VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    The file is not auto-quarantined after timeout.
    I tried with 2 harmless samples with detections more than 20 & files were not auto-quarantined after timeout.

    And, I tested the latest Java updates with VS 2 & VS Beta 3.10
    VS 2 - During Java updates, I got a few alerts from VS like Java is blacklisted by VS, you can temporary allow...
    VS Beta 3.10 - During Java updates, no alerts from VS, is this by design in Beta 3.10 or a bug?
     
  2. hjlbx

    hjlbx Guest

    @VladimirM

    3.10 beta

    Auto-Quarantine is not functioning. I tested, re-tested and tested again.
     
  3. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
    Hi Dan,

    Where did you get your sample from?

    The “legitimate” diel.exe is actually a component of Ascalaph Designer (AscalaphDesigner/MDynaMix/tranal/diel.exe), a molecular modelling package, with an MD5 of 45c1884f93adcafb0b0a82f54ecddcef which VirusTotal is showing as 0/56.

    The Cuckoo Sandbox sample you refer to has an MD5 of e8e3ee4d2035ddba41d4bb016f47d04c so I can only assume that they are different with the latter perhaps being suspect, especially in the light of VoodooAi’s reaction.
     
  4. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I had asked if Beta 3.10 is stable enough to use on a production system. And it seems it's stable enough, as the Recommended Beta download on the official website gives 3.10.
     
  5. hjlbx

    hjlbx Guest

    @VoodooShield

    Future build\version

    Feature Requests (multiple - for consideration):

    • Auto-purge rules when a file changes and user selects Allow at VS modified file prompt (in case old version was updated for security reasons - don't want old hash version in Whitelist); hash based scan - and not just file path
    • Rules clean-up; right-click scan Whitelist and remove objects no longer on system - e.g. uninstalled applications\deleted installers & script apps
    • Right-click User Log, option to open plain-text version of log - or link to log in ProgramData
    • Cuckoo in Action column of User Log when user submits file to Cuckoo Sandbox (same as when user selects local VS Sandbox)
    • CTRL + F to activate cursor in Search field of Whitelist
    • Search field on User Log with CTRL + F
    • Darken (increase contrast) of the word "Search" in the Whitelist Search field
    • Ability of user to define additional vulnerable processes - e.g. vbs.exe, RegAsm.exe, etc, etc, etc.
    VS now has its own built-in debugger, or just debug (additional collected info) logging?
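
Added example (not part of the thread and not VoodooShield's code): a sketch of the first two feature requests in the post above, purging a rule's old hash when a whitelisted file changes and cleaning up rules for files no longer on disk. The rule store (a path-to-SHA-256 dict), the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(rules):
    """Classify each rule (path -> allowed hash) as ok, modified or missing."""
    report = {}
    for path, allowed in rules.items():
        if not os.path.isfile(path):
            report[path] = "missing"      # uninstalled app or deleted installer
        else:                             # same path, but is it the same content?
            report[path] = "ok" if sha256_of(path) == allowed else "modified"
    return report

def reconcile(rules, user_allows):
    """Drop stale rules; a modified file gets a new hash only if the user allows it."""
    new_rules, purged = {}, []
    for path, state in audit(rules).items():
        if state == "ok":
            new_rules[path] = rules[path]
            continue
        purged.append((os.path.basename(path), state))  # old hash never survives
        if state == "modified" and user_allows(path):
            new_rules[path] = sha256_of(path)
    return new_rules, purged

def demo():
    """Constructed sample: one unchanged file, one updated, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        names = ("app.exe", "updater.exe", "old_installer.exe")
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"v1 " + os.path.basename(p).encode())
        rules = {p: sha256_of(p) for p in paths}
        old_hash = rules[paths[1]]
        with open(paths[1], "wb") as f:   # simulate a security update
            f.write(b"v2 security update")
        os.remove(paths[2])               # simulate a deleted installer
        new_rules, purged = reconcile(rules, user_allows=lambda p: True)
        kept = sorted(os.path.basename(p) for p in new_rules)
        return kept, purged, old_hash in new_rules.values()
```

If `user_allows` returns False for a modified file, its rule is removed without a replacement, so the changed file is treated as unknown again.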
     
  6. hjlbx

    hjlbx Guest

    @VladimirM

    Password Bug (Major)

    3.10 beta

    Enable VS password under Utility.

    VS will prompt for all processes - for every object that is already included in the Whitelist.

    In other words, VS rebuilds the Whitelist when the Password is enabled.
     
    Last edited by a moderator: Mar 27, 2016
  7. guest

    guest Guest

    I enabled the password option a few minutes ago for testing, and I'm wondering why VS keeps blocking chrome.exe even if it's in the whitelist.

    If I select User log and right-click the blocked item ("Whitelist item"), there comes a prompt: "Are you sure you want to delete ..." :confused:
     
  8. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Yeah, still not working on the other machine.

    Now that I know it's machine specific, I think it might have to do with my configuration.

    I'll tinker with it for a while.
     
  9. hjlbx

    hjlbx Guest

    Yes. I know. Reported these bugs earlier. @VladimirM will get them sorted out...
     
  10. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    It indeed seems to be a bug; however, after checking the code, it seems like it always behaved like this. I'll check with Dan what the expected behavior is (that code was written before I started to work, so I need to check)
     
  11. hjlbx

    hjlbx Guest

    @VladimirM

    There were issues reported about implementation of password protection a good while back; in other words, it is a known, old issue - but, you know - with all the development and improvement of VS - reports can only be a few things at a time. That's the best that can be expected.

    All my testing of old matters has been sorted out - except this one.
     
  12. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    fixed
    fixed
     
  13. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Is a new beta coming soon?
     
  14. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    In a week or two
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see... can you maybe try to exit out of VS on one of the machines and delete all of the .dat files in the C:\ProgramData\VoodooShield directory, then start VS again? Is anyone else experiencing this issue? Thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I just downloaded the sample from Cuckoo Sandbox... yeah, it must be a false positive for VoodooAi. I was just surprised that it was basically a 1.0000 probability, even though it appeared to be a clean file. That is, VoodooAi will have a few false positives, but I have never seen a false positive with that high of a probability before, so I was curious where that file came from. Thank you!
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, both 2.86 and 3.10 are stable enough to run on production systems. There have been a lot of updates and fixes on 3.10, and as soon as we wrap up the beta, we will probably discontinue 2.86... so that is why I am trying to get everyone to install 3.0. Thank you!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I added these to the to-do list and we will look at them closer soon. VS does not really have its own built-in debugger, but it has had debug logging for a long time.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @VladimirM I just wanted to chime in and state that you are doing a phenomenal job with your recent developments to VoodooShield. Not only are you doing a great job with development, but also you are doing a fantastic job with regard to keeping an open line of communication with users here at Wilders and responding well to suggestions, bug reports, and even criticism. You deal with everything extremely well, professionally, and you tell it like it is. I respect that greatly. I think that Dan has got a great "team-worker" here with you on his development team. And since Dan is a creative genius, hopefully this also helps to free up some of his time to brainstorm even more great ideas for future development. Keep up the fantastic work, sir! :thumb:
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd... what is the path of Chrome.exe? Old versions of Chrome used to install to either AppData or ProgramData, so that would explain this, if this is the case. But newer versions of Chrome install to Program Files, so it works a lot better.

    I am not sure what is going on with the user log... which version of VS are you running? Thank you!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you WildByDesign! I agree, Vlad is doing an amazing job and making VS what it was always supposed to be!
     
  23. guest

    guest Guest

    According to #9127 I'm not the only one.
    Disable password option = (chrome.exe is in the whitelist) and it is allowed (as expected)
    Enable password option = (chrome.exe is in the whitelist) but it is blocked from executing, I have to allow it every time o_O
    Chrome is installed in AppData.

    Regarding the User log:
    If I right-click an allowed process VS says that it's already whitelisted - Ok, that's fine.
    But if I right-click a blocked process ("Whitelist item"), VS wants to remove a completely different executable from the whitelist o_O

    2) Voodooshield_Userlog_Rightclick-blocked-item_(not expected behaviour)_.png
    VoodooShield 3.10 beta
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Before I do that, both machines have clean installs of Windows 10 and VS 3.10 beta was the first and only version installed. There were no earlier versions of VS installed.

    Thanks.
     
  25. I L M B

    I L M B Registered Member

    Joined:
    Mar 29, 2016
    Posts:
    7
    Location:
    Seattle, WA
    I installed VoodooShield yesterday on a Win 10 machine. During the installation I was asked if I wanted to install the latest beta. I agreed and installed the program. I was expecting to have to agree to turn off Windows UAC but that option was never presented as part of the installation. I checked and Windows UAC is still set to "Always" notify. VS is currently set on SMART (default) and I notice the badge changes to OFF mode after several minutes of inactivity in my Chrome browser. It switches back to ON as soon as I move my mouse. Is this all normal?
     