VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Cool! I'll get the logs to you as soon as VS plays up next.

    Just to be clear, I'm not expecting "Ver" to be universally whitelisted, just that when one whitelists something once it is from then on whitelisted and we aren't prompted to allow or block it again.

    Thanks.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly... but there is a slight bug in that it is cutting off part of the command line. It does not hurt anything, but it should be an easy fix. Thank you! Also, please check your PMs, it will explain it even better.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @ Nocturnalizer, and anyone else who wants to play some Rocket League, I think we are about ready... what time is good for you guys in the next few days?
     
  4. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    VoodooShield has been causing major problems today. It is blocking any installers from running, even after switching from Autopilot to Disable. The only solution was to exit VS. I loaded VS again, and the problem was still there, so for now I am not running it.

    I'm using the 3.16 beta.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd, thank you for letting me know. What version of Windows are you running? Can you please post a couple of links to installers that failed and I will test them?

    BTW, you might want to delete all of the .dat files in the C:\ProgramData\VoodooShield directory, this always seems to help A LOT. Especially if there were old .dat files from VS 2.0.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    For some reason I have been unable to reproduce this issue so far... when the desktop shield gadget disappears, does it come back like 1-2 seconds later, or does it disappear completely? Is there anything that you can do to make it reappear after it disappears? Thank you!
     
  7. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I'm running Windows 10 Pro 64 bit.

    Here are two installers which fail to launch.
    download.easeus.com/free/EaseUS_DiskCopy_Home.exe
    downloadmirror.intel.com/24345/a08/Intel%20Driver%20Update%20Utility%20Installer.exe

    Deleting the .dat files did not help.
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,998
    Location:
    Poland - Cracow
    VS 3.16...for now without issue on Vista (32) :thumb:
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, very odd, both worked in all modes for me flawlessly with 3.16 on Windows 10 64 bit. When VS was on AutoPilot, the VoodooAi score was pretty low for both (and 0 hits from the blacklist), so it auto allowed everything as expected, with the exception of one command line on the Intel installer that you provided. BTW, I am going to refine this a little more so that command lines of allowed parent processes are auto allowed.

    You said "It is blocking any installers from running, even after switching from Autopilot to Disable."... after VS blocked the installers and you clicked "Install" or "Allow", what happened? Also, did Disable Protection mode have any prompts? Like, what happened? Also, if you get a chance to send me your VoodooShieldLog.log from the c:\programdata\voodooshield folder, that would probably help a lot too. Thank you!
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey ichito, how are you? Long time no see! Thank you for letting me know!
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    There were no prompts, they were automatically blocked. However, I restarted Windows and VS started working fine again, and the prompts returned.
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I've found another problem. When the WPS (Kingsoft) Office updater launches (it's set to run as a scheduled task), there is no allow option.

    upload_2016-5-5_19-5-53.png
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    It certainly looks unsafe, though it is a well-known office product - strange.
    There should still be an allow though.
     
  14. guest

    guest Guest

    Threats detected + VoodooAI: Unsafe = no allow possible :confused:
    It's a false positive, there should be an option for the user to allow it.
    But wasn't it possible with earlier betas?
    Especially this option, that has been removed in newer betas: "Show button instead of links to allow false positives when threat is detected"
     
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for letting me know. I think I found and fixed the bug late last night, but only if you have "Deny by default" unchecked. If not, we just need to keep an eye on it.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, this is kind of the worst case scenario for VS / VoodooAi / User Recommendations, especially when blacklist hits are detected, and something we need to fine tune. The raw VoodooAi scored probabilities for that file were 0.3739 / 0.8548 / 0.7533, so the initial composite VoodooAi score was .6606, which would be classified as "Be Careful". But the composite VoodooAi score is adjusted (multiplied by 1.25) when the file is in a favorite malware hiding spot, such as appdata or programdata. It is further slightly adjusted with each additional blacklist hit, assuming that VS did not believe the blacklist hits to be false positives. Since the composite VoodooAi score was adjusted at least twice, this resulted in a VoodooAi score of 1.000, which hid the Allow False Positive button. This is super easy to tweak... and basically, we just need to fine tune the composite VoodooAi adjustments. I am starting to think that we should show the Allow False Positive button until this is fine tuned, and also, I am starting to think we should remove the 1.25 multiplier for files that are in common malware hiding spots. We will get it right... it is super easy, we just have to play with it a little. Thank you for letting me know!
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think we will show the Allow False Positive button until all of this is fine tuned, thank you!
     
  19. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I just did a reformat and started fresh, with a new install of VoodooShield and this issue is no longer present. It had to be something in my prior configuration.

    I apologize that I had you waste your time on this, as I know you have other reports to deal with.

    Sorry Dan

    Thank you for looking into it though.
     
    Last edited: May 5, 2016
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is exactly what happened! Basically, if every indication is that the file is malicious, then we probably do not want to show the Allow False Positive button... but until we get it right, we better show the button ;). Yeah, I removed the "Show button instead of links to allow false positives when threat is detected", mainly because I replaced the link with a small button. Maybe we should just always show the Allow False Positive button (well, when there are blacklist hits of course), even when all of this is fine tuned? Thank you!
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know... this one should be hardwired in. There was one I was having problems with, I think this is the one. I will check it out.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It's totally cool, believe me, you did not waste any of my time at all, I appreciate you guys' help tremendously. I had made a lot of changes to this part of the code, so it is good that we investigated this issue. Weird things happen with computers... there is no way around it ;). About the only thing you can do is to install the software on 50+ computers and see what weird bugs and software conflicts appear ;). I can test all day long on 4-5 of my computers / VMs, and nothing odd will pop up until VS is installed on other people's computers, running different software and different OSes.

    If you do see this bug again, please let me know, thank you!
     
  23. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I bet that makes things much harder to pinpoint, since all of us have unique configurations. I thank you for all your hard work, as I am seeing how much time, effort and love goes into this project.

    As far as any issues go, I'll let you know if anything else pops up.

    Thanks Dan
     
  24. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    The above bold for only AutoPilot Mode or all Modes?
     
  25. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    I have experienced this but just once... don't know the reason?
     