VoodooShield/Cyberlock

I had to uninstall VS because it slowed my boot down and my system was very sluggish, now it's fast again!

 

Or something like "Default mode" would also be awesome .

 

noticed that if i remove my snapshots from your website they never come back, even when it says its synching

 

Is Dan on vacation?

 

How intensive is this on the HDD? I am getting a SSD soon and don't want a security program that is tough on it.

 

I think Dan will be up to his neck sorting out the KMD for the next version.
He'll be back.

 

Yes he is very busy! Cuckoo Sandbox It's coming soon!

 

Hehehe, sorry I have been away... I got a little carried away with the new features . The Cuckoo Sandbox is pretty much ready, although we will want to refine and tweak it a little in the next few days. There is still a little more work to do on the KMD, but it is getting there. I might even take a little break for a few days before finishing that up.

Here is the latest version with the Cuckoo Sandbox integration. So far I have not been able to get it to work with XP (and it may not ever), but it seems to work great with everything else. So if you are running XP, there is no reason to upgrade to this version.

This version is all about the Cuckoo Sandbox / Remote Sandbox. So either drag and drop a file, or have VS block a file, then choose “Sandbox”, then “Cuckoo”.

If you want to watch the analysis in real-time, in a remote desktop session, just make sure you check the option “Watch Cuckoo Sandbox analysis in a Remote Desktop session in real-time”, before you click the “Cuckoo” button. I was going to have it enabled by default, but I did not want to scare one of our other users that have no idea about the RDP features . Besides, the more bandwidth (among other things) we can conserve, the better.

http://www.voodooshield.com/freeoffer/Install VoodooShield.2.77 beta.exe

I have not tested the Cuckoo server other than just running internal tests, but I think it will do quite well. It estimates that it can perform 13,000+ analysis per day (or 525+ per hour), but I guess we will see . For now I limited the RDP sessions to 1 every 5 minutes, just to make sure I did not overlook something... and we end up crashing the server . There are a lot of "moving parts" between VS and the Cuckoo Sandbox, and a lot of things that could potentially go wrong, but I think everything is pretty darn stable at this point. Hopefully there will not be any firewall issues, but I think since it is just a standard RDP, it should be fine.

Hopefully I will be able to catch up on the posts I have missed this weekend... then after these last few features are finished, hopefully things will go back to normal. Thank you, talk to you soon!

 

BTW, I forgot to mention that the mouse on the RDP will automatically move around on the desktop... this is normal, it is simulating mouse movement and clicks to help evade sandbox detection.

 

Hi Dan

First impressions are good in terms of of existing functionality and as far as I can seethe recent additions have not affected normal operation. Yet to give the sandbox a run for its money but some far nothings seems broken. Will post back over the weekend after trying to make the cuckoo sing...

 

Working well so far. The only thing I've had an issue with is getting cuckoo to finish analyzing a file. I let it run for about 5-6 min and never finished. It was just a small EXE file too. I figured it shouldn't take so long. Other than the it's running nice and smooth.

 

... Sounds OK. How do I reverse it if I need to?

 

VS Basic settings GUI ...................

 

Awesome! Thank you Sir.

 

v. 2.77beta

Sat 7/18 18:00 US EST

Cuckoo sandbox keeps returning time-out.

* * * * *

This is not a criticism - just pointing out some rather complicated issues with no easy solutions.

In its current incarnation the Cuckoo sandbox analysis report is way too complicated for the typical user to interpret. Such interpretation requires knowledge well beyond what even most die-hard security software enthusiasts possess.

Therefore, I question its value to the typical user. If the average user cannot decipher the analysis report, then those infos are essentially useless to the user.

Perhaps for most users all that is needed is a "score" (in a notification instead of the browser) from 0 to 10 that lets the user know how probable it is that the file is malicious. For example, 0 = known safe and 10 = known malicious.

Even if VS would implement such a scale there is a problem with scores 4, 5, 6 and 7. The typical user is apt to simply "Allow" without any further investigation. In these cases, infos in the report are, indeed, needed to make an informed judgment. Despite this fact, again we return to the primary problem that necessitates the use of a malware "score" scale to begin with - the typical user lacks the knowledge to make sense of the report.

Perhaps it might be best to have a user-defined "threshold" setting. For example, allow only files with a Cuckoo score of <= 4.

Although, even if deemed worthwhile, I am not sure if any of these can technically be implemented; how does one link the Cuckoo sandbox results to VS ?

In any case, virtually impossible problem to solve = VS to compensate for user 1) lack of knowledge and 2) poor judgment.

Some food for thought...

Best Regards,

HJLBX

 

BUG

v. 2.77beta

W8.1

Despite Wscript, Cscript, Rundll32 and Regedit being blacklisted when VS is ON, they are still able to run.

Best Regards,

HJLBX

 

BUG

v. 2.77beta

W8.1

When open Quarantine via VS UI it does not list all items actually inside C:\ProgramData\VooDooShield\Quarantine.

Best Regards,

HJLBX

 

Cool, thank you. I think the Cuckoo Sandbox turned out pretty well, I just have a little polishing to do and we will be good to go! As far as WMP is concerned, VS will not let it spawn a child process so we should be good to go!

 

Hmmm, it should be blocking wscripts and cscripts (it is working on my machines anyway, let me know if it is not working on yours). But as far as rundll32 and regedit, I need to remove those options. rundll32 is now managed through command lines, and regedit is now allowed when VS is ON. Thank you!

 

Cool, thank you, yeah, that was a bug, I think it is fixed now, so it should be fixed in the next release. Although, it will not detect the old items, just the new ones.

 

Yeah, VS does block items when it is in Smart Mode... and if the blacklist scan comes back clean, then it automatically allows the item. Also, keep in mind, for an exploit to attack, a web app has to be running, right? We can make VS toggle with WMP, but I really do not think it is necessary. The whole purpose of Smart Mode is for it to safely whitelist as many items as possible when web apps are not running.

 

This is covered by the Anti-Exploit feature. In Smart Mode, if an exploit tries to spawn a payload through WMP, VS will block it. We can toggle VS with WMP, but either way the payload from the exploit is going to be blocked.

 

Hello @VoodooShield

I know it is a lot of work - really, I do... but users need a way to allow safe command lines for the vulnerable processes.

With the Cuckoo sandbox and KMD projects underway, I'm not sure this request is a priority. However, managing command lines is fundamental to getting everything to work with VS - especially hardware.

The command line logging and management functionality of NVT ERP is its one decisive advantage over VS.

Best Regards,

HJLBX

 

Without toggling, VS will block anything and everything that is not on the whitelist. If you are going to lock a computer, you have to make it as user-friendly as possible, otherwise it will burden the user with unnecessary prompts... you know, like the prompts that are blocking perfectly safe items. Some advanced users prefer to have total control of what is being blocked and allowed, and that is why VS also has Always ON mode.

 

VS extends monitoring\protection to child processes = Anti-Exploit feature ?