VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We can actually add more information to the user log or prompts... but really I only want to add other info if it will actually be useful to people... I do not want to add something just because we can. For example, I added parent process to the user log in the latest version, and if you guys think the SHA256 hash or something else is quite useful, please let me know, it is super easy to add since the info is already there.

    Thank you for the suggestion on the Alt+Tab... I read your post the other day and fixed it in 3.11, so it should be working correctly for you, if not, please let me know!
     
  2. VoodooShield

    Did you ever get this resolved? If not, please try VS 3.10 or 3.11, it should work. If not, please let me know. 2.86 is not the best on 10 ;).
     
  3. VoodooShield

    I definitely see what you are saying, and there are a lot of factors involved when dealing with this stuff. For example, when a web app spawns java.exe and VS blocks it... it is blocking the executable and not the command line (if I am explaining that correctly). So basically, there really is no safe way to whitelist java.exe by name, path, or hash, because it basically whitelists the entire thing. Although, in theory, VS will easily block any payload that a java exploit spawns... even if java.exe is allowed. But that is why I am going to take some time and figure out exactly how we can safely handle stuff like this. It will not be long... I would say 2-3 weeks at the latest.

    For now I removed these options because I am redoing that section, and they are hardwired in anyway. As I start working on it, I will tell you guys what I am up to and see what all input you guys might have. Thank you!
     
  4. VoodooShield

    Yeah, good point, I never noticed that. I can change this at some point, thank you for letting me know!
     
  5. VoodooShield

    Thank you for the suggestion! I think I am missing something though... how does this differ from Custom Folders? This was actually the whole purpose of custom folders... and with the custom folder option, we will be able to add things like "Scan this directory" or "Do not scan this directory"... really cool stuff like that. Please let me know!
     
  6. VoodooShield

    I am not sure... hopefully I will hear back from them soon and be able to add that! It will be super simple to add... the data is already right there.
     
  7. VoodooShield

    Thank you guys!
     
  8. VoodooShield

    Yeah, it should be fixed in 3.11... thank you guys!
     
  9. VoodooShield

    Yeah, I am keeping an eye on this... I know what's up with it... I am on it, thank you!
     
  10. VoodooShield

    Hmmm, something is odd here... if you continue to have problems, please let me know!
     
  11. VoodooShield

    Hmmm, I will add that to my to-do list and take a look at it, thank you!
     
  12. VoodooShield

    Hmmm, thank you, I will take a look at that.
     
  13. VoodooShield

    Hmmm, can you please post a couple of links to the portable apps you are having issues with?

    Actually, believe it or not, it is not actually a lag... the new version simply scans the file with the blacklist first, then shows the prompt once the blacklist scan is finished, then it analyses the file with VoodooAi. The old version would show the mini prompt while the blacklist scan was running... and we can certainly do it that way, but to me it made a lot more sense to start the blacklist scan, then show the shield's progress bar, then, once the blacklist scan was complete, show the mini or user prompt, then analyze with VoodooAi, then, once that is finished, update the blacklist results to reflect the combination of the blacklist and VoodooAi results. The other advantage of doing it this way is that VS can show the blacklist scan results on the mini or user prompt, without showing a generic prompt and then updating the prompt once the blacklist scan finishes. The reason it is better to do it this way is that if a threat is detected, the mini or user prompt will immediately say "Threat Detected" (or whatever), and most users will probably not investigate it further and accidentally allow something they should not... basically, if a threat is detected, it is better for VS to just take care of it. The only downside to doing it this way is that there is what appears to be a lag... but it really is not a lag. If we need to show a generic prompt in the time between the actual block and the blacklist scan, then we can certainly do it that way... I would be happy either way. I hope this makes sense... please let me know what you guys think.

    Yeah, I am trying to simplify VS as much as possible, and there really is no need to have 2 different sizes of whitelists and logs, etc. If you guys really want it though, I will put it back ;).

    As far as VoodooAi / false positives are concerned... if the file is not even digitally signed, just think of what other good coding practices were ignored. So basically, if a file is not digitally signed, there is a chance that VoodooAi will think it is suspicious, but I have seen it go both ways... it is all up to the machine learning model. In other words, if a file is not digitally signed, it is not a false positive as far as VoodooAi is concerned... the file should be signed. Also, please keep in mind that suspicious does not mean unsafe ;).

    I recently had a software developer contact me because the blacklist scan had 2 hits for his product. Well, the software was not signed, and when you executed the file, the darn thing goes total full screen, and you cannot even alt+tab to reach the desktop. And, I found out the hard way that if the internet is not connected, there is no possible way to close his software, or even shutdown the computer... so I had to forcefully power down my computer. Anyway... he wonders why his software gets false positives... go figure.

    Please send me your development log in the C:\programdata\voodooshield directory and I will check out that exception!
     
  14. VoodooShield

    Hmmm, that is odd... can you please let me know what the command line that is being blocked is? It will be a simple fix.

    Yeah, there were a lot of changes, so I knew there would be bugs... but if I were to never release the software, I would have never found these bugs. For example, your WLM bug... I NEVER would have discovered that. But the good news is... trust me when I say this, the new code is in phenomenal shape, and all of these little bugs are super easy to fix.
     
  15. VoodooShield

    Hey TH, how are you? Why does ENZO sound familiar? I did a quick Google search but did not find anything... do you have any links?
     
  16. VoodooShield

    Yeah, I am not it... it will not be long now ;).
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Dan, something resembling this:

    c:\windows\system32\rundll32.exe c:\windows\system32\inetcpl.cpl,clearmytracksbyprocess flags:32 winx:0 winy:0 ieframe:00000000

    It may not be exactly the same because I used REVO Uninstaller to remove as much of VS as it could so I could have a clean 3.10 install, and this Command Line comes from 3.10.

    Thanks.
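
Post 3 above explains why a whitelist entry for java.exe keyed only on name, path or hash allows every invocation of that binary, and the rundll32 command line in the post just above is the kind of line a command-line-aware rule has to match. The following is an added example, not VoodooShield's own code: a small rule matcher in which a rule may additionally pin the command line, so the same file hash can be allowed for one expected invocation and held for the prompt otherwise. Every path, hash and command line in it is constructed for the illustration, except the rundll32 line, which is quoted from the post above.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LaunchEvent:
    path: str      # image path of the process being started
    sha256: str    # hash of the image file
    cmdline: str   # full command line as launched
    parent: str    # parent process name (what the user log now records)


@dataclass
class Rule:
    path: str                      # case-insensitive glob on the image path
    sha256: Optional[str] = None   # pin the rule to one exact file, or None
    cmdline: Optional[str] = None  # glob on the full command line, or None

    def matches(self, ev: LaunchEvent) -> bool:
        # Both sides are lower-cased so the match is case-insensitive on any OS.
        if not fnmatch.fnmatchcase(ev.path.lower(), self.path.lower()):
            return False
        if self.sha256 and ev.sha256.lower() != self.sha256.lower():
            return False
        if self.cmdline and not fnmatch.fnmatchcase(ev.cmdline.lower(), self.cmdline.lower()):
            return False
        return True


def decide(rules: List[Rule], ev: LaunchEvent) -> str:
    """First matching rule allows the launch; otherwise it is held for the user prompt."""
    return "allow" if any(r.matches(ev) for r in rules) else "prompt"


# Constructed sample values (the hash is a stand-in, not a real java.exe hash).
JAVA = r"C:\Program Files\Java\jre\bin\java.exe"
JAVA_HASH = hashlib.sha256(b"constructed stand-in for java.exe").hexdigest()
RUNDLL = r"c:\windows\system32\rundll32.exe"

EXPECTED = LaunchEvent(JAVA, JAVA_HASH, f'"{JAVA}" -jar C:\\apps\\tool.jar', "explorer.exe")
# Same binary and same hash, but launched by a browser with a payload from a temp directory.
UNEXPECTED = LaunchEvent(JAVA, JAVA_HASH, f'"{JAVA}" -jar C:\\Users\\u\\AppData\\Local\\Temp\\x.jar', "iexplore.exe")
CLEAR_TRACKS = LaunchEvent(RUNDLL, "0" * 64, RUNDLL + " c:\\windows\\system32\\inetcpl.cpl,clearmytracksbyprocess flags:32 winx:0 winy:0 ieframe:00000000", "explorer.exe")

HASH_ONLY = [Rule(path="*\\java.exe", sha256=JAVA_HASH)]            # allows every invocation
CMDLINE_AWARE = [Rule(path="*\\java.exe", sha256=JAVA_HASH, cmdline='"*\\java.exe" -jar c:\\apps\\*'),
                 Rule(path=RUNDLL, cmdline=RUNDLL + " c:\\windows\\system32\\inetcpl.cpl,clearmytracksbyprocess *")]
```

With HASH_ONLY both java.exe launches are allowed; with CMDLINE_AWARE only the expected one is, and the rundll32 "clear my tracks" line is allowed without any prompt.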
     
  18. VoodooShield

    Hehehe, all that is missing is the mini-filter kernel mode driver support for XP. From what I remember, it is not officially supported, but there are products that we are all familiar with that use the same driver, and they work with XP, so there has to be a way to make it work.

    I am not exactly sure what direction VS is going to go, but once we figure it out, then we might be able to add XP support. I could probably do it on my own, but it would take WAY too much of my time, and I would rather be fine tuning VS (even though, believe it or not, there is not that much more fine tuning to do) or doing some marketing.

    We had been talking to a handful of security companies about partnering with them or them just acquiring VS... but 2-3 fell through for one reason or another, and I am waiting to hear on another one (which actually would be the biggest deal out of all of them). But now that the software is built and most of the hard work is done, I am thinking that I just want to raise a little money and build VS on my own... I think we have way too much momentum to sell out and not finish the job. It would not be cool if a year from now, if VS was quite successful, and then I realize that it would not have taken that much work to get it where I wanted it to be... besides, I think that is going to be the really cool part. Now that the software is pretty much ready and our patent is in place, it is time to raise a little money and do some marketing ;).

    But having said that... once we figure out what direction we are going to go, XP support will be at the top of the to-do list.

    BTW, speaking of negotiating with companies... I think I just need to get them to understand one simple thing...

    Here is a video that describes how daunting traditional enterprise level application whitelisting can be:

    https://www.youtube.com/watch?v=tjqFAHSTKWk

    So my point is... most security people would agree that application whitelisting is probably the most secure technology, but if it is too difficult to implement in the real world... does that mean that the computer should NOT be locked when it is at risk? So basically, with VS, there is no reason to not lock your computer when it is at risk.

    And keep in mind... a web app is not subject to exploitation if it is not running ;).

    THAT is what I need to get these people to understand ;).
     
    Last edited: Apr 21, 2016
  19. VoodooShield

    Cool... thank you... that is close enough, I know what you are talking about! It will be fixed in the next version ;).
     
  20. Krusty

    :thumb: Thank you good Sir. :)
     
  21. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Any portable apps you can try like 4kvideodownloader, DnsJumper, Rufus, MKVToolnix, MediaInfo, etc...
    Just disconnect the internet & try to run portable apps. Also try to run installed apps too. Just remember the internet should be disconnected, and the apps should not be in the VS whitelist, i.e. first-time run of apps after VS install.

    And I meant in previous version on the GUI when you click any function on the left side, details are shown on the right side, right?
    Now in the latest beta, for some functions like whitelist, quarantine, etc... when you click those a new window opens, i.e. if you click whitelist on the left side, a new window for whitelist opens on top of the main GUI. Is this by design?
     
  22. VoodooShield

    BTW, the internet not connected bug is fixed... it was a simple mistake on my part. I accidentally forgot to check if the internet was connected before checking to see if the file was in the VoodooAi database, so it hung. It is probably what threw the exception as well, but please send me your developer log anyway, just to be sure.
     
  23. VoodooShield

    Cool, but are they .exe files or .paf files? Either way it should be fixed, but if you could send me a link to a sample so I can verify that it is fixed, that would be helpful. It never hurts to double check.

    Yeah, there used to be an option to Maximize the Whitelist Editor, User Log, Command Line Editor and Quarantine Items... but in the interest of simplifying VS, I removed this option. I can put it back in if we really want to... but a while back, I got an email from an admin that manages thousands of workstations, and he said that he really liked VS, but that, for example, the whitelist editor was the size of a "postage stamp", hehehe ;). I think if you are just browsing VS and checking out the new features, then not maximizing these 4 tabs is more convenient... but, for everyday use, it is probably better to maximize these tabs, that way they are not the size of a postage stamp ;). Does that make sense?
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  25. VoodooShield

    Cool... thank you for letting me know. Yeah, we are supposed to be signing with SHA256 instead of SHA1 (Microsoft changed this at the beginning of the year)... I just have not done that yet. Until we do, this will be an issue, but I will fix that soon ;).
     