Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
How about a screen shot?
Default is ticked. I unticked it.
Yeah, maybe at some point we will not use .net at all, but I have to say, most developers still believe that .net is best for the gui. If we use the .net that is native to each OS, then .net does not have to be installed or activated, so I would like to do this asap. We have a few small bugs to work out and need to add a few new features, including the KMD, but hopefully we can add this soon. Thank you!
Cool, thank you controler... if anyone else has this issue, this is the temporary fix. We will have to figure out what is causing this and fix it.
Cool, thank you, this will help a lot when we start to debug under Windows 10. Right now, 10 is not far enough along for us to do any real serious debugging, but we will be on top of it and VS will be compatible with 10 by the time it is in the RTM stage. Thank you!
Thank you, I appreciate that! Yeah, this last year was rough, especially the last 6 months, but I think we are in great shape now! We just have a few small things to work out. Now that I have someone else taking over as lead developer, things should go really well.
Definitely, thank you guys for all of the help!
Cool, thank you Mark, I appreciate that very much!
Cool, thank you dgj05 and ghodgson, I will forward this to the new developer and see what he says, this will help a lot!
When I have tested UAC, basically, when I copy an executable to Program Files, Windows (UAC maybe) will ask for admin permission to copy the file to this folder. Then UAC will run the file whether it is signed or not. This is essentially how VS works because nothing can copy or install itself to the Program Files folder unless it is allowed by the user. BTW, I have been running VS with UAC on (Windows 8.1), and VS has been blocking items faster than UAC... has anyone else noticed this as well?
Yeah, VS currently uses the Low Integrity mode / method. We tried another method but it only worked with .net applications. The Low Integrity method seems to work pretty darn well, but we are going to develop the sandboxing features some more in the future, and we will look at the Restricted Token method that you mentioned! Thank you!
It's cool. I think we need to add a feature to both the Free and Pro version where after a couple of weeks, VS asks the user if they would like to disable the 2 options that automatically allow program files and specific windows folders. Please keep in mind, there are only around 5 folders in the windows directory that VS automatically allows when enabled. I still do not see how something can copy or install anything to these folders without VS's permission, but being that the whole goal of VS is to be a computer lock, I am very interested in locking everything down as much as possible... but still making sure it is user friendly. Thank you!
Over at the Norton Security Forum there has been concern expressed about the new cloud based SONAR (behavior detection) when the user is using his/her PC while not on-line. The use of VooDoo Shield was suggested as a possible solution. One poster expressed the view that VooDoo Shield would be a poor substitute for a properly functioning SONAR which apparently requires an active internet connection. (Norton has failed to respond to concerns expressed about the issue in any way, leaving the Community worried and confused.) That poster expresses his concerns about VooDoo Shield as a substitute for a non functional SONAR as follows:
"A user could download an executable program to their computer. Let's say this program plays a "free game". The program does not contain a virus, so Norton Security does not stop it. The program keeps track of the number of times it has been started. The first 9 times it is started, it just plays the game. The user thinks the program is ok, and the user allows VoodooShield to white-list the program. Since the program does not behave suspiciously, Norton Security's behavioral protections do not get invoked.
Then, one day, the user's internet connection goes down. The user has no access to the internet, and decides to play an offline game while waiting for their internet connection to be restored. The user runs the previously downloaded (and white-listed by VoodooShield) program. This program has not been altered, bit-for-bit it is the exact same program that was originally downloaded and white-listed. VoodooShield thinks everything is fine.
However, the logic (code) of the program itself could be designed such that after it has been run 9 times it does something different (or perhaps the logic of the program checks to see if an active internet connection exists, and if not, then the logic does something different). Again, the bits (i.e., code) in the program have not changed ... it is the exact same program that was originally downloaded ... the program's code is merely taking a slightly different path through the program's logic (if you have any background in coding, think about what happens with an IF, THEN, ELSE statement). So VoodooShield would not see anything different in the previously white-listed program, and allow it to run. However, the program could be designed such that on the 10th time it was run (or perhaps when the program detects that there is no internet connection available) then in addition to running the "free game" the program installs some malware.
Since (in the scenario I am describing) the user does not have an active internet connection, then Norton Security's behavioral protections cannot be accessed to detect that this program is trying to install something (i.e., suspicious behavior) ... thus (in this case) Norton Security's behavioral protections cannot stop the program from installing malware ... and VoodooShield is also not able to protect the user.
Symantec needs to address the potential exposure that can occur when the user's computer does not have an active internet connection."
Curious to hear what the experts here think of this comment.
Good question, thank you hawki! This is how VS 2.12 handles this scenario. Basically if there is not an internet connection, VS will allow you to run non-installers in a sandbox, but will not allow you to run installers. Other than that, if it is not on the whitelist, VS will block it until there is an active internet connection. I think we did this correctly, but if anyone has any suggestions on how we can tweak this to make it better, please let me know! Thank you!
Edit: Or, obviously, if anyone has any suggestions on any other scenario, please let us know as well! Maybe Symantec can replace Sonar with VS? Obviously I am joking, and I believe Sonar is more of a behavioral analysis, so I think VS would complement Symantec and Sonar nicely. If we are dealing with metamorphic or polymorphic malware, the hash would change and it would be denied by VS.
I forgot to mention (sorry, I got sidetracked)... if on the tenth time the code does something malicious, then it is malicious code and will at some point be detected by the blacklist scans. I do not think this is a very likely situation though because I would think that the whole goal of malware is to attack as fast as possible, otherwise there is a good chance that the file will be flagged as a threat before the code runs on the tenth time (on other computers). I guess a malware author could do this, but like I was saying, if a delay like this was built in to the code, it will probably be detected as a threat long before it can run its malicious code.
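To make the two points above concrete (hawki's run-counter scenario, where the whitelisted bytes never change, and the reply that a hash-keyed whitelist does catch a metamorphic variant but cannot see a logic path), here is an added example written for this thread, not VoodooShield's own code. It models a content-hash whitelist plus the offline policy described for VS 2.12 (installers blocked offline, non-installers sandboxed offline, everything else held until online). The sample "executables" are constructed byte strings, and the policy names and the `is_installer` flag are assumptions of the model.

```python
"""Hash-keyed whitelist with an offline policy (added illustration, constructed data)."""
import hashlib
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    """Content hash used as the whitelist key."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for program images; not real binaries.
GAME_IMAGE = b"MZ\x90\x00 free-game v1 (constructed sample)"
INSTALLER_IMAGE = b"MZ\x90\x00 setup.exe (constructed sample)"

# The user has previously allowed the game, so only its hash is whitelisted.
WHITELIST = {sha256_hex(GAME_IMAGE)}

@dataclass
class Verdict:
    action: str   # "allow", "sandbox" or "block"
    reason: str

def decide(image: bytes, is_installer: bool, online: bool) -> Verdict:
    """Simplified offline policy modelled on the behaviour described in the thread."""
    if sha256_hex(image) in WHITELIST:
        return Verdict("allow", "content hash is on the whitelist")
    if not online:
        if is_installer:
            return Verdict("block", "installers are not run while offline")
        return Verdict("sandbox", "unknown non-installer runs sandboxed while offline")
    return Verdict("block", "not whitelisted; held until cloud lookup succeeds")

def run_counter_scenario(runs: int) -> tuple[bool, int]:
    """hawki's case: the program's run counter lives in state outside the image
    (registry, config file), so the hash the whitelist sees is identical every time.
    Returns (hash_never_changed, final_run_count)."""
    state = {"runs": 0}
    seen = set()
    for _ in range(runs):
        state["runs"] += 1            # behaviour may branch on this value...
        seen.add(sha256_hex(GAME_IMAGE))  # ...but the bytes on disk do not change
    return len(seen) == 1, state["runs"]

def metamorphic_variant_verdict(online: bool) -> Verdict:
    """The reply's case: any change to the bytes changes the hash, so the
    variant is no longer whitelisted and falls through to the offline policy."""
    mutated = GAME_IMAGE + b"\x00"   # constructed one-byte mutation
    return decide(mutated, is_installer=False, online=online)

if __name__ == "__main__":
    print(decide(GAME_IMAGE, False, False))
    print(run_counter_scenario(10))
    print(metamorphic_variant_verdict(online=False))
```

The takeaway matches the thread: a whitelist keyed on file content is a strong lock against *new or altered* code, but by construction it says nothing about which branch an already-trusted program takes on its tenth run, which is why the reply leans on blacklist scans and behavioural analysis to cover that gap.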
I was thinking about this question last night... like, what would be the worst case scenario for malware. Remember conficker, and how it infected a lot of machines and basically did nothing except to call home everyday as it waited for further instructions? That is similar to the scenario you described, but I think it has a better chance of evading detection until it is instructed to run its malicious code.
For 33 years we have been running unlocked PCs. I think it is time that we stop running just any random executable code, lock our computers and run only what we really need to run. I was excited when UAC was first announced in 2006 because it was almost like a computer lock. The first version of UAC released with Vista needed a lot of work, and MS has made it a little better over time, but I think they could make it a lot better. When Apple realized that they needed to address the ever growing malware situation, they created Gatekeeper 1.5-2 years ago, which is great, but even it needs some work... like some kind of user interface, and maybe not rely so heavily on publisher / digital signatures.
Either way, I think we need to come up with some kind of user-friendly computer lock that only allows what is absolutely necessary, and we need to stop running just any random executable code on our systems. To me, malicious code is malicious code, and it should never be run on any system, for any reason, whether it is in a sandbox, VM, or whatever. We still need blacklisting, heuristics / behavioral analysis, etc., but it would be nice to move a little more towards a unified whitelisting system where all software developers would basically demonstrate that their software does not contain malicious code.
VS is obviously my version of a computer lock, but maybe tomorrow someone will think of an even more effective and user-friendly computer lock than VS or anything else on the market. And I am perfectly ok with that.
Edit: BTW, I realize that a lot of advanced computer users might not want to lock their computers, especially if they are pen testing or testing malware. But I believe that the 90-95% of the users who are not advanced users should lock their computers, in a deny by default method so that the possibility of them clicking "Yes" or "Allow" is eliminated. Especially if they work at places like Target, Home Depot, or any of the many banks that have been breached recently.
Yesterday, I got a popup from Zemana Anti-Logger, advising of an update to the program. However, I disallowed it, since it wasn't convenient at that stage to proceed with the update.
However, I got the same ZAL popup again later, and this time I allowed it.
VS, this time, stepped up to the plate, and in its inimitable style blocked the temp file from running, but because I am cognizant of what is usually happening on my system, I chose to override the initial VS warning and allowed the temp file to run. The update proceeded to run, successfully.
Yes that's why I asked, because AFAIK, even when you turn UAC off in Windows 8, it will still not allow you to copy files to the "Program Files" folder.
Yes, I think it's probably an easier way to restrict apps without the risk that apps will not run at all, because of the low integrity.
I have the beta version, 2.41, and every time I start up my laptop, I have a message to update this beta version. The problem is that it couldn't connect to the server for downloading this beta version.
Could you tell me which is the latest beta version, please?
Win 64 bit Home.
Even with VS set to training, I can't install Shockwave and Adobe has errors when installing. I was only able to install Shockwave with VS shut down. Protected user space is off. FYI
The latest one is VS 2.12 Final... you got 2.41 beta?
I don't use shockwave but adobe flash installed fine with training mode... even though near the end it shows a new instance which says installation error because another instance is already running... but the program updated fine...
Like WBD's post on an earlier page, I think... it's advisable to disable VS while installing a program to avoid a blocked installer, and reactivate it after the program finishes installing.
Disable VS then install Flash again, you won't receive any errors. By disabling I assume you mean "shutdown" VS so that I may install a program, which seems strange to me. Wouldn't that make security software worthless?
Then again, Gumps ain't too bright.
New User here, had to register to give props! lol I've perused the last 10 pages (191-201) before posting any ?'s. I'm glad I did, because I got the link to the free offer which expired today. Installed it yesterday. I did experience VS not loading the tray icon and desktop widget. It also took 3 boots for the welcome message to appear. That's when I started reading these posts.. lol. One thing I found is that Geek Uninstaller was flagged as a trojan or something to that effect. I'm diggin' this software, great job Dan.
To resolve the startup issues, I deleted the files in ProgramData folder as suggested.
Oh, and thanks for being so generous to the members/helper bees. From reading all these posts sounds like you're a good natured, honest, and all around cool human being. Thanks again.
Learned about VS from Britec (Youtube)
Running Win 7 Ultimate 64 Bit Svc Pack 1
Included are my logs.
No... right click on the VS and select Disable Protection for a while...
Yes, it might seem strange to some.. but you know sometimes some installers run a bunch of scripts/another exe that might get blocked by VS, so then you'll get a kind of crippled installed software, even though in the end the installer finishes the install. Some part/thing might be problematic because of that...
Then again VS is an addition to the AV protection on our computer... so if you turn off VS for a bit I don't think it will be much of a security breach or some kind...
as long as you install software that you know is already safe and genuine... It's just like installing your software right before you started using VS, right?
Not so much different... after you turn on VS then you'll get another layer of protection for your PC..
Thank you! That makes much more sense and I have never used that function. TY
You're welcome MrGump
Thank you guys for the help! Welcome l3l312 to the forum, and thank you!
The free VS Pro offer ended last night, but if you guys ever need a license, please let me know.
Also, the VoodooShield Challenge is over for now as well... but we will have an official one soon that we will post on our website. So if you find anything that can bypass VS, be on the look out for the real VoodooShield Challenge.
The new beta will be ready soon, it will include the 4-5 minor bug fixes, and possibly 1 or 2 new minor features.