VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is pretty much how it works, and it happens to work really well. It was a crazy idea I had after a few beers one night ;). Yeah, like if you start VS there is not a temporary digital certificate stored. But if you allow something, and assuming that file is digitally signed, then all new files with that digital certificate will be allowed, until VS deactivates automatically (or is shut down of course), or until another one comes along that is allowed by the user. The whole idea being this... typically, that feature is useful for installers so that all of the executables can be allowed automatically during installation (without the user having to keep clicking yes). Since VS does not permanently store digital signatures, it should be perfectly safe. As I always say... malicious code should NEVER be allowed to run on a system, because once it is allowed to run, then the system is compromised. So basically, VS will block (and scan) the first digitally signed malware file, and unless the file comes back clean and the user really, really wants to run the file, then it should work perfectly, right? I hope I am explaining this right, if not, please let me know!

    The whole digital certificate issue is probably much more common than we all think it is. Please read the following link.

    http://www.welivesecurity.com/2010/07/22/why-steal-digital-certificates/
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that, I got your email and it is all fixed. For some reason you were not in our database... darn hackers ;). You should be good to go, if not, please let me know!
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Thank you for your explanation! That makes sense.
     
  4. l3l312

    l3l312 Registered Member

    Joined:
    Nov 11, 2014
    Posts:
    22
    Dan, you my friend are THE man! Worked like a charm. I really appreciate it. I'll keep preaching the Voodoo gospel and am looking forward to the next updates. Sorry to hear about the new Dev not being full on as you expected. Looks like the 3 yr cycle of non-coding will be broken. hehe Thanks again Dan.

    Best regards,
    l3l312
     
  5. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    Hi Dan

    Sorry to say that I have more starting problems:

    This is 7009
    Code:
    A timeout was reached (30000 milliseconds) while waiting for the VoodooShieldService service to connect.
    and
    7000
    Code:
    The VoodooShieldService service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.
    I think this might have been down to the router being offline. I have to reset the SNR to stabilise the connection, but would have expected VS to re-try.

    Using the icon it would not restart, so instead used VS under Services to restart it.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    Morning Dan,
    In addition to unanswered questions in post: 2428756 edited today bjm_ said:

    How do I get rid of the UAC Off warning at boot? Either VS didn't Off it. Or, it got turned on and I Offed it.
    Is there a registry switch?
    If I do a VS over-install will that fix UAC Off (probably an unknown, too many variables) and does an over-install or uninstall / install prompt the need to train VS again in the free version?
    Rhetorical: Where did you come up with the name VoodooShield? Voodoo implies black magic. VS is white magic.
    I would have gone with VS = VirusShield. R U connected to Voodoo Security?

    Too bad about the new developer for VS. Good news for the developer.

    Amazing how you came up with the idea. Hopefully patentable.
     
    Last edited: Nov 20, 2014
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This was exactly my worry over the past few weeks. Congratulations to him and his family for having a new baby coming soon, of course. That is very exciting. But regarding the complexity of code, this has been the number one worry of mine since I started using VS the past few weeks, because I noticed many times in recent weeks where you have mentioned trouble finding new developers, or trouble having new developers stick around long enough, and now this. Anytime a new developer comes into any new software project they have to learn the structure of the codebase and, of course, it can be even more complex for security software.

    However, Dan, I know you are a good businessman and you have a passion for this software that you have created and I know that you will figure the development situation out and everything will be all good in time. I personally believe, though, that you need a full time developer on board at all times. Especially when it comes to implementing a kernel mode driver and so on. I do wish you the best of luck, always. I will continue to follow VS closely because I am kind of hooked on it now. Like a drug. :cool:
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    I got hooked just after two days of running VS. It is a drug. I agree with WildByDesign.
    1) Read this on Bleeping today... wondering if VS locks out malicious JS, protecting my personal files and folders while I'm in a web-facing app (browsing).
    2) In the free version is it possible to reset the whitelist snapshot for a single exe? It appears as if I may only reset a single exe by resetting my entire whitelist snapshot and training again. Training is just 5 min... so, is that the only way to reset a single exe in the free version? Does Pro offer granularity?
    VS is a drug :thumb:
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    1) Yes, VS does block Javascript. I personally could not find any scripting that it wouldn't block. Even Powershell and much more. I tried everything.

    2) Yes, right-click on the VS icon and choose the option for Log / Whitelist, something like that. Then within that, select Edit Whitelist. Instead of resetting the entire whitelist, simply right-click on the line for the program you want removed and choose Remove. Not running VS at the moment so the wording might be slightly off from what I said.
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    Hello WDB
    Thanks for your info and interest
    1) So, VS protects against Poweliks and Crypto Ransomware?

    2) I already tried as you instructed. That's why I asked if Pro had granularity. Here's my scenario. I opened a pdf with Foxit Reader. Foxit Reader was not in my whitelist snapshot as yet. VS popped > scanned Foxit Reader > came back with the options Block / Sandbox / Allow. Sandbox would not go, with some reference to the Foxit Reader whole program not being available. May be because I was running Firefox Sandboxie'd and Foxit Reader Updater does not have access to the web. I do all my updates outside my Sandboxie browser sandbox. Anyway I Allowed and the pdf opened. I tried to recreate the event so I could observe. I deleted the reference to Foxit Reader in the whitelist snapshot. I Sync'd VS ~ and the pdf file opened with no pop from VS. Log still showed foxit reader.exe Allowed. I Cleared Log, not knowing if that would make a difference. Again deleted Snapshot Foxit Reader > Sync'd VS and the pdf file still opened with no pop from VS, and the whitelist snapshot had an entry for foxit reader. I could not recreate the initial event where VS popped and scanned. So, that's why it appears with this scenario I do not have granularity in free VS. IDK if Sandboxie works through VS. Sandboxie is in the whitelist snapshot. Don't know how to test again as I must have trained everything else except Foxit Reader. Now Foxit Reader is Allowed and in the Snapshot. Guess I can try Adobe Reader. That's not trained yet. But, I was wanting to keep Adobe Reader out of my Snapshot. I imagine there is no harm in adding Adobe Reader. Just like to prove to myself that I may edit the snapshot granularly by app. So far, no joy.
    Comments?
     
    Last edited: Nov 21, 2014
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Is Foxit Reader located in the Program Files Folder? I have not used Foxit. If it is then I'm not sure why it gave you a VS prompt the first time unless it was due to some file Foxit was using in the user-space like in the appdata folder. Do you have, "automatically allow all software from the Program Files Folder" ticked? If you do then you should not get a VS prompt for Foxit unless it is executing something in the user-space. That may be why Foxit is not showing up in your whitelist because you already have all software in the Program Files Folders whitelisted in the settings. If you have that option ticked in the settings then I don't know if you can remove individual software from the whitelist that is installed in the Program Files Folder. You have already allowed all software installed in the Program Files Folder. Maybe VS excludes by file Path when that option is ticked in the settings, and the files don't have to be on the whitelist even though they are listed. So if you remove the file from the whitelist then you still will not receive a VS prompt because it is still being allowed by path. That would be a good question to ask Dan.
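    Two mechanisms come up in this thread: the session-scoped trust that Dan describes in the first post (allowing one signed file lends its signer to the rest of the session until VS deactivates, and nothing about the signer is stored permanently), and the path-based allow that Cutting_Edgetech reasons about here (a file under Program Files is allowed by path, so adding or removing its whitelist entry changes nothing). The following is an added illustration of how an application whitelist with those two rules can be modelled; it is not VoodooShield's code, and the rule order, the hash-keyed whitelist, the `ExecFile`/`Shield` names and the sample file paths and signer names are all constructed for the example.

```python
"""Model of a default-deny execution policy with two allow sources:
a persistent hash whitelist plus path rules, and a signer trust set
that lives only for the current shield session. Added example only;
not VoodooShield's implementation.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional, Set, Tuple, Dict

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class ExecFile:
    """What the policy sees about a file that is about to execute."""
    path: str
    sha256: str                    # constructed hash stand-in, not a real digest
    signer: Optional[str] = None   # subject of a *verified* code signature, or None


@dataclass
class Shield:
    # Path rules: anything below these prefixes runs without a prompt.
    allowed_path_prefixes: Tuple[str, ...] = (r"C:\Program Files", r"C:\Program Files (x86)")
    # Persistent whitelist (the "snapshot"), keyed by file hash, not by name.
    whitelist: Set[str] = field(default_factory=set)
    active: bool = True
    # Session-only signer trust; deliberately never written anywhere.
    _session_signers: Set[str] = field(default_factory=set, init=False)

    def _allowed_by_path(self, path: str) -> bool:
        p = PureWindowsPath(path)
        for prefix in self.allowed_path_prefixes:
            root = PureWindowsPath(prefix)
            if p == root or root in p.parents:   # PureWindowsPath compares case-insensitively
                return True
        return False

    def decide(self, f: ExecFile) -> str:
        """Default deny: return ALLOW only if some rule positively allows the file."""
        if not self.active:
            return ALLOW                          # shield is off: nothing is gated
        if self._allowed_by_path(f.path):
            return ALLOW                          # path rule wins; whitelist entry irrelevant
        if f.sha256 in self.whitelist:
            return ALLOW                          # user or training allowed this exact file
        if f.signer is not None and f.signer in self._session_signers:
            return ALLOW                          # same signer as a file allowed this session
        return BLOCK

    def user_allows(self, f: ExecFile) -> None:
        """User clicked Allow on a prompt: remember the hash, lend the signer to the session."""
        self.whitelist.add(f.sha256)
        if f.signer is not None:
            self._session_signers.add(f.signer)

    def deactivate(self) -> None:
        """Shield off (auto or manual): temporary signer trust is discarded, whitelist kept."""
        self.active = False
        self._session_signers.clear()

    def activate(self) -> None:
        self.active = True


def demo() -> Dict[str, str]:
    """Walk the thread's scenarios; returns each decision keyed by step."""
    shield = Shield()
    # Constructed sample files; signer names and hashes are placeholders.
    installer = ExecFile(r"C:\Users\u\Downloads\setup.exe", "h-setup", "Example Vendor Ltd")
    helper    = ExecFile(r"C:\Users\u\AppData\Local\Temp\helper.exe", "h-helper", "Example Vendor Ltd")
    unsigned  = ExecFile(r"C:\Users\u\AppData\Local\Temp\drop.exe", "h-drop", None)
    reader    = ExecFile(r"C:\Program Files\ExampleReader\reader.exe", "h-reader", "Example Reader Inc")

    out = {}
    out["installer_before_allow"] = shield.decide(installer)      # block: unknown, prompt
    shield.user_allows(installer)
    out["helper_same_signer"] = shield.decide(helper)             # allow: signer trusted this session
    out["unsigned_helper"] = shield.decide(unsigned)              # block: no signer, not whitelisted
    out["reader_in_program_files"] = shield.decide(reader)        # allow: path rule, no prompt
    shield.whitelist.discard(reader.sha256)                       # removing a snapshot entry...
    out["reader_after_whitelist_removal"] = shield.decide(reader) # ...changes nothing for a path-allowed file
    shield.deactivate()
    shield.activate()
    out["helper_after_restart"] = shield.decide(helper)           # block: signer trust did not survive
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:32s} {decision}")
```

    The ordering in `decide` is what produces the behaviour bjm_ observed: a file under an allowed path never reaches the whitelist check, so deleting its snapshot entry cannot make it prompt again. The signer set is cleared on `deactivate` and never persisted, which is the property Dan relies on when he says a signed malware file still gets blocked and scanned on its first appearance.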
     
    Last edited: Nov 21, 2014
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Always happy to help and share with the community.

    Unfortunately, for more control over individual programs you would need the Pro version. Surely if you asked nicely, Dan would hook you up. But yes, Program Files folders are automatically approved and whitelisted in Free version. It's much easier that way for regular everyday people to use the Free version because they don't necessarily have the knowledge that us security-conscious people have. For us, who like control and lots of settings to tweak, the Pro version gives you way more ways to lock down your system even tighter. The Free version is more of a fine balance between security and convenience. Although I must say that the Free version is still locked down quite tight. Pro just gives you more control over everything. Personally, I would definitely put my trust in VS Pro. Well worth it. For everyday users who aren't very security-conscious or lack the technical knowledge, Free version would be the way to go for their use case scenario.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    You must have read my mind. Yes, Foxit Reader is located in Program Files. The first time with the pop I did see an AppData entry but thought no one would be that interested as it seems you all run Pro. Sandboxie running does have AppData Local and Roaming. So, on the initial pop I saw Foxit Reader.exe + AppData entry. I deleted all reference to Foxit Reader > Sync > open pdf > no pop > check Log and Snapshot > only listed Foxit Reader. Repeated the delete > sync > no pop. The free version does not have any tick boxes. Training seems to be extremely intuitive. Foxit Reader is in the whitelist snapshot now. Log states Allowed.
    I doubt I would tick automatically allow all software from Program Files. I like having the training whitelist Programs. I have no options to tell training what to do. I open SpywareBlaster for the first time and VS SmartMode did its thing. It is what it is. I do have the option to delete line by line in the whitelist but it doesn't seem to change Allowed. Once Allowed, ever after delete > sync the app opens, no pop. Maybe Program Files is defaulted and I'm just seeing the programs in the user space. I think I got the pop because Foxit Reader is in Sandboxie Start>Run, allowed to run in the sandbox but not allowed to access the Internet. Opening Foxit Reader, Foxit Reader Updater wants to run accessing the internet. Maybe there was a race between Sandboxie and VS. It was the first time seeing the pop. So, not having a book with pictures I can color, I'm in a learning curve. An hour later I noticed disk thrashing and looked over to the VS Icon as it was Off. I was still browsing. When the thrashing stopped after one min, VS Toggled to On. So even in Always On, Training must be happening. I just don't know why the thrashing and why in Always On VS went Off. Bug?
    Guess I better get Pro and see what all you loyal VS citizens are talking about.
    Tick boxes? :eek:
     
    Last edited: Nov 21, 2014
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    How did you go about testing to see if VS blocks javascript?
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    1) Curious, does VS play well with W8.1 Pro, as Pro has added security, eg: BitLocker, BioMetrics?
    As a section of the drive is encrypted, does that pose any issues for VS?

    2) Edit: Had my first experience with drag and scan. How convenient!
    Download AdwCleaner ~ drag to VS Icon ~ 1 TrojanDropper
    Probably a FP. But, I have no issue with that... prefer caution over crap.
    ToolsLib posts the hash, so a check with vt prompted the same results. Go figure :thumb:
     
    Last edited: Nov 22, 2014
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    Again, to introduce myself. I just started with the free version. As there is no matrix, I did not appreciate the difference between free and Pro. Thanks to Wilders for providing a venue and to Pro users' compassion for VS. The free version does not have tick boxes. Even though I may delete the reference to Foxit, the VS free version seems not to pay attention. I must have to Reset Whitelist and Train again. As you write ~ Good question for Dan. I was surprised yesterday when 3 exe's of a whitelisted program file previously not run auto-populated to Snapshot. I now see that children of a whitelisted program file are allowed to run. What was interesting and unexpected was while browsing.. VS AlwaysOn. VS turned Off. I investigated and found the 3 exe's. So, even though the app was in my snapshot, the never-before-run exe's had to be added and I imagine that caused VS to Off even though set to AlwaysOn. For approx 30sec's there was HD thrashing ~ VS Off, then thrashing stopped and VS On. I believe my user space was still protected for that 30sec's. Oh, may be of interest, the program was NIS. The children are parts of the NIS engine that I presume needed to background scan or update. VS is a drug :thumb:
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,172
    Location:
    .
    Yes...interesting in your testing.
     
    Last edited: Nov 23, 2014
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you! Yeah, it would be nice to find someone who can take over the development so I can focus on other things. One of the problems is that the code is quite complex now, and it would take a different developer a long time to familiarize themselves with the code. So I am going to keep going, and when I get stuck, I will ask one of the other developers for help. There are quite a few new features I would like to add, but I am going to do it gradually over time, and not 60 or so hours a week ;). Besides, now that the code is in great shape (with version 2.13), it will be much easier to work on.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for letting me know! Yeah, on some systems, the VoodooShieldService is not starting properly. I will take a close look at the service and see what might be causing it. What other security software are you running? The only known incompatibility is MBAE.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I would just turn UAC ON or OFF manually, that does the same thing that VS does to turn it OFF. That should fix it.

    It is a long story how we came up with the name, I posted it on this thread awhile back, maybe I will try to find it at some point.

    No, we have never heard of Voodoo Security.

    Yeah, I think we have a great chance of getting a solid patent on the toggling desktop shield gadget / computer lock concept, along with the snapshot. We are in the final stages of getting our patent issued, and believe me, it has not been easy or inexpensive ;).
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that! Yeah, one way or another VS is going to move forward. This whole thing has been one obstacle after another, but that is part of the fun ;). I am sure I can keep going on the code and make it even better, but a couple of weeks ago I was burned out, but now (after a quick break) I am all fired up again ;). Actually, this weekend I replaced my HDD with a SSD because my development machine's hard drive was SOOOOOOOOOOO SLLLLLLLOOOOOWWWWW, and it absolutely drove me nuts for a year or so. But we are good to go now, I am going to start adding new features soon, including the KMD. When I get stuck, I will ask one of the developers or find a new one to help me.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you! Here is a JSExploit Test... Yeah, VS has no problem blocking this kind of stuff (or anything that we have found so far). Actually, most browsers block this kind of stuff as well, and you have to manually allow this kind of stuff. Here are the instructions, I hope I am not forgetting something:

    http://voodooshield.com/artwork/JSExploit.html

    1. Save the above file to your hard drive
    2. Copy an exe to your c:\ root and rename it Test.exe
    3. Open the above file in Internet Explorer (it is the only browser that I know of that will let you allow this blocked content without making changes to the settings)
    4. Run it and watch VS block it.

    Yeah, you can reset the whitelist snapshot in the User Log / Snapshot screen. Just click Edit Snapshot then Reset Whitelist.

    I am not sure what you mean by granularity, can you please explain?
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! BTW, if you ever do find something that slips through, keep a copy of it for when we post the VoodooShield Challenge to the public ;). We are going to do that soon, but we want to do it right, with terms and conditions and everything, so that everyone knows what the rules are and that there are no misunderstandings. The first VS Challenge that I posted a few weeks ago was probably not a good idea since it was just a last minute thing that was not planned very well ;). But thankfully it all worked out ok, and there were no misunderstandings... but even more importantly, I did not have to personally buy anyone an iPad Mini ;). When we do it for real, the company will pay for the "prizes" if someone wins, so we will be able to offer much more than an iPad Mini hopefully.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, VS should have no problem with either of those. We tested CryptoLocker with VS 1.30 and 2.0 and it worked perfectly.

    I just installed Foxit Reader, and as CET suggested, it was allowed since it is in the Program Files folder... so I am not seeing where the rub is. Please explain and I will do my best to help. BTW, the sandbox feature basically just allows the user to test unknown executables, and it does not whitelist the sandboxed executable. Thank you CET for the help!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, thank you for all of your help!
     