VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    A few people have reported a bug that is causing some lag when the blacklist / VoodooAi is analyzing a file.

    If this is happening to anyone, please send your DeveloperLog.log (from the c:\programdata\voodooshield directory) to support at voodooshield.com.

    Also, if you get a chance, please try to disable the blacklist scan and VoodooAi, to see if that helps narrow down what is causing this issue. Thank you!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If anyone is having issues with a lag or slowdown, please try the following version and let me know how it goes. Either way, this should tell me what is causing the issue.

    www.voodooshield.com/Download/beta3/InstallVoodooShield352b.exe

    If you are not experiencing this issue, there is no reason to upgrade. Thank you!
     
  3. Izettso

    Izettso Registered Member

    Joined:
    Oct 1, 2007
    Posts:
    91
    I'm relatively new in using VoodooShield and I notice that on PC startup VoodooShield brings up a warning about reg.exe in Windows\SysWOW64\. I searched the forum for any information about this, but I could not find anything to enlighten me.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Nice to meet you Izettso! The next time this happens, can you please click on the Details link / button on the User Prompt once? This will show you the Parent Process of the blocked file. Can you please let me know what the Parent Process is? Thank you!
     
  5. Izettso

    Izettso Registered Member

    Joined:
    Oct 1, 2007
    Posts:
    91
    Found it! The parent process is Firefox.exe. I have it start along with other programs as a batch. What should I do?
     
    Last edited: Feb 25, 2017
  6. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    You have to use the training mode. Put VS in training mode and print from Firefox. After that you can get back to any mode you normally use and printing from Firefox shouldn't trigger an exploit warning anymore.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Gandalf! Depending on what the item is, VS might whitelist it or not. What exactly is Firefox spawning that is causing this? If you do not want to post it publicly, please feel free to PM me and I will take a look at it, thank you!
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I wanted to address a question from this post (BTW, thank you TheMalwareMaster for asking about this):

    https://malwaretips.com/threads/voodooshield-and-parent-process.68689/

    I realize that the parent process feature has the potential to create some vulnerabilities, but I was extremely careful when I implemented this feature, and there are several checks before VS will allow an item from this feature. For some odd reason, I completely forgot compressed files... but that is obviously fixed now. If anyone finds something else that I missed, please let me know. I think we are pretty safe though because VS has had that feature for several years now, and we have not had any issues with it. Also, keep in mind, one of the checks is that the parent process is already whitelisted, which also means that it has already passed the blacklist and VoodooAi scans.

    The reason we absolutely need the parent process feature is simple. In order for computer novices, average users and the enterprise to adopt application whitelisting, it has to be as user-friendly as possible. Otherwise, application whitelisting would have been adopted by the masses years ago. As you know, this is the whole goal of VS.

    Also, I am not worried about FUD's... because of its more aggressive models / algorithms, VoodooAi is extremely adept in detecting FUD's. I do not have access to VirusTotal Intelligence, but from what I have seen... the new ML / Ai engines are detecting zero days immediately, and the traditional engines are detecting these threats days, weeks or possibly months later. There are now around 4-5 ML / Ai engines on VT, and they almost always agree, and also agree with VoodooAi. Basically, these engines are all analyzing the same features, so the results are going to be quite similar.

    I am the first to admit that VoodooAi is more aggressive than the other Ai engines (and will technically have a few more "false positives"), but I personally think this is a VERY good thing, and I also think this is where the industry as a whole has gone wrong. For far too long the industry has tried to do the impossible... it is impossible to correctly classify every file as good or bad, simply because there is A LOT of grey area. So to me, the best thing to do is to inform the user if there is any doubt that the file is malware... that way they can decide if it is worth the risk or not. So far, it has worked for our customers far beyond my expectations.

    Also, if a developer is going to not sign their work, utilize hacker tools, obfuscate and encrypt the heck out of their binaries, etc... then their software does not deserve to run on your system.

    I believe this is what Darren was talking about in this presentation: https://www.theregister.co.uk/2016/...s_try_whitelists_not_just_bunk_antivirus_ids/

    BTW, Alex has implemented an error reporting feature, so you guys will not have to send your logs to me anymore. Well, that, and we will be able to quickly fix any remaining bugs in VS. I should have done this a long time ago, but I just never got around to it. Thank you guys!
     
    Last edited: Feb 25, 2017
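    As an added illustration of the parent-process rule described in the post above (trust inherited only from an already-whitelisted parent, with compressed files excluded), here is a toy policy model written for this thread. It is not VoodooShield's code; the extra child-scan check, the file paths, the extension list and the hash placeholders are all assumptions.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed list of "compressed file" extensions for the archive check (assumption).
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".cab"}


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str            # constructed placeholder label, not a real hash
    blacklist_clean: bool  # result of the blacklist scan
    ai_clean: bool         # result of the VoodooAi-style scan


@dataclass
class Policy:
    whitelist: set = field(default_factory=set)  # hashes already allowed to run

    def decide(self, child: FileRecord, parent: FileRecord):
        """Return ('allow', reason) or ('prompt', reason) for one launch event."""
        if child.sha256 in self.whitelist:
            return "allow", "child already whitelisted"
        # Trust is never inherited from a parent the user has not already whitelisted;
        # a whitelisted parent has, by construction, passed the blacklist and Ai scans.
        if parent.sha256 not in self.whitelist:
            return "prompt", "parent not whitelisted"
        # The check the post says was originally missing: compressed files get no free pass.
        if PureWindowsPath(child.path).suffix.lower() in ARCHIVE_EXTENSIONS:
            return "prompt", "compressed file: no automatic trust"
        # Assumed extra check: the child itself must also come back clean from both scans.
        if not (child.blacklist_clean and child.ai_clean):
            return "prompt", "child failed a scan"
        self.whitelist.add(child.sha256)  # remember it so the next launch is silent
        return "allow", "inherited trust from whitelisted parent"


def demo():
    """Run four constructed launch events and return the decisions in order."""
    firefox = FileRecord(r"C:\Program Files\Mozilla Firefox\firefox.exe", "HASH_FIREFOX", True, True)
    helper = FileRecord(r"C:\Users\me\AppData\Local\helper.exe", "HASH_HELPER", True, True)
    archive = FileRecord(r"C:\Users\me\Downloads\tool.zip", "HASH_ZIP", True, True)
    stranger = FileRecord(r"C:\Users\me\Downloads\setup.exe", "HASH_SETUP", True, True)
    policy = Policy(whitelist={"HASH_FIREFOX"})
    return [
        policy.decide(helper, firefox)[0],    # allow: inherits from whitelisted parent
        policy.decide(archive, firefox)[0],   # prompt: compressed file
        policy.decide(stranger, stranger)[0], # prompt: parent is not whitelisted
        policy.decide(helper, stranger)[0],   # allow: helper was auto-whitelisted above
    ]
```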
  9. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    My PC has stoned a few times after installing VS. I uninstalled it. Let's see if the problem persists. (We will see if there is another reason for this.)
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd... by "stoned" do you mean it is having the same issue that you had 6 days ago when you posted "I tried MBAM 3 again with the same result: PC stoned after some time. Ditched it." on the following forum?

    https://www.wilderssecurity.com/threads/antimalware-useless.392068/page-3#post-2654184

    I can look at your DeveloperLog.log if you would like... it will tell us if VS is causing an issue. You can find the DeveloperLog.log in the c:\programdata\voodooshield folder. Then just email it to support at voodooshield.com, thank you!
     
  11. mWave

    mWave Guest

    That's ridiculous, not everyone has money to spend on code signing authenticity. Did you ever think that maybe some developers do not have good jobs with additional money to spare alongside their bills, or they may not even be working at all? I can think of some products which are safe and are not digitally signed off the top of my head: Xvirus Personal Guard, Crystal Security are 2 examples.

    Maybe some people focus on the loyal user-base instead of people trying to reverse their products. At the end of the day, there is nothing you can do to stop someone determined enough... Obfuscation for MSIL is very easy to undo and other factors like packing will just result in unpacking. How do you think AV vendors analyse malware which is obfuscated/packed? It's not foolproof and for some people it's a complete waste of time.

    Apart from that, I agree with your other points in your post.
     
    Last edited by a moderator: Feb 25, 2017
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Code signing certificates are not expensive at all... well, except for the EV certificates required for kernel mode drivers (but most devs do not need this). You can get a code signing certificate for $84 or less.

    Unsigned binaries are one of the biggest reasons we are experiencing a major malware epidemic. When developers sign their work, they are letting everyone know where that file came from. Could you even imagine if no one ever signed their files? We would have billions or trillions of files, and no one would have any idea where they originated. If I am going to run new executable code on my system, I want to know where that code came from... and it is only fair that developers do their part. It is their duty.

    You can sufficiently obfuscate code with valid obfuscation tools... there are tons of them, and many are free, and these tools will not trigger an adverse response from most security software. The problem arises when devs obfuscate and encrypt their code with the same sketchy tools that the blackhats use.

    Malware is like this... if you are walking down the street late at night and you pass by two people, knowing that one is good and one is bad. The first person you pass by is a priest, and a few minutes later you pass by a slingblade looking dude... which one is most likely good, and which one is most likely bad?

    What you are essentially asking security developers to do is to distinguish the good from bad, and at the same time, telling devs that it is perfectly acceptable to make their binaries look like the slingblade looking dude.

    That is fine if devs do not want to follow the rules, as long as they understand that there is a chance that their work is going to be classified as malware.
     
  13. Izettso

    Izettso Registered Member

    Joined:
    Oct 1, 2007
    Posts:
    91
    After reading your question I thought the problem may be my Firefox start page, which is an extension called Speeddial. However, I changed the startup to "about:blank", but VS again brings up the message when I start Firefox.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There is another issue to me about this signing. If a developer doesn't have the funds, and I know it can be a problem for a developer, do I want to trust my computer and my dollars to a program that is being developed on a shoestring?

    Also, when someone says programs x and y are safe, how do you know they are safe? By assumption, or have you tested?
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ohhh... so this happens whenever you start Firefox in general? If that is the case, most likely it is one of the Add-ons / Extensions. You might want to temporarily disable each one until you figure out which one it is. If you figure out which one it is... please let me know. I will say this... there better be a VERY good reason that the extension has to call reg.exe... otherwise, I would not trust this extension.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly! And actually, the digital signature, obfuscation, etc. list that I posted earlier is just a partial list... there are a lot of other factors or "features" that determine the build quality of the executable... so I totally agree with your point. And out of the 400 or so features that VoodooAi analyses, at least one third to one half are directly affected by the decisions the developer makes.
     
  17. mWave

    mWave Guest

    For a single developer who is in education and does not have work, $84 can be expensive.

    That is true to an extent, but it is not a "duty". Some software is freely available and makes absolutely no profit, and that very same developer may be struggling already let alone spending more funding on digital signatures.

    That's nonsense as well. Blackhats can use the exact same tools that genuine developers use. Packers like UPX which are used by genuine software to compress the file size can be used by malware too, for example. As for obfuscation tools like SmartAssembly, ConfuserEx and .NET Reactor... All 3 are also used by both genuine and malicious developers. ;)

    No, I never said anything like this. Let's go back to my post and check what I said, maybe you will understand if I step through it with you (think of it like debugging if that helps you) :)

    I am not complaining towards your product, I am merely disagreeing with what you said here:
    Like I've already said, being digitally signed does not make the software "worthy" to run on the system, and if you think this then that is pretty ridiculous IMO. Yes, it is useful when it comes to trusting software/where it originates from, but it doesn't automatically mean that a piece of software is clean and if the software is clean but not digitally signed then there shouldn't be a problem.

    Now if we step back a bit and read what you said here:
    Yes and breaking this protection is very simple, then you can freely carry on reversing as you would have without the software having any protection in first place.

    Now regarding native applications (e.g. C/C++ and Assembly), due to the way they are compiled a lot of the useful information is already stripped down. Regarding MSIL, you can decompile them even easier than native software since it works with a JIT compiler through byte-code via the CLR, therefore if it's obfuscated you can deobfuscate it without a problem... Now discussing packing in general, if you know what you are doing (which tons of people do), you can defeat such packers through unpacking mechanisms (e.g. debugger knowledge, dumping from memory to disk, etc.). Anti-debugging is also a waste of time since you can beat that relatively easy as well.

    At the end of the day, anti-reversing is not on everyone's to do list, and it really depends on what sort of software is being developed. In your scenario, anti-reversing may be beneficial but if someone like me is determined enough, some hours within IDA Pro and some debugging (WinDbg) will give me anything I want to know. Whereas other software which is not security-orientated, but provided for free, may not necessarily need to bother with such mechanisms.

    Urm, did you ever think that maybe some software is provided for absolutely no cost and makes absolutely no profit whatsoever? Please don't tell me you've never used a free product coming from a poor background to do one thing or another in the past. Not everyone is developing software to make money, some do it as a hobby alongside their real life with their real job... You can't tell me that? Right then, case closed. ;)

    Obviously Xvirus Personal Guard and Crystal Security (my examples from the previous post) are absolutely safe, they are even advertised on this forum and also MalwareTips and I know both the developers. And for the matter, it's through the latter. They were only 2 examples.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @mWave... we can talk about this until we are blue in the face, but the fact remains that there is a very strong mathematical correlation between these 400 features, as demonstrated here:

    www.voodooshield.com/artwork/newcurve.PNG

    While Ai is not perfect, there are VERY strong correlations in these features. When you see the math, it is truly magical.

    Are you suggesting that there are better features that security vendors can utilize to analyze malware pre-execution? If so, please let me know! It has to be pre-execution though... as bad as malware is these days, letting one line of malicious code run is unacceptable.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    You are absolutely correct! But keep in mind that the only reason they use these techniques is to evade detection by traditional blacklist engines. So when the blackhats stop using these techniques, guess what happens? The traditional blacklist engines will be more adept at detecting these threats. So basically, you need both.
     
  20. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Last autumn I tried MBAM and soon the PC got one bluescreen and once it got stoned if I recall correctly. When I uninstalled it no problems for a long time. I installed VS some time ago. After I tried MBAM again PC got stoned again. I uninstalled MBAM. Now stoning happened, however, again. Hard to know what is the reason.

    Unfortunately there is no folder c:\programdata\voodooshield :(

    Let's see if the stoning happens again.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    It is a hidden folder.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, sounds great. After you install VS again, that folder will show up. And if there are issues, please send me your log and it should be an easy fix. Thank you!
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    D'oh! Oh, yes you need VS installed too. :D
     
  24. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 lol
     
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I'll email ya anyway :p lol
    Very concise post Dan, thanks for the "Heads Up"
    I agree with 99% of what you posted, you get a 1% fail on that for not mentioning free coffee. ;)
     