VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The "Do not whitelist items in the appdata directories" option is just an additional security feature that, honestly, we probably don't even really need. Basically, pretty much every virus or malware writes to these folders. So to stop the chances of a virus spoofing an Acrobat Reader update, for example, we added this option. Really, executables should never be run from these folders anyway... executables belong in Program Files and Windows. But since they do not belong here, nothing here should ever be whitelisted anyway... but of course there are always exceptions, and that is why we have that option.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not looking for an argument, I have enough to deal with ;).. You were suggesting that VS could be bypassed, so bypass it already ;).
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yes, exactly ;).
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I know a few different methods used by security software to protect Program Files folders. Some software scans Program Files folders and whitelists what software is already installed. It will allow that software, but will not allow anything new to execute there. I like this method very much. VS could do the same thing with its snapshot technology, and would be faster than scanning. The other method is using policy to not allow web-facing applications to write to Program Files. The user can even block writing to files already installed in Program Files. HIPS applications like Online Armor use a hybrid approach. OA will scan Program Files during installation, and whitelist applications trusted in the cloud. OA will still monitor their activity. It also has an option to automatically allow signed applications. The user will be prompted for applications installed in Program Files that are not on the whitelist. Online Armor does it really well because it has such good whitelisting, but some HIPS will drive you buggy answering the prompts due to their lack of whitelisting.

    I have not used UAC in forever, but I think it still monitors Program Files. It used to prompt me for CCleaner and my disk defrag software. They are both installed in the Program Files folder, so unless something has changed, UAC does monitor the Program Files folder. CCleaner currently has an option in advanced settings to Skip UAC prompt. I have Online Armor already monitoring Program Files, so it would be redundant for me to enable UAC, plus I don't like how UAC prompts me when launching safe applications I already have installed. It's not really that bad, but I don't see the sense in it when I already have it covered with OA.
     
    Last edited: Feb 19, 2015
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Sorry, I missed your reference to Rmus in your post. I will chat with him about it later. Thanks!
     
  6. funkymonkeyboy

    funkymonkeyboy Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    73
    I take it I can allow this.

    "c:\windows\system32\rundll32.exe" newdev.dll,deviceinternetsettingui 3

    Also when I auto detect web apps, it finds AVguard. Should that be a webapp?
     
    Last edited: Feb 19, 2015
  7. Miquell

    Miquell Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    32
    Location:
    Poland
    Hi Dan,

    I've installed the latest beta 2.23k and unfortunately the issue with saving settings still tends to appear on my Windows 8.1 PL 64-bit :( Deleting the .dat files did not change anything.
    I made a short video (sorry for the poor quality but I had a little time) and sent it to you via mail. Hope it may be useful for something.
    Apart from this well-known issue the latest VS beta build works great :thumb:

    Best regards,

    Mike

    BTW: The project of the new website looks AWESOME!! :D
     
    Last edited: Feb 19, 2015
  8. I looked at the website, may have overlooked it. Is there a list of email clients which will switch VD on automatically?
     
  9. Spruce

    Spruce Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    297
    No, I use the Swedish version.
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,053
    Location:
    Ontario, Canada
    Have a look at this and I hope it answers your question!

    Daniel :)

    2015-02-19_10-33-27.png
     
  11. Miquell

    Miquell Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    32
    Location:
    Poland
    Dan, I'm having some issues with my mail (somehow alerting me of errors and that the message couldn't be delivered). I sent you a link to the video on Private Conversation.
    Hope you'll be able to download it.

    Cheers :)

    Mike
     
    Last edited: Feb 19, 2015
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,053
    Location:
    Ontario, Canada
    You're very welcome, Kees.

    Daniel :thumb:
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I see what you mean, but we have to be very, very careful with what we do... we do not want to infringe on any patents. I distinctly remember reading in a patent that described scanning the hard drive and adding the executables that already exist to the whitelist. Now, I do not know if that is claimed in a patent or not, but it is certainly prior art, so that really is not an option right now, unless I can find which patent that was in and contact them about licensing their technology. Besides, we want to keep the whitelist as tiny as possible, and besides, if something already exists, why reinvent the wheel? I think the best thing to do is just to ask the user after a few days if they want to lock down their computer even further. That, or I have a couple of other ideas in mind... one might be really, really, really cool if I can get it to work.

    I just tested UAC with default settings, and it did auto allow a file (Windows 8.1 / 64 bit). I know what you mean though... the way UAC is, sometimes it prompts the user EVERY SINGLE TIME they open the same file. So it has always been kind of a mystery how it works ;). Thank you!
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, that looks good. I will add it to the hardwired list. Thank you!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! We are getting close (with ichito's, the French guy and your help that is). I hope to have it fixed today sometime.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    How do I defend against an erroneous assumption ~ ~ There's a reason why
    ALL software is offered AS IS without any express or implied warranty.
    2.23k
     
    Last edited: Feb 20, 2015
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Excellent questions and I'm sure many of us are curious. Quite honestly, I think we would need Fabian or any of the anti-exploit devs to answer these definitively since they would have a full understanding.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, that would be great to get some more opinions on this topic from seasoned security devs. Here is my very brief explanation.

    The whole purpose of an exploit is to find a vulnerability in some software, e.g. Flash, Java, etc., that allows the exploit to run an executable payload so it can do something… some kind of work or damage… basically run some executable code.

    Well, if the payload (executable) is blocked from ever running in the first place, how is it going to copy the file to another folder? The exploit itself can only run the executable; it cannot copy a file from one place to another. Let alone the whole concept of Windows protected folders, where you need admin permission to copy a file to certain vulnerable folders (I know, this is not available in XP).

    Also, programs only have access to certain folders, unless the program is run as admin. For example, VS's GUI runs as invoker, so it can only write to certain folders. Right now, VS is only coded to write to the c:\programdata\voodooshield folder, and that is why all of the .dat and .log files are stored there. This is what TH was saying earlier… another example is that Internet Explorer is going to write only to the Temporary Internet Files in the user space (or whatever). So unless the exploit can run the payload, and somehow magically tell the exploited code to run as admin and copy a file to a different place, that also happens to be a Windows protected folder… well, I think we are safe ;).

    So what I am saying is that if an exploit attempts to run its payload, but the security software blocks the executable payload, it cannot possibly copy a file to anywhere.

    This is the way I understand it, but someone please correct me if I am wrong!

    Edit: So this is why you find most viruses and malware in the user space... appdata or programdata typically... it is because they have no problem writing to these folders.
     
    Last edited: Feb 19, 2015
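Added example (not code from this thread and not VoodooShield's own implementation): a small Python model of the two whitelisting behaviours discussed above, the snapshot-of-what-is-already-installed approach from post 4 and the "never auto-whitelist anything in user-writable folders such as AppData or ProgramData" rule from post 1, which post 18 motivates by noting that malware typically lands in those folders because a standard-user process can write there. The in-memory disk, the file contents and the three verdict names are constructed for the example; the path roots are the standard Windows ones.

```python
import hashlib
import ntpath

# Install roots: executables found here at snapshot time are trusted (post 4).
INSTALL_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# User-writable roots: a standard-user process can drop files here, so nothing
# under them is ever added to the whitelist automatically (post 1 / post 18).
USER_WRITABLE_ROOTS = (r"C:\Users", r"C:\ProgramData")

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Constructed in-memory "disk" (path -> file bytes) standing in for a real
# filesystem walk; the file names and contents are made up for the example.
SAMPLE_DISK = {
    r"C:\Program Files\CCleaner\CCleaner.exe": b"ccleaner-build-5",
    r"C:\Windows\System32\rundll32.exe": b"rundll32",
    r"C:\Program Files\Defrag\defrag.exe": b"defrag",
    r"C:\Users\mike\AppData\Roaming\Adobe\update.exe": b"installer-maybe",
}


def _norm(path):
    # ntpath works on every host, so Windows paths normalise identically on Linux.
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, root):
    # Prefix match on a whole path component, so "C:\Program Files (x86)"
    # is not mistaken for a child of "C:\Program Files".
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + ntpath.sep)


def is_user_writable(path):
    return any(_under(path, r) for r in USER_WRITABLE_ROOTS)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_whitelist(disk):
    """Hash every executable under the install roots; skip user-writable ones.

    Keyed by content hash, so a file that is later replaced in place (same
    path, different bytes) no longer matches.
    """
    whitelist = {}
    for path, content in disk.items():
        if not path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        if is_user_writable(path):
            continue  # never whitelisted, even if it exists at snapshot time
        if any(_under(path, r) for r in INSTALL_ROOTS):
            whitelist[sha256(content)] = path
    return whitelist


def decide(path, content, whitelist):
    """Return (verdict, reason) for an execution attempt.

    PROMPT: launched from a user-writable folder, never auto-allowed.
    ALLOW:  bytes match an executable that existed at snapshot time.
    BLOCK:  new or modified executable inside an install root.
    """
    if is_user_writable(path):
        return ("PROMPT", "executable in a user-writable directory is never auto-whitelisted")
    digest = sha256(content)
    if digest in whitelist:
        return ("ALLOW", "hash matches snapshot entry " + whitelist[digest])
    return ("BLOCK", "executable not present at snapshot time")


if __name__ == "__main__":
    wl = snapshot_whitelist(SAMPLE_DISK)
    events = [
        (r"C:\Program Files\CCleaner\CCleaner.exe", b"ccleaner-build-5"),
        (r"C:\Program Files\CCleaner\CCleaner.exe", b"ccleaner-tampered"),
        (r"C:\Program Files\NewTool\newtool.exe", b"dropped-after-snapshot"),
        (r"C:\Users\mike\AppData\Local\Temp\CCleaner.exe", b"ccleaner-build-5"),
    ]
    for path, content in events:
        verdict, reason = decide(path, content, wl)
        print(f"{verdict:6} {path}  ({reason})")
```

Note the last event: the bytes are identical to the whitelisted CCleaner, but because the location check runs before the hash lookup, a copy launched from AppData still prompts. That ordering is what makes the "do not whitelist items in the appdata directories" option meaningful: a trusted hash is not enough on its own when the file sits somewhere any process could have written it.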
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Post 5933: You said "Well, then you've got a gold mine.... I'll run FREE .... as VS cannot be bypassed. Correct ? VS FREE cannot be bypassed. Correct ?"

    By saying Correct?...TWICE... that sure sounded like you found a way to bypass VS. Does that mean I have a gold mine? ;)
     
  20. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    Seems to be the best one yet for me. I don't even experience a stutter when launching it :)
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Sorry Dan... on my Vista 32-bit PL still the same as Miquell wrote. I have in my archive about 10-15 earlier versions of VS and I'll check in which settings work properly... because they earlier worked without issues as I remember. Maybe the problem is in some little change of code of VS?
     
  22. Miquell

    Miquell Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    32
    Location:
    Poland
    Hi ichito,
    Good idea :thumb: Maybe somehow it will be helpful in solving this issue.
    On my board saving settings seems to be working as such, however each time when I'm opening the settings window again, the previously made changes are not visible.
    I also hope that maybe the problem will require only minor adjustments and little changes and I'm sure that Dan will quickly solve it :)
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    click'd Quarantine and nothing happens ? Why ?
    VS quarantine.png
     
    Last edited: Feb 20, 2015
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Does Quarantine drop rights? I Quarantin'd mspaint.exe > then I was unable to save print screen because not having privilege. I opened Paint with Run as Admin and was then able to save. What happens to a process upon VS Quarantine? VS Quarantine Folder is empty ?
     
    Last edited: Feb 20, 2015