VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I looked into this a little more and I see exactly what the issue is. Basically, VS is having a problem parsing the following cscript command line, but it is an easy fix and will be included in the next release that will also fix the other 4-5 minor issues, and it will be ready in probably a week or so. Thank you for finding this!

    cscript //nologo "c:\users\dan\appdata\roaming\hard disk sentinel\hds_control_remove.vbs"
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for the info! Are you sure that the CPN / AppCertDll method lets the process run for a few milliseconds, because honestly I do not believe it does. I know the method we used in VS 1.30 let the process run for a few milliseconds (and a lot of people did not like that ;)), but the method we are using in VS 2.0 should deny process creation until VS can decide whether to allow it or not. Here is an example of the method we are using:

    http://www.kernelmode.info/forum/viewtopic.php?f=15&t=2053&p=16552&hilit=not impressive#p16552

    Basically, the cpn DLLs deny process creation for any new processes, then ask VS if it is ok to run, so then VS checks if the process is on the whitelist, etc., and then lets the cpn DLLs know whether it is ok to allow process creation or not. So as far as I know, this method should not be subject to race conditions. For example:

    #define APPCERT_IMAGE_OK_TO_RUN 0x00000001L
    #define APPCERT_CREATION_ALLOWED 0x00000002L
    #define APPCERT_CREATION_DENIED 0x00000003L

    Even the old KMD method that works with Windows 2000 and above temporarily shows the process in the task manager, assuming it is a big enough file that is not denied quickly. I will be excited to see what the new KMD method we are using in VS 3.0 does, although it only works with Vista and above. If you have any more information on this, please let me know. It is extremely difficult to find info on this method, but there is tons of info on the various KMD methods.

    Yeah, I cannot wait to see what all the new developer does, I will keep you guys posted.
     
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,562
    Dan

    Yesterday VS again failed to load. It seems to happen most often at boot-up after being shut down overnight. On a later reboot it loaded OK. No change to the system.
     
  4. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    253
    Any plans to use a newer .NET framework? Seems strange I have to install an old version I have no need for otherwise. :)
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree as well, I would rather that it uses a newer .NET version so that we don't need to enable/install the older version. Or if it was possible to not use .NET at all would be even better. The VoodooShield GUI slows down the system startup quite significantly. Everything loads fast on desktop and system tray, and VoodooShield shows up 45 seconds later or so. Although the VoodooShield service of course starts up fast and protection is already there. Just referring to the main GUI and system tray. Windows shows startup of VoodooShield as High impact, similar to that of antivirus and such. Although I do admit that once VoodooShield is up and running there is little to no effect on performance. It performs wonderfully. My understanding is that the GUI is in .NET which communicates with the faster VoodooShield service.
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,850
    Location:
    Canada
    I also have similar problems, except my computer won't boot at all. Windows 8.1 starts normally, but after 5-6 seconds the computer shuts down by itself. Remove VS and the problem is gone. Tried it 3 times with the same results. Will wait for the next version to try it again...
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is a bummer, thank you for letting me know though. I will have the new developer look at that asap. Do the VoodooShieldService and/or VoodooShield processes start when this happens? Does removing all of the files from the C:\ProgramData\VoodooShield fix the issue? Thank you!
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, the whole goal is to have a different version of VS for Windows 7 and 8, and it will use the .NET framework that is native to that system. Vista is not included, unfortunately, since I believe the native .NET version was 3.0. XP is not included either since, from what I remember, it did not include a native .NET version. And hopefully the installer will detect the OS and install the .NET version of VS that is native to Windows 7 and Windows 8. Then when Windows 10 comes out, we will do the same for it. Thank you!
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, hopefully the new developer will optimize all of the code and make it run super fast from the start, and fix the start up issues that a few people are experiencing. Yeah, both the gui and the service are written in .net, which believe it or not, most developers agree that is the way to go. Especially if we can use the .net version that is native to each system. Thank you!
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that. Is there any chance that you could email me the .log files from the C:\ProgramData\VoodooShield directory, and we can figure out why this is happening? My email address is dan@voodooshield.com. We have had a couple of startup bugs on around 1% or less of all systems, so hopefully the new developer can fix this asap. Thank you!
     
  11. controler

    controler Guest

    I just installed VoodooShield the other day and after rebooting I had no tray icon, and clicking on the desktop icon would not bring up the GUI. The process and service were running.
    Dan was able to fix this in just a few emails :) Great support Dan!!!!
    My problem was fixed by deleting the files in the hidden C:\ProgramData\VoodooShield folder and rebooting, as Dan recommended.
    I am also using a Windows 8.1 64-bit machine.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I think that sounds good and respectable to detect and use the .NET version native to the particular version of Windows, very good. I didn't realize that the VoodooShield service was also .NET because it is super snappy. I suppose it seems to be more when something needs to be drawn on a screen (GUI) that is where .NET seems to be slow. Just like the GUI for EMET and many, many other .NET applications as well.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Dan, I know that you've said recently that you have received some VS bug reports already related to Windows 10. So you have probably already heard this one, so I apologize if it's a duplicate. But when VS is installed on the system (Win 10), the new Start menu fails to load properly but it only happens maybe 1 out of 6 startups. I have been trying to dig deeper into this the past few days to see where the failure point is by looking in Event Logs and also VS logs but VS doesn't log a block for this particular issue. I'll let you know though if I can pinpoint this in more detail, for sure.

    EDIT: Some miscellaneous blockages from log below. This is from Windows 10, but it is quite possible that these could relate to Windows 8.1 as well because much of the underlying technology is the same at this point.

    Code:
    [11-07-2014 07:00:41,604] 6 [INFO ] - CommandLineHandler Blocked: c:\windows\system32\sc.exe start wuauserv
    [11-07-2014 07:00:41,620] 6 [INFO ] - LD: 114
    [11-07-2014 07:00:41,632] 6 [INFO ] - CommandLineHandler Blocked: c:\windows\system32\sc.exe start wuauserv
    [11-07-2014 07:00:41,839] 6 [INFO ] - Blocked: c:\windows\system32\rundll32.exe
    * believe the blockages above relate to starting of Windows Update services.

    Code:
    [11-06-2014 07:55:12,419] 8 [INFO ] - CommandLineHandler Allowed: c:\windows\system32\rundll32.exe aepdu.dll,aepdurunupdate
    [11-06-2014 07:55:12,466] 9 [INFO ] - CommandLineHandler Blocked: c:\windows\system32\rundll32.exe windows.storage.applicationdata.dll,cleanuptemporarystate
    [11-06-2014 07:55:12,497] 9 [INFO ] - LD: 106
    [11-06-2014 07:55:12,497] 9 [INFO ] - CommandLineHandler Blocked: c:\windows\system32\rundll32.exe windows.storage.applicationdata.dll,cleanuptemporarystate
    [11-06-2014 07:55:12,825] 8 [INFO ] - CommandLineHandler Allowed: c:\windows\system32\rundll32.exe startupscan.dll,susruntask
    [11-06-2014 07:55:13,060] 9 [INFO ] - CommandLineHandler Allowed: rundll32.exe wsclient.dll,wsptlr licensing
    [11-06-2014 07:55:26,537] 8 [INFO ] - CommandLineHandler Allowed: "c:\windows\system32\rundll32.exe" "c:\windows\system32\werconcpl.dll", launchercapp -queuereporting
    [11-06-2014 07:58:35,637] 8 [INFO ] - CommandLineHandler Allowed: "c:\windows\system32\rundll32.exe" "c:\windows\system32\werconcpl.dll", launchercapp -queuereporting
    [11-06-2014 08:00:29,119] 9 [INFO ] - CommandLineHandler Allowed: "c:\windows\system32\rundll32.exe" "c:\windows\system32\werconcpl.dll", launchercapp -queuereporting
    * not entirely sure what these relate to, but just general system things after booting up Windows.

    So the majority of the blockages that I see regularly with rundll.exe and others are normal Windows operations. It's really hard to say how these VS blockages could potentially cause system problems or certain system component problems.

    Aside from some normal Windows operations, I have had lots of rundll.exe errors with other legitimate program installations, plus also lots with some questionable software related to installing custom themes on Windows, tweaks and so on. I won't post the logs for those though, because they are questionable and certainly not worth taking up your time with unnecessary things.

    I am debating between taking the time to continuously review logs for blockages and adding Custom rules and/or whitelisting rundll.exe and others or just removing VoodooShield altogether.

    But make no mistake about it, the protection provided by VS is thorough and solid. I do like the fact that they also monitor, block and control Regedit, Rundll, cmd, powershell and other scripting methods as well. It locks things down tight. I have spent many hours over the last week thoroughly testing VS and to learn the inner workings of it. Trying various known and unknown ways to break it, trying to find weaknesses and such. And you know what? It is damn solid! I cannot break nor bypass it. Excellent work with everything, Dan. I have lots of respect for you and for VoodooShield. Regardless, I will continue to follow progress very closely every step of the way and look forward to it.
     
    Last edited: Nov 7, 2014
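    The log excerpt above is the raw material for deciding which blockages are routine Windows activity and which deserve a custom rule. The parser below is an added example, not VoodooShield's code: it reads lines in the format quoted in the post, keeps only the Allowed/Blocked decisions, and for rundll32.exe launches pulls out the DLL and export so blocks can be tallied per (image, DLL, export). The sample lines are constructed from the post's excerpt.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the format of the VoodooShield log lines quoted above.
SAMPLE_LOG = """\
[11-07-2014 07:00:41,604] 6 [INFO ] - CommandLineHandler Blocked: c:\\windows\\system32\\sc.exe start wuauserv
[11-07-2014 07:00:41,620] 6 [INFO ] - LD: 114
[11-07-2014 07:00:41,839] 6 [INFO ] - Blocked: c:\\windows\\system32\\rundll32.exe
[11-06-2014 07:55:12,419] 8 [INFO ] - CommandLineHandler Allowed: c:\\windows\\system32\\rundll32.exe aepdu.dll,aepdurunupdate
[11-06-2014 07:55:12,466] 9 [INFO ] - CommandLineHandler Blocked: c:\\windows\\system32\\rundll32.exe windows.storage.applicationdata.dll,cleanuptemporarystate
[11-06-2014 07:55:26,537] 8 [INFO ] - CommandLineHandler Allowed: "c:\\windows\\system32\\rundll32.exe" "c:\\windows\\system32\\werconcpl.dll", launchercapp -queuereporting
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<thread>\d+) \[(?P<level>[A-Z]+)\s*\] - (?P<msg>.*)$")
DECISION_RE = re.compile(r"^(?:CommandLineHandler )?(?P<decision>Allowed|Blocked): (?P<cmd>.*)$")
IMAGE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<rest>.*)$')  # first token, quoted or bare
RUNDLL_RE = re.compile(r'^\s*"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)')     # <dll>,<export> tail

@dataclass
class Decision:
    when: datetime
    thread: int
    decision: str          # "Allowed" or "Blocked"
    image: str             # basename of the launched executable, lower-cased
    dll: Optional[str]     # rundll32 only: DLL named on the command line
    export: Optional[str]  # rundll32 only: export it was asked to call
    raw: str

def parse_line(line: str) -> Optional[Decision]:
    """Return a Decision for allow/block lines; None for other entries such as 'LD: 114'."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = DECISION_RE.match(m["msg"])
    if not d:
        return None
    img = IMAGE_RE.match(d["cmd"])
    if not img:
        return None
    image = ntpath.basename(img["q"] or img["u"]).lower()
    dll = export = None
    if image == "rundll32.exe":
        r = RUNDLL_RE.match(img["rest"])
        if r:
            dll, export = ntpath.basename(r["dll"]).lower(), r["export"].lower()
    when = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S,%f")
    return Decision(when, int(m["thread"]), d["decision"], image, dll, export, d["cmd"])

def parse_log(text: str) -> list:
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]

def blocked_summary(records: list) -> Counter:
    """Count blocks per (image, dll, export): the candidates to review for a custom allow rule."""
    return Counter((r.image, r.dll, r.export) for r in records if r.decision == "Blocked")

if __name__ == "__main__":
    for key, n in blocked_summary(parse_log(SAMPLE_LOG)).most_common():
        print(n, key)
```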
  14. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    253
    OK, that's nice to see... thank you, Dan.

    Things seem to be shaping up quite nicely btw. It's been a bit of a rough ride during development; there were times where it seemed like the bugs would never end and a final would not come, and I think you deserve credit for not jumping ship like many probably would.

    I'm sure VoodooShield ain't a goldmine yet, hopefully it will be for you & your investors when word gets around the globe. :)
     
  15. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,850
    Location:
    Canada
    Thanks Dan for your fantastic support. :)
    I will see if I have time during the weekend to re-install it and then send you the .log files.
     
  16. Marie68

    Marie68 Registered Member

    Joined:
    Nov 7, 2014
    Posts:
    1
    I just signed up to Wilders to say what a fantastic piece of software this is. I'm very impressed, to say the least, and I'll make damn sure that plenty of people on the various boards I'm a member of will learn about this excellent software, as it certainly deserves a lot more recognition than it currently receives.

    I'd also be very happy to beta test future versions of VoodooShield if you need any more people to test it.

    I just realized I gave myself a female name when signing up. It should be marke68 and not marie68, oops. :oops:

    Best Regards

    Mark
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree 100%, more people definitely deserve to know about it. And now with the Free version available, along with the right advertising (I don't mean within the product, of course), word of mouth, reviews and such. I believe that the user base will grow substantially over the next year or so.

    By the way, welcome to Wilders, Marie. I mean, Mark! :isay:
    Just kidding. Much respect!
     
  18. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,562
    Failed again to load this morning, but on a reboot it started normally.
     
  19. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,562
    Just had a look in the System Event log and am seeing two errors:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    A timeout was reached (30000 milliseconds) while waiting for the VoodooShieldService service to connect.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-08T10:56:11.454886500Z" />
    <EventRecordID>23090</EventRecordID>
    <Correlation />
    <Execution ProcessID="812" ThreadID="816" />
    <Channel>System</Channel>
    <Computer>David-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">30000</Data>
    <Data Name="param2">VoodooShieldService</Data>
    <Binary>56006F006F0064006F006F0053006800690065006C00640053006500720076006900630065000000</Binary>
    </EventData>
    </Event>
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    And the second one:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The VoodooShieldService service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-08T10:56:11.454886500Z" />
    <EventRecordID>23091</EventRecordID>
    <Correlation />
    <Execution ProcessID="812" ThreadID="816" />
    <Channel>System</Channel>
    <Computer>David-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">VoodooShieldService</Data>
    <Data Name="param2">%%1053</Data>
    <Binary>56006F006F0064006F006F0053006800690065006C00640053006500720076006900630065000000</Binary>
    </EventData>
    </Event>
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hope it makes some sense to you.
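    The two Service Control Manager events above go together: 7009 records that the SCM waited param1 milliseconds (30000) for the service in param2 to connect, and the 7000 that follows carries %%1053, the Win32 error ERROR_SERVICE_REQUEST_TIMEOUT ("did not respond to the start or control request in a timely fashion"). The Binary field in both is the service name as a NUL-terminated UTF-16LE string. The parser below is an added example (not from the post or from VoodooShield) that reads that XML, decodes the blob, and pairs a 7009 with its matching 7000; the two event strings are condensed from the post's XML.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 error codes that event 7000 reports as %%<code> in param2 (standard values, not from the page).
WIN32_ERRORS = {1053: "ERROR_SERVICE_REQUEST_TIMEOUT (no response to the start/control request in time)"}

# Condensed from the two events quoted in the post above (non-essential elements dropped).
EVENT_7009 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID Qualifiers="49152">7009</EventID>
<TimeCreated SystemTime="2014-11-08T10:56:11.454886500Z"/><EventRecordID>23090</EventRecordID>
<Computer>David-PC</Computer></System>
<EventData><Data Name="param1">30000</Data><Data Name="param2">VoodooShieldService</Data>
<Binary>56006F006F0064006F006F0053006800690065006C00640053006500720076006900630065000000</Binary>
</EventData></Event>"""
EVENT_7000 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID Qualifiers="49152">7000</EventID>
<TimeCreated SystemTime="2014-11-08T10:56:11.454886500Z"/><EventRecordID>23091</EventRecordID>
<Computer>David-PC</Computer></System>
<EventData><Data Name="param1">VoodooShieldService</Data><Data Name="param2">%%1053</Data>
<Binary>56006F006F0064006F006F0053006800690065006C00640053006500720076006900630065000000</Binary>
</EventData></Event>"""

@dataclass
class ScmEvent:
    event_id: int
    record_id: int
    time_created: str
    computer: str
    params: dict = field(default_factory=dict)
    binary_text: str = ""   # <Binary> decoded: the service name the SCM was acting on

def parse_scm_event(xml_text: str) -> ScmEvent:
    root = ET.fromstring(xml_text)
    sysel = root.find("e:System", NS)
    data = root.find("e:EventData", NS)
    params = {d.get("Name"): (d.text or "") for d in data.findall("e:Data", NS)}
    blob = data.findtext("e:Binary", default="", namespaces=NS)
    # The SCM writes the service name as NUL-terminated UTF-16LE into <Binary>.
    text = bytes.fromhex(blob).decode("utf-16-le").rstrip("\x00") if blob else ""
    return ScmEvent(int(sysel.findtext("e:EventID", namespaces=NS)),
                    int(sysel.findtext("e:EventRecordID", namespaces=NS)),
                    sysel.find("e:TimeCreated", NS).get("SystemTime"),
                    sysel.findtext("e:Computer", namespaces=NS), params, text)

def explain(ev: ScmEvent) -> str:
    if ev.event_id == 7009:
        return f"{ev.params['param2']}: SCM gave up after {ev.params['param1']} ms waiting for the service to connect"
    if ev.event_id == 7000:
        code = int(ev.params["param2"].lstrip("%"))
        return f"{ev.params['param1']}: start failed, {WIN32_ERRORS.get(code, f'Win32 error {code}')}"
    return f"event {ev.event_id}"

def start_timeouts(events) -> list:
    """Services with a 7009 and a 7000 logged at the same instant: the service process did not
    report to the SCM within the wait, i.e. a slow start rather than a crash."""
    by_key = {}
    for ev in events:
        by_key.setdefault((ev.binary_text, ev.time_created), []).append(ev.event_id)
    return [svc for (svc, _), ids in by_key.items() if 7009 in ids and 7000 in ids]
```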
     
  20. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Okay... After 2 days of being set back to Automatic, VS Service failed to load again today...
    Log information just said "The VSS service is shutting down due to idle timeout. "

    Now I set it back to "Automatic (Delayed Start)" :D

    Like djg05... is it the timeout setting that causes the problems?
     
  21. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK

    I had this exact same error but only on one occasion a couple of days ago - Error 7009 timeout and Error 7000 Service control manager.

    VS error 7009.png

    Gordon
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,602
    Location:
    The Netherlands
    I do not see why VS would fail to block this malware from running, since it's an executable file; it does not matter that it was infected. Also, if I'm correct, because of UAC, malware can not automatically run from the "Program Files" folder unless you installed the app.

    I have not read all the posts in this thread, but does VS already offer the sandbox feature? If I'm correct, it runs apps in "low integrity" mode? What about the "Restricted Token" method, is this the same as running apps with another integrity level?

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa379316(v=vs.85).aspx
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The issue here is that by default, VS disables UAC and uses wording to strongly recommend allowing it to be disabled. So this is default for the majority of regular, everyday VS users (not us security-minded users who will re-enable UAC in most cases). So for the larger percentage of VS users, they will not get those UAC prompts and blockages. This would/could affect Windows system folders as well, although VS does monitor that and does verify by hash.

    The other issue related to this, again a VS default, is that all executables are allowed to run from Program Files folders, completely bypassing VS and not even verifying hashes at all. However, in the paid version you can switch this and train Program Files as well and verify hashes.

    The two issues combined are a deadly combination, in my opinion, which is why I would personally choose to use the paid version and lock that MoFo down tight. ;)

    Not sure that I've seen any other security software disable UAC by default or even suggest it. That being said, from all of my thorough testing, VS works flawlessly with UAC even on the highest level; they complement each other well. No conflicts or issues whatsoever.

    EDIT: Sorry, I did not want to clutter up this thread and go over something that I had already previously stated and discussed, but since asked by Rasheed, I wanted to clarify it for him in case I didn't explain it well enough previously.
     
    Last edited: Nov 9, 2014
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey everyone, thank you for all of the posts. I sent all of the source code to the new developer on Friday, so I have been sleeping pretty much since then ;). He reviewed the code via remote last weekend and started working on it on Friday. He is going to fix these last few bugs, then implement the KMD and add a few new features. I have a few things to do today, but a little later I will reply to the posts above ;). I am hoping that these last 5 or so bugs will be fixed within a week or so, who knows, maybe even sooner than that!
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,602
    Location:
    The Netherlands
    Thanks, I now understand it a bit better.
     