VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I will check it out!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  3. Piter

    Piter Registered Member

    Joined:
    Oct 9, 2014
    Posts:
    36
    Hi Dan,

    VoodooAi gives me an error on larger files.

    For example:
    TagScanner 6.0.6 portable (1.83 MB) and PhotoInstrument 7.4.0.838. (3.39 MB)

    Windows 8.1 x64


    Best Regards,

    Plamen!
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I wanted to clarify a little more on the vulnerable / child process issue... I believe all that is happening is that VS is allowing the child processes of Windows processes that are already in the whitelist. Vlad will be able to see for sure once he looks at the code. Either way the payload is blocked, so there is no reason for concern, but there really is no point in allowing processes that the web apps spawn.
    Oops, great catch, thank you! It should be an easy fix. Probably what is happening is that VS is checking the file size then skipping the blacklist scan AND the VoodooAi analysis, when it really should only be skipping the blacklist scan. Thanks again!
     
  5. Piter

    Piter Registered Member

    Joined:
    Oct 9, 2014
    Posts:
    36
    No problem! Keep up good work!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thanks for the heads up on that one, Dan. Wow! It seems that the criminal organizations behind these different ransomware campaigns are evolving at a fast rate and gaining lots of traction when it comes to sophistication. I don't even want to try to imagine what the security landscape will look like in 2-3 years.

    Hope you enjoy your Easter weekend! :)
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  9. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Removed
     
    Last edited: Mar 26, 2016
  10. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    @ yesnoo,

    What did you remove? Details and why? Kind regards, :confused:
    Trying to understand the thoughts and beliefs of other
    individuals.


    Also, I appreciate all the answers to my questions from everyone here at VS!!!:thumb:
     
  11. hjlbx

    hjlbx Guest

    @VladimirM

    VS beta 3.10

    Bug Report:

    1. User Log > right-click > Add to Whitelist

    A. Sometimes the Voodooshield Remove Whitelist Item prompt will appear asking user to verify removal of the very 1st item on the Whitelist.
    B. Other times, A does not happen, but the item selected is not added to the Whitelist

    2. Auto-Quarantine is not functioning; currently, the user must select Quarantine in the prompt.

    3. Whitelist & User Log

    A. There is a "scrolling" bug; depending upon whether the user scrolls up or down, the first or last item in the list will fill the entire window during scrolling until scrolling stops.

    4. Whitelist

    A. When the user right-clicks and selects Delete, the Whitelist jumps back to the very first object in the Whitelist; the user must begin at the very beginning of the Whitelist after each object deletion during a Whitelist audit.

    B. Delete an Allowed object from the Whitelist, close the GUI, afterwards VS syncs snapshot. Execute the object deleted from the Whitelist. The file will be Allowed and executes - without any prompt by VS. There should be a prompt for any items deleted from the Whitelist upon their next execution.

    Also, the object deleted from the Whitelist - reappears in the Whitelist after execution.

    5. Ai Prompt

    A. There is no option to Allow and\or submit False Positive in Ai prompts for those designated Unsafe; the False Positive button does not appear even if the setting is enabled.
    B. Some Ai prompts with very high mal-scores show [Block, Sandbox, Allow] while others show [Block, Sandbox, Quarantine].

    6. Command Line Editor

    If a user creates a rule using ? wildcard, for example WSA's .syncproc ?-?-?-? (dashes because of BBCode emoji), but later creates a rule .syncproc * using the * wildcard, then the command line editor does not notify the user that the .syncproc ?-?-?-? rule will be deleted.

    In other words, the CL editor logic is not detecting when * rules effectively include any ? rules; the CLI editor logic is not deleting ? rules effectively included by * rules.
     
    Last edited by a moderator: Mar 27, 2016
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for the help!
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Bug Report:

    Inserting an external HDD into a USB port, VS does NOT toggle to Smart Mode.

    Same on two Win10 machines. Both machines were idle before inserting into the USB port.

    VS 3.10 beta, Win10 x64.

    Thanks.
     
  14. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Dan, it looks like everything is working just fine on my other machine.

    Sorry for wasting your time.

    Have a wonderful day!
     
  15. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    The file should be auto-quarantined after 20 seconds (when the prompt is closed by the timeout).

    The CL wildcard doesn't detect that it includes other wildcard rules, by design. So if both rules that you mentioned have the action "Allowed", then both will stay in the CL list. However, if there are 2 intersecting wildcard rules (there is at least 1 command that may match both rules) with different actions, then you'll get the error!
    On adding the wildcard, only the explicit entries that match the rule will be deleted.

    All the others - I'll take a look and will try to reproduce.

    Thanks!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very odd... I tried this on 2 Windows 10 machines and it is working. Do you mean, in Smart Mode, VS does not toggle to ON when you insert the drive? Thank you!
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It's totally cool... I just want to make sure everything is working well for everyone. Is it still not working on your other machine? Thank you!
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Does anyone know anything about this file?

    http://voodooshield.asuscomm.com:8080/analysis/2301/

    The cuckoo score was low (2.5/10) and there were 2 "false positives" on the blacklist scan according to VS's blacklist false positive feature, but VoodooAi went freaking nuts ;).

    Please be careful with this one... seriously.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Dan,

    I mean with VS in Smart mode and my machines idle, inserting an external HDD into a USB port and VS is unresponsive, in that it does not even notice the HDD is plugged in, exactly as I wrote.

    From your User Guide:
    This does NOT happen.

    Thanks.
     
  20. hjlbx

    hjlbx Guest

  21. hjlbx

    hjlbx Guest

    @VladimirM

    Auto-quarantine - I will recheck, recheck again and then report back.

    CL wildcards - I did not know this was intended behavior. So if a * rule includes an existing ? Allow rule, the ? rule will remain... ?

    For example, CL.* obviously will also Allow CL.?? - but the CL.?? rule will remain in CL whitelist after creation of CL.* rule - by intent\design ?

    @VladimirM - Please confirm.
     
  22. hjlbx

    hjlbx Guest

    Tested VS 3.10 beta with:
    • Sandboxie
    • HitmanPro.Alert
    • HitmanPro
    • AppGuard
    • Webroot
    • Adguard
    • TinyWall
    • Shadow Defender
    • Most of the commonly used stuff shipped with Windows
    • Windows 10 b 1511
    No problems. Webroot and Sandboxie command lines work as intended.

    From what I see, only very minor stuff remains to be fixed.
     
    Last edited by a moderator: Mar 27, 2016
  23. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Hey Dan, here is some info from the Webroot Cloud, as I did a search of the MD5. Also on VT there are 2 detections, but many marked it as Good. http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx

    Daniel ;)

     
  24. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Confirm
    Generally if one wildcard includes another then both will remain only if both have the same action.

    Actually, it may be the * rule that contains the ? rule (i.e. x*y contains x??y) and, vice versa, the ? rule that contains the * rule. And it may be a rule with both * and ?
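
The command-line wildcard behaviour described in this thread (overlapping wildcard rules with the same action both stay, overlapping wildcard rules with different actions are rejected, and a new wildcard deletes only the explicit entries it matches), modelled as an added example that is not VoodooShield's code. The rule store, the function names, the "Blocked" action and the sample rules are assumptions made for illustration.

```python
from functools import lru_cache

def intersects(p: str, q: str) -> bool:
    """True if at least one command line matches both patterns.
    '*' matches any run of characters (including none), '?' exactly one."""
    @lru_cache(maxsize=None)
    def go(i: int, j: int) -> bool:
        if i == len(p) and j == len(q):
            return True
        p_star = i < len(p) and p[i] == "*"
        q_star = j < len(q) and q[j] == "*"
        # A star either matches nothing or absorbs the other side's next token.
        if p_star and (go(i + 1, j) or (j < len(q) and go(i, j + 1))):
            return True
        if q_star and (go(i, j + 1) or (i < len(p) and go(i + 1, j))):
            return True
        if p_star or q_star or i == len(p) or j == len(q):
            return False
        # Two single-character tokens must agree ('?' agrees with anything).
        return (p[i] == "?" or q[j] == "?" or p[i] == q[j]) and go(i + 1, j + 1)
    return go(0, 0)

def is_wildcard(rule: str) -> bool:
    return "*" in rule or "?" in rule

def add_rule(rules: dict, pattern: str, action: str) -> list:
    """Add pattern -> action to rules and return the explicit entries removed.
    Raises ValueError if an overlapping wildcard rule has a different action."""
    if is_wildcard(pattern):
        for other, other_action in rules.items():
            if is_wildcard(other) and other_action != action and intersects(pattern, other):
                raise ValueError(f"{pattern!r} ({action}) overlaps {other!r} ({other_action})")
    removed = []
    if is_wildcard(pattern):
        # Only explicit (non-wildcard) entries covered by the new rule are deleted.
        removed = [r for r in rules if not is_wildcard(r) and intersects(pattern, r)]
        for r in removed:
            del rules[r]
    rules[pattern] = action
    return removed

def demo():
    rules = {"CL.??": "Allowed", "CL.ab": "Allowed"}  # constructed sample rules
    removed = add_rule(rules, "CL.*", "Allowed")      # CL.?? stays, CL.ab is deleted
    try:
        add_rule(rules, "CL.a*", "Blocked")           # overlaps Allowed wildcards
        conflict = False
    except ValueError:
        conflict = True
    return removed, sorted(rules), conflict
```
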
     
  25. hjlbx

    hjlbx Guest

    Thanks @VladimirM - unexpected behavior - that's all.
     