VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Win 7 only. I am not using VS on my Win 8 machine.
    Not sure. Was just looking back through my history via Nirsoft MyEventViewer - will have to check if it is related to a reboot only.
     
  3. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Vlad,
    As far as I can tell it does look like the fault only occurs on shutting down the PC. All the error/application reports seem to show VS crashes at shutdown, and on reboot all the Windows error reports start queuing up.

    @paulderdash
    Out of interest, is your Win 7 a 32 or 64 bit version?

    Thanks
    Gordon
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    64 bit ...
     
  5. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi,
    Yes - sorry, I should have read your signature. Anyway I wonder, as I have 64 bit too, if the problem is just limited to the 64 bit version of Win 7. Maybe Vlad could help with that.

    Gordon
     
  6. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I see this on x32
    The issue seems to be in the .NET version that is deployed with Windows 7. I found that the crash is caused by .NET garbage collection; however, I still don't have any workaround for it.
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Ok Vlad, - thanks for the update.

    Gordon
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Could be only on reboot, but it looks like not every reboot.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I know Erik Loman has advised against adding security programs to HitmanPro.Alert's protected applications.
     
  10. aktiffiso

    aktiffiso Registered Member

    Joined:
    Aug 24, 2013
    Posts:
    19
    Location:
    México
    Hi, I recently bought Norton Security Essentials and want to know if there are any incompatibilities with this software and Norton. Thanks.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS is going to have a new feature soon, and there will probably be a few questions, so I figured that I would tell you as much about it now so that you will know what it is all about. The new feature is called “Voodoo Ai” for now, and if anyone has a better, less pretentious name, please let us know and we will change it ;). Voodoo Ai utilizes 3-4 machine learning / artificial intelligence algorithms along with other “features” of the portable executable (PE) binary (exe’s and dll’s) to assist users in making the correct decision (block or allow) when VS prompts them. Machine learning / artificial intelligence is kind of the latest “craze” in security software, and it differs from behavior blocking / heuristics in that the analysis all occurs pre-execution. VS is not the first to offer this (there is at least one other company specializing in this), and in the last 4-5 years there have been a lot of academic studies that have assessed the viability of machine learning and artificial intelligence in detecting malware, and as it turns out, while it will never be 100% perfect, it is quite accurate.

    So here is pretty much how it works. When advanced users (like all of the wilders users) see a new file, there are a lot of different “features” of that file that help you and I determine whether it is a malicious file or not… basically if it acts like a duck and quacks like a duck, it is probably a duck. For example, if the new file is not digitally signed, it is marked as “hidden”, and it just “looks” odd, then we know that it is extremely suspicious. We are using several other features, but I was not planning on listing all of them for obvious reasons ;). BTW, if you guys can think of any tell-tale features of malware, please let me know and I will see if we can add them as well. So basically what this new feature does is combine the 3-4 ML / AI algorithms with the other tell-tale “features” and it decides whether the file should be considered safe or not.

    This new feature is not quite as complex or impressive as it might sound, but so far it does seem to be quite accurate. For example, when I analyzed all of the executables in several of the Windows and Program Files directories that were known to be safe, it was 100% accurate, with the exception of 6 files from an ATI display driver. I looked at these 6 files a lot closer, and let’s just put it this way… if it was not obvious that they were from the ATI display driver, I would think they were malicious as well… one example is that they were not digitally signed. Not that I am picking on ATI, but really, these should be signed, along with the other “features” that should have been handled properly.

    I also downloaded several malware packs and while it was not 100% accurate, it detected the vast majority of them as malicious. Once I also factored in VS’s “blacklist scan”, whether the file was unknown or not, it would have detected all of them as malicious.

    The only time that this new feature was not as accurate as I would have liked was when it was analyzing files that have to kind of “dig deep” into windows, such as other security software and malware removal tools. For example, one of my favorite malware removal tools is adwcleaner, and this new feature detected it as “not safe”, even though it is obviously a safe file. So this new feature definitely errs on the side of caution, which is a good thing, especially when a lot of novice and average users do not know whether to allow or block a file that VS blocks.

    For now, VS will simply display “Voodoo Ai: Safe” or “Voodoo Ai: Not Safe” in the user prompt until you guys can use it for a while and we can see how accurate it really is. If there are any false positives or false negatives, please let me know so we can make some adjustments. Once we are comfortable with its accuracy, there will be a lot of really cool things we can do with it. For example, if VS blocks something and the blacklist scan comes back as “unknown”, and Voodoo Ai determines that the file is not safe, then we can alert the user that the file is probably suspicious.

    Machine learning and artificial intelligence will never be 100% perfect… it is a mathematical impossibility. But it is a powerful tool we can use to combat malware, especially when coupled with application whitelisting and multiple blacklist scans. It is a work in progress, and we will also continue to work on this new feature to make it even more accurate, although I am starting to think that if we add too many “features” that it will not be quite as accurate.

    There are other important things that we need to do before we implement this new feature, but hopefully Vlad can implement it soon. Thank you!
     
    Last edited: Oct 21, 2015
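One of the pre-execution features the post above names, whether a PE file is digitally signed, can be read from the file header without running the file. This is an added sketch, not VoodooShield's code: it only checks for an embedded Authenticode certificate table, and the sample header bytes are constructed for the demo.

```python
import struct

SECURITY_DIR = 4  # index of the certificate table in the PE data directories

def has_embedded_signature(data: bytes) -> bool:
    """True if the PE carries an Authenticode certificate table (not validated)."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not a PE file: missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE file: missing PE signature")
        opt = pe_off + 24              # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:             # PE32: directories start at offset 96
            dirs = opt + 96
        elif magic == 0x20B:           # PE32+: directories start at offset 112
            dirs = opt + 112
        else:
            raise ValueError("unknown optional header magic")
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            return False
        # For this directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
        return offset != 0 and size != 0
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc

def make_sample_pe(cert_size: int) -> bytes:
    """Constructed PE32+ header for the demo; carries no code or sections."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # 112 + 16 * 8
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if cert_size:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x400, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for label, blob in (("with table", make_sample_pe(0x1A08)),
                        ("without table", make_sample_pe(0))):
        print(label, "->", has_embedded_signature(blob))
```

A present certificate table is not a verified signature, and many Windows system files are catalog-signed with no embedded table, so this flag on its own is only one input to a decision.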
  13. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan,
    The new vision for VS sounds pretty cool.
    However, you will have seen above that I and some other Win 7 users are having a problem with VS 3 crashing at shutdown. Vlad is working on it but is struggling to find a solution.
    Presently I'm back using ver 2.86 because of all the errors being produced with VS3, so is a solution to the Win 7 .NET problem in ver 3 on the cards? Otherwise some Win 7 users may get left behind with its further development.

    https://www.wilderssecurity.com/threads/voodooshield.313706/page-326#post-2533422

    Regards
    Gordon
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Gordon, yeah, this is one of the important things that we need to fix before we add new features ;). Vlad is working on it and will hopefully have a fix very soon. BTW, when does this error occur? Is it when you shut your computer down, or exit out of VS, or both? Thank you!
     
  15. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan,
    Thanks - I don't recall VS crashing when exiting; it just seemed to be on shutting down the computer. Followed by large numbers of Windows error reports and dump files when the computer was started up again.

    Gordon
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, thank you! BTW, did you get a chance to delete all of the files in the c:\programdata\voodooshield directory? I am not sure if this will fix it or not, but it is worth a try. I just installed 3.03 on my Windows 7 64 bit machine (I had 2.86 on it previously) and it was not working well until I deleted those files... but after I did, it started working great.

    Also, Vlad had to make some changes to the WCF service to fix another bug a while back... I wonder if that has anything to do with it? Maybe he has a version of VS 3.x that you can try before the WCF service changes were made. Just a thought.

    I am not sure if he has done this yet for this particular error or not... but he can add some exception handling code to the service and hopefully it will write the error to the DeveloperServiceLog.log, and that should help too. I know he has done this for other errors, but I am just not sure if he has for this error or not.

    Also, what other security software are you running?
     
    Last edited: Oct 21, 2015
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yep, that's it! Google "malware machine learning" or "malware artificial intelligence"... it is really cool stuff, especially all of the research pdf's from the various universities. There are some people who do not believe it will be that effective, but most people do. I was not a believer until I saw with my own eyes how accurate it is. I think we can pretty easily achieve a consistent 98-99% accuracy, and then if you couple that with application whitelisting and multiple blacklist scans... I think it is our best hope ;).

    I think it is the next big thing in security software, and I imagine that pretty much all of the security companies are at least looking into it.
     
  19. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Yes I deleted all the programdata files and did a clean install of V3 -- see my report last Friday............... https://www.wilderssecurity.com/threads/voodooshield.313706/page-327#post-2534900
    I kept copies of the VS programdata logs before deletion just in case I needed them later.

    I haven't run a realtime AV for 3 years now. Just Voodooshield with MBAM and EEK on demand for weekly scans. Plus Hitmanpro alert v2, so there is very little that could interfere with VS.

    Gordon
     
    Last edited: Oct 21, 2015
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I think we just need to add some exception / logging code and then send Vlad the logs... has he done that for this particular error yet? Thank you! I have some onsite stuff I have to do, but talk to you guys soon. Go Royals!!! (Sorry TH ;))
     
  21. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    No, not to my knowledge. If Vlad wishes to add the logging code, I would be happy to run VS 3 again to check it out for him/you. (As stated, I'm back running 2.86 presently.)
    Thanks.
    Gordon
     
  22. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    The crash is caused by heap corruption, and it's impossible to catch those types of errors. It seems to be a .NET issue, so there is no real fix, but a workaround is needed.
     
  23. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    VoodooShield 3.03 Beta Release
    You can download it from https://voodooshield.com/Download/beta3/InstallVoodooShield.exe
    It's recommended to turn off or uninstall any old versions of VoodooShield prior to installing the new version or update by using the old version.

    System requirements:
    • Windows Vista sp1 and above (XP is not supported!)
    • .NET 2.0/3.5 and above
    What's new in VoodooShield 3.03 Beta:
    • Fix Norton Toolbar issue
    • Fix duplicated whitelist entries
    • Fix empty SHA in whitelist
    • Fix not sending network files to VirusTotal
    • Some performance improvements
    • Little code fixes


    Have a good day,
    Vladimir
     
    Last edited: Oct 23, 2015
  24. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    VoodooShield 3.03 Beta Release - known issues
    It's not really an issue. The file is recognized as an installer by the Installer detector, so it turns off VS. I agree that there should be a more informative message that VS is going to be turned off.

    Still unable to reproduce. Please try with the newer version

    The functional part is implemented, so you can add a wildcard to the command line list. However, it may not be so user friendly yet. There are also some questions about the order in which rules are applied (i.e. firstly apply explicit rules and then wildcard, or apply them in the order that they are present).

    I found where it crashed, but there is still no fix. The crash is caused by heap corruption and seems to be a .NET issue, but I'm still looking for a workaround.
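
The rule-ordering question raised in the post above, shown as an added example that is not VoodooShield's code: the same command line is evaluated once with explicit rules applied first and once in listed order. The rule format, the action names and the sample command lines are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed rule list: (command-line pattern, action), in the order entered.
RULES = [
    ("powershell.exe *", "block"),
    ("powershell.exe -file c:\\scripts\\backup.ps1", "allow"),
]

def is_wildcard(pattern: str) -> bool:
    """A rule is a wildcard rule if it contains any glob metacharacter."""
    return any(ch in pattern for ch in "*?[")

def matches(pattern: str, cmdline: str) -> bool:
    # Case-insensitive glob match; a pattern without wildcards matches exactly.
    return fnmatchcase(cmdline.lower(), pattern.lower())

def decide_in_order(rules, cmdline, default="prompt"):
    """First matching rule wins, in the order the rules are listed."""
    for pattern, action in rules:
        if matches(pattern, cmdline):
            return action
    return default

def decide_explicit_first(rules, cmdline, default="prompt"):
    """Explicit (non-wildcard) rules are consulted before any wildcard rule."""
    explicit = [r for r in rules if not is_wildcard(r[0])]
    wildcard = [r for r in rules if is_wildcard(r[0])]
    return decide_in_order(explicit + wildcard, cmdline, default)

def compare(rules, cmdline):
    """Return both verdicts so a disagreement between orderings is visible."""
    return {
        "in_order": decide_in_order(rules, cmdline),
        "explicit_first": decide_explicit_first(rules, cmdline),
    }

if __name__ == "__main__":
    for cmd in (r"powershell.exe -File C:\Scripts\backup.ps1",
                "powershell.exe -NoProfile",
                "notepad.exe"):
        print(cmd, "->", compare(RULES, cmd))
```

With listed-order evaluation the broad wildcard rule shadows the later explicit allow, so the ordering choice changes the verdict for the backup script only.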
     
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Thanks Vlad! Doing a clean reinstall!

    Cheers,

    Daniel :)
     