VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, consider what you are asking, namely that someone should monitor for you and then report back to you. A better question might be where you can check so you can find out if a video is done.
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Actually it's made and will be out on the 16th. I'm privately doing some potential false positive testing (legit but unsigned apps as well as good vs bad scripts) before publication and so far all is fine.

    I should also add that I was aware of running the malware exe only for the last video, so for this one I backhandedly added both URL checking and email protection. For the URL part I found some malware that would connect to malicious URLs to see if the app could detect and stop it, and for the email portion used malware that would both send out ransomware as well as serve as a false email client by D forking svchost.

    Easy, Easy.

    (Lagavulin- I see by your icon that you are a fan of Frank. On my channel (April 9 2015) I put together the entire Blues in A minor track- I'll PM the link to you. Just close your eyes and let Genius sink into your bones...)
     
    Last edited: Dec 5, 2016
  3. @cruelsister I don't have a nose that knows where it goes, nor do I have a tiny little mustache ;) but I am in favor of that being the accompanying music for the video.
     
  4. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    Hmmm... just remember to kiss me in the morning... lmao :)
     
  5. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    Dearest cruelsister, for the record I'm a fan of yours too. Time to mix a martini and hit that link you sent me. Thank you for being the best! :-*
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If I am not mistaken, I believe CS is talking about a new app: "CloudScan analyzes MS Office documents, scripts, executable files, to detect malicious behaviour, by opening them in virtual machines. Currently it is especially focused on detecting ransomware."

    It is definitely a very cool application (mainly for ransomware)... I always thought it would be cool to add something like this to our Cuckoo Sandbox, but never had the time to implement it (sending the result from Cuckoo back to VS's GUI). Besides, Cuckoo is a rather thorough analysis, and sometimes takes a while to process the file, so it would take a while to send the result back to the GUI. Well, that, and the metadata that the Cuckoo report contains is much more insightful than the MalScore that Cuckoo reports.

    So instead, VS's new enterprise web management console is going to automatically analyze the file and send a notification to the admin, and display it on the dashboard of the management console.

    Here is a sneak peek of the new management console... Alex is doing an amazing job, thank you Alex! (Yeah, I know there are a couple of typos! ;))

    https://voodooshield.com/artwork/vms1.png

    https://voodooshield.com/artwork/vms2.png

    BTW, does anyone ever wonder if the security industry's current fascination and focus on ransomware is going to set us up to be blindsided by massive amounts of non-ransomware malware? ;).
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Good point, Dan. I was thinking the same myself the other day, what with the rise of DDoS attacks... something that experts thought was a thing of the past, as they are generally viewed as unsophisticated, etc.

    Let's hope that 'black' thought does not come to fruition.

    Regards, Baldrick
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    CPU usage issues are gone on the full version, but I did disable a lot of scan related options. I will try to pin down which option is the culprit. I have left the AI stuff enabled.
     
  9. Well, for financial malware, social engineering fraud and ransomware the financial gain is obvious, so for the consumer market these types will prevail for the coming years.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    'If I am not mistaken, I believe CS is talking about a new app that "CloudScan analyzes MS Office documents, scripts, executable files, to detect malicious behaviour, by opening them in virtual machines. Currently it is especially focused on detecting ransomware."

    I think I know which one you speak of, but at present it doesn't use the cloud for that, as far as I know. It is a future feature.

    QUOTE: " is connecting cloud but not for analyzing the file (this is planned in future versions! files will be sent to the cloud and run on virtual machine, before they are allowed to run on user's computer). It sends some information "that help improve application"- for example, to see which applications are running other applications but from temporary folders, to see if we need to scan them in future versions, and of course- code which was detected as malicious, to eliminate false alerts in future. Cloud really improves development of security applications (and all others)."

    UNQUOTE
     
  11. Good to see you are preparing for the corporate market. What is planned for the zones (processes and devices are obvious)?

    Will v4 also get the option to select which engines to include in the AV-blackscan, which benefits home users also?

    Guess there is not much use in asking about the status of the last of the top 3 features we discussed on skype (link), something tells me you won't implement that in a 100 years :'( time to agree to disagree on this one :blink:
     
    Last edited by a moderator: Dec 6, 2016
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    ok some more feedback.

    I unticked "deny by default", which I assumed would make me get popups for anything not whitelisted, but VoodooShield did actually block a script without an option to allow.

    Also, "automatically run file after scan" is what was causing the massive CPU usage.
     
  13. EvjlsRain

    EvjlsRain Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    31
    @VoodooShield sorry Dan I have a problem with voodooshield 3.48
    Now, I cannot perform a right-click or drag-&-drop analysis to .exe files
    on 1 or 2 occasions, it works but mostly, it shows "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item"

    I tried to run VoodooShield with administrator privileges but it still doesn't work most of the time

    what do I have to submit to help to identify the cause?
    It was working before in v3.45. I rarely use this right-click/drag-and-drop analysis but I tried and got this problem
    thank you
     
  14. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Dan I am seeing an issue which I believe is caused by running voodooshield.

    The scripts that I have running every minute to collect stats from my modem have hung; this has actually happened twice (the first time was when using the free version).

    One of the processes stays running in an unkillable state: Task Manager says access denied, Process Hacker says cannot kill an exiting process. This may possibly have been related to the issue I posted in an earlier post where I said VoodooShield had blocked a script, but sadly I didn't check at the time if it had actually broken anything. The only way to recover from the locked process is to reboot.

    If needed I can send you all the scripts/binaries for you to analyse.

    The incorrect block which gave me no choice to allow was a command line block, not an executable block, and I think it was when the hangs started, as I can see the timestamp in the blocked command line.
     
    Last edited: Dec 7, 2016
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey guys, once again I am sorry I have been away… I really am almost finished though… probably another week or two at the most. After a couple of days, I will be waiting on the machines so I will be able to catch up on a lot of stuff that I missed.

    But tonight, after all of this work, I finally got to see the initial results… and they look amazing. The funny thing is… this is on a very, very small training data sample size, so the results are only going to get better.

    I was seriously worried that I would do all of this work and adding all of the new features would complicate things, and the results would not be much better. It turns out, I am happy that I took the chance.

    VoodooAi 1.0 used 30-40 features… it was me getting my feet wet with machine learning and AI. I always knew we would do a second version that included new features and stuff... and actually I am already thinking about new features for VoodooAi 3.0 ;).

    Anyway, here are a couple screenshots of the initial results. Basically, what it is showing is the predictive strength of each feature. Keep in mind, this is just the predictive strength of just that one feature… when you combine them, there is a synergistic effect and the results can turn out nicely.

    Once again, keep in mind, this is a very, very quick trial run with a very small sample set…

    The old VoodooAi’s best feature had a predictive strength of 86%... the new VoodooAi’s best feature (so far) has a predictive score of 97%. Not only that, but instead of only using 30-40 features, we will end up using around 250-400 (it is difficult to say at this point), and each new feature has the potential to help the other. Also, once we are working with a larger, more representative training data set, the numbers are only going to get better.

    So yeah, it looks like the results are going to be amazing… almost so much that we do not need to lock the computer when it is at risk… hehehe, just kidding Kees… the computer needs to be locked when it is at risk ;).

    Hopefully in a day or two I will be waiting on the machines to train, and I will catch up asap ;).

    I know it is kinda silly to post what I just posted, but I wanted to give you guys an idea of how things are going… they are going amazing ;). Besides, you guys have done a lot for VS as well, and you should know what all is going on!

    http://voodooshield.com/artwork/OldAi.png

    http://voodooshield.com/artwork/NewAi.png

    Thank you guys for all of your help, talk to you soon!
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hey Dan,

    Did you get the email I sent a few days ago?
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Guys, I am struggling with the command line stuff, as my scripts still keep freezing. I would appreciate help. I didn't want to post a question here, and looked in the documentation first, but I am stuck.

    I have command lines that seemingly get randomly blocked, e.g. the same script runs every minute, 100s of times a day, but VS will decide to block it, say, 3 hours later after it has already run 100s of times.

    I found blocked command lines in the command lines tab, and I see various right click options. There is "allow", which I assume will whitelist that specific command line, but does it whitelist it in all scripts or just that one line in that specific script?

    Also there are edit, delete and add buttons. What do these specifically do? So e.g. if I add echo * on the add screen, is that a wildcarded whitelist for all echo commands? (echo commands are being blocked).

    If I right click allow, the lines are still listed as blocked. I don't know if this tab is a log screen or a list screen that is just listing detected command lines and their status allow/block. What I do know is if I either try to do a wildcard add or right click and then click allow, the items with blocked next to the name still say blocked; they don't change to allow, so I am confused. :(

    Any help appreciated.

    Some more info

    The command being blocked is "echo %date% %time%"
    If I type that in the search box VoodooShield creates an unhandled exception (I was trying to see if the stuck block status was due to me reordering the results, as there are hundreds of command lines listed and I can only find the blocks by double clicking allow to show block first).
    I then noticed that when VoodooShield shuts down the hung unkillable processes come to life.

    --edit--

    I think the issue was that when there are too many items in the command lines list VoodooShield gets buggy. I wiped everything there, and added an echo*, which I see as whitelisted; now no new echo stuff appears in the list and toggling block/allow works properly.

    I watched it populate as my scripts ran and have edited rules with either masks (?) or wildcards (*) as necessary to minimise rules, and the whole process seems stable now. VoodooShield also uses a lot less CPU when these scripts run now as well, presumably because it's not processing a command line list 100s (or maybe even 1000s) of items long. I don't know yet if this will be stable enough to prevent the hangs, as I need time now to see if everything stays stable.

    The program seems to be working well for anti exe purposes; it's only the command line section that I have had issues with.

    Also some feedback on the VoodooAI: I have it set to the default balanced, and when I updated Sandboxie the AI determined the Sandboxie upgrader to be very unsafe. I proceeded using the false positive button.

    --edit again--

    Now I have hit an issue with the anti exe. I ran the snapshot function of the modem stats collection stuff, and this has now run dozens of times since VS was installed without a prompt; I think it's not even in the user log at all before now. This time I got a prompt and it said it was untrusted due to FP hits in the scan. In the dialog box there is no option to whitelist, only to allow a one time run.

    I then proceeded to the user log and right clicked it, selected whitelist. No error appears but it stays listed as blocked; the status will not change to allow. Seems similar to the earlier issue I had with command lines, though the user log is not that large, at a guess 100-200 or so items.

    OK, I see now it is listed in the whitelisted tab (although added 3 days ago), so I expect the issue is the user log is not supposed to show the live status like the command lines tab. If I double click the binary it doesn't block.

    My suggestion is, when whitelisting stuff in the user log, to show some kind of confirmation that it succeeded.

    -- further edit --

    unreliability again :(

    So in the last 5 minutes I have manually run the snapshot feature of my stats collection tool 8 times. Each occasion it runs the exact same commands. The commands may slightly differ in that timestamps form part of the commands, but otherwise it's the same process.

    First 4 runs yielded no prompts.
    5th run yielded the anti exe prompt I mentioned above.
    6th and 7th runs no prompt.
    8th run (now) has blocked an echo command line even though echo* is whitelisted.
    ---
    9th run after: no prompt.
    10th run after: no prompt.

    cmd.exe is now listed in the user log; however, no matter how many times I select whitelist it will not appear in the whitelist tab. So stuck again.
     
    Last edited: Dec 8, 2016
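The post above describes allowlisting command lines with wildcards (*) and masks (?) so that a script which embeds a timestamp does not need a fresh rule every minute. The following is an added example, not VoodooShield's code, and the page does not document VoodooShield's actual matching semantics: it is a hypothetical anchored matcher showing why "echo*" covers "echo %date% %time%", why a fixed-width "?" mask covers a changing timestamp without covering extra arguments, and why a rule made only of wildcards allows everything. The tool path, rule list and sample command lines are constructed for illustration.

```python
"""
Added example (not VoodooShield's code): an anchored allowlist matcher for
command lines using the two pattern characters the post mentions, '*' (any
run of characters) and '?' (exactly one character). The rule syntax, the
tool path and the sample command lines below are assumptions constructed for
illustration; the real product's semantics are not documented on this page.
"""
import re
from typing import Dict, List, Optional


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate an allowlist rule into an anchored, case-insensitive regex.

    Everything except '*' and '?' is matched literally via re.escape, so
    characters such as '%', '.', '(' or '\\' that commonly appear in
    command lines are never misread as regex syntax.
    """
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Anchor both ends: a rule must cover the whole command line, not just
    # a substring, otherwise 'echo*' would also allow 'cmd /c echo ...'.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_rule(cmdline: str, rules: List[str]) -> Optional[str]:
    """Return the first rule that allows cmdline, or None if it stays blocked."""
    for rule in rules:
        if rule_to_regex(rule).fullmatch(cmdline.strip()):
            return rule
    return None


def evaluate(cmdlines: List[str], rules: List[str]) -> Dict[str, Optional[str]]:
    """Map every command line to the rule that allowed it (None = blocked)."""
    return {c: matching_rule(c, rules) for c in cmdlines}


def unanchored_rules(rules: List[str]) -> List[str]:
    """Flag rules that contain no literal text at all (e.g. '*' or '*?*').

    Such a rule allows any command line, which defeats the purpose of a
    command line allowlist; a practitioner should reject these.
    """
    return [r for r in rules if r and set(r) <= {"*", "?"}]


# Constructed rules: any echo command, plus a stats snapshot tool whose
# only variable part is a fixed-width YYYYMMDD-HHMMSS timestamp.
RULES = [
    "echo*",
    r"C:\Tools\modemstats\snapshot.exe --ts ????????-??????",
]

# Constructed sample command lines: the first three should be allowed,
# the last three should stay blocked.
SAMPLE = [
    "echo %date% %time%",
    "echo 07/12/2016 23:15:02.31",
    r"C:\Tools\modemstats\snapshot.exe --ts 20161207-231502",
    r"C:\Tools\modemstats\snapshot.exe --ts 20161207-231502 --upload",
    "cmd /c echo hi",                 # echo is not at the start of the line
    "powershell -enc SQBFAFgA",       # nothing on the allowlist covers this
]

if __name__ == "__main__":
    for cmd, rule in evaluate(SAMPLE, RULES).items():
        print(f"{'ALLOW' if rule else 'BLOCK':5}  {cmd!r:70}  rule={rule!r}")
    print("unanchored:", unanchored_rules(RULES + ["*"]))
```

Two caveats a practitioner would keep in mind: the matcher anchors every rule to the full command line, so "echo*" does not allow "cmd /c echo hi", and the "?" mask only fits a timestamp of exactly the expected width, so an extra argument appended to a known command line is still blocked; and a command line allowlist says nothing about which binary is actually running, so it should complement, not replace, the executable allowlist.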
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I just responded, sorry, I am way behind on everything, I hope to catch up soon!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know... can you please email me your scripts so I can reproduce the error and fix the issue? Please email them to support at voodooshield.com. You might want to zip them up and rename the extension on the zipped file to something like ".zi9" so that the file is not blocked. Thank you!
     
  20. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi

    Just installed SlimJet browser.

    I have VS (free)v3.48 beta and SlimJet browser v12.0.11.0.

    Whenever I start SlimJet browser the VS icon shows an 'OFF' in red color although right clicking on it shows it's on 'SMART (Default)' mode. It'll not change to blue color even when using the SlimJet browser

    However, if I open Chrome and Firefox browsers the icon will change to 'ON' in blue color and in 'SMART (Default)' mode indicating it's correct.

    Anyone has this issue?

    Thanks
     
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Cannot do it since VS needs the Pro version. I'm using VS free version

    Thanks
     
  22. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    But in Autopilot mode it'll remain blue in color for all my 3 browsers. The icon will never change to red whether my browser is open or closed

    Thanks
     
  23. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Thanks

    I set to 'ON' mode
     
  24. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    OK, I will send them tonight. It does seem the hang issue has not reoccurred on the automated scripts now, though, so reducing the scripts whitelist seems to have had some beneficial effect.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey guys! OK, I am getting really, really close, and I think we can start training the machines sometime today or tomorrow. That will take a few days, and I hope to have the next version ready sometime later this week.

    If anyone has some really great malpacks that they would like me to add to the training data set, please send them to me... it would help A LOT!

    As soon as I start training the machines, I should have a lot more free time, and should be able to catch up on everything, thank you!
     