VoodooShield/Cyberlock

Cool, thank you for letting us know! I just received an email from a wilders user, and actually I do not know who it is yet. But he has a lot of detailed information about the VS freeze... he is a computer dude in India and has been running VS on his clients computers, and they have various traditional security software on them. VS works great with some, and not others... I asked if he wanted to post his findings, so let's hope that he does. Either way, between the info that you guys supply on here, his recent email and the additional logging, I think we will have the freeze issue fixed soon. Thank you!

 

Cool, thank you for posting this info, it really helps! It really is crazy... it is almost impossible to determine what is malware and what is not anymore... which is why I think we should have a zero tolerance policy .

 

Thank you TH, I agree... Now, if they made the PUP's easy to remove, it would not be that big of a deal. But pretty much every one that I have seen made it extremely difficult to be removed, by the user or a computer tech. Seriously, without adwcleaner, I would have had to reinstall windows on many, many, many occasions... they really are that bad.

 

Hehehe, now that is funny Kees . Thank you for the good laugh!

 

How funny, you guys are cracking me up!

 

I know this sounds far too simplistic Dan but do you think there is there any benefit in asking all testers to provide you with a list of the security software that they are running along with VS and whether they have had VS freeze? Just thinking that it might give you some idea if there is a pattern before requesting more detailed logs from the more likely candidates.

Pleased to report no issues with 3.28L so far. I am also running Webroot SA and Malwarebytes Anti-Exploit if that is of interest.

 

Just installed 3.28 and running in smart mode. My realtime AV is Emsisoft Anti-Malware and i'm trying to decide if Malwarebytes Anti-Exploit is overkill. Not installed for the moment. No issues to report yet.

 

If it's any help, I've been running MBAE for over two years and it is incredibly light on resources. It is also "install and forget" and I've installed it on family members' PCs to complement their main AVs.

 

Thanks, I know it's light on resources and I too install it on family members pc's. But VoodooShield itself has anti-exploit functionality. MBAE has never blocked an exploit on my computer. So I wonder if I need it and if there can be a conflict with VoodooShield. I want to keep my setup as simple as possible.

 

All I can say is that from my experience, there is absolutely no conflict between MBAE and VS. Whether you NEED them both is another matter of course.

 

If the application that is being exploited is patched with the latest updates then it is unlikely you'll see any alert from MBAE or some other anti-exploit tool. For the most part the attack used in exploits work against older unpatched versions of Flash, Java etc. so if you have any of these vulnerable programs and you hit a website with that exploit code then yes, you should see an alert from MBAE.

I'm not sure if VoodooShield's anti-exploit protection works in a similar way. Hopefully @VoodooShield can shed some light on this aspect.

 

No, not yet.

 

Dan, I did some quick testing using the same malware pack that you used. I ran scans on 500 files. They actually all seem to be malware and adware without any PUPs. But, I need to do some more testing to see if some the adware detected, is actualy installers which can install unwanted extras you can opt out of, rather than installing actual adware.

A few of the files were detected as being clean by Jotti. However, it's possible that they would have been detected by one or two scanners if scanned at VirusTotal due to it using more scanners. I used to use the excellent PhrozenSoft VirusTotal Uploader, but it no longer works, so I'm using JottiQ as an alternative.

 

I just scanned 500 more files, and I can confirm that pretty much all the samples are actual malware or adware. There were a few damged files, but for the rest there were only 9 files that were either definitely safe or most likely safe (only a single heuristic detection for the file at VirusTotal). So it is a good source of files for testing.

 

I am using VS for past one year and have installed the free VS on more than 80 customers computers, they are all working perfectly ok, earlier there used to be lots of problems created by viruses....

what I found after installing VS, a few systems around 7 still gave freeze problems, so any how I solved the problem in 5 of them.

what I found that after VS AI came from around v 3.10.... there was a clash of VS Artificial intelligence along with real-time scan of AV.

How I solved it ? by removing the variety of AV and installed Avira, as it works perfectly and there is no clash with VS.

Overall after installing VS, it protects a lot, earlier due to viruses, fresh install of Windows had to be performed.

My security set up is Sandboxie also with Avira, second line of defense is VS alongside MBAE. for testing variety of software I use Shadow defender.

