner code in VS?

    Post: # 9566

    Kind regards,
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know! By any chance, were you doing anything special in Edge when this was triggered? For example, if you are in IE and you delete your browsing history, it will throw a command line like this "c:\windows\system32\rundll32.exe c:\windows\system32\inetcpl.cpl,clearmytracksbyprocess". Basically, if you can tell me what triggers this, it should be super easy to fix... if not, we will fix it one way or another ;). Thank you!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, probably in a week or two, once everything else is finalized. Thank you!
     
  13. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    I'm afraid the issue with the pop-up is still happening. When I put 3.15 into training mode it'll launch a pop-up telling me that I'm not protected, and it does this every 10 minutes or so, pulling me out of whatever game I might be in. I can turn that off using the method you described via email, but if there's a better way to fix that for the future that'd be great.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    This can help: just uncheck it or make the time longer, like I did, so you don't forget about VS in training or in install mode.

    2016-04-29_11-41-09.png
     
  15. Willpower

    Willpower Registered Member

    Joined:
    Jan 3, 2014
    Posts:
    30
    Location:
    Sunny Okanagan, BC Canada
    Yes, this is interesting, as I also run CP on Default alongside VS v.2 up to v.3.15 on W10 64 Bit with no issues at all.
     
  16. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    Awesome, thank you! I'll make the time a bit longer. I mostly want to use it for an hour or so and then turn it off.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, sorry about that... I did not fix this for training mode, I only fixed it for the other modes ;). Do you think that if another app is full screen, then we disable that prompt altogether? Does that sound about right? Also, if the option "Notify me after 5 minutes if VoodooShield is OFF" is checked... should VS automatically toggle to the previous mode, or should it just stay in training? Thank you!
     
  18. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    Well, I was wondering if the best course would be to have a pop-up as soon as Training mode is selected that very explicitly tells the user that they are not protected while in that mode, and then perhaps an option to dismiss the pop-up forever or only for a certain period of time? That way the user has the choice as to whether they want the pop-up or not.

    Perhaps the user could have the option to say "Disable pop-up for 60 minutes and then automatically enable Smart Mode". Something like that?
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see what you are saying... that would be pretty cool, although it kind of complicates things a little, and since we are only talking about a scenario when VS is in Training and another app is full screen, this probably will not happen that often. I mean after a day or two, there is very little reason to ever put VS in training mode, unless you are installing complicated / large software... and even then, we are only talking about if another app is full screen. Because as it stands, there is already an option to disable that notification. Thank you for the suggestion... we can think about this while we fix the last couple of issues.

    For now, do you think when another app is full screen and VS is in training mode... after 5 minutes, should VS toggle to the previous mode, or should it stay in training (and either way not prompt the user)?
     
  20. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    That's the really strange thing. No, I didn't print anything from a web application or anything else after installing VS.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, splwow64 must do more than printing stuff then ;). I am not at all sure what it does... but either way it is fixed now, thank you for catching that.

    I think the only 2 last things are the access is denied error in SUA, which I am working on now, and Krusty's command line (besides the few small items that I have). Then I will go through all of the posts and respond and make sure I did not miss anything.
     
  22. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    If it does toggle to the previous mode, I think that would work well and at least there would be some protection for the user. As long as the app can recognise that someone is in a full-screen app and apply that properly, I think that'd work well.
     
  23. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    Oh Dan, I forgot to mention another little bug I've discovered - VoodooShield in Smart Mode doesn't seem to recognise the Vivaldi Browser, so it never switches to 'On' when I fire up that browser. I've tested it with Firefox and it works fine, going from Off to On successfully but with Vivaldi it remains red.

    I'm using Vivaldi 1.1 64-bit.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I think that will work pretty well too. Have you tried to add Vivaldi as a Custom Web App in Settings / Web apps?
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    No Dan, I did not have Edge open at the time but I did have another browser open, I think IE11 if I remember correctly.

    That's why I was surprised to see the mention of Edge and didn't know whether I should allow it or not.
     