VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

    How does autopilot work? I uninstalled VS after it kept prompting me that my IDE console was trying to access cmd.exe every time I would access it. Assuming this IDE is trusted and the console command is not malicious, would autopilot block it and keep it blocked, or allow it and keep it allowed?
     
  2. guest

    guest Guest

    Then try it again, your download seems to be broken/interrupted.
    (screenshot attached: filesize.png)
     
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I find that VS is blocking a lot of Avira components such as enclosed. Can this be built into VS as it is annoying to have to acknowledge each one especially when they are being parked in the temp folder.
     

    Attached Files:

  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    my guess is that the file name contains "reg", and that sounds suspicious to Ai.
     
  5. guest

    guest Guest

    As you can see in the screenshot #13221, it was not blocked from VoodooAi ;)
    "VoodooAi is not necessary for Windows files"
     
  6. mesaboogieman

    mesaboogieman Registered Member

    Joined:
    Aug 2, 2004
    Posts:
    52
    Location:
    UK
    Hi
    I am a bit of a novice when it comes to VS so please excuse me if the answer to my question is obvious.
    When opening 'JDownloader' in Firefox, VoodooShield pops up a warning box saying it has blocked a blacklisted item. The item is 'cmd.exe' . Clicking on the box tells me the file is: (C:\windows\system32\cmd.exe)

    I usually click 'Allow' and all appears to work normally.
    Is there a safe way to prevent the warning box appearing every time I open 'JDownloader'?

    Thanks in advance for any assistance.
    mesaboogieman
     
  7. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    If you have clicked on Allow and yet cmd.exe is not whitelisted, it sounds to me that you are using VS in AutoPilot mode. Is that correct? You need to whitelist the file and an easy way is to look in your User Log and find where the file was blocked. This should be shown in red. Then right click on the entry and click on Whitelist Item. If you had been using the Smart or Always On modes, the whitelisting would have been done automatically.
     
  8. guest

    guest Guest

    Can confirm that in Always On mode, VS never saved my settings for the PyCharm console using CMD.exe. Look a few posts up, I asked a similar question. I uninstalled VS and hoped that someone could change my mind. No one did, so I saved myself the trouble and installed the superior AppGuard.
     
  9. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    On reflection, it must be the case that the command prompt does not get whitelisted because to do so could lead to security issues.
     
  10. plat1098

    plat1098 Guest

    No, CMD isn't whitelisted in SMART mode either. Believe me, I tried, not happening. Fine w/me.
     
  11. guest

    guest Guest

    CMD is blacklisted if VS is On:
    'Options - Advanced Settings: "Blacklist the following items when VoodooShield is ON:"'
     
  12. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    I don't see that option in Advanced Settings using v3.48 (unless I am missing something obvious).
     
  13. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    You're not missing anything and I assume @mood is not using v3.48. CMD is always blocked, by the way, as malware can try that to install, so VS would block those routes. If you want to use CMD just set to Disable/Install mode and use CMD.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    This is my guess why we see the Exploit message for Windows Media Player, as it is a Web App.

    (screenshot attached: 2016-11-29_12-17-37.png)
     
  15. guest

    guest Guest

    :oops:
    That's correct.
     
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
  17. That exploit was based on javascript, which is always allowed to run in your browser. VS has a feature to block programs spawned by web programs (Dan calls this an anti-exploit feature), so when javascript would have downloaded a piece of additional code VS would have blocked that. In this case Javascript directly accessed the kernel, which are both allowed by VS. So my guess is that VS would not have blocked this one. But perhaps @VoodooShield can join and run the exploit in a VM to test VS against it.
     
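The "block programs spawned by web programs" rule described in the post above, written out as detection logic. This is an added PowerShell example and not VoodooShield's code or anything posted in the thread: the parent and child lists, the allow rule and the JDownloader-style command line are all assumptions, and the events are constructed in the shape of Sysmon Event ID 1 fields rather than read from a real log.

```powershell
# Added example, not VoodooShield's code: the "block programs spawned by web programs"
# rule from the post above, written as detection logic over process-creation events.
# The events are constructed here in the shape of Sysmon Event ID 1 fields; in practice
# they would come from Get-WinEvent. Parent and child lists are assumptions.

$WebFacingParents  = @('firefox.exe', 'chrome.exe', 'msedge.exe', 'iexplore.exe', 'wmplayer.exe')
$SensitiveChildren = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'regsvr32.exe')

# Per-PC allow rules, the equivalent of "Whitelist Item" in the user log. Constructed entry:
# a download helper launched from Firefox that legitimately needs cmd.exe (wildcard on the command line).
$AllowRules = @(
    @{ Parent = 'firefox.exe'; Child = 'cmd.exe'; CommandLine = '*jdownloader*' }
)

function Test-WebSpawnedChild {
    param([Parameter(Mandatory)][pscustomobject]$Event)

    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()

    # Only children of web-facing parents are in scope for this rule
    if ($WebFacingParents -notcontains $parent) { return $null }

    # Explicit allow-rule matches are reported as Allowed so the decision stays auditable
    foreach ($rule in $AllowRules) {
        if ($rule.Parent -eq $parent -and $rule.Child -eq $child -and $Event.CommandLine -like $rule.CommandLine) {
            return [pscustomobject]@{ Time = $Event.UtcTime; Parent = $parent; Child = $child; Verdict = 'Allowed'; Severity = 'Info' }
        }
    }

    # Interpreters and script hosts spawned from a browser are the classic exploit chain;
    # any other child of a web-facing parent is still worth a look
    $severity = if ($SensitiveChildren -contains $child) { 'High' } else { 'Medium' }
    return [pscustomobject]@{ Time = $Event.UtcTime; Parent = $parent; Child = $child; Verdict = 'Blocked'; Severity = $severity }
}

# Constructed sample events (paths and command lines are made up for the example)
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2016-12-04 10:01:02'; ParentImage = 'C:\Program Files\Mozilla Firefox\firefox.exe';        Image = 'C:\Windows\System32\cmd.exe';          CommandLine = 'cmd.exe /c "C:\Users\me\AppData\Local\JDownloader\launch.cmd"' },
    [pscustomobject]@{ UtcTime = '2016-12-04 10:02:15'; ParentImage = 'C:\Program Files\Mozilla Firefox\firefox.exe';        Image = 'C:\Windows\System32\cmd.exe';          CommandLine = 'cmd.exe /c dir' },
    [pscustomobject]@{ UtcTime = '2016-12-04 10:03:40'; ParentImage = 'C:\Program Files\Windows Media Player\wmplayer.exe';  Image = 'C:\Program Files\SomeVendor\updater.exe'; CommandLine = 'updater.exe' },
    [pscustomobject]@{ UtcTime = '2016-12-04 10:04:00'; ParentImage = 'C:\Windows\explorer.exe';                              Image = 'C:\Windows\System32\cmd.exe';          CommandLine = 'cmd.exe' }
)

# Expected: first event Allowed (rule match), second Blocked/High, third Blocked/Medium, fourth out of scope
$sampleEvents | ForEach-Object { Test-WebSpawnedChild -Event $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

The fourth event never produces a verdict because explorer.exe is not a web-facing parent, which is the distinction the thread is circling: the same cmd.exe launch is fine from the shell and suspicious from a browser. The allow rule shows why whitelisting has to be per parent and command line rather than per file; whitelisting cmd.exe itself would silence the rule entirely, which is the reason given in the thread for VS refusing to do it.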
  18. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    I just wanted to ask some of you guys: I've been using VS for quite a while and feel confident using it, but given that I'm a safe surfer, use Windows Defender as resident protection, run Zemana AntiMalware every week to scan and keep a SUA with full UAC, am I okay to just keep VS on Autopilot? I'd really like to just reduce the alerts I see on my system.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    just want to make sure I understood this conversation correctly: the latest beta version of VS does not block CMD, but some older versions do?
    If this is so, can CMD be manually added to a block list, in latest beta version?
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry I am so far behind on the posts and pms... this has been a lot more work than I thought it was going to be... but I seriously am getting close, I promise ;).

    Things are going really well overall, but it has been seriously crazy... I am sooooooo close though.

    BTW... Hehehe, CS, I saw your post "Once again it seems that we are reduced to an application like this" https://www.wilderssecurity.com/threads/foltyn-securityshield-beta.389957/#post-2631901

    You know better than that!!! If you can think of a way to stop all malware without locking the computer when it is at risk, then pm me... we will make billions (and share it with our wilders friends) ;). Sandboxing and policy restriction does not count... the masses need to be able to use it ;).
     
    Last edited: Dec 4, 2016
  22. @VoodooShield Foltyn will be very effective when its main criterion is whether an executable file is signed, since only 8% of the malware is signed.

    75% of this signed malware is Android based or relates to fraudulent website certificates, so we are down to 2% real world risk on Windows PCs.

    Less than 30% of the signed malware has a valid signature (instead of a forged signature), so we are down to 0.6% real world risk level when you actually check the validity of the malware (be sure to use the correct M$ API, ask a frustrated AppGuard developer about it)

    Malware which used the signatures of reputable vendors has gotten a LOT OF ATTENTION in IT-media, but IN REALITY they were less than 1% of signed malware on Windows PCs, so we are up to a 99.99% protection level when you limit the signed whitelist to signatures of vendors ALREADY INSTALLED on your PC (this tailored, PC specific whitelist could be built during a VS snapshot scan)

    Add your anti-exploit feature (not allowing web programs to spawn other executables) and your Blacklist AV-check for signed programs and imagine how solid and smart this whitelist would be. Apply the AI-engine only on non-signed binaries and signed binaries not on the trusted vendors list and allow only programs with a score of 0.2 or lower and yeah, you will have your killer Next Gen security application.

    I am more in favour of CS's viewpoints than yours in regard to LOCKING or using a SMART WHITELIST. I still think VS is great and sympathetic because your AI outsmarts similar AI/ML engines with more people and cash on them.

    You could still have your current LOCK (current always on), SMART (current smart) and AUTO (auto pilot mode with signed vendors list behavior as described above).

    Regards Kees :thumb:
     
    Last edited by a moderator: Dec 4, 2016
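The tailored, PC-specific signed-vendor whitelist Kees sketches in the post above, as an added PowerShell example. This is not VoodooShield's code and not anything from the thread; it relies only on the built-in Get-AuthenticodeSignature cmdlet, and the scan roots, the verdict names and the sample download path are assumptions.

```powershell
# Added example, not VoodooShield's code: build the "vendors already installed on this PC"
# whitelist described above from valid Authenticode signatures under Program Files, then
# classify a new file against it. Scan roots and the sample path are assumptions.

function Get-InstalledPublisherList {
    param(
        [string[]] $Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    $publishers = @{}
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Only a signature that verifies counts; NotSigned, HashMismatch and NotTrusted
                # are all skipped, which is the "actually check the validity" point in the post
                if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
                    $subject = $sig.SignerCertificate.Subject
                    $publishers[$subject] = [int]$publishers[$subject] + 1   # files seen per publisher
                }
            }
    }
    return $publishers
}

function Test-FileAgainstPublisherList {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Publishers
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned or broken signature: the signature tells you nothing, so this is where the
        # blacklist AV check / AI score from the post would take over
        return [pscustomobject]@{ Path = $Path; Verdict = 'NeedsReview'; Reason = "signature status $($sig.Status)" }
    }
    $subject = $sig.SignerCertificate.Subject
    if ($Publishers.ContainsKey($subject)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Allow'; Reason = "valid signature from an installed publisher: $subject" }
    }
    # Validly signed, but by a publisher this PC has never seen: the case the tailored list is meant to catch
    return [pscustomobject]@{ Path = $Path; Verdict = 'NeedsReview'; Reason = "valid signature from a new publisher: $subject" }
}

# Usage (constructed download path); building the list is the slow part and would be done once, at snapshot time
$installed = Get-InstalledPublisherList
Test-FileAgainstPublisherList -Path 'C:\Users\Public\Downloads\new-installer.exe' -Publishers $installed | Format-List
```

The list is keyed on the signer certificate's Subject, which is deliberately coarse: keying on the certificate thumbprint would be stricter but would flag every file a vendor ships after rotating its certificate. A valid signature from a publisher already on the list is only as trustworthy as that publisher's key handling, which is the under-1% case the post mentions and the reason it layers the AV check and the web-spawn rule on top rather than trusting the signature alone.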
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you Kees and SHvFl... I am just trying to brainstorm with CS and you guys ;). One way or another we will end this malware epidemic ;).
     
  24. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Spot on, SHvFl...could not have summed it up better myself. :thumb:
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Sadly this seems buggy for me.

    Started using it on my laptop about a week ago to serve as an anti exe, seemed ok with its feature set and usability, but then noticed I had processes hanging, I rebooted laptop and now voodooshield is locked to very high cpu usage.

    Bear in mind this is the free version so I cannot play with settings, it is simply using the developers "optimised defaults". :(

    Also I pm'd the dev about testing to see if I can test with the licensed version.

    Update

    I whitelisted on EAM and HMPA, and then restarted it, it is improved but not ideal. At startup it will tie up a cpu core for about 3 minutes, then it spikes to max out a cpu core every time I start an exe.

    Now on my laptop I run software to monitor my dsl line, this software every minute launches some binaries to collect data from my modem and then upload it to a website. This every minute causes voodooshield to lock up a cpu core for about 40 seconds.
     
    Last edited: Dec 4, 2016