VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    IIRC, the other day when I tried VS on a computer with MBAE and WFC there was a problem after installing and rebooting the first time..
    after the reboot VS doesn't automatically start... I checked the processes and VoodooShield.exe is there... but VoodooShieldService.exe isn't...
    So I checked the service and it hadn't started... so I right-clicked on it and clicked start, then the program loaded and WFC popped up and I clicked allow for the program.
    After that everything seems alright... I don't know whether the service doesn't automatically start because of MBAE or WFC.
    But I just point it out so that anyone who gets into the same situation can start the VS service manually.
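    The manual workaround above, written up as an added PowerShell check (not from the post or from VoodooShield): it reports the service's state and start type, starts it if it is stopped, confirms both processes are present, and pulls the Service Control Manager events that explain a failed auto-start. It assumes the service is registered under the name VoodooShieldService (the post only names the process VoodooShieldService.exe) and runs from an elevated prompt.

```powershell
# Added example, not from the post. Assumes the Windows service short name is
# "VoodooShieldService"; falls back to a display-name match if that is wrong.
$ServiceName = 'VoodooShieldService'

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*VoodooShield*' } |
        Select-Object -First 1
}
if (-not $svc) { throw "No VoodooShield service found; check the install." }

# Show the start type: a 'Manual' or 'Disabled' StartMode explains a service
# that never comes up on its own after a reboot.
$wmi = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
"{0}: state={1} startmode={2} path={3}" -f $svc.Name, $svc.Status, $wmi.StartMode, $wmi.PathName

# Start it by hand, as the post describes, and wait for it to report Running.
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    "$($svc.Name) started."
}

# Both the tray application and the service process should now be present.
Get-Process -Name 'VoodooShield', 'VoodooShieldService' -ErrorAction SilentlyContinue |
    Select-Object Name, Id, StartTime

# If the service keeps failing at boot, the System log usually records why
# (timeouts, dependency failures, or a third-party tool blocking the start).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$($svc.Name)*" -or $_.Message -like '*VoodooShield*' } |
    Select-Object TimeCreated, Id, Message -First 5
```

    If the SCM events show the start being blocked rather than timing out, that points at the MBAE or WFC interaction the post suspects rather than at the service itself.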
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, that helps out a lot! I did not have a lot of time to test the 2 together, but they did not seem to like each other very much, I am not sure why ;).
     
  3. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Glad that helped, Dan ;) I'll let you know if I later find some strange incompatibility with other software, since I like to tinker with new software out there.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, here is a project that demonstrates that it is very difficult, if not impossible, to start a process from kernel mode:

    http://www.codeproject.com/Articles/13572/Starting-a-Process-from-KernelMode

    Please note, the .sys is flagged as malware, although I do not think it actually is. Also, please note, that VS blocks the user mode executable that attempts to start the kernel mode driver ;).

    So my point is, we already know that in theory, VS should block all new user mode processes. And I am assuming that since this project on codeproject.com was so highly rated, that this is the best attempt at actually starting a process from kernel mode. So hopefully VS cannot be bypassed, but if it can, we will do what we can do to patch it, and move on to the next VoodooShield Challenge (with bigger prizes ;)), until we make VS as bulletproof as possible.

    Anyway, I think this is a good head start for anyone interested in the VoodooShield Challenge ;).

    Also, I could be wrong about this, but I do not believe the method that VS uses injects a dll into every new process. I did not work that much at all on this part of the code, so I cannot say for sure, but I was under the impression that it did not do this. If someone knows for sure, please let me know!

    Edit: More interesting reading:

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx

    http://stackoverflow.com/questions/1311402/differences-between-user-and-kernel-modes
     
    Last edited: Nov 1, 2014
  6. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    970
    Location:
    Canada
    I think I'm going to give this a try. Would this be redundant if I'm running Appguard?
     
  7. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Morning, Digmor! I ran Voodoo Shield alongside AppGuard and WSA Security Plus...all ran Harmoniously! What, if any, Anti-Virus App are you currently utilizing? Sincerely...Securon
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,647
    Location:
    DC Metro Area
    WARNING THAT PIC INCLUDES A DRIVE-BY CONNECTION TO A SUSPICIOUS HOST AND SHOULD BE DELETED.
     
  9. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    970
    Location:
    Canada
    Emsisoft Anti Malware. And I guess it is morning.:D
     
  10. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,002
    Location:
    UK
    Using Emsisoft here and I get no warning about Tarnak's picture.
     
  11. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    970
    Location:
    Canada
    So you're infected now I guess.:eek:
     
  12. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    970
    Location:
    Canada
    Voodoo Shield didn't go well. Couldn't get rid of the icon in the bottom right hand corner even though Hide Icon was checked, and every time I opened any software on my computer it popped up asking me to allow it. I thought learning mode would mitigate this. Maybe I don't understand how VS is supposed to work. Uninstalled for now.
     
  13. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    970
    Location:
    Canada
    Securon, how's it going in your million dollar cabin on Lake of The Woods? I assume you uninstalled VS, any reason why? Oh, and did you see the Stamps game today, snow much?
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    See, I was not kidding about the fake sites ;). Please review post 4840, then download VS from here:

    http://voodooshield.com/Download/
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    AG is great and works very well with VS. AG focuses on policy restrictions and VS focuses on whitelisting. Please ask Cutting_Edgetech if you want to know more, he is extremely knowledgeable on this topic.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    In all fairness, if well over 99% of our users have figured out VS, I would hope you would be able to as well. Do not over think it... it is a simple toggling desktop shield gadget / computer lock. I mean really, a lot of our users are 80 year old grandmothers.

    It should not be blocking pretty much anything... it should be pretty much totally silent. Are you using the English version of Windows? I was always afraid that VS may not work that well on non-English versions of Windows.

    Edit: If you get a chance, please make a video of VS doing what you described. I am totally confused why it would be doing this, I think a video would help.
     
    Last edited: Nov 2, 2014
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    Some of the protection would be redundant, but each product offers additional protection that the other does not have. I don't have time to list the differences at the moment because it's 5 am here, and I have to leave soon. I will have to get back with you later today. The 2 work well together on my machines. I'm using Windows 7 x64 Ultimate.
     
    Last edited: Nov 2, 2014
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,647
    Location:
    DC Metro Area
    I'm using Emsisoft IS 9. I have my settings under "privacy risks" set so that EMIS warns about and blocks connections to suspicious hosts that present a privacy risk. Not really a big deal. A privacy risk is defined as a host that "Is used for advertising or tracking purposes." Given the recent use of advertising networks that have been exploited to spread malware, I avoid such hosts. Although I understand that the major networks have supposedly cleansed them of the latest exploits, I still avoid them. I rarely get these pop-up warnings, so I pay attention to them when they appear. applicationgrabb.net is the suspected host.
     
    Last edited: Nov 2, 2014
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey hawki, yeah, it is a fake VS download site, I can tell by the name of the installer. Can you please send me a link? I am not having any luck finding that page on applicationgrabb.net. I cannot even get to applicationgrabb.net, maybe they have already been shut down.
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,647
    Location:
    DC Metro Area
    Last edited: Nov 2, 2014
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    Dan,

    Are you talking about the link at post 4842, because I just accessed the site.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you hawki, but that link just takes me to the whois info.

    Tarnak, what I mean is the link in blue at the top of hawki's pic from post 4883.
     
  23. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    I followed the original link that you posted the other day, but it looks like the download for VS has been moved.

    ScreenShot_Malicious site for VS download_01.gif
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, can you please send me a link?

    BTW, I can tell it is a different file from the one I posted the other day since the file size changed again, although the name of the file is the same. Man, these people are relentless, and our users are downloading this file. We will take care of them though ;).
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    From my history...

    ScreenShot_Malicious site for VS download_02.gif
     