VoodooShield/Cyberlock

@VoodooShield
VS 3.17beta fixed the following bug:
VS (Training Mode): After connecting an UBS-hdd, VS switches to Disabled/Install Mode
VS (Smart Mode): After mounting Truecrypt-Volumes, VS is enabled (No web apps running)
Nice
Edit: I spoke to soon. The first one was fixed, but the second bug occured again after a reboot.
After installation of 3.17beta: VS (Smart Mode) - No Web App + mounted Truecrypt-volume = VS (Off)
After a reboot: VS (Smart Mode) - No Web App + mounted Truecrypt-volume = VS (On - USB)

 

Hehehe, I have no way of explaining this, but there must be an explanation. Here is my point... when I was 11 or so, I had my first Commodore VIC20, and later I upgraded to a Commodore 64 (yeah, I am bragging that I had such a cool computer just to impress you ). All joking aside, the very first lines of code I ever wrote were something like this:

10 Print "It is working"
20 Goto 10

My point is... if line number 10 is not included in that sub, is it even a possibility that the computer is going to print "It is working" to the screen? Now, I have seen some pretty weird stuff, and essentially everything is possible, and I am not a betting man, but I would guess that VS did not delete that file. But I am certain there is an explanation somewhere .

 

Cool, thank you! Both of these blocks make sense... I just have to figure out the best way to fix them.

The lastpassbroker.exe block was blocked by the anti-exploit feature, but for some reason I forgot to scan the file with the blacklist and VoodooAi, so once I fix this, it will either auto allow the file or make the correct recommendation.

The command line block should be and easy fix.

Thank you for letting me know about these! I will fix them asap!

 

Oops, my bad... I was thinking that this issue was resolved by fixing the Training Mode bug, so I never checked to see how Truecrypt interacts with the usb stuff. I will check it out... thank you for letting me know!

 

@VoodooShield

> Post: # 9796

Thank you for posting the latest version of VS!!! Truly appreciated!!!
Version: 3.17

 

@VoodooShield A Commodore 64 was my second computer (before moving on to an Amiga, and then eventually "downgrading" to various PCs), my first was a Teaxs Instruments TI-99/4A.

It seems that VS is deleting the files. There's no other possibility. What seems to be happening is this:
When I click on quarantine, VS tries to quarantine the file, but fails to do so for some reason.
VS doesn't realise that it has failed to quarantine the file, so the file gets added to the quarantine list in VS (even though the file was never written to the quarantine folder) and VS deletes the original file.

The end result is that the installer I tried to quarantine gets deleted, and VS shows it as being quarantined, even though it isn't there. When I try to restore the non existant file from quarantine, VS removes it from the list of quarantined files.

I've confirmed this with multiple files. As soon as I click on quarantine, the file gets deleted.

 

Is this a Win 7 thing? If I stop both of VS's processes I can delete all the files from ProgramData without issues on Win 10 x64.

Daniel

 

The ACL for this directory was changed; Users have the right to modify files in this directory.

 

If VS does not have access to write to the C:\ProgramData\VoodooShield folder, it is going to crash long before it has a chance for this file.move method to delete anything. The question is, why does VS not have access to this folder? What happens when you try to move the file with explorer? Thank you!

 

I can move files to the quarantine folder with explorer.

 

Hmmm, very odd. I will check out that part of the code this weekend... it has been a while since we implemented the quarantine feature, so it would be a good idea to look at this part of the code. Are you saying that no matter what file you try to quarantine, it kinda pretends like it is moving, but it never actually is copied into the quarantine folder, but it disappears from the source directory? Also, are the files on the C drive, or different drives, or some odd location? Thank you!

 

Yes, that is what's happening. The files are on the C drive.

 

There is a possibility to monitor folders/files with the utility FolderChangesView from www.nirsoft.net
Monitor the quarantine-folder with this tool and all activity from files that are modified/created/deleted can be seen.

 

@mood Thanks for the suggestion, but there's nothing to monitor. No files are being saved to the quarantine folder.

 

Ok, now it all makes sense... thank you for your patients and persistence on this issue, it really helps a lot! I checked out the code and I know exactly what is going on. The most important thing is that we need to make sure that VS has access to the C:\programdata\voodooshield folder. And the file.move method is actually in the service now (I think it used to be in the GUI), so if the move fails because VS does not have access to these folders, then I can see how something like this can happen. It is an easy fix either way... thank you for finding this!

What you might want to do is to uninstall VS, then move the C:\programdata\voodooshield folder to the desktop (or wherever), then reinstall VS. Then copy the .dat files back to where they belong. This should fix this issue for you... but I will figure out a permanent fix for 3.18.

 

Thanks Dan. For the moment, I'll wait for v3.18, as I don't need to quarantine files that often. Also if I wait, I will be able to test quarantine in the new version to make sure the fix works for me.

 

Hi Dan
VoodooShield does not detect internet download manager like web app.And by default allow by parent process is checked.Then every program downloaded by idm is allowed to run.

https://www.youtube.com/watch?v=GYCKi2-lYCg&feature=youtu.be

Best Regards,
Plamen!

 

That's cool... that way we can make sure it is working correctly, thank you!

 

Hi Plamen, thank you for letting me know... the auto detect web app feature detects if there are any http connections when the settings window is open, and if any of the running apps have an active http connection, then they are added to the list. Is it possible to just add idm manually by double clicking on one of the 8 custom web app boxes? If so, does everything work correctly?

 

Thank you David! Yeah, probably the toughest file type for VoodooAi are drivers, and I really need to remove that adjustment on the VoodooAi multiplier when the blocked file is in app data or program data. We basically just need to refine VoodooAi a little more... it will take a little time, but we will get there .

 

BTW, thank you TH and mood for your help!

 

HI,
Dan!

Yes if i add idm manually everything is fine.
Regards!

 

Glad you found the explanation

 

Voodoo Shield,

Tried VS 3.17 Beta on Win 10 64.
Things seems fine but on exiting HDSentinel Portable from taskbar VS freezed for few secs & got 2 error windows. After closing the error windows VS was back to normal.

Attached are the screenshots

By the way when such error happens with VS & user ignore the error & continue or exit & restart VS, does VS functions fine or VS is broken?

 

Hi yesnoo

No such errors here when doing the same thing...but Vs did prompt for the allowing of a cscript.exe-related command line which I have not seen before.

@VoodooShield

Whilst on the command line functionality I am seeing, once again, numerous occurrences of:

"c:\windows\sysnative\rundll32.exe" "c:\windows\system32\wrusr.dll",synproc 'nnnn' (where 'nnnn' is an incrementing number)

seems to have come back with a vengeance in recent builds?

Regards, Baldrick