VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The thing is... Vlad and I will be making some decisions very soon on the direction that VS is going to go from a business standpoint. Once everything is finalized, we will be able to afford to hire professional pen testers, and hopefully they will find at least one or more bypasses... and I promise to post them publicly ;).

    BTW, I really would like to see how well VS would do in an independent AV test, hopefully that will happen soon as well.
     
  2. hjlbx

    hjlbx Guest

    5 documented bypasses in what - 10 or more years?

    You have fixed every single one swiftly - and have gone even further to bolster VS. What else can users expect?

    What is the probability that someone will land on a webpage, with a zero-day exploit, that uses the browser to create an, as yet, undetectable attack to smash the system?

    The probability is essentially minuscule for the average user.

    OK. Can such a thing happen? Yes, of course. Will it happen? Probably not - even over the long term.

    Of course I want VS to be perfect - who wouldn't - but I think your very best is more than acceptable with the current state of IT. You have done a lot to improve VS. Plus, I haven't seen you trying to rush a half-baked product out the door either - which is contrary to standard industry practice.

    Dan, you da man... a contrarian.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    May 5th 2011 at 3am is the day that I was working on 2 computers with the same virus that locked me out of the computers I was trying to fix, and made me think of a user-friendly toggling desktop shield gadget / computer lock. So it has not yet been 5 years. We thought it would be 3-4 months worth of work... hehehe little did we know ;). It has been a lot of work, but a lot of fun as well, and I would not trade it for anything. BTW, there have been times when I rushed things a little too much ;). But the days of "move fast and break things" (facebook old motto) are long gone ;).
     
  4. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Win 10 64
    VS version 2

    Mode - Scan & Allow

    WordWeb 8 Free - Comodo AV & Rising AV
    VirusTotal Uploader 2.2 - Nano AV
    Driver Talent - Bkav AV
    OSTotoHotspot (Driver Talent) - Bkav AV

    The above are FPs. The detections are from not-so-reputed and FP-prone AVs.

    Rufus, Picasa, Google InputToolSetup, WinRAR.

    The above are FPs, but the VS FP engine determined the detection as FP. The detections are from either Rising AV or Zillya AV.

    The above is the reason I think few reputable AVs are better than any/all AVs.


    Big Files - For big files you get alert like too large for the cloud, use caution & consider blocking. What are the plans for big files?


    VS scans anything; dots move on the icon. Everything I ran was fine, i.e. for every program run, dots move on the icon.
    But I have my OS drivers in a folder. There are approx. 8 drivers. Dots move on the icon only for the first driver executed,
    i.e. whichever driver I execute first (tested by removing the whitelist entry), dots move on the icon; then when I execute the other drivers, nothing on the icon. So I don't know if the other drivers are scanned or not?
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Please upgrade to 3.0!!! You might have to delete all of the .dat files in the C:\ProgramData\VoodooShield folder after uninstalling VS 2.86.

    We have already made some adjustments to VS 3.0's false positive detection feature, and implementing VoodooAi will help TREMENDOUSLY when we combine all of this together... I am working on the prompts as we speak. The blacklist scan is not going to be perfect no matter what we do, but I would rather be safe than sorry.

    For big files, we will rely on VoodooAi.

    We can tweak the dots (aka progress bar) at some point... I know exactly what you are talking about.
     
  6. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Tried version 3 and the results are exactly the same.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, they are the same, I just meant that in general you should run 3.0 ;).

    In a few days, VoodooAi will help tremendously with the false positives... I have been working on it a lot, and it is turning out better than I imagined. For example, if the blacklist returns 2-3 hits from scan engines with unusually high false positives, and 1 that is usually accurate, and the VoodooAi is say less than .4000, then we will assume it is a false positive. On the other hand, if there is 1 hit from any of the scan engines and VoodooAi returns .8750 or something, then we will assume it is a true positive.

    Neither VoodooAi or the blacklist scan are perfect, but when you integrate the two together, you can do some pretty amazing things with them... you will see soon ;).
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    :thumb::thumb::thumb::thumb:
     
  9. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    On their way to you Dan
     
  10. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    921
    Location:
    U.S. Citizen
    Salutations/Greetings!

    Upgraded to the newest version of Sandboxie. VoodooShield 3.09 Beta said that was a piece of malware?

    False positive, link below, can you check into it please? X64 Bits Link.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=57&p=119291#p119291

    No problems with VS and Sandboxie at this point in Smart (Default). But in ALWAYS ON there is still a when I exit VS.

    Kind regards,
     
    Last edited: Mar 19, 2016
  11. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Jiangmin, McAfee-GW-Edition, Rising and Zillya a little confused I think. :)

    FPs are inevitable on new, fairly uncommon apps like SBIE for some vendors, I'm afraid. Using 57 engines gives you great detection, but FPs also sometimes. The price you pay.

    Cheers
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    If VoodooShield can disable some low detection/FP AV engine, that would be very good.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I think I'm misunderstanding, so does VS have the ability to monitor parent-child process execution? So let's say ransomware tries to launch explorer.exe or svchost.exe in a suspended state, will this be blocked by VS?
     
  14. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Still, do you think an option for detection level would be good?
    Like if the user sets the detection level to "3", a detection alert will appear on 3 or more AV detections and not for 1-2 AV detections; if the user sets it to "5", a detection alert will appear on 5 or more AV detections and not for 1-4 AV detections.

    And is VoodooAi local or cloud or both?
    You said big files will be dealt with by VoodooAi. If VoodooAi is cloud, then don't you think it would be a problem for limited data plan users?
    100, 200, etc. MB file uploads will affect the data plan of those users.

    I guess currently VS doesn't upload files if the hash is not found in the databases. When VS has the upload feature, will it be automatic or manual?
    I think manual would be good, i.e. on alerts something like "upload to VS cloud", or an option to set automatic/manual.
     
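    The verdict logic sketched two posts up (weak engines plus a low VoodooAi score treated as a false positive, one hit plus a very high score treated as a true positive) and the "detection level" threshold proposed just above can be written out as one decision function. The block below is an added illustration, not VoodooShield's code; the engine names, reliability values and sample scan results are constructed, and only the 0.4000 and 0.8750 cut-offs come from the thread.

```python
"""Illustrative verdict combination for a multi-engine blacklist scan.

Added example, not VoodooShield's code. It models two ideas raised in the
thread: weighting blacklist hits by how false-positive-prone each engine
is and combining them with a separate ML score (the thread's "VoodooAi")
using the 0.4000 and 0.8750 cut-offs mentioned, and a user-chosen
"detection level" N that suppresses alerts unless at least N engines
flagged the file. Engine names, reliability values and sample inputs are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed reliability table: 1.0 = rarely wrong, 0.3 = frequent FPs.
# A real deployment would derive these from measured per-engine FP rates.
ENGINE_RELIABILITY = {
    "AccurateAV": 1.0,
    "FpProneA": 0.3,
    "FpProneB": 0.3,
    "FpProneC": 0.3,
}
DEFAULT_RELIABILITY = 0.6   # assumed for engines missing from the table
RELIABLE_THRESHOLD = 0.8    # engines at or above this count as "usually accurate"
AI_FP_CEILING = 0.4000      # ML score below this: a few weak hits are treated as FP
AI_TP_FLOOR = 0.8750        # ML score at or above this: even one hit is a TP


@dataclass
class Verdict:
    label: str          # "clean", "false_positive", "true_positive" or "suspicious"
    hits: int           # number of engines that flagged the file
    reliable_hits: int  # how many of those are usually-accurate engines
    ai_score: float
    alert: bool         # whether the user would be shown a detection alert


def classify(hits: list[str], ai_score: float, detection_level: int = 1) -> Verdict:
    """Combine engine hits with an ML score into a verdict.

    hits             names of engines that flagged the file
    ai_score         ML maliciousness probability in [0, 1]
    detection_level  alert on a "suspicious" verdict only if len(hits) >= this
    """
    n = len(hits)
    reliable = sum(
        1 for e in hits
        if ENGINE_RELIABILITY.get(e, DEFAULT_RELIABILITY) >= RELIABLE_THRESHOLD
    )
    if n == 0:
        return Verdict("clean", 0, 0, ai_score, False)
    if ai_score >= AI_TP_FLOOR:
        # One hit from any engine plus a very high ML score: assume true positive.
        label = "true_positive"
    elif ai_score < AI_FP_CEILING and reliable <= 1:
        # A few hits, at most one from a usually-accurate engine, and a low
        # ML score: assume the FP-prone engines are wrong.
        label = "false_positive"
    else:
        label = "suspicious"
    # The detection level only gates the uncertain middle; a high-confidence
    # true positive always alerts (a design choice of this example).
    if label == "true_positive":
        alert = True
    elif label == "suspicious":
        alert = n >= detection_level
    else:
        alert = False
    return Verdict(label, n, reliable, ai_score, alert)


if __name__ == "__main__":
    # Constructed scan results
    for hits, score in [
        (["FpProneA", "FpProneB", "FpProneC", "AccurateAV"], 0.30),
        (["FpProneA"], 0.90),
        (["FpProneA", "FpProneB"], 0.60),
    ]:
        print(classify(hits, score, detection_level=3))
```

    The point of keeping a per-engine reliability table is that a raw hit count, which is all the proposed detection-level slider looks at, treats three notoriously FP-prone engines the same as three accurate ones; counting only "usually accurate" hits before consulting the ML score is what lets the first sample case above be dismissed as a false positive while a single hit with a 0.90 score is still escalated.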
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
  16. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    VS,

    In "Scan & Allow Mode", every other function works the same as the default "Smart Mode", except files found clean by 57 engines are automatically allowed?
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks. I would have replied earlier but I forgot to enable email notifications.

    Another question: on Saturday, Dropbox issued an update. So I got a bunch of pop-ups about new Dropbox processes. How can I know whether such things are legit, or if they are malware masquerading as a Dropbox update?
     
  18. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    VS,

    Version 2 on Win 10 64 here.
    Password Protection VS enabled.

    When I try to open Task Manager, I get VS Password Protection window, is this a bug or by design?
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Right, that is exactly the kind of info I would want to see.
    Maybe I just missed it. Where does the digital signature show in the pop-up?
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks. Now I will know where to look next time it happens.
     
  21. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Version 2 blocked silently some Windows Updates.

    Exiting VS, WU went fine.
     
  22. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Hi Dan

    Was just wondering if there are any plans, in future versions, to increase the number of Web Apps that can be in the Custom Web Apps list? I currently scan regularly, and regularly the number of these on my system exceeds the current number of slots. I appreciate that you cannot provide an indeterminate number of slots, but perhaps if you would consider doubling the number that would be good. Not a biggie, but perhaps one for the WIP/To Do List?

    Many thanks, Baldrick
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I was saying the Parent Child feature is not a good idea because of exploits. When a process is exploited it happens within the process memory. The exploited process could then be used as the parent to allow the child, which could be the payload. That's why I was saying never allow vulnerable processes to be parents (web apps). During our discussion we decided web apps should never be allowed to be parents.

    This discussion has made me wonder if the exploit used on that Chinese forum was able to launch those other processes by taking advantage of the parent child feature. When you switched to the KMD driver did you make sure that Vlad was aware that the parent child feature does not apply to web apps (vulnerable applications)? Web apps should never be permitted to allow child processes using the parent child feature. Another way to launch those processes would be to inject into processes already running, and use those processes to do it. That could be why they were able to launch additional processes, but not successful in executing their own binary payload.

    Edited 3/20 @ 3:36
     
    Last edited: Mar 20, 2016
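    The rule argued in the post above (a whitelisted parent may vouch for its children, but a web app never can, because an exploited web app would otherwise launch its payload through the parent-child feature), together with the earlier question about a process launching explorer.exe or svchost.exe in a suspended state, can be expressed as a small policy evaluator over process-creation events. The block below is an added illustration, not VoodooShield's code; the web-app list, whitelist, system-process list and sample events are all constructed.

```python
"""Illustrative parent-child launch policy for a default-deny executable lock.

Added example, not VoodooShield's code. It encodes the rule argued in the
thread: a whitelisted parent may vouch for the children it spawns, but
"web apps" (browsers, document readers and other exploit-exposed programs)
are never trusted as parents, because an exploited web app would otherwise
be able to launch a payload through the parent-child feature. It also
flags the case asked about earlier in the thread: a system binary created
in a suspended state by an untrusted or web-app parent. All process names,
lists and sample events are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed lists. A real product would maintain these centrally.
WEB_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe", "javaw.exe"}
WHITELIST = {"chrome.exe", "firefox.exe", "explorer.exe", "setup_tool.exe"}  # user-allowed
SYSTEM_PROCS = {"explorer.exe", "svchost.exe"}  # common injection/hollowing hosts


@dataclass
class CreateEvent:
    parent: str                               # image name of the creating process
    child: str                                # image name of the new process
    flags: set = field(default_factory=set)   # e.g. {"CREATE_SUSPENDED"}


def decide(ev: CreateEvent) -> tuple:
    """Return (action, reason) where action is 'allow', 'prompt' or 'flag'."""
    parent, child = ev.parent.lower(), ev.child.lower()
    untrusted_parent = parent in WEB_APPS or parent not in WHITELIST
    if child in SYSTEM_PROCS and "CREATE_SUSPENDED" in ev.flags and untrusted_parent:
        # A suspended system process spawned from an untrusted parent is the
        # classic prelude to code injection; surface it rather than allow it.
        return "flag", f"{parent} launched {child} suspended"
    if child in WHITELIST:
        return "allow", f"{child} is whitelisted"
    if parent in WHITELIST and parent not in WEB_APPS:
        # The parent-child feature: a trusted, non-web-app parent vouches for its child.
        return "allow", f"whitelisted parent {parent} vouches for {child}"
    if parent in WEB_APPS:
        # Whitelisted or not, a web app is never allowed to act as a vouching parent.
        return "prompt", f"{parent} is a web app and is never a trusted parent"
    return "prompt", f"{child} unknown and {parent} cannot vouch for it"


# Constructed sample events
SAMPLE_EVENTS = [
    CreateEvent("explorer.exe", "setup_tool.exe"),
    CreateEvent("setup_tool.exe", "helper.exe"),
    CreateEvent("chrome.exe", "powershell.exe"),
    CreateEvent("chrome.exe", "explorer.exe", {"CREATE_SUSPENDED"}),
    CreateEvent("unknown.exe", "svchost.exe", {"CREATE_SUSPENDED"}),
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Evaluate each event and return the list of actions, in order."""
    return [decide(ev)[0] for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.parent} -> {ev.child}: {decide(ev)}")
```

    The ordering of the checks matters: chrome.exe is on the whitelist, so it runs without a prompt, but because it is also a web app the third rule is skipped for it and anything it spawns that is not itself whitelisted falls through to a prompt. The suspended-launch check sits first so that a whitelisted system binary such as explorer.exe is not silently allowed merely because the child is trusted when the way it was started is the indicator.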
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I have not tried the test tool yet. Does Java have to be installed on the machine for it to work? What does it try to manipulate in order to execute a payload? I want to be sure I'm using it correctly.
     
    Last edited: Mar 20, 2016
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Can someone post a link to the latest VS beta build?
     