VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

@shmu26, you should really stop asking for the implementation of ERP's Vulnerable Process List in every security app you like... :rolleyes:
     
  2. @shmu26
    Iffy apps won't get past VoodooShield's AI engine.

    @guest
    Thanks for explaining
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    guest, to tell you the truth, I already got tired of the way ERP prompts you without mercy. But I do like the way SecureAPlus implements the idea. They use parameters that narrow it down to suspicious behavior. That's a smart idea.
    To be sure, the VS Ai will stop those iffy apps, as mentioned by @Windows Security, but the user will often rely on his own intelligence, and install the app anyway. That's why it's good to have a second line of defense. People aren't perfect, and even the ones that are, still have their moments of weakness. That's why the user needs a second chance.
     
    Last edited: Aug 21, 2016
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Dan,
    Unfortunately the noflash made no difference. Just got another hang of VS. Same symptoms. I will send logs... maybe some relevant info below...

    Code:
    [08-21-2016 11:26:18] [DEBUG] - DriverCommunicationService::Exit main loop
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 41: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 40: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 38: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 39: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 37: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 48: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 36: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 35: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 34: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 33: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 32: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 31: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 30: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 49: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 28: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 27: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 29: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 50: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 26: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 24: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 23: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 25: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 51: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 22: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 20: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 21: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 19: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 18: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 17: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 52: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 16: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 15: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 14: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 12: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 13: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 11: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 9: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 8: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 10: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 6: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 42: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 43: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 4: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 44: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 45: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 47: End
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 46: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 54: End
    [08-21-2016 11:26:18] [INFO ] - Wait for response canceled
    [08-21-2016 11:26:18] [DEBUG] - DriverCommunicationService::Disconnected
    [08-21-2016 11:26:18] [INFO ] - HandleSingleProcess:Thread 71: End
     
    Last edited: Aug 21, 2016
  5. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    The right click menu appears but is unresponsive. This happened after installing a program (PrivaZer). I have now disabled VoodooAi. I will send you the logs.
    Edit: installed another program (Notepad++) with VoodooAI disabled and no freeze of VS.
     
    Last edited: Aug 21, 2016
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    That's strange. I also installed PrivaZer (to test it only) and the right click menu is perfectly functional on my PC.
     
  7. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    VoodooShield didn't freeze after flashing the tray icon? Are you on the same windows version as me (Windows 10 Home 64bit Anniversary Update)? What is the version of VoodooShield you are using?
     
  8. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    v3.33 has been freezing constantly, especially on resuming from a sleep/screensaver state or when VS detects a new process (voodooshield ai disabled). Uninstalled for now and back to the SBS version which ran faultlessly here.

    Logs sent
     
  9. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    No, VoodooShield did not freeze after flashing the tray icon. And I am also using Windows 10 Home 64bit Anniversary Update. Using VoodooShield v3.33.
     
  10. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Thanks, so we're running an almost identical configuration and mine freezes :( Maybe a conflict with AV or UAC settings? What AV are you running? I have set UAC to the max, what are your settings?
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Hi Gandalf,

    I am running Emsisoft Internet Security and HitmanPro.Alert
    UAC is also set to max
     
  12. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Thanks:thumb: I will try Emsisoft Anti-Malware instead of 360 Total Security and see if that makes a difference.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Man, that is such a bummer that the freeze issue is still happening... here is the plan.

    1. If anyone is experiencing the freeze issue, please try running the SBS version for a few days... I really think this is the issue. BTW, has anyone had a freeze while running the SBS version? Here is that version: https://voodooshield.com/Download/beta3/InstallVoodooShieldSBS.exe

    2. You can try disabling VoodooAi, but it looks like faircot already tried that.

    3. If the SBS version still freezes... I have 2 backup versions (3.08 and 3.09) where the code is completely separated from each other. I can compile each of these, and we can double check by running each of these versions for a few days... that way we will be 100% certain that the changes in the code between these 2 versions are when the freeze issue first started occurring.

    4. Also, I am not sure if you guys remember Rajesh or not... but he was the main developer who helped me with VS 2.0, and he really did a great job, and he writes beautiful code, just like Vlad does. Rajesh had to take some time off because he actually had a baby as well 1.5 years ago or so (so his time was limited, just like Vlad's is now), but he contacted me out of the blue the other day and told me he was available to work on VS. Either way, there are a few other things that Rajesh can work on as well (new features, etc). So if the above steps do not solve the freeze issue, that will be the main thing that Rajesh can look at first. Either way, we have the freeze issue extremely narrowed down.

    I am really sorry the freeze issue has been this difficult and frustrating for everyone involved, but we have to be getting close to having it fixed once and for all. I really do think it is the SBS, so please try that version if you are experiencing the freeze issue. Thank you!
     
  14. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Dan, I had a crash with the SBS version see post #11922 and the logs I sent you on the 17th.
    Do you still want me to run that version?
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, thank you! This could really turn into a long discussion, which is fine with me, because I want to make sure we get this right!

    Here is the thing... VS's whole philosophy is that a single line of malicious code should never be allowed to run, because if it does, then all bets are off. I always assumed (and still assume) that the whole reason for monitoring vulnerable processes was to ensure that the executable payload is effectively blocked. For example, a lot of exploits will run shellcode that calls a rundll32.exe function that ultimately executes the payload, but a malicious command line such as this is only going to originate from a web app, right? There are certainly malicious scripts, but VS will block those anyway. And besides, why would a malware author bother calling a script when they already have their executable payload running, which has a lot more access to functions and libraries than a script ever would? The point is... the executable payload should never be allowed to run in the first place.

    Sure, VS could block every single command line and interpreter, but that would be extremely painful for the user, and I do not think it would make VS any more secure. Actually, the reason VS has been so effective with my local clients and all of the other VS users is because we have gone to great lengths to make sure it does not block every single item. So then when a user is browsing the web or clicks on a malicious spear phishing link in an email, and VS blocks something "out of the blue"... they KNOW something is not right, and do not allow that item. That is... they were clicking on something that was questionable in the first place, then when VS blocks the item, they know for certain that they should not allow the item. I really think that if we block every single thing, it would be difficult for us to reach the mass market.

    We know that command lines and interpreters should not be able to spawn a non-whitelisted executable payload... that is the cornerstone of our protection. But the question is... once the executable payload is allowed, should it be able to do the opposite (spawn command lines and interpreters unrestricted)? As Kees suggested... any executable payload that spawns malicious command lines and interpreters should be considered malicious, and should never be allowed to run in the first place, and I am certain that between the blacklist scan and VoodooAi... it would be extremely difficult to find an executable payload that would trick both the blacklist and VoodooAi. If the file is unknown to the blacklist, the prompt will be red, and the Ai user recommendation will be to block the file (it will even say in the prompt that it is suspicious that the file is unknown to the blacklist).

    I personally have never seen malware where the executable payload is "non-malicious", but yet calls a malicious script. The payload would be very quickly identified by the blacklist scan or VoodooAi as malicious. Although, we can add an option in VS that will let the user choose to block anything and everything. Please let me know what you guys think, thank you!
     
    Last edited: Aug 21, 2016
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know... I was thinking that might be the case (but hoping otherwise ;)).

    Ok, this is what we will do... a little later today, I will compile those two unique versions of VS 3.08 and 3.09. We should probably start by running the 3.09 for a day or so to make sure that it freezes. Once it freezes, we can try the 3.08 version for a few days and hope that it does not freeze. If it still freezes, I will compile the previous backup that I have, and we will keep going backwards until we have the version that does not freeze. Once we know what version was the last one that does not freeze, Rajesh or I will compare the code and see what changes were made. As I was saying, we have already ruled out 95% (or so) of the possibilities, so we have to be getting close! I will post those versions a little later today, thank you!
     
  17. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Okay, I will wait for those versions. They will be signed for Windows 10 AU?
     
  18. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    Does this mean, if the executable is allowed then spawned command lines & interpreters will be allowed too, i.e. no command/interpreter alerts?
    If yes, then I would like to see it as an option (I like it, but as an option because most users may not like it as default).
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, here are the versions... yeah, I made sure that they work with 10 AU, thank you for mentioning that! Well, they should anyway, if not please let me know!

    We have been assuming (hopefully correctly) that this version does not freeze:
    https://voodooshield.com/Download/beta3/InstallVoodooShield308FreezeTest.exe

    The first time I ever noticed a freeze was with 3.09, and hopefully, this version will freeze (it is the version I am running now to test, although, I have not had a freeze in 3-4 weeks).
    https://voodooshield.com/Download/beta3/InstallVoodooShield309FreezeTest.exe

    So if 3.08 does not freeze, but 3.09 does, then we have really great versions of source code that we can compare to find out what went wrong. I have already compared the code several times, but so far I have not been able to isolate the issue.

    So basically, the whole point of this test is to make sure that the freeze issue started occurring somewhere between these two versions. Please let me know how they do, thank you!
     
  20. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Okay, will do a clean install of the 3.09 freeze test version now and will let you know if it freezes. If it does I will try the 3.08 version.
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Installed 3.09, we will see how it goes! :thumb:
     
  22. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Dan

    I really appreciate your determination and perseverance in tracking down this freeze issue, especially as you must have other, more lucrative, projects to deal with. VS has become a firm favourite of mine and, when it's working well, one of the quietest security progs I've used. Do hope you nail this soon.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, for example, if you install Hard Disk Sentinel, it has a script that runs on startup. I believe that this script should not be blocked because it is a whitelisted program in the Program Files folder, that was determined to be clean by the blacklist and VoodooAi. Please remember, the whole purpose of VS is to lock the computer when it is at risk!!! I hear all the time from my local clients (most who are extreme novices), "I love VS, but I do not understand why it is blocking my HP printer (because VS blocked a command line from the HP software), I thought it only blocked stuff from the web or email!". And I hear them on the phone or in person, how frustrated they are when VS blocks something like this... because VS should not be blocking this!!!

    Here is a great example... have you ever seen UAC block the exact same program on Windows startup each and every time, because it requires admin approval? One example was some Asus utility from a while back... I found it absolutely absurd that this was even being blocked once... let alone every single time... and this is not a bug, it is by design!!!

    The reality is... you are not going to become infected printing a letter, but you might become infected browsing the web or checking email, which is why the computer should be locked when it is at risk, and unlocked when it is not at risk. If I did not think we could do this 100% safely, I would never do it.

    BTW, different versions of VS handle this differently... I am just experimenting until we find the perfect balance between security and usability (with security being the focus).

    We can certainly add this as an option... but the ONLY way we are going to be able to lock A LOT of computers is if VS is user-friendly, and does not block stuff like this.

    If I am missing something, please let me know... like if you guys can think of a specific example where this method would put the user at risk. Thank you!
     
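The spawn policy debated in posts 15 and 23 above (command lines and interpreters must never launch a non-whitelisted executable payload; a whitelisted program may launch an interpreter, such as Hard Disk Sentinel's startup script; an optional strict mode blocks every command line and interpreter; everything is allowed while the computer is unlocked) written out as a small decision function over process-creation events. This is an added illustration, not VoodooShield's code: the interpreter list, the sample paths, the Hard Disk Sentinel install location, the idea of judging a script host by the script file on its command line, and the sample events are all constructed here.

```python
"""Toy allow-list policy for process-creation events (constructed example, not VoodooShield code)."""
import shlex
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: these image names stand in for what the thread calls
# "command lines and interpreters". Illustrative, not the product's list.
INTERPRETERS = frozenset({
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "mshta.exe",
})
SCRIPT_SUFFIXES = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")

# Constructed sample paths; the Hard Disk Sentinel location is assumed.
SYS32 = r"c:\windows\system32"
HDSENTINEL = r"c:\program files\hard disk sentinel\hdsentinel.exe"
HDS_SCRIPT = r"c:\program files\hard disk sentinel\startup.vbs"
BROWSER = r"c:\program files\browser\browser.exe"
PAYLOAD = r"c:\users\me\appdata\local\temp\payload.exe"
UNKNOWN_SCRIPT = r"c:\users\me\downloads\invoice.vbs"

# Paths already judged clean (in the thread: by the blacklist scan and VoodooAi).
WHITELIST = frozenset({
    SYS32 + r"\rundll32.exe", SYS32 + r"\cmd.exe", SYS32 + r"\wscript.exe",
    HDSENTINEL, HDS_SCRIPT, BROWSER,
})


@dataclass(frozen=True)
class ProcessEvent:
    parent: str        # image path of the spawning process
    child: str         # image path of the new process
    command_line: str  # command line of the new process


@dataclass
class Policy:
    whitelist: frozenset   # lower-cased paths judged clean
    locked: bool = True    # True while the machine is "at risk"
    strict: bool = False   # the "block anything and everything" option


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_interpreter(path: str) -> bool:
    return image_name(path) in INTERPRETERS


def script_from_command_line(command_line: str) -> Optional[str]:
    """First argument that looks like a script file, quotes removed, or None."""
    for token in shlex.split(command_line, posix=False):
        token = token.strip('"')
        if token.lower().endswith(SCRIPT_SUFFIXES):
            return token
    return None


def decide(event: ProcessEvent, policy: Policy) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one process-creation event."""
    if not policy.locked:
        return "allow", "computer is unlocked (not at risk)"
    child_ok = event.child.lower() in policy.whitelist
    parent_ok = event.parent.lower() in policy.whitelist
    # Cornerstone rule: a non-whitelisted executable payload never runs,
    # no matter what spawned it (interpreter, command line, or anything else).
    if not child_ok:
        return "block", "non-whitelisted executable payload"
    if is_interpreter(event.child):
        # A whitelisted script host running an unknown script is still an unknown script.
        script = script_from_command_line(event.command_line)
        if script is not None and script.lower() not in policy.whitelist:
            return "block", f"non-whitelisted script {script}"
        if policy.strict:
            return "block", "strict mode: every command line and interpreter is blocked"
        if parent_ok:
            return "allow", "whitelisted program spawned an interpreter"
        return "block", "interpreter spawned by a non-whitelisted parent"
    return "allow", "whitelisted executable"


def sample_events() -> Dict[str, ProcessEvent]:
    """Constructed process-creation events mirroring the cases in the thread."""
    return {
        # Hard Disk Sentinel's startup script: the case the author says must not be blocked
        "hds_startup_script": ProcessEvent(
            HDSENTINEL, SYS32 + r"\wscript.exe",
            r'wscript.exe "C:\Program Files\Hard Disk Sentinel\startup.vbs"'),
        # The chain from post 15: web app -> rundll32 -> executable payload
        "browser_spawns_rundll32": ProcessEvent(
            BROWSER, SYS32 + r"\rundll32.exe", r"rundll32.exe C:\Windows\Temp\stage.dll,Run"),
        "rundll32_spawns_payload": ProcessEvent(
            SYS32 + r"\rundll32.exe", PAYLOAD, PAYLOAD),
        # A whitelisted script host asked to run a script nobody has vetted
        "unknown_script": ProcessEvent(
            SYS32 + r"\cmd.exe", SYS32 + r"\wscript.exe", f'wscript.exe "{UNKNOWN_SCRIPT}"'),
    }


def evaluate(policy: Policy) -> Dict[str, str]:
    """Map each sample event label to its allow/block verdict under the policy."""
    return {label: decide(ev, policy)[0] for label, ev in sample_events().items()}


if __name__ == "__main__":
    for mode, policy in (("balanced", Policy(WHITELIST)), ("strict", Policy(WHITELIST, strict=True))):
        for label, verdict in evaluate(policy).items():
            print(f"{mode:8} {label:26} {verdict}")
```

Run as-is to see the two modes side by side: in balanced mode the startup script and the rundll32 launch pass, but the payload that rundll32 tries to start is blocked because it is not whitelisted, which is exactly the point the author makes about where the protection has to hold; strict mode additionally blocks the whitelisted interpreters themselves, which is the behaviour khanyash asks to have as an option.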
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you fax and faircot... sorry it is taking so long!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I might have forgotten one small thing... so if the 3.08 and 3.09 freeze versions did not install properly, please download again!
     