Thus the freezeeee problem is due to clash of VS AI alonwith some specific AV, due to which VS starts consuming lots of ram and this leads to freezeeee.

I think, Dan needs to look into this clash with some real-time AV.

overall VS is a very sophisticated piece of software and hope Dan solves this compatibility issue with some AV.

 

Thank you Cache... yeah, exactly, I think that will really help narrow down the freeze issue.

 

Great to know, thank you!

 

I agree, MBAE is super light and works well with VS, so it certainly could not hurt. VS should block any payloads of exploits and should also block when an exploit from a web app tries to exploit, for example a vulnerable windows file. But since they work really well together and are super light, you might as well run both!

 

Cool, thank you for checking that out. Yeah, the one thing I did do to pre-screen the samples is to make sure that they were actually executable (not damaged), other then that, I just wanted to keep the test as random as possible. VirusShare really is a great resource for malpacks... I also like the fact that they seem to have a lot of variants of the same malware in each sample... they do a great job!

 

Thank you indian11, this will help tremendously. BTW everyone, this is the computer dude that emailed me earlier, and pretty much said the same thing in his initial email to me. VoodooAi was actually first implemented in 3.09, but it did not show in the GUI yet at that point, so I think indian11 really has this narrowed down for us... and I am sure everyone appreciates his help a lot, since this bug has been extremely difficult to isolate!

It is also great to hear that you have the same experience that I have had with installing VS on customer computers! The thing is, we have to make certain of two things... first, we have to make sure that the basic locking mechanism is working correctly and that VS actually blocks what it is supposed to block. And second (which is independent of the first), we have to make sure that the VS interface is designed in such a way that the users are able to understand and use VS properly, so that everything that needs to be blocked, is actually blocked, and not accidentally allowed because of operator error (or an ineffective / confusing gui). And really, there is no better place to test this then the real world, on actual user computers... and it is great to see that you have had the same experience that I have had... that basically, after installing VS on customer computers, malware problems seem to magically disappear.

So you have helped tremendously on several things, and I certainly appreciate it! I hope to have the freeze bug fixed very, very soon. Thank you!

 

That's a great point Tony... MBAE is pretty silent (often times due to patching), which is a great thing... there is no use in bothering the user with unnecessary or dangerous affirmative user prompts.

MBAE works by blocking the 24 or so exploit techniques used by malware authors, so it is pretty cool what they do. VS blocks the payloads from these exploits, but also blocks web apps from opening pretty much all of the windows files, since these are the most commonly exploited files. We could specify a list of vulnerable windows processes and only block these, but every few months, there seems to be a new vulnerable windows process that all of the malware authors are trying to exploit. When that happens, somehow the vulnerable windows process list would have to be updated in order to patch this vulnerability. A few months back, I came to realize that web apps never need to open any of the windows files anyway, so why not just block them all? There were a handful (3 or so) that we have to allow web apps to open, and only block the payload if an exploit tries to spawn a child process from these vulnerable processes, but it ended up really working great and made everything super secure... my only regret is that I wish I would have thought of this a long time ago .

So yeah, you should be perfectly secure with VS, but as light as MBAE is, it certainly would not hurt to install it as well. Thank you Tony!

 

Cool, thank you for letting me know. Man, if we could just figure out a way to reproduce the bug, we would be good to go. But like me, you have to wait 2-3 days to get it to freeze .

 

Cool, thank you, I appreciate that! Please let me know what you find!

 

Yeah Dan, it's a right pain in the arse. The only time VS freezes on me is when I'm prompted for something out of the blue, like when Software Reporter Tool runs for example. Since I normally disable VS when updating or installing VS does not freeze.

 

Cool, so maybe if we can figure out how to spawn the Sofware Reporter Tool on a system with Norton, or one of the other AV's that indian11 mentioned, we might be able to reproduce the issue. If we can reproduce the issue, it will be a 2 minute fix. It probably is a permission issue with VoodooAi... like the AV is locking the file and does not give VoodooAi permission to analyze the file. The logging that I added yesterday should create a log entry if this happens... that is unless we figure out how to spawn Chrome's Software Report Tool manually first . Thank you!