VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. @VoodooShield
    About Protected Process Light feature. It tried to attack a few Windows processes and sometimes the programs trying to kill them hanged because Windows OS itself protects them (link), even when those attacking programs ran as Admin/High-IL. This is similar to how folders which are owned by the "Trusted Installer" can't be deleted by programs running as Admin/High-IL (because ACL Trusted Installer is higher in rank than System or High IL).


    @Krusty
    I was playing with another security program that also had problems with (blocking) Chrome's Software Reporter Tool. It seemed that when the Software Reporter Tool was already suspended another program trying to block it caused Chrome to hang (my Software Restriction Policies also blocked it and that caused them to interfere).

    I see that you have Norton running. When you Google Software Reporter Tool LINK there is also something mentioned about Norton causing problems (but some other info in the link is incorrect, so let's not jump to conclusions). Does your other PC also have Norton running?
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I have Win 10 Pro x64, Win Defender is OFF, UAC on MAX - never had any freeze issue with VoodooShield :thumb:
    Other software I use:
    • Keyscrambler
    • Shadow Defender
    • Windows 10 Firewall Control
    • Sandboxie
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Yes, both machines have Norton installed. I suggested to Dan that Norton could be causing issues and he downloaded and installed it but I don't think anything was conclusive. Chrome isn't hanging on my machines, just VS.
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
  5. Allow it outbound access TCP port 80 & 443
     
  6. OK thx
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you guys for all of the info... I will catch up on the posts asap! I am also going to email Vlad to see if he has a little time to help me isolate this last bug once and for all.

    Also, here is a video you guys might find interesting... if so, please share it with everyone you think might be interested in watching it.

    https://www.youtube.com/watch?v=PvfrS6_nyyM
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Norton Smart Firewall > VoodooAi = Allow
    Rented ISP router > Default (afaik)

    Update: router security High > rejects outbound, must have forgot, I set Firewall Security High.
    High works for all other.... (afaik).
     
    Last edited: Jun 19, 2016
  9. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    I think there might be a memory leak in 3.28. I just installed it freshly and it began climbing up in memory to around 150MB, steadily climbing. It then stopped here and reset itself back to 34MB, where it seems to be staying. Any ideas Dan? I've attached a screenshot showing the memory usage as it was climbing.

    EDIT: It does seem to be staying at around 36MB now and not rising. Not sure if this was just a random thing or not, but if you need any logs etc let me know! (Not that I know how to provide them haha).
     

    Last edited: Jun 19, 2016
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    Looks that way but not as high as you.

    Daniel

    2016-06-19_20-15-32.png But much more than WSA 2016-06-19_20-18-02.png
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Funny, when this last freeze of mine happened I noticed VS was using well over 100MB before I killed it in Task Manager. ... Forgot to grab a screenshot.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Norton isn't particularly interested in PUPs and a normal home user wouldn't throw a thousand malware at it all at once, but anyway.... I wonder how VS with its freezes would handle the sample?
     
    Last edited: Jun 19, 2016
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you guys for sending me your logs... we will figure out this freeze issue one way or another, we have to be getting close.

    There were several posts on the freeze issue, but there really is no point in responding to each one, but if I missed anything, please let me know.

    I think we should probably go back to the old game plan of users who are experiencing the freeze issue, to maybe run VS 3.08 for a few days and see if they are still experiencing the freeze issue. I really think the freeze issue started in 3.09, so if 3.08 does not freeze, that will really narrow down the possibilities.

    Here is 3.08, thank you!

    www.voodooshield.com/Download/beta3/InstallVoodooShield_3_08.exe
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I was thinking that it might be one of the issues, until my Windows 7 with UAC disabled froze ;).
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, not everyone does experience the freeze issue... which actually kind of makes it even more difficult to isolate ;).
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I changed the way VS flashes... before it used several threads, now it just uses one thread to flash, so there might be a minor tweak or two that we have to do so that it does not turn white. I will keep an eye on it. Thank you!
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I can fix this when I fix the other (regional comma) bug in VoodooAi.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it is very odd that only some users have the freeze issue... we will figure it out though... we have to be getting close. I emailed Vlad, I am hoping he will help figure this out once and for all.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you Kees!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The stand alone version of VoodooAi is just a quick and dirty POC. It really is not intended to be used other than to demonstrate VoodooAi with a lot of samples all at once, as opposed to analyzing them one at a time with VS.

    Once VS 3.0 is finalized, I can polish it a little... I agree, it is way too big for the screen ;). Thank you!
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that was the struggle with this video... I mean, if we only show the screenshots of the final results, then how does everyone know that the tests are legit?

    That is why I added the Skip annotations... but I certainly agree, I hardly doubt anyone would watch the whole thing all of the way through... I know I didn't ;).

    BTW, you will notice that one of the files is actually a somewhat clean file... the file I am referring to is 9 / 1000 (39:41 in the timeline) in the VS test. VoodooAi determined it to be clean (0.3608), but that is just over the 0.3333 for AutoPilot to auto allow the file, and there was a false positive, so either way it was not going to be auto allowed. I just thought it was funny that out of all 1,000 samples, VoodooAi found that one to be clean... and I think there might be one more somewhere in the video, if anyone finds it, please let me know.

    Anyway, here is the Cuckoo analysis on the file: http://voodooshield.asuscomm.com:8080/analysis/212/

    They do a great job at VirusShare.com, but when you are dealing with that many samples, there are going to be a few clean ones. That is the funny thing about malware, you just never know for sure if something is malware or not.

    I was going to scan all of the files first with Zemana or some other multi-engine product, but I wanted the tests to be truly random... that way, when other people test, they should experience the same basic results.

    But yeah, I agree, maybe I should have a shorter video as well. Thank you!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, thank you... that is because I disabled the code that flushes the memory after VS blocks something. Vlad had it disabled after implementing the KMD, so I tried it both ways just to test. It turns out, it is better when it is disabled. The only disadvantage is that the memory utilization for VS can go a little high when it blocks a large file, but eventually it will be cleared out. I can play around with it some more and see what we come up with.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, we need to keep an eye on this because if the memory utilization is always super high when VS freezes, that might be an indication. Thank you!
     
  25. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Amazing! Thank you for the video.
     