VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Hi Dan... Seeing TripleHelix mention hashes above, it might be a good idea to put the hash information on the download page,
    so people can check whether the downloaded file is corrupted or not.
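    As an added illustration of the request above (example code written for this page, not VoodooShield's own tooling): the usual way to publish this is a `sha256sum`-style listing next to the installer, and the user streams the file through SHA-256 and compares. Assumptions: the file name `VoodooShield.exe` and the listing below are constructed sample data, not a real VoodooShield hash. A hash served from the same page only detects corruption; it does not prove authenticity unless the listing (or the binary) is signed, because whoever can swap the download can swap the hash too.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB: stream large installers instead of loading them whole


def sha256_file(path):
    """Return the lowercase hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse 'sha256sum' output lines ('<hex>  <name>' or '<hex> *<name>').

    Lines that are blank, comments, or do not carry a 64-char hex digest are
    skipped rather than trusted. Returns {name: lowercase_hex}.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            continue
        expected[name] = digest.lower()
    return expected


def verify(path, expected_hex):
    """Hash the file and compare in constant time. Returns (ok, actual_hex)."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_hex.lower()), actual


def verify_download_dir(sums_text, directory):
    """Check every entry of a listing against files in `directory`.

    Result per name is 'ok', 'MISMATCH' (corrupt or substituted), or 'missing'.
    """
    results = {}
    for name, digest in parse_sums(sums_text).items():
        p = os.path.join(directory, name)
        if not os.path.isfile(p):
            results[name] = "missing"
            continue
        ok, _ = verify(p, digest)
        results[name] = "ok" if ok else "MISMATCH"
    return results


if __name__ == "__main__":
    # Constructed sample: a stand-in "installer" containing the bytes b"abc" and a
    # listing carrying SHA-256("abc"). Not a real VoodooShield download or hash.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "VoodooShield.exe"), "wb") as f:
            f.write(b"abc")
        listing = (
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  VoodooShield.exe\n"
        )
        print(verify_download_dir(listing, d))
```

    Usage: save the vendor's listing as `SHA256SUMS` in the download folder and call `verify_download_dir(open("SHA256SUMS").read(), ".")`; a `MISMATCH` means re-download, not "run it anyway".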
     
  2. pinso

    pinso Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    251
    Location:
    India
    Can VoodooShield block this program from running?
    It's a GBA emulator, 600KB in size, but it's infected with the W32Sality virus.

    What it does is, it will infect every known exe file out there; the more exe files you run, the more the virus takes hold and infects them. I am using Faronics Anti-Executable, which will prevent any exe from running, but I haven't taken the chance of running it. I have had enough headaches from it.

    If VoodooShield stops it, or at least prompts that an unknown exe is running and asks whether you want to run it or not, and provided the PC will not get infected with this virus, then I might migrate to VoodooShield.

    Can any VoodooShield user try it? I want to know the outcome.
    I couldn't attach the file for some unknown reason.
    Please download the file from mediafire.

    ~Link removed. No links to possible malware allowed.~
     
    Last edited by a moderator: Nov 5, 2014
  3. pinso

    pinso Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    251
    Location:
    India
    How will I know if VoodooShield fares well and is successful in stopping this virus from running?
     
  4. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Hi Pinso... as long as you install VS on a healthy PC, it will block those viruses from running when you're in "Always On" mode.
    And the shield will flash so you know there's an application that was blocked by VS...

    If you're hesitant to test VS on your main machine, you can set up a virtual machine and test those viruses...
    and don't forget VS is intended to run alongside an AV, which by now will detect the W32Sality viruses.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You can PM me if you want, I'll give it a shot in my test environment.

    But VS will block it, I have no doubt. It will block any and all types of executable files running from user space. In order to get by it you would have to first exploit a popular, already active process and infect by memory only. You would have to make one very slight modification to the .dll that VS uses to inject into the processes which it kills, basically telling that .dll to keep processes alive instead. That's the easy part. But like I said, it would all have to be exploited and done in memory, not on the hard drive / file system, and that would be the more difficult part. I have the details on how to do it, but I have been instructed not to post them and I will respect that wish.
     
  6. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    I run VS in Smart mode. So, assuming you have a clean machine to begin with, what's the consensus of opinion re running it 'Always on' or in 'Smart mode'?

    Thanks
    Gordon
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Smart Mode would stop any executables just the same. Personally, I don't like Smart Mode because when it comes to security software, it should be either On or Off. But a lot of people seem to use it, as if it uses fewer resources or something. It still monitors the system just the same, but shows as On when any specified programs do any kind of Internet activity, or a removable drive is inserted, and such. It's really just a personal preference of some people, basically. I would classify Smart Mode as just a gimmick. Although do not let that change your opinion or value of the software itself, because it is wickedly strong. It's just more about choice, I suppose.
     
  8. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Thanks WildByDesign.
    Yes, I have seen that VS most definitely responds to activity even when 'off' in Smart mode, hence I had wondered if 'Always on' offered any advantages over 'Smart'.
    Regarding resources it runs extremely light in either mode.
    -- I quite agree, it's most definitely a keeper.

    Thanks
    Gordon
     
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,217
    Location:
    UK
    Installed VoodooShield 2.12 yesterday on Windows 7 64-bit and it prevents hdsentinel v4.50 from showing in the system tray or a window from opening.
    It is present in Process Hacker, so it has loaded but seems to have been prevented from showing any activity.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, we should add that soon!
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey trott3r, thank you for letting me know! Have you tried to put VS in Training Mode and then reboot the computer? That should work. I see you are running Windows XP, so if this does not work, please let me know and I can download hdsentinel v4.50 on our XP test machine and figure out why this is happening. Thank you!

    Edit: Also, you might want to look at the User Log to see if VS is blocking anything. For example, if VS is blocking a command prompt, you might need to go into VS's settings, and on the tweaks tab, disable the CMD option temporarily.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I went ahead and tried this from every angle in my test lab. First, I tested it on VT to know what I was dealing with. The majority of vendors detected it. Although Malwarebytes, Qihoo-360, Baidu, and SUPERAntiSpyware did not detect anything.

    • Running the executable from user space: VS detected and killed the process rather quickly. Although the executable was able to run for approximately 1.5 seconds (as per Process Monitor), the virus was not able to achieve anything and the process was killed quickly. There was no infection, no damage done, and the process was not able to access anything on the system. It was blocked successfully with VS in Smart Mode and also Always On.
    • Running the executable from Program Files: VS did not detect or kill the process or present any kind of warning. Luckily, my test system is locked down (Limited User Account), and I had intentionally added additional Software Restriction Policies prior to running the executable to block it just in case it was able to bypass VS. This was tested in VS with Smart Mode and also Always On. The reason is that VS, by default, has a rule to allow all executables to run from Program Files directories without any scrutiny, comparing hashes or anything like that.
    Anyway, as you can see, VS blocked it and prevented any infection. It cannot bypass VS, with the exception of Program Files folders. With the Paid version you can disable that option and train the programs in those directories as well, and lock the system down significantly. The Free version is obviously trying to find the balance between security and comfort, because a lot of Free users are just everyday people who wouldn't know much about what to allow and what not to allow. I personally think that the Free version is a nice balance. And if you want more, there's always the paid version.
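    The Program Files finding above is worth pinning down, so here is an added example (written for this page, not VoodooShield's code; the two configurations it models are my reading of the post, not the product's actual logic). It contrasts the two kinds of allow rule the post describes: "anything under Program Files runs" versus "only known hashes run", and shows two things a practitioner should check before trusting a location rule: that the prefix test is a real directory test (a naive string prefix also admits `C:\Program Files Evil\...`, and `..\` segments must be collapsed), and that a location rule is only as strong as the ACLs on that location, since on a machine where the user is a local admin, Program Files is writable. Paths and binaries are constructed samples.

```python
import hashlib
import ntpath

# Roots the location rule trusts (assumed for the example).
PROGRAM_FILES_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")


def _norm(path):
    """Canonicalise a Windows path: collapse '..' and '.', unify slashes, lowercase.

    ntpath works on any OS, so this runs outside Windows too. It does not
    resolve 8.3 short names (PROGRA~1); on a real system resolve those first.
    """
    return ntpath.normcase(ntpath.normpath(path))


def under_root(path, root):
    """True only if `path` is inside directory `root`, not merely a string prefix."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def naive_path_allow(path):
    """The weak form of the rule: plain string prefix. Kept to show the gap."""
    return any(path.lower().startswith(r.lower()) for r in PROGRAM_FILES_ROOTS)


def path_allow(path):
    """Location rule done properly: directory containment after normalisation."""
    return any(under_root(path, r) for r in PROGRAM_FILES_ROOTS)


def hash_allow(data, allowlist):
    """Content rule: the executable's SHA-256 must be on a trained allowlist."""
    return hashlib.sha256(data).hexdigest() in allowlist


def decide(path, data, allowlist, trust_program_files):
    """Model of the two configurations described in the thread (assumption, not VS code):

    trust_program_files=True  -> anything under Program Files runs unchecked
                                 (the case where the infected emulator was not stopped),
    trust_program_files=False -> every executable must match the hash allowlist.
    """
    if trust_program_files and path_allow(path):
        return "allow (location)"
    if hash_allow(data, allowlist):
        return "allow (hash)"
    return "block"


if __name__ == "__main__":
    known = b"MZ constructed known-good binary"      # constructed sample bytes
    unknown = b"MZ constructed unknown binary"       # constructed sample bytes
    allowlist = {hashlib.sha256(known).hexdigest()}
    pf = r"C:\Program Files\GBAEmu\emu.exe"
    print("naive prefix admits look-alike dir:", naive_path_allow(r"C:\Program Files Evil\mal.exe"))
    print("proper containment rejects it:     ", path_allow(r"C:\Program Files Evil\mal.exe"))
    print("unknown exe in Program Files, location trusted:", decide(pf, unknown, allowlist, True))
    print("unknown exe in Program Files, hash-only:       ", decide(pf, unknown, allowlist, False))
```

    The takeaway matches the post: with the location rule on, an unknown binary dropped into Program Files is never hashed, so the only thing standing between it and execution is whoever can write to that directory. The hash-only configuration closes that, at the cost of training every legitimate program there.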
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, we appreciate you taking the time to test this file! Yeah, some large files will temporarily show up in the task manager or Process Monitor, and I am not sure why, especially since the process is denied from being created. CET discovered this oddity a while back, and both the CPN and KMD do this.

    Yeah, that is exactly the whole purpose of the free version... the vast majority of users would never want to tweak any of the settings, they just want a simple computer lock that locks their computer when it is (most) at risk. I actually just run the free version as well ;).
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Ack, don't say that Dan! Hush! :argh:
    You are always an honest person and we all respect you for that, for sure.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, how funny ;).
     
  16. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Dan... Regarding the VS Service failing to start... Now, after about 3 days with the startup type set to Automatic (Delayed Start), the VS service has always managed to start successfully... So, as a workaround for now, people with the same problem can set it to Automatic (Delayed Start) until you can figure out what causes the conflict...

    Meanwhile I'll try to set it back to Automatic again, since MBAE put a beta version out yesterday... to see whether it conflicted with the old MBAE or not...
    Will report in a couple of days ;)
     
  17. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Should I convert to the free version and join the bandwagon :p
     
  18. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,217
    Location:
    UK
    Training mode has the same results :(

    It's actually Win7 64-bit (I multi-boot).

    Nothing is blocked in the user log and I can see that hdsentinel is allowed.

    thanks for your time
    Martin
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you, that will help a lot! There seem to be a couple of programs, including MBAE, that do not get along with VS 2.0 that well. So we will have to fix this one way or another. If you could let me know what you find out, that would be great!

    Hehehe, that is funny about the free version, you guys crack me up ;).
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know. I am trying to download hdsentinel right now, do you use the installable or portable version? Also, you might try to go into VS's settings, and on the Custom tab, add the directory of the hdsentinel. Either way, please let me know what version of hdsentinel you are using and I will give it a go! Thank you!
     
  21. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,217
    Location:
    UK
    Installable.

    v4.50 pro
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Wow, I see what you mean, hdsentinel and VS do not get along at all, so this will be a great program to help us test VS. I noticed that hdsentinel was running a lot of scripts, but even disabling these options in the Settings / Tweaks tab did not make a difference, and putting VS in training mode did not make a difference either. I will put this on the immediate to do list, it will be an easy fix. Thank you for reporting this!
     
  23. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,217
    Location:
    UK
    Glad to help :)
     
  24. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,217
    Location:
    UK
    BTW
    c:\program files (x86)\utilities\disk\hard disk sentinel\ exclusion doesn't help.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It doesn't actually have anything to do with file sizes or flaws or anything; it is working as designed. What I mean by that is that the current design and killing mechanism in VS is an older specification built within Windows to get the job done without the need for kernel mode drivers and such. So it is by design; it is following Microsoft standards and specifications perfectly. I don't have my Process Monitor logs at the moment, so I can't get the exact details of the changes that happen within the process threads due to VS killing it. But that is how it works: the process has to start up initially in this particular standard, then VS recognizes it and takes over the process thread and kills it. It's extremely effective. Some methods catch a process before it even starts, and this one happens to catch it just milliseconds after it starts, but still effectively kills it. Some people are bothered by that, but personally, given that it still kills the processes, keeps your system safe, nothing is accessed and no damage is done, I am satisfied with that. I suppose the one and only exploit that could get to it would be that it's susceptible to race conditions (http://www.sans.edu/research/security-laboratory/article/race-cndtns). Meaning that it is vulnerable to being bypassed, but it would take a knowledgeable and skilled hacker to do so, and it requires careful timing.

    I am happy, though, with VS in its current state and have no worries putting all of my trust in it. It works great and is effective. But at the same time, I am curious and excited as well at the future of VS and whatever implementations the new developer can pull off to make it even more secure. I will be happy to beta test any time and provide detailed feedback.
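    The post above (and the ~1.5 second Process Monitor observation in post 12) both come down to one question: does the gate decide before the process exists, or shortly after? Here is an added example, written for this page and not VoodooShield's mechanism, that makes the window concrete. A constructed child process writes a marker file as its very first action and then idles; a "kill shortly after start" watchdog terminates it after a configurable delay. Whatever the delay, the marker is already on disk. A pre-execution gate has no equivalent window, because the decision happens before `Popen`. The child script, the delay, and the marker file are all constructed for the example; nothing here models how a real file infector spreads.

```python
import os
import subprocess
import sys
import tempfile
import time

# Constructed stand-in for a program whose first action is the harmful one:
# it writes a marker the instant it starts, then idles so it is still alive to kill.
CHILD = r"""
import sys, time
with open(sys.argv[1], "w") as f:
    f.write("I ran\n")
time.sleep(30)
"""


def kill_after_start(delay):
    """Model of a post-start killer: the child exists for `delay` seconds, then dies.

    Returns (marker_written, seconds_child_was_alive). The interesting result is
    that marker_written is True for any delay long enough to start a process at
    all; the kill arrives after the damage, not before it.
    """
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "marker.txt")
        t0 = time.monotonic()
        proc = subprocess.Popen([sys.executable, "-c", CHILD, marker])
        try:
            time.sleep(delay)
        finally:
            proc.kill()
            proc.wait()
        alive = time.monotonic() - t0
        # Evaluate inside the `with` so the directory still exists.
        return os.path.exists(marker), alive


def gate_before_start(allowed):
    """Model of a pre-execution gate: the verdict is computed before Popen.

    A blocked child never runs, so it cannot leave a marker; there is no
    timing to race. Returns marker_written.
    """
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "marker.txt")
        if not allowed:
            return os.path.exists(marker)   # never started: False
        proc = subprocess.Popen([sys.executable, "-c", CHILD, marker])
        proc.kill()
        proc.wait()
        return os.path.exists(marker)


if __name__ == "__main__":
    written, alive = kill_after_start(1.5)
    print(f"post-start kill: marker written={written}, child alive {alive:.2f}s")
    print(f"pre-start gate, blocked: marker written={gate_before_start(False)}")
```

    The racy part WildByDesign alludes to is exactly this gap: a payload that front-loads its work (or has the parent re-spawn it) only needs the window to be wider than its first write. Shrinking the delay narrows the race but never removes it; only deciding before creation does.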
     