Emisoft - Voodoo Shield Discussion

Re: Emsisoft Anti-Malware 8.xx Sammelthread

Actually, quite well. We have quite a few users with rather dated machines .

You seem to be rather obsessed with VMs. So just for you I took the time to install VS on my normal workstation (i7-2700k, 16 GB RAM, Windows 7 x64, hopefully that is current enough for you ... I mean ... it's 2 years old already!).
The result is, that the old killvoodoo.exe version required around 60.000 executions until it won the race against VS and killed it. Well, that's a bit much. So I applied the optimizations I mentioned in the video. I rewrote the test in Assembler to get rid of all useless code that is usually executed during initialization. I also added the kill code into a TLS callback to execute even earlier than normal. VS is killed pretty reliable on my machine now (9 out of 10 times):

Removed the link. The VS author has it and I am sure he will fix the issue soon .

VT shows 3 detections due to the trick I used to get my code to execute earlier.

 

True, but I am not talking about the OS, I am talking about the processor!

http://ark.intel.com/products/27433/

 

Sounds good, I have some onsite work to do, but I will test it a little later. Do you mind sending me the source code before I test?

You still did not answer the main question... How is VS not blocking applications if they cannot start when VS is ON and kills them?

If your file kills VS, we will change the kill method, it is that simple. I just hope it does not make the system crawl like other software that uses this method.

When we are finished talking about VS, can we talk about your software and any bad attributes it might have?

BTW, I am flattered that you are overestimating the "VoodooShield Craze", as you put it. You do realize that hackers would have to include your code in their virus to specifically target VS in order to kill it, right? I am honored that you think we have that big of a user base that hackers would target us.

 

Take it easy man

VS allows any process to run for few milliseconds...

 

You have a PM .

They can start. They just won't run for a long time. Blocking execution for most people means that the file is prevented from being executed at all. Not just killed after a few milliseconds.

Properly implemented, there shouldn't be any issues.

Sure. There is always room for improvement .

Of course they would have to. But you also realize that they will do exactly that, once you have any meaningful distribution, right? Personally I prefer to be informed about design flaws before potentially thousands of users get owned by malware. I hope you share that sentiment .

 

You seem to be taking this rather badly. You should be grateful that Fabian has discovered a flaw and shared it with you so you can address it, and more to the point before said flaw causes your users to become infected.

 

BTW - your accent is not that bad. I have heard far worse German accents in my time. It's those Brits I can't understand ..........

 

Re: Emsisoft Anti-Malware 8.xx Sammelthread

If I create a piece of software that calls the Windows API function DeleteFile() on all the files in the "My Documents" folder, does VoodooShield block every single one of those DeleteFile() calls? If not, how many files will get deleted?