VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I am glad you were able to reproduce this on your end.

    Thank you for the reply and looking into this issue, hopefully it won't be difficult.

    Thanks Dan for all your hard work.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Yeah, System Restore might be good too. :)
     
  3. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
Chrome seems to leave more processes running when it is shut down within a minute or so of launching.

I believe that I launched a web app - manually toggled VS on/off/... - closed the app - and then VS did not turn on/off when starting/stopping a web app until I went into the menu and selected smart mode (which was already selected). Not 100% sure on the sequencing - I can try to reproduce next week when that laptop comes back from vacation.

Everything is blocked with VS turned on. With VS turned off, in all folders I tested in C:\Users\... the executable was blocked by VS. But - again with VS turned off - executables are not blocked in D:\..\Documents or any of the other user folders I've moved - Pictures, Video, Music. I moved the folders the recommended way - using the 'move' button in the 'location' tab of the folder properties - OS is Win 8.1 if that matters & folders were moved prior to VS install. How does VS track the user folders? i.e. do I need to have a folder called 'Users' on D:?
     
  4. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
    Apologies if this is somewhat off topic.

    It appears that Windows Update KB3057839 (https://technet.microsoft.com/library/security/MS15-061) has caused a problem with clipboard running under Sandboxie.

    My technical knowledge of VS is not that great but I get the impression that I may be protected by VS if I temporarily uninstall this particular update until Sandboxie can sort out the problem.

    Anyone able to confirm or otherwise?
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Fixes in 4.19.3

    1) Fixed GetNextProcess issue that prevented SbieDrv from loading in XP

    Fixes in 4.19.2 (doesn't work in XP)

    1) Fixed SBIE2205 Service not implemented: CloseClipboard C0000058 error caused by Windows update KB3057839
    2) NtGetNextProcess can be used to alter processes outside the sandbox and will now be blocked.
     
  6. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
Thanks bjm_. Everything working fine now.

Still it would be interesting to know (for me anyway) whether VS would have provided adequate protection had I uninstalled Windows Update KB3057839 which apparently was issued to resolve vulnerabilities in kernel-mode drivers potentially allowing elevation of privilege. VS anti-exploit protection?
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
Yeah, that's a Dan question. Cheers
     
  8. hjlbx

    hjlbx Guest

    Enabled or Disabled... it does not matter.

    If you install PeaZip, open - play with it - then close it, the VS block notification balloon should appear... on W8.1 that is.

    If you recall, you fixed it in version before 2.5.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, and I am sure there are other places in Windows we can add this feature too. If anyone can think of any, please let me know!
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, if anyone has an issue where Chrome leaves more than one Chrome.exe process running after it is closed... if you can possibly do the following, it will help a lot. In Chrome, if you go to Settings / More Tools / Task Manager, and send me a screen shot of the processes that are hanging, that would help a lot.

    Sounds good... please let me know what you find on the toggling. But yeah, if all of the web apps are closed in Smart mode, then clicking on the desktop shield gadget should not toggle VS ON. We can change this if people think we need to, but I think that should be a feature of Always On and not Smart Mode.

I see what you are saying about the D drive. Currently, if you move the Documents, Pictures, Video and Music folders using the move button, yeah, VS will not block executables in these folders if it is OFF. It should block everything in a folder named "Downloads" whether it is moved or not, and of course appdata and programdata... but moving these is a different story. VS just tracks the entire user profile, along with any folder that contains the word "download", so creating a folder named "Users" will not help. Let me look at this... I think we can tweak it a little to work better, so that when the user profile folders are moved, it will account for that. Thank you!
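The folder-tracking rule described in this post, and the gap rm22 ran into with relocated known folders, can be written out as a small path classifier. This is an added example, not VoodooShield's own code: the profile path, the relocated folder locations and the file names are constructed here, and a real check would read the known-folder locations from the registry (the per-user "User Shell Folders" key) or SHGetKnownFolderPath instead of a hard-coded table.

```python
from pathlib import PureWindowsPath

# Constructed sample: a Win 8.1 profile whose Documents/Pictures/Videos/Music
# have been moved to D: with the folder-properties "Location" tab, exactly the
# setup described in the thread. A real tool would read these from the registry.
PROFILE = PureWindowsPath(r"C:\Users\alice")
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")
KNOWN_FOLDERS = {
    "Documents": PureWindowsPath(r"D:\alice\Documents"),
    "Pictures":  PureWindowsPath(r"D:\alice\Pictures"),
    "Videos":    PureWindowsPath(r"D:\alice\Videos"),
    "Music":     PureWindowsPath(r"D:\alice\Music"),
    "Downloads": PureWindowsPath(r"C:\Users\alice\Downloads"),
}


def _under(path, root):
    """True if path equals root or lies beneath it (case-insensitive, like NTFS)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[:len(r)] == r


def is_user_writable_location(path, profile=PROFILE, known_folders=None,
                              extra_roots=(PROGRAMDATA,)):
    """Classify where an executable lives, following the rule in the post:
    any directory whose name contains 'download', the whole user profile,
    ProgramData, and (the fix for moved folders) each relocated known folder.
    Returns a label for a tracked location, or None if untracked."""
    p = PureWindowsPath(path)

    # Directory components only: the last part is the executable's file name.
    if any("download" in part.lower() for part in p.parts[:-1]):
        return "download-folder"
    if _under(p, profile):
        return "profile"
    for root in extra_roots:
        if _under(p, root):
            return "programdata"
    # Without this table, a relocated Documents folder on D: is invisible,
    # which is the behaviour rm22 reported.
    for name, root in (known_folders or {}).items():
        if _under(p, root):
            return f"known-folder:{name}"
    return None


if __name__ == "__main__":
    for sample in (r"C:\Users\alice\Desktop\tool.exe",
                   r"D:\alice\Documents\setup.exe",
                   r"E:\stuff\My Downloads\x.exe",
                   r"C:\Program Files\App\app.exe"):
        print(sample, "->",
              is_user_writable_location(sample),
              "| with known folders:",
              is_user_writable_location(sample, known_folders=KNOWN_FOLDERS))
```

Running it shows the difference directly: `D:\alice\Documents\setup.exe` is untracked under the profile-only rule and becomes `known-folder:Documents` once the relocated folders are consulted, while paths under `C:\Users\alice` and any `...Downloads...` directory are tracked either way.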
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Hi Gillor, yeah, VS should protect you, here is why... The article says "The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application." VS should block the application, and you should be safe.

    This article has nothing to do with installing kernel mode drivers, but for example, in order to install a kernel mode driver, something has to happen in userland, which VS should block before the driver is installed. Basically, the machine is not going to attack itself.

    Also, while VS does not block sandboxed processes, it should block anything outside of sandboxes. I hope that answers your question, if not, please let me know. Thank you!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS's antiexploit protection specifically blocks all child processes from commonly known exploited apps. Also, VS only temporarily allows by Parent Process, and only if the user allows it.

    It makes training VS a lot easier so there are not as many blocks of good stuff, while keeping everything secure.
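The parent-process rule in this post (block every child of a commonly exploited application, unless the user has explicitly allowed that parent/child pair) is the same logic a defender would apply to process-creation telemetry. The example below is added here and is not VoodooShield's code; the list of exploited parents, the events and the same-binary exemption for a browser's own helper processes are all assumptions made for the illustration, since the page does not publish VS's internal list.

```python
from dataclasses import dataclass

# Assumed list of network-facing, commonly exploited parents. VS's actual
# list is not on the page; these are typical entries a defender would use.
EXPLOITED_PARENTS = {
    "chrome.exe", "firefox.exe", "iexplore.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, shaped like a Sysmon event 1."""
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event, allowed_by_parent=frozenset()):
    """Return (verdict, reason) for one process-creation event.

    allowed_by_parent holds (parent, child) basename pairs the user has
    approved, mirroring the post's 'allow by Parent Process, only if the
    user allows it'. The caller decides how long such an entry lives.
    """
    parent, child = basename(event.parent_image), basename(event.image)
    if parent not in EXPLOITED_PARENTS:
        return "allow", f"{parent} is not on the exploited-app list"
    # Assumption for the example: browsers spawn copies of themselves
    # (renderer/GPU helpers), so a same-binary child is not treated as a drop.
    if child == parent:
        return "allow", f"{parent} spawned its own helper process"
    if (parent, child) in allowed_by_parent:
        return "allow", f"user-approved child {child} of {parent}"
    return "block", f"{parent} spawned {child}"


# Constructed sample events for demonstration.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\chrome.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\winword.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\chrome.exe",
                 r"C:\Program Files\Google\Chrome\chrome.exe", "chrome.exe --type=renderer"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\chrome.exe",
                 r"C:\Program Files\7-Zip\7zFM.exe", "7zFM.exe"),
]


def triage(events, allowed_by_parent=frozenset()):
    """Apply evaluate() to a batch and return the list of blocked events."""
    return [e for e in events if evaluate(e, allowed_by_parent)[0] == "block"]


if __name__ == "__main__":
    approved = frozenset({("chrome.exe", "7zfm.exe")})
    for e in SAMPLE_EVENTS:
        print(evaluate(e, approved), "|", e.command_line)
```

With the user-approved pair `("chrome.exe", "7zfm.exe")`, only the `cmd.exe` and `powershell.exe` children are blocked; Explorer's child and Chrome's own renderer are allowed. Dropping the approval puts the 7-Zip launch back in the blocked set, which is the "train once, then it stays quiet" behaviour the post describes.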
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I will look at it this weekend! But so far PeaZip has been working great on my 8.1 system.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
BTW, it sounded like you were genuinely concerned about this issue, so I have been thinking about it a little, and wanted to say a couple more things. I think we should keep in mind that for every exploit, zero day, virus, malware, etc. that we know about, there are probably at least 5-10 that we do not know about. So I personally think that it does not do us any good to worry about one specific threat. VS should block any payload that an exploit drops, but if you are concerned, you should consider running EMET or MBAE alongside your traditional antivirus and VS. Both EMET and MBAE specialize in blocking the 24 or so exploit techniques that hackers use when finding vulnerabilities and creating exploits... and it never hurts to have several layers of protection.

But as far as worrying about one single threat, please think of it like this. Until there is a magic technology that can distinguish with 100% certainty (or approaching 100%) good code from malicious code, independent of whether the code is brand new and unseen or not, then it is probably best to lock our computers when a web app is running, or just lock the computer all of the time if you want full control of what processes are allowed. But the reality is, we have known since the early 1900's (several decades before computers even existed obviously) that distinguishing with 100% certainty, good code from malicious code, is a mathematical impossibility. There was a mathematician (if anyone knows his name, please let me know), from the early 1900's that theorized that one day there would be machines that would accept and process code that we write, and that they would do useful things... his insight was genius obviously. He further theorized that there would be good code and bad code, and that we would never be able to determine with a high degree of certainty whether the code was good or bad... (an even more genius insight if you ask me).

    For example, when you visit an ATM machine to withdraw cash, you want to be 100% certain that the person behind you cannot obtain your pin number... not 99% certain, right? That is not a very good example, but it is the best one I could come up with for now.

    So until someone comes up with a way to distinguish with 100% or so certainty good code from bad code, it is probably best to figure out a way to lock our computers using the most user-friendly and secure method possible, especially while it is at risk due to a running web app. Having a great traditional AV and specialized security software like EMET, MBAE, sandboxes, VM's, etc is important as well. Anyway, that is just my 2 cents ;).
     
  15. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,236
    Location:
    The Netherlands
On Windows 10 the mail app and the project spartan/edge browser are not recognized as web apps, so protection remains off in smart mode. Shouldn't they be added to the web apps? As a free user you can't add them yourself.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Yeah, I was going to add Spartan after they had 10 a little more finalized, but I did not think about the mail app, thank you for letting me know! I was waiting on adding Spartan because I was not sure if they were going to keep IE or not, but it looks like they are going to have both, for legacy reasons. Changing a web app is MUCH different than adding a web app in VS's code, so that is why I was waiting. But yeah, it will not take long to add... I just do not want to do any unnecessary recoding that might mess something up.

    BTW, if you do not have a pro license, just email me at support@voodooshield.com and I will set one up for you. Thank you!
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
You may want to hold off on this until the Spartan re-branding to Edge is complete, which should be included in the next Fast flight build. When that build comes, I can let you know the directory path, executable name, etc. if you need that.

    Keep up the fantastic work, Dan. :)
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    @VoodooShield ,

    Feature Request:

    Certainly not important but is there a simple way to see how many entries are in our whitelist on the UI without having to log in to our account, or manually counting them?

    Does anyone else think this could be useful?

    Thanks,
    Krusty
     
  19. hjlbx

    hjlbx Guest

    Just a suggestion...

    The user should have the option to add more than the currently 8 additional apps - above and beyond those included in the built-in Web Apps list - that connect to the network; just about all my apps connect - not even counting system files, updaters, etc.

    Other suggested options:
    • Setting to start in "Always-On" mode.
    • Means to white-list blocked commandlines (previously discussed).
    • At least add blocked commandlines to Developer Log or real-time CL log (previously discussed).
    • Means to back-up white-listed commandlines to cloud (and you can use to further refine VS's built-in CL list).
    I only have 8 to 10 commandlines at any given time - which is testament to how comprehensive the internal VS CL list actually is... but I only have the Dev Log to lookup blocks - and it is often incomplete. If I did see something that was blocked - I have no means to white-list it - even if something was broken because of it. Sort of a "Catch-22."

    Best Regards,

    HJLBX
     
  20. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,236
    Location:
    The Netherlands
Like @WildByDesign says, no need to rush things, because Windows 10 is still in development. Thanks for your response, and like the others are saying, keep up the great work :thumb:
     
  21. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
So I've decided to uninstall AppGuard and just keep VoodooShield, mainly because there seems like there would be a lot of overlap between the two, and VS won't keep safe programs from modifying things like AG does, even if the program still runs fine. However, I was wondering if there are any weak spots in VS that could be covered by other programs. It seems fairly comprehensive, as even when it is "off" it will still scan un-whitelisted executables on VirusTotal.
     
  22. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,236
    Location:
    The Netherlands
  23. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
    Hi Dan,

    Thanks for your comprehensive explanation. Really grateful for taking the time and trouble to reply in such detail. It wasn't that I was particularly paranoid about this issue, more to get a better insight in to what VS can do or can't do.

Version 2.73a running like a dream on my Windows 7 64-bit by the way.
     
  24. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Gödel’s Incompleteness Theorem...anybody?
     
  25. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    And just to add...2.73a is running like a dream also here...and I AM JUST A LOVING THE SCAN & ALLOW FUNCTIONALITY...that is now my default mode of operation.

    Respect, Dan...mucho respect! :thumb:

    Baldrick
     