Emisoft - Voodoo Shield Discussion

Discussion in 'other anti-malware software' started by Feandur, Jul 28, 2013.

Thread Status:
Not open for further replies.
  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Actually, quite well. We have quite a few users with rather dated machines :).

    You seem to be rather obsessed with VMs. So just for you I took the time to install VS on my normal workstation (i7-2700k, 16 GB RAM, Windows 7 x64, hopefully that is current enough for you ... I mean ... it's 2 years old already!).
    The result is, that the old killvoodoo.exe version required around 60.000 executions until it won the race against VS and killed it. Well, that's a bit much. So I applied the optimizations I mentioned in the video. I rewrote the test in Assembler to get rid of all useless code that is usually executed during initialization. I also added the kill code into a TLS callback to execute even earlier than normal. VS is killed pretty reliable on my machine now (9 out of 10 times):

    Removed the link. The VS author has it and I am sure he will fix the issue soon :).

    VT shows 3 detections due to the trick I used to get my code to execute earlier.
     
    Last edited: Jul 30, 2013
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sounds good, I have some onsite work to do, but I will test it a little later. Do you mind sending me the source code before I test?

    You still did not answer the main question... How is VS not blocking applications if they cannot start when VS is ON and kills them?

    If your file kills VS, we will change the kill method, it is that simple. I just hope it does not make the system crawl like other software that uses this method.

    When we are finished talking about VS, can we talk about your software and any bad attributes it might have?

    BTW, I am flattered that you are overestimating the "VoodooShield Craze", as you put it. You do realize that hackers would have to include your code in their virus to specifically target VS in order to kill it, right? I am honored that you think we have that big of a user base that hackers would target us.
     
    Last edited: Jul 30, 2013
  4. netbook0tr

    netbook0tr Registered Member

    Joined:
    Nov 7, 2010
    Posts:
    24
    Location:
    england
    Take it easy man :)

    VS allows any process to run for few milliseconds...
     
    Last edited: Jul 30, 2013
  5. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You have a PM :).

    They can start. They just won't run for a long time. Blocking execution for most people means that the file is prevented from being executed at all. Not just killed after a few milliseconds.

    Properly implemented, there shouldn't be any issues.

    Sure. There is always room for improvement :).

    Of course they would have to. But you also realize that they will do exactly that, once you have any meaningful distribution, right? Personally I prefer to be informed about design flaws before potentially thousands of users get owned by malware. I hope you share that sentiment :).
     
    Last edited: Jul 30, 2013
  6. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    714
    Location:
    UK
    You seem to be taking this rather badly. You should be grateful that Fabian has discovered a flaw and shared it with you so you can address it, and more to the point before said flaw causes your users to become infected.
     
  7. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    86,075
    Location:
    U.S.A.
    There's no need to turn this thread into a fight. Let's focus on the subject, and have a civil discussion. Thank you!
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,520
    Location:
    U.S.A.
    :thumb:

    BTW - your accent is not that bad. I have heard far worse German accents in my time. It's those Brits I can't understand ..........:D
     
  9. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    If I create a piece of software that calls the Windows API function DeleteFile() on all the files in the "My Documents" folder, does VoodooShield block every single one of those DeleteFile() calls? If not, how many files will get deleted?
     
  10. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    86,075
    Location:
    U.S.A.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    As discussed between VoodooShield and Fabian Wosar, it has been requested to close this thread.

    Should you have any questions about either software, you can PM them both. Thank you all for participating!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.