VoodooShield/Cyberlock

You should be able to go into settings / whitelist and right click / delete that item, or reset your whitelist. I can also setup a free VS Pro account for you, just email me at support@voodooshield.com. Thank you!

 

How funny, I will have to remember that for the next time they call .

 

Cool, thank you! If you or any of the other wilders users would like a free VS Pro license, please email me at support@voodooshield.com.

 

Q1: ... is VS payload block in any way dependent on VirusTotal...?
Does the exploit have to be known by VT for VS to block payload.
Q2: ...any consideration towards VS communication with Sandboxie...?

 

Q1: No, not at all, they are completely independent
Q2: We have not tested it yet, but I suspect that the KMD will block the sandboxed processes by default. If that is the case, we will want to make the blocking of sandbox processes optional by creating an option in settings. The whole goal of VS is to safely allow as much good stuff as possible... some people want everything to be blocked but most people want the fewest blocks possible, so it really is a juggling act. The thing is though, the whole purpose of Sandboxie is to run the application in a sandbox, so blocking the process is counter-intuitive to me, since the goal is to run process in a sandbox. The KMD is a lot more flexible than the AppCertDLL, so it really is limitless what we can do with it.

Also, Vlad and I have been coming up with some cool ideas and enhancements that we can add once VS 3.0 is stable. One example is adding a right click option "Whitelist Folder" to the Custom Folder treeviews. That way the user can easily whitelist Program Files, for example. There are A LOT of things we can do with the Custom Folders treeview, and it will be quite easy to add.

I think we might also add background whitelisting of the Program Files and specific Windows folders after the user installs VS. Basically, VS will start after installation, and "slowly" whitelist specific folders in the background. We do not want to whitelist the entire C drive, because we want to have the smallest possible whitelist for a lot of different reasons, but it would be nice to whitelist Program Files and specific Windows folders, and possibly remove the "Automatically allow PF / Windows" options from settings.

We also will probably add a blacklist scan of the currently running processes, in case the computer is infected prior to installing VS.

 

Yeah, this is normal... it is just saving the settings. During this time, the close button is disabled. Vlad might be able to make that a little more user friendly... I just did not want VS to be reading from the .dat files while it was writing to it, so that is why I did it that way. Vlad is a much better coder than I am, so he is going to be able to really do some cool stuff with VS, and make it as user friendly and stable as possible.

Yeah, the Windows 10 CMD issue is just a small bug in the code. Basically, when VS blocks a command line it has to kind of analyze it and figure out what to do with it, especially for cmd.exe command lines. For example, a batch file block, (eg. C:\Users\Dan\Desktop\test.bat) block is different than a "format D: /FS:NTFS /x block". That is, for the batch file block, VS should handle it as a process, block it, and show the path of the test.bat file. Where as on the format block, it should handle it as a command line and show the command line. So it is not like a difficult bug to fix, we just have to tweak the code a little so that VS knows what should be handled as a process and what should be handled as a command line. And actually, if we have samples that help us reproduce each scenario, then it is pretty easy to fix. But Vlad knows about this and we will make sure it is working correctly. There may be some small tweaks to do after the first VS 3.0 release, but overall it should be working great.

 

Well, that goes back to default allow blacklist block vs default block whitelist allow. I think we'll agree default block whitelist allow is easier and better. Would be intriguing if I could whitelist allow items running in application sandbox. Running an application sandbox'd is not blocked by VS. I'm thinking about a payload dropped in my web facing application sandbox blocked by default.

 

Hmmmm, I never thought of that (I'm thinking a payload dropped in my web facing application sandbox blocked by default.). Yeah, I guess these would be blocked as well. We will just have to play around with it and see.

 

I appreciate that, and we might need to do that in the future, but I think we found a way to reproduce this error consistently. I was installing flash player (for firefox) on Windows 10 about a week ago, and I finally had the same issue. So we can use that to reproduce and fix the error. But if it continues to happen after the first or second version of VS 3.0 is out, please let me know.

