VoodooShield/Cyberlock

I looked at your logs and could not identify the command line that is being blocked, but they look great. None of the changes since 3.53 should have affected this either way, but if the command line is blocked again, can you please send me the specific command line? Thank you!

 

Thank you for letting me know... if this happens again, you might want to exit out of VS and delete the snapshot3.dat file in C:\ProgramData\VoodooShield, then start VS again to see if this issue is corrected (this will reset your whitelist though). If this still does not fix the issue, then can you exit out of VS and delete the settings3.dat file (this will reset your settings).

This has been happening everyone once in a great while to a handful of users, and usually I just have them delete all of the .dat files. But if we narrow down which one is causing this issue, by deleting them one at a time, it will give us an idea why this is happening. Thank you!

 

Dan - sent you a PM.

Btw no issues with 3.56.

 

I've sent you the log from my other machine too, Dan.

Thanks.

 

Hi Dan

Thanks, but not sure what it is you are saying here as I am finding this behaviour perfectly normal and in fact the RAM & CPU usage with this version are some of the lowest that I have seen. I am not understanding what problem you may think there is with my installation of VS?

Apologies If I have missed something salient here.

Regards, Baldrick

 

Version 3.56 running great here in autopilot mode.
I got a popup of an unsigned command line being blocked.
Can I allow it or not?
rundll32 c:\windows\system32\generaltel.dll,runinusercxt 4bo2pkuo3ekbohor.1.2.2 {2852722e-9f72-44f7-b8e8-c6d43b0ca6a5} {42c6c866-5749-a068-0bba-7cec123c1282} isadmin wamaccountcount officeaddins
That's the only problem I have. Sometimes I don't know how to answer a popup like this...

 

Sorry about that... I thought you were having a high CPU utilization usage issue with VS. If so, you can try the procedure above. If not, we do not have to worry about it, thank you!

 

Hi Dan,
I did raise this back in January post (#14245 – page 570) – but perhaps not very clearly looking back at it.
The auto quarantine function on my set-up doesn’t appear to be working.



Taking positive action in response to this message is fine but if I take no action e.g. NOT clicking the message or NOT clicking X, VS blocks the threat but doesn’t auto quarantine it.

 

Yeah, command lines can be tricky for anti-executables, especially since there is no blacklist or VoodooAi file insight to help the user decide. Just imagine if users did not have file insight for ALL of the blocks... especially for the novice users.

VS typically automatically allows the non-malicious command lines in several ways. First, most of the common command lines are hard coded. Second, command lines spawned by a whitelisted process are auto allowed. Third, we are going to add a cloud based command line system, which will help a lot too. I am always amazed how many command lines VS automatically adds without prompting me. I have to reset my whitelists and command lines daily for dev reasons, and I hardly ever get a block. For example, in the last 12 or so hours, 20 were automatically added without prompting me.

That particular block looks like some kind of an office addin. Do you have some kind of addin for Outlook or Word?

 

Hi Dan

Absolutely no need to apologise. I am grateful for the concern and it was most likely by uncleasr explanation that caused the misunderstanding/wasted your precious time.

I will hang on to what you have stated...for use should I ever notice high CPU usage...but for now everything is going swimmingly well at this end re. VS...in fact better than ever.

Methinks this latest version of VS may be prime time ready.

Regards, Baldrick

 

I have only the built in add ins for Microsoft Office 365. Didn't add something myself.

 

Cool, just so everyone knows what CS is talking about, here is the original link:

https://www.wilderssecurity.com/threads/cybergenic-shade-sandbox-tool.380371/page-6#post-2661225

I believe she is discussing how some malware will utilize a timer for sandbox evasion. For example, one way a lot of AV vendors create definitions for malware is to run the file in a sandbox... somewhat similar to Cuckoo, and sometimes even Cuckoo. So malware will start, but delay the actual malicious code for several minutes or hours, to trick the sandbox into thinking that it is not malicious. With VS, you should not have to worry about that since the file will be blocked.

 

Sorry I missed that post... yeah, that is a bug, it was easy to reproduce. It will be an easy fix, and I will fix it in the morning for the next release. Thank you for finding that!

 

Hmmm, that is a tricky one. We need to identify where it is coming from somehow. Let me think about it.

 

Ok, thanks

 

The reference to generaltel.dll would suggest to me it's something to do with sending telemetry data to Microsoft. I've seen the same on my PC and just allowed it.

 

Thank you, for now I will do the same.

 

The commonality is we both have Office 365 - it's probably why the command line is additional to what you've seen, unless that is, you have it aswell.

 

The Snapshot you posted showed high CPU usage and I have never seen that before so that's why I questioned it nothing more. Do you know why it was that high at that time and do you see it go up that often?

 

Nope, Daniel...have never really seen it before so I suspect that it may just have been a blip. No idea why it was high at the time but will look to keep an eye out for it as and when it happens again. Generally I am seeing CPU at running between 0% - 1% usage.

But if I spot anything I will post back here with details.

Regards, Baldrick

 

Thank you, all you guys who looked into this, I will hardwire these into VS today.

When I was researching the topic last night, the ironic thing is that HJLBX requested that we hardwire these command lines a long time ago .

https://www.wilderssecurity.com/threads/voodooshield.313706/page-282#post-2493571

 

Yeah, it is uncommon, but it does happen every once in a blue moon. Deleting all of the .dat files fixes the issues, but I figured it would be best, when this happens again, to delete one at a time, that way it will give us an indication where the issue might be. So if it does happen to anyone, please delete your .dat files one at a time until we see which one is causing it, thank you!

 

Thank you Dan and @askmark and @SHvFl

 

Yeah, thank all of you guys! I hardwired the command lines and fixed the auto quarantine issue, for the next release. So far, the latest beta looks pretty good, so I think we are close, but Krusty might have an issue on one of his three computers, so we will wait and see what everyone else says. If for some reason it is still not working, we can remove that feature for now, and revisit it later... Alex and I really need to focus on finishing the web management console and new website (even though it is going to look the same). Have a great weekend!

 

BTW, here is a great video that explains some really cool stuff about this topic. The part everyone was discussing starts at 44:25, although the whole thing is interesting.

https://www.youtube.com/watch?v=NkvjDitkDpM