Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
Thank you Baldrick!
That is good to know. Thank you. I did not spend too much time on that site, but I did download the fake VS installer and ran it on a VM, and pretty much nothing happened, but I did not spend too much time with it. But I just wanted to make sure if I was posting something from a site like that, that everyone was aware that there could be something malicious on it. Thank you!
Hehehe, Baldrick, Tarnak and fs2com, you guys crack me up!
I am sorry to report that the Royals lost tonight, it was very, very close though. You guys know that as long as I have the say, you have essentially a lifetime license anyway, right?
Besides, I am trying my hardest to make something a heck of a lot more fun happen than a lifetime license.
Hi Dan, you are far too generous for your own good...but it is appreciated...and you can be sure that for me VS is a KEEPER regardless of type of license.
Thank you so much for the thorough, honest, and detailed response. I appreciate and respect that. I have sent you an email with those SRP links along with some general suggestions for VoodooShield.
VoodooShield stops programs from running before SRP, which is nice and interesting. I have been running VoodooShield along with SRP and even UAC on highest setting, against the advice of the VoodooShield installer. But I want to point out that I have had zero issues whatsoever, no incompatibilities or anything. It's been a great experience. But yes, VoodooShield stops programs from executing first and I don't even get any pop ups relating to SRP stopping programs since VS stops it first.
I look forward to version 3.0 and the addition of a Kernel Mode Driver. Surely that will provide great security and likely better performance as well. I will continue my testing of VS 2 and explore the more advanced features of the paid version. Thanks again.
Hmm. I did not realize that VS did not use a kernel driver.
AppCertDLLs basically looks like the Windows version of Linux's LD_PRELOAD, injecting a DLL into every newly created process.
@VoodooShield, as I said I really like the concept of MAC adapting to user behavior. However... I'm not an OS security expert, so I want to tread carefully here, but pure userspace methods tend to be untrustworthy against advanced malware. Access controls don't really stick when implemented north of the kernel.
I look forward to developments re the kernel driver, but until then I can't really recommend VS to end users. Good luck with the development though.
The science behind the AppCertDLLs is to not allow an executable to spawn a process at all. I understand your concern though since the kernel mode driver runs at a lower level, and is well documented. I was informed by the developer that the AppCertDLL method is not the same as user mode hooks, and that it does not use hooks at all. I know it runs at the API level. I have an idea of the method VS uses, but I'm not sure so I will be interested in hearing Dan respond to this one. I think the KMD version will be out soon so the user will have a choice of which method they want to use.
One great thing about VS is that it actually scans any new executable attempting to execute with its cloud Virus Protection. It's a really great feature to have. It does not interfere with your real-time virus protection at all. I've used VS with NOD 32, WSA, and Kaspersky when testing. The only thing I've come across is VS prompted me about a command line string belonging to Kaspersky, but blocked it before I responded to the prompt. VS allowed it from then on though. It was decided to hard code it into VS so the user is not prompted about it at all. I was informed the new developer is looking through all the code for the command line strings now. The new developer seems to be working well with VS.
I hope you decide to at least give the KMD version a try if you are not going to try the AppCertDLL method.
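The two posts above describe the AppCertDLLs mechanism: every DLL registered under the AppCertDlls key is loaded into each new process at creation time and can veto the launch. Because that key is also a persistence location that any software (not only security products) can write to, a defender will want to audit it. The following is an added example, not code from VoodooShield or from anyone in this thread: it parses a constructed `reg export` of the key and flags DLL paths that live outside directories a standard user cannot write to. The vendor names and paths in the sample are made up.

```python
import re
from pathlib import PureWindowsPath

# Registry key consulted at process creation: every DLL listed here is loaded
# into each new process that uses CreateProcess and may refuse to let it start.
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

# Directories a standard user cannot write to; a DLL anywhere else deserves review.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed sample of a `reg export` of that key (made-up names and paths).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ExampleVendor"="C:\\Program Files\\ExampleVendor\\examplecert.dll"
"Updater"="C:\\Users\\Public\\update.dll"
'''

# Matches a REG_SZ line: "name"="data", where data may contain \\ and \" escapes.
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_appcert_values(reg_text: str) -> dict:
    """Return {value_name: dll_path} for the AppCertDlls key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == APPCERT_KEY.lower()
            continue
        m = _VALUE_RE.match(line.strip()) if in_key else None
        if m:
            # .reg files escape backslashes and quotes; undo that for the path.
            values[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return values


def is_trusted_path(dll_path: str) -> bool:
    """True if the DLL sits under a protected root (case-insensitive on Windows)."""
    p = PureWindowsPath(dll_path)
    return any(PureWindowsPath(root) in p.parents for root in TRUSTED_ROOTS)


def audit_appcert(reg_text: str) -> list:
    """Return (name, path, verdict) for each entry; 'REVIEW' marks a user-writable location."""
    return [(name, path, "ok" if is_trusted_path(path) else "REVIEW")
            for name, path in parse_appcert_values(reg_text).items()]


if __name__ == "__main__":
    for name, path, verdict in audit_appcert(SAMPLE_REG_EXPORT):
        print(f"{verdict:7} {name}: {path}")
```

On a live system the same audit can be fed the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" out.reg`; a DLL that passes the path check should still be checked for a valid signature before it is trusted.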
The Free version of VoodooShield needs an About tab/screen of some sort to show the version number just like any other software. My suggestion here would be to open up the Settings option for the Free version as well, which will in turn include the About tab which is already in the paid version. However, I would suggest graying out all of the settings on all of the tabs which are included in the paid version (not available in free). This will give the Free version users insight into the capabilities which they can have if they choose to pay for a subscription, and seeing all of those options may indeed help increase sales.
The Paid version doesn't seem to show the time remaining in the subscription. My suggestion would be to show the subscription time remaining in the About tab and also on the VoodooShield web site where you log in to see Account information relating to the whitelist and so on.
When you right-click on the VoodooShield system tray icon, the visual display of the right-click options menu has irked me the most over my past few days of testing. Particularly it's the bold and capitalizing of the Choose Mode section. It's just too busy on the eyes. If you capitalize, then don't use bold. Or if you bold, don't capitalize. I understand that the Choose Mode section needs to stand out the most, for sure. But the combination of bold and capitalization is just too much. One option could be to use a pop out menu in the same menu style for the Choose Mode options and still use the same checkmark as well to show which mode is selected. Over the past few years I have seen similar system tray icons from Avast and I believe also Intel's graphics drivers and also AMD graphics driver in the past as well where they have similar system tray right-click menus, but when having quite a few different options it can be nicer looking to have a little pop out menu of similar look and style. It would just look much more tidy. Or to keep things simple, for now just remove either the bold or the capitalization, use just one. I don't have time right now to make a few mock ups of different design ideas. But if I have time later I will add it here. It's really quite a simple thing, but sometimes it is those simple things that can make that last little bit of difference when it comes to design.
Thank you for your time. Still loving VoodooShield. Just trying to provide some constructive feedback.
Thanks Dan, installed perfectly now...A real must have security app
Well, I must be mad or something but I cannot wait for the start of the v3.0 beta and the arrival of the KMD functionality...it should make VS even awesomer (is that a worder...and if not then it should be)
But Dan needs some rest so we will have to be...dare I say it...patient once again.
Very cool, thank you! Yeah, we hope VS 3.0 will be even better.
I appreciate what you are saying, but please keep in mind, even the KMDs have potential issues.
I could be wrong about this, but pretty much all malware comes from 3 sources, and all 3 of them start in the user space:
1. Drive by downloads
2. Email Attachments
3. Packed installers
My point is that a lot of people talk about how VS does not protect at the kernel level, yet even the KMD methods offered by Microsoft allegedly contain security holes. Since most security software that is not baked into Windows utilizes KMD, wouldn't advanced malware be most likely to target the KMD as opposed to the CPN? Besides, we recommend that users run traditional security software along with VS, which most certainly utilizes the KMD. So if the advanced malware can bypass one, in theory, it should not bypass the other.
Please understand, I am a local computer guy who has been removing viruses and malware for 16 years. My clients used to get viruses and malware constantly. After they started using VS (even 1.30), they simply do not get viruses or malware anymore. While I am at their offices, I always notice that their computers are squeaky clean. Not only that, but as much as I love my clients, a good 30% of them are complete novices, yet they find the concept of a simple computer lock extremely easy to understand.
I truly appreciate your constructive criticism, so the following is not a response to you or your concerns... it is a response to the people who continue to automatically dismiss VS because "it does not run at the kernel level." And honestly, this is the last thing I am going to say about it. So please, do not think this is a personal attack on you... I just want to put this issue to rest in general.
To the people who continue to automatically dismiss VS because "it does not run at the kernel level", please do one of the following.
1. Choose your favorite non-traditional security software, and convince Microsoft to bake it into Windows, since it will then run at the kernel level and since UAC has been a massive failure
2. Create your own security software that somehow magically can protect PERFECTLY at the kernel level, and license or sell your idea to Microsoft
3. Send me Satya Nadella's phone number or email address, so we can bake VS into Windows... my email address is email@example.com
4. Offer some other suggestion
My point is... these people are pointing out potential problems, but are not offering any solutions. ALL security software has restrictions on how close to the kernel it can protect... ALL SECURITY SOFTWARE ONLY HAS A SMALL HANDFUL OF METHODS AVAILABLE TO THEM FROM MICROSOFT.
It TOTALLY cracks me up because they keep saying "VS does not protect at the kernel level", which is such a broad generalization, and does not show that they actually know anything about the methods that are available. If they really wanted to prove a point that VS does not protect "at the kernel level" (and therefore does not adequately protect the computer), then why do they not write something or find something that will bypass VS? The reality is, they simply have not taken the time to research these methods (and therefore do not understand them)... they would just rather pretend like they know everything about everything without doing the work. And honestly, I have done tons of research on the different methods, and I still do not understand everything there is to know about them, and probably never will.
I am certain that SOMETHING can bypass VS, but no one has found a way yet, and believe me, many people have tried.
So instead of just saying "VoodooShield does not protect at the kernel level", let's make this fun...We will call it the VoodooShield Challenge. We were going to do this at CES last year, but we ended up not attending.
The first person who can find or write an executable virus or malware that can bypass VS 2.0 wins a free iPad Mini or comparable Windows Tablet of their choice. Whoever emails me first (firstname.lastname@example.org) with a sample drive by download website or email attachment executable that bypasses VS, I will personally hook them up with a free tablet. This will be well worth the $250 or so to make VS even more secure, because I am certain that SOMETHING can bypass it. But hurry, or Fabian might have a shiny new iPad mini if he hears about this offer first.
Edit: VS does not officially support XP, so the bypass MUST work on Vista and above, not just XP.
Until then, if someone wants to bypass the KMD, the link is above. Thank you!
Thank you for your thoughts!
Cool, thank you for the suggestions, please keep them coming! I like all of these suggestions, let me see what I can do.
Very cool, thank you! Your VS account is updated, if you have any problems at all, please let me know!
Thank you Baldrick! Yeah, I started resting yesterday afternoon... I was at lunch the other day and well, let's just put it this way... I need to relax and get healthy again. The good news is, I will not be stressed out about development anymore, and I can focus on some of the other things that we need to focus on. Besides, I accomplished what I set out to accomplish with my limited coding abilities... and that is confirmation that the whole idea of putting a toggling desktop shield gadget / computer lock on every device may not be that crazy after all.
I am excited to see what our new developer comes up with, he is really good. I have a massive list of refinements and new features... I just hope I do not drive him crazy with all of the new features and refinements. Thank you!
I said I would keep you updated on the non starting of VS. It has happened again today but I cannot find any reason for it. The process is running in the background but it is not working to any effect. Nothing has changed in my security. Also I cannot restart it from the desktop icon. The only way is to reboot.
It is behaving similarly to when you use the Task M to shut down VS under Apps and I am unable to start it again. I am assuming that it should be able to restart from this position rather than having to reboot.
I can send you the logs if you wish but there are none for today's date.
Hey Dave, thank you for letting me know. When this happens, is the VoodooShieldService running or not? If it is not running, and you start the VoodooShieldService, does VS come up normal? There have been 2-3 reports of this issue in the last week from our new users, and I am thinking it is maybe because the service is not starting properly on some systems for some reason.
Yeah, if you could send me the logs that would be great. And the next time it happens, can you please check to see if the service is running, and if it is not, just start it and VS should come up fine. If this is not what is causing the issue, we will have to figure something else out that we can try. But the logs should help a lot. Thank you!
To be honest I'm not familiar with the AppCertDLLs method, but if I understand it correctly, it's better to use a kernel-driver (AKA filter-driver) because it gives more protection options and is less easy to bypass. On the other hand, you do have a point, if the current method is already robust enough, then people should not have to worry.
The service is always running when this happens.
I will get the logs off to you. They may contain one or more instances when this has happened.
If you compare the code between the AppCertDLL and the KMD, they are very similar, which is why implementation of the KMD into VS should be very simple. We did this on purpose to avoid blue screens. We would rather err on the side of caution, knowing that the AppCertDLL is extremely robust in its own right. Well, and it has the advantage of not having the bypass posted by a major security company for the whole world to see. Me personally, I will always prefer the AppCertDLL until someone shows me that it can be bypassed. Then again, we already know the KMD can be bypassed, so what is one to do? Thank you!
Cool, thank you. BTW, did you say that sometimes VS starts fine, but other times it does not? What percentage of the time does it fail to start? Also, I am sure you have told me before, but what is your security setup? I will say, I was running MBAE the other day because I had not tried it in a while, and it did not seem to get along with VS very well at all. I will have to test some more, but it did some strange stuff... but maybe it was just a fluke.
Good on you...waiting patiently here for the beta...or even an alpha if you need some testing done. Am currently looking at VS 2.0 again in terms of what more can be suggested re. v3.0...and will let you know if I come up with anything (but then again it may already be on your "...massive list of refinements and new features" in which case...so much the better...as long as they get on there...