We actually could release VS 3.0 right now, but there are a few minor bugs like this that we are working out. And if we keep polishing it without releasing a beta, it may take a few more weeks. So Vlad is going to let me know when he is comfortable with the first beta release, then I am going to test the heck out of it and then he will post it. But I imagine in 2-3 weeks, we should have a completely stable, and essentially bug free version of VS 3.0 .

 

Cool, thank you, that will help a lot!

 

reset VS, but WFC update still fails unless GUI & service are shutdown - i'll let you know what happens with VS 3

 

Hi rm22

By WFC are you referring to Windows Firewall Control (Binisoft)? If so then I am surprised by what yo say as I have had issues with updates which I thought were due to VS intervention but what I have found is that they are due to WFC itself and then need for some updates to be run with admin rights. As it stands if one allows WFC under VS (and why would one not) there do not appear to be any issues on my system.

Apologies if I am misunderstanding you in any way.

Regards, Baldrick

 

The Pop Up states that you can uncheck the box but it is NOT recommended. How can we assume we are still safe if we uncheck the box? Why not provide more information?

 

Thank you for your reply.
Your explanation is clear enough to make me understand it

 

hi Baldrick - yes, i'm referring to the Binisoft controler. I could not even install WFC until i disabled VS GUI and service... tried to allow WFC in VS, excluded the install folders, etc, etc, but no dice. Updates of WFC have the same issue. But i don't have an issue with VS or WFC once they are both installed.

Interesting that you don't have the same issue - maybe a different OS? I've had a few issues with VS on Win8.1 that i don't see on Win7

 

Hi rm22

No issues on either Win 7, Win8/8.1 or Win 10...so I am not sure why you have the issue.

Regards, Baldrick

 

I had the same Problem rm22. Matter of fact I just went through it. I tried to update WFC, and had to uninstall VS before I could do it.

 

the issue seems to be caused by a WFC installer in ...AppData\Local\Temp that is blocked from communicating with the main WFC executable by VS.

@russ0408 I can update WFC by exiting out of VS GUI & stopping the VS service - then just restart the service & GUI after the update.
@Baldrick what state is VS in when you update WFC & did you do anything special to allow the installer? have you changed default settings in VS - maybe turned exploit protection off or something?

 

Hi rm22

I alway run in Scan & Allow mode since that mode was introduced.

Regards, Baldrick

 

hmmm - me to. oh well - hopefully this is resolved in VS 3.

 

where I can find a summary of the planned features in VS 3?

thanks

 

I'm having this exact issue too when connecting to my VPN, same command line. It shows up in the Command Line tab in VS, but I continue to get like 15-20 pop ups when I connect to my VPN. I'm using the free version of VS on this PC, not sure if that matters.

If it's a bug, can we have it fixed in version 3, please? ;-)

 

Thanks for the explanation. In all respect, I think calling what is basically an anti-executable technology an anti-exploit technology, is a bit confusing. If being able to SOMEHOW stop an exploit-attack is all that is required to be an "anti-exploit", then every single antivirus program in the world also have anti-exploit functionality. ;-)
But I get it, it's a marketing thing, a (technically incorrect) way of explaining to users, that VoodooShield will ALSO provide protection against exploits.

I hope to soon do some testing of what is possible to do by exploiting a vulnerable browser plugin, and then see what can be done without the need for a payload to execute, or the need for powershell or other tools which are blocked by VS. Exploiting Flash and using a meterpreter should make it technically possible to do all the stuff that Flash is able to do. So if Flash can turn on the microphone, when the hacker should also be able to do that, and if flash can do keylogging, then the hacker can extract the passwords that are typed etc.

How much can be done with this method without getting stopped by VS? I'd love to hear from anyone who has tried something like this. So far, it's the closest I have come to a realistic way of bypassing VoodooShield.

 

I am trialing the basic version and i have observed that if i enable Always On mode and leave the PC AFK, while navitgating in some website the software goes to Off.It recovers after moving the mouse.So why is it going off if i set it to ON exactly when i am not at the keyboard ?!