VoodooShield/Cyberlock

The Do not whitelist items in the appdata directories is just an additional security feature, that honestly, we probably don't even really need. Basically, pretty much every virus or malware writes to these folders. So to stop the chances of a virus spoofing an Acrobat Reader update, for example, we added this option. Really, executables should never be ran from these folders anyway... executables belong in Program Files and Windows. But since they do not belong here, nothing here should ever be whitelisted anyway... but of course there are always exceptions, and that is why we have that option.

 

I am not looking for an argument, I have enough to deal with .. You were suggesting that VS could be bypassed, so bypass it already .

 

Yes, exactly .

 

I know a few different methods used by security software to protect Program Files Folders. Some software scans Program Files Folders, and whitelist what software is already installed. It will allow that software, but will not allow anything new to execute there. I like this method very much. VS could do the same thing with it's snapshot technology, and would be faster than scanning. The other method is using policy to not allow web facing applications to write to Program Files. The user can even block writing to files already installed in Program Files. HIPS applications like Online Armor uses a hybrid approach. OA will scan Program Files during installation, and whitelist applications trusted in the cloud. OA will still monitor there activity. It also has an option to automatically allow signed applications. The user will be prompted for application installed in Program Files that are not on the whitelist. Online Armor does it really well because it has such good whitelisting, but some HIPS will drive you buggy answering the prompts due to their lack of whitelisting.

I have not used UAC in forever, but I think it still monitors Program Files. It use to prompt me for CCleaner, and my disk defrag software. They are both installed in Program Files Folder so unless something has changed UAC does monitor Program Files Folder. CCleaner currently has an option in advanced settings to Skip UAC prompt. I have Online Armor already monitoring Program Files so it would be redundant for me to enable UAC plus I don't like how UAC prompts me when launching safe applications I already have installed. Its not really that bad, but I don't see the sense in it when I already have it covered with OA.

 

Sorry, I missed your reference to Rmus in your post. I will chat with him about it later. Thanks!

 

I take it I can allow this.

"c:\windows\system32\rundll32.exe" newdev.dll,deviceinternetsettingui 3

Also when I auto detect web apps, it finds AVguard. Should that be a webapp?

 

Hi Dan,

I've installed the latest beta 2.23k and unfortunately the issue with saving settings still tends to appear on my Windows 8.1 PL 64 bit Deleting the .dat files did not change anything.
I made a short video (sorry for the poor quality but I had a little time) sent it to you via mail. Hope it maybe useful for something.
Apart from this well-known issue the lastest VS beta build works great

Best regards,

Mike

BTW: The project of the new website looks AWESOME!!

 

I looked at the website, may have overlooked it. Is there a list of email clients which will switch VD on automatically?

 

No, I use the swedish version.

 

Have a look at this and I hope it answers your question!

Daniel

 

Thx Daniel

 

Dan, I'm having some issues with my mail (somehow alerting me errors and that the message coudn't be deliverd) I sent you a link the video on Private Conversation.
Hope you'll be able do download it.

Cheers

Mike

 

Your very Welcome Kees.

Daniel

 

Yeah, I see what you mean, but we have to be very, very careful with what we do... we do not want to infringe on any patents. I distinctly remember reading in a patent that described scanning the hard drive and adding the executables that already exist to the whitelist. Now, I do not know if that is claimed in a patent or not, but it is certainly prior art, so that really is not an option right now, unless I can find which patent that was in and contact them about licensing their technology. Besides, we want to keep the whitelist as tiny as possible, and besides, if something already exists, why reinvent the wheel? I think the best thing to do is just to ask the user after a few days if they want to lock down their computer even further. That, or I have a couple of other ideas in mind... one might be really, really, really cool if I can get it to work.

I just tested UAC with default settings, and it did auto allow a file (Windows 8.1 / 64 bit). I know what you mean though... the way UAC is, sometimes it prompts the user EVERY SINGLE TIME they open the same file. So it has always been kind of a mystery how it works . Thank you!

 

Sure, that looks good. I will add it to the hardwired list. Thank you!

 

Cool, thank you! We are getting close (with ichito's, the French guy and your help that is). I hope to have it fixed today sometime.

 

How do I defend against an erroneous assumption ~ ~ There's a reason why
ALL software is offered AS IS without any express or implied warranty.
2.23k

 

Excellent questions and I'm sure many of us are curious. Quite honestly, I think we would need Fabian or any of the anti-exploit devs to answer these definitively since they would have a full understanding.

 

Sure, that would be great to get some more opinions on this topic from seasoned security devs. Here is my very brief explanation.

The whole purpose of an exploit is to find a vulnerability in some software, eg, flash, java, etc, that allows the exploit to run an executable payload so it can do something… some kind of work or damage… basically run some executable code.

Well, if the payload (executable) is blocked from ever running in the first place, how is it going to copy the file to another folder? The exploit itself can only run the executable, it cannot copy a file from one place to another. Let alone the whole concept of windows protected folders, where you need admin permission to copy a file to certain vulnerable folders ( I know, this is not available in XP).

Also, programs only have access to certain folders, unless the program is ran as admin. For example, VS’s GUI runs as invoker, so it can only write to certain folders. Right now, VS is only coded to write to the c:\programdata\voodooshield folder, and that is why all of the .dat and .log files are stored there. This is what TH was saying earlier… another example is that Internet Explorer is going to write only to the Temporary Internet Files in the user space (or whatever). So unless the exploit can run the payload, and somehow magically tell the exploited code to run as admin and copy a file to a different place, that also happens to be a windows protected folder… well, I think we are safe .

So what I am saying is that if an exploit attempts to run its payload, but the security software blocks the executable payload, it cannot possibly copy a file to anywhere.

This is the way I understand it, but someone please correct me if I am wrong!

Edit: So this is why you find most viruses and malware in the user space... appdata or programdata typically... it is because they have no problem writing to these folders.

 

Post 5933: You said "Well, then you've got a gold mine.... I'll run FREE .... as VS cannot be bypassed. Correct ? VS FREE cannot be bypassed. Correct ?"

By saying Correct?...TWICE... that sure sounded like you found a way to bypass VS. Does that mean I have a gold mine?

 

seems to be best one yet for me. I dont even experience a stutter when launching it

 

Sorry Dan...on my Vista 32-bit PL still the same as Miquell wrote. I have in my archive about 10-15 earlier versions of VS and I'll check in which settings works properly...because they earlier worked without issues as I remember. Maybe problem is in some little change of code of VS?

 

Hi ichito,

Good idea Maybe somehow it will be helpful in solivng this issue.
On my board saving settings seems to be working as such, however each time when I'm opening the settings windows again, the previously made changes are not visible.
I also hope that maybe the problem will require only minor adjustments and little changes and I'm sure that Dan will quickly solve it

 

click'd Quarantine and nothing happens ? Why ?

 

Does Quarantine drop rights? I Quarantin'd mspaint.exe > then I was unable to save print screen because not having privilege. I opened Paint with Run as Admin and was then able to save. What happens to a process upon VS Quarantine? VS Quarantine Folder is empty ?