VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey everyone, sorry, this week has been way crazy... mainly because I have been working to figure out that last odd bug. I think it is fixed now... once it is ready I will let you guys know.

    Also, I know I have a few pms and posts to catch up on, I will do that asap.

    BTW, I found something very interesting... it is a ransomware simulator / pen test tool. If you test VS, please make sure you disable the parent process feature first ;).

    I just tested VS with ransim, and it seems that after the first time VS blocked one of the spawned payloads, it crashed the ransim tool (an error handling issue in the ransim tool)... so I am assuming that would count for a pass ;).

    https://www.knowbe4.com/typ-ransim-form

    Thank you guys... we are getting close with everything, have a great weekend!
     
  2. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Dan,

    VAi scans .exe, VAi 2 will scan more file extensions?

    And hope standalone portable VAi 2 will be there too.
     
    Last edited: Nov 18, 2016
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Hi Dan

    I sincerely hope that you are trying to have a quieter weekend after "this week has been way crazy"? ;)

    Have been giving 3.48 a bit of a work out and so far I have yet to find anything untoward. Planning to clear all data, uninstall & clean install for a final (for me) test...but so far looking great under Win 10 Pro 64bit...with UAC on 'Never notify', and VS running in 'Always On' mode.

    Regards, Baldrick
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  5. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,236
    Location:
    The Netherlands
    You don't see it in the User Log?
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Yes, I do now; it just took a while.

    OK, here is the deal. Clicking on the exe, Voodoo blocks the file, but when I right click and select scan I get a pop up saying the file is good.
    See screen shots.
     

  7. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,236
    Location:
    The Netherlands
    Strange, no block here. I could perform the test. On my system it was stopped by Emsisoft Anti-Malware, but not by VoodooShield or Malwarebytes 3.0.2 Beta.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    At first AppGuard stopped then WAR. Turned them off and tested with Voodoo. Always On and paranoid mode. And I think I unticked the right parent process as per Dan.
     

  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  10. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Bad news

    With VS348 ( set to Always ON, but may have no relevance ) when you switch users, the second login goes to a black screen. The mouse cursor is still active, and when I press ctrl-alt-del, the correct menu is shown ( the one that has an option to allow you to change password ). So it is definitely logged in, just that the desktop doesn't show and is black.

    Then I exited VS in the first session, and was able to log in properly in the second.

    Re-installed VS345 and it doesn't happen any more.
     
    Last edited: Nov 20, 2016
  11. guest

    guest Guest

    But it was possible to switch accounts with earlier versions?
     
  12. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    200
    Total Security 360 blocked it.....
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Last edited: Nov 20, 2016
  14. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Yes it was able to switch users in VS345
     
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Block or Allow (VS Free, Smart Mode)?

    Clipboard01.jpg
     
  16. guest

    guest Guest

    it's signed by Microsoft, and it's an important system-file,...
    Allow
     
  17. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    460
    Location:
    Mercia
    That file was whitelisted on my system when I installed VS. So allow it.
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I am just testing RanSim.exe, and if I allow that, the score is not good:

    Clipboard01.jpg
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    djigi

    I have been getting those warnings for the last, I can't remember how many builds. I kept mentioning it but still there. Happens every morning when I boot up.
    If you don't click any of the options on that popup, you could get as many as 12 of those warnings. In other words, let the popup close itself.
     
  20. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    You can't test RanSim with VoodooShield free as you need to amend the advanced options, you need to use Voodooshield Pro and follow Dan's instructions:

     
  21. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    I noticed some VS behavior that is a little puzzling to me. If I disable protection while in a browser and then re-enable it before closing the web app the VS icon stays locked (blue) even if the web app is closed (I'm testing this in Smart Mode). Shouldn't the icon turn red when running in Smart Mode in this case to let the user know that the PC is not locked?
     
  22. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Not so. I ran Ransim against VS free in Autopilot and it blocked all five scenarios. VS does of course prevent Ransim from starting so you have to Allow the following pop-ups to get to the test page
    Ransimsetup.exe
    Ransim.exe
    Launcher.exe
    Prepare.bat
    Once you start the test you just let VS do its own thing and it blocks all five.
     

  23. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I have the portable version.
    I put it on the desktop, ran RanSim.exe, VS (Auto-Pilot Mode) blocked it and I allowed it.
    Clipboard01.jpg

    After that no more pop ups.
    Here are the screenshots of the User Log, where dllhost.exe is blocked, and Command Lines.
    Clipboard02.jpg Clipboard03.jpg

    The test just freezes like this:
    Clipboard04.jpg
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    OK, now I added these to the whitelist:
    • Ransim.exe
    • Launcher.exe
    • Prepare.bat
    And the test is done (not 100% protected)

    Clipboard01.jpg Clipboard02.jpg
     
  25. Let me get this straight, you had to whitelist it to run it, yet you think it is not 100% protected, because the test says so after you whitelisted it?
     