VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Appaloosa

    Appaloosa Registered Member

    Joined:
    May 13, 2016
    Posts:
    29
    Is anyone having trouble getting to whitelist online?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Last edited: Jun 21, 2016
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, our website is experiencing issues... I am not sure what is up yet. I went to upload the new version and found this out the hard way ;). Hopefully it will be back up and running normal soon. Thank you!
     
  4. Appaloosa

    Appaloosa Registered Member

    Joined:
    May 13, 2016
    Posts:
    29
    Thanks, Dan! Just trying to make sure it wasn't something I did. I changed quite a bit around this morning and have been fighting things not quite right all day. Thanks, Rocky
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    First, keep in mind that all of the samples were in fact malware. Sure, some of the samples were borderline PUPs, but I think that it is a good idea to have a great mix of different types of malware... believe me, you do not want any of these samples to run on your machines... keep in mind a lot of these samples are trojans. Also, keep in mind that a lot of the samples that were not detected by the AV products that were tested never showed a GUI... we know this because we can count the number of items running on the task bar (or the number that displayed a GUI), and compare that to the items that were missed. I think it would be quite easy to make a compelling argument that any of the samples that were undetected and did not appear on the taskbar or display a GUI were most likely not PUPs, and most likely were some pretty bad stuff. Also, keep in mind, I wanted this to be as random of a test as possible, so that when other people duplicate the test, they will see similar results. If I would have cherry picked the samples, it would not have been a random test.

    We can ask J from virusshare how he collects his samples... but from what I have seen, they are usually very high quality samples... with tons of the latest ransomware in the latest packs. If you have a source that you think would work better for this test, please let me know.

    Having said that, I see what you are saying and I pretty much agree... I am actually getting ready to do a "1,000 Malware Sample Pre-Execution Efficacy Test / Ransomware / Evilware Edition", with the top 3-5 or so performers from the last test, if I can find that many really bad samples.

    The main issue (and I only briefly discussed this earlier) is this... how do I scan the files to ensure that they are really bad malware and not just PUPs? I mean, what is the best method to determine that a sample is true malware without biasing the test? For example, I was going to scan all of the files first with Zemana (which I love btw), but then the test would be heavily biased in favor of the engines that Zemana uses. If someone has any ideas, please let me know. Also, please test on your own as well!

    And as I was saying before... I think we can all agree that the user should, at a minimum, be aware that the item they are about to install on their machine contains at least some malicious code, and has the ability to compromise their security and privacy. All of the samples used in the test, except for one (that I am aware of), meet this description... and I strongly believe that the user should have been alerted for all of them (except for the one). Thank you!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Rocky, did you break our website? Just kidding ;)! It looks like it is up and running again, thank you for the heads up!
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you Krusty! Yeah, that seems to be the case... so what I did was add TONS of logging everywhere. If this does not trap the bug, I will keep adding logging until we find it. Really, at this point that is all we can do. I think Vlad is too busy to take a look at it, and I do not want to bother him too much. It would be extremely helpful to have his eyeballs and the code, simply because he is a lot more familiar with all of the changes during this time. But either way, we will get it... I will just keep adding log entries until we find it... it is there somewhere ;).

    Hehehe, I will look at the dismhost code as well, thank you (and everyone else) for all of your help!
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Dano fix your site! :p
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I still cannot connect to our FTP to upload the latest version with the logging, but I will upload it as soon as I can.
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Aw, come on, you're getting old my young friend. :D
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I know, it is really messed up ;). Hopefully it is just routine maintenance and not under attack after J from virusshare posted this ;). (Sorry, I do not know how to link an individual tweet, and I am too tired to try to figure it out).

    https://twitter.com/VXShare
     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Go get some rest buddy! Sweet dreams!
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I know what you mean, it is no fun getting old ;). I am not that tired yet... hopefully the site will be up soon. Thank you TH!
     
  14. Appaloosa

    Appaloosa Registered Member

    Joined:
    May 13, 2016
    Posts:
    29
    I have been trying to get a copy of the whitelist on the cloud most of the day but still no go. Guess I'll try tomorrow.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it is still down... I will email the host and see what is up, thanks again!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, Roger... I just scanned the 1,000 files with Zemana, and it quarantined 954 of the files... so we really were dealing with some pretty bad stuff. When I looked through the report, there were quite a few adware samples... but most were pretty ferocious critters, and not the standard weak PUPs. I will post the report as soon as I can.

    I really think Zemana would be a great "litmus test"... anything blocked by Zemana should be blocked by your AV in my opinion. We just have to make sure that we do not test with any of the engines that Zemana uses. Does anyone know where I can find a list of engines that Zemana uses?
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    It is the same version as the last one, so does that mean no other changes except the logging?

    Thanks.
     
  19. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    Zemana is very good at detecting PUPs. If the PUPs were excluded, the number of quarantined files would be less. I've got well over 100 files and registry keys that I've added to the exclusion list in ZAM. All of these are either PUPs or installers which bundle other software. None of them are malware.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, only logging was added.
     
  21. dbrisendine

    dbrisendine Registered Member

    Joined:
    Jul 15, 2006
    Posts:
    51
    Location:
    BC, Canada
    Just installed the latest version with logging and it crashes when I try to view the Quarantine tab.

    Log shows

    [06-21-2016 20:58:03] [INFO ] - ******************* User started VS 3.28 Beta ***************************
    [06-21-2016 20:58:31] [ERROR] - Exception in UpdateQuarantineDgv. SQL logic error or missing database
    no such table: QuarantineLog
    at System.Data.SQLite.SQLite3.Prepare(SQLiteConnection cnn, String strSql, SQLiteStatement previous, UInt32 timeoutMS, String& strRemain)
    at System.Data.SQLite.SQLiteCommand.BuildNextCommand()
    at System.Data.SQLite.SQLiteDataReader.NextResult()
    at System.Data.SQLite.SQLiteDataReader..ctor(SQLiteCommand cmd, CommandBehavior behave)
    at System.Data.SQLite.SQLiteCommand.ExecuteReader(CommandBehavior behavior)
    at VoodooShield.QuarantineStorage.GetQuarantineLogTable(String sid__1)
    at VoodooShield.Settings.??()
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    In any event, I think we can agree that the user should be alerted to the fact that the file contains something that might adversely affect their computer or compromise their privacy, right? I guess I have seen too many computers messed up by PUPs... and honestly, a lot of times they were even more difficult to remove than a lot of the more malicious malware.

    I analyzed the remaining 46 files that ZAM did not quarantine with Cuckoo, so have a look if you would like. There are a lot of obviously malicious samples (10 / red), and if you look at some of the ones that tested benign or suspicious, a lot of those did not run the executable for whatever reason, or something weird happened and it was not a valid test. In short, I would not want to run any of those files on my machine... there is something wrong with most or all of them, except for possibly 1-2 of them.

    Users should only run executable files on their machines that contain no malicious code. It is safe to say that the absolute vast majority of these samples had malicious code.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, sorry about that... I wonder why it did that. I just tried it on mine and it worked, but I did not have anything in quarantine.

    If you do not have anything in quarantine, then I would just exit out of VS and then delete the Quarantine3.dat from C:\ProgramData\VoodooShield.

    If it happens again, or if anyone else has this issue, please let me know! Thank you!
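The stack trace in post 21 ("no such table: QuarantineLog", raised from GetQuarantineLogTable) together with the workaround in post 23 (exit VS and delete Quarantine3.dat) describe a classic schema-drift failure: the on-disk database was created by an older build and lacks a table the new build queries, so the first read crashes the quarantine tab. The script below is an added example and is not VoodooShield's code; it uses Python's sqlite3 module rather than System.Data.SQLite, and the column names, the SID, the sample path and the hash are constructed. It reproduces the error against a file that has no QuarantineLog table, then shows the defensive pattern (create the expected schema idempotently at open time and verify it via sqlite_master) that recovers without throwing away the user's existing data file.

```python
"""Reproduce and mitigate a 'no such table' crash caused by a stale SQLite file.

Added example, not VoodooShield's code. Table name QuarantineLog comes from the
posted stack trace; columns, SID and sample values are constructed for the demo.
"""
import sqlite3
import tempfile
from pathlib import Path

# Constructed schema: idempotent so it can run on every open without harming existing rows.
QUARANTINE_SCHEMA = """
CREATE TABLE IF NOT EXISTS QuarantineLog (
    id        INTEGER PRIMARY KEY,
    sid       TEXT NOT NULL,
    path      TEXT NOT NULL,
    sha256    TEXT NOT NULL,
    logged_at TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS QuarantineLog_sid ON QuarantineLog (sid);
"""


def create_legacy_db(db_path):
    """Simulate an older quarantine file written before QuarantineLog existed."""
    conn = sqlite3.connect(db_path)
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS Meta (key TEXT PRIMARY KEY, value TEXT)")
        conn.execute("INSERT OR REPLACE INTO Meta VALUES ('schema_version', '2')")
        conn.commit()
    finally:
        conn.close()


def get_quarantine_log_unsafe(db_path, sid):
    """Query the table as-is; on a legacy file this raises sqlite3.OperationalError."""
    conn = sqlite3.connect(db_path)
    try:
        cur = conn.execute(
            "SELECT path, sha256, logged_at FROM QuarantineLog WHERE sid = ?", (sid,))
        return cur.fetchall()
    finally:
        conn.close()


def table_exists(conn, name):
    """Check sqlite_master explicitly instead of discovering a missing table via a failed query."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def open_quarantine_db(db_path):
    """Open the file and make sure the expected schema exists before any query runs."""
    conn = sqlite3.connect(db_path)
    conn.executescript(QUARANTINE_SCHEMA)  # CREATE ... IF NOT EXISTS leaves existing data untouched
    if not table_exists(conn, "QuarantineLog"):
        conn.close()
        raise RuntimeError("schema migration failed")
    return conn


def get_quarantine_log_safe(db_path, sid):
    """Same query as the unsafe path, but through the schema-ensuring opener."""
    conn = open_quarantine_db(db_path)
    try:
        cur = conn.execute(
            "SELECT path, sha256, logged_at FROM QuarantineLog WHERE sid = ? ORDER BY id", (sid,))
        return cur.fetchall()
    finally:
        conn.close()


def add_quarantine_entry(db_path, sid, path, sha256, logged_at):
    """Record one quarantined file for a user SID."""
    conn = open_quarantine_db(db_path)
    try:
        conn.execute(
            "INSERT INTO QuarantineLog (sid, path, sha256, logged_at) VALUES (?, ?, ?, ?)",
            (sid, path, sha256, logged_at))
        conn.commit()
    finally:
        conn.close()


def demo():
    """Run both code paths against a constructed legacy file and report what happened."""
    sid = "S-1-5-21-0-0-0-1001"  # constructed SID
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "Quarantine3.dat")
        create_legacy_db(db)
        try:
            get_quarantine_log_unsafe(db, sid)
            unsafe_error = None
        except sqlite3.OperationalError as exc:
            unsafe_error = str(exc)
        rows_before = get_quarantine_log_safe(db, sid)  # migrates in place, returns []
        add_quarantine_entry(db, sid, r"C:\Users\demo\Downloads\sample.exe",
                             "00" * 32, "2016-06-21T20:58:31")  # constructed values
        rows_after = get_quarantine_log_safe(db, sid)
        conn = sqlite3.connect(db)
        meta = conn.execute("SELECT value FROM Meta WHERE key = 'schema_version'").fetchone()
        conn.close()
        return {
            "unsafe_error": unsafe_error,
            "rows_before": len(rows_before),
            "rows_after": len(rows_after),
            "meta_preserved": meta == ("2",),
        }


if __name__ == "__main__":
    print(demo())
```

Deleting the data file, as post 23 suggests, works only when there is nothing in quarantine; running the schema statements at open time recovers the same way for users who do have quarantined items, and the sqlite_master check turns a later silent failure into a clear error at startup.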
     
  24. dbrisendine

    dbrisendine Registered Member

    Joined:
    Jul 15, 2006
    Posts:
    51
    Location:
    BC, Canada
    Exit, delete Quarantine3.dat and restart seems to have fixed it. Thanks. o_O??
     
  25. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I agree with you on that. However, if you are testing antiviruses with a collection of both malware and PUPs, then antiviruses with poor PUP detection are probably going to do badly due to probably not detecting a lot of the PUPs.
     