VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,002
    Location:
    .
    Not Checked
    Auto allow all software from program files folders
    Auto allow specific critical windows processes
    Auto allow windows 8 metro store
    Temp allow by publisher signature until reactivate
    Auto allow by parent process
    Checked
    Do not whitelist items in the appdata

Upon Reset Whitelist Taking Snapshot ~ what criteria does VS employ to populate the Snapshot? Is VS Training simply the unfettered whitelisting of running processes ?

    Why not log running processes ? So, that I may snapshot whitelist discrete from running processes. What makes a running process... a safe to allow process ?
     
    Last edited: Feb 20, 2015
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,002
    Location:
    .
By saying Correct twice, I was asking for confirmation twice that VS Free cannot be bypassed. Note the question mark after Correct. A question mark indicates a question. A question mark simply prompts an answer. "VS Free cannot be bypassed. Correct ?" = Q: Can VS Free be bypassed ?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you MrGump, ichito and Miquell!

Now that I have seen a video and have talked to you guys more about the non-English Windows bug, I have a better understanding of what is actually happening when the error occurs. It should be easy to fix. I am going to focus only on that for the next several hours and hopefully we can get it fixed asap!
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ahhh, good catch, thank you. Yeah, the quarantine button should not be showing when VS blocks something in Program Files, I will fix that. The reason is that VS will stop the virus or malware before it ever reaches the program files folder, so anything that it detects as a threat in this folder is most likely a false positive.

    See, that is a good example of how executables that run as invoker do not have access to certain folders, like Program Files and a lot of the Windows folders.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Oh, sorry, I read that as a bluff ;). That is the problem with text... sometimes people misunderstand each other ;)
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yes, the snapshot is basically a snapshot of all of the running processes. I am not sure what you mean by "Why not log running processes?", but it sounds interesting, please explain a little more.

    Well, as long as the computer is clean when VS is installed, then in theory, there should never be a non-safe process in the snapshot. But worst case scenario, once your traditional antivirus cleans up malware that was left over from before VS is installed, simply reset your whitelist and you are good to go. Thank you!
     
  7. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    989
    Hi Dan,

    I am still getting "Sorry, All Command Lines are Full" error when blocking or allowing on 2.23k
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, thank you for letting me know! Have you deleted all of the similar command lines that are filling up all 20 of the command lines? Also, do they all contain "tiworker.exe" and start with "c:\windows\winsxs"?
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,002
    Location:
    .
I clicked Allow for c:\windows\system32\sc.exe and received the dialog below. Why ?
    DESCRIPTION:
    SC is a command line program used for communicating with the
    Service Control Manager and services.
    USAGE:
    sc <server> [command] [service name] <option1> <option2>...


    The option <server> has the form "\\ServerName"
    Further help on commands can be obtained by typing: "sc [command]"
    Commands:
    query-----------Queries the status for a service, or
    enumerates the status for types of services.
    queryex---------Queries the extended status for a service, or
    enumerates the status for types of services.
    start-----------Starts a service.
    pause-----------Sends a PAUSE control request to a service.
    interrogate-----Sends an INTERROGATE control request to a service.
    continue--------Sends a CONTINUE control request to a service.
    stop------------Sends a STOP request to a service.
    config----------Changes the configuration of a service (persistent).
    description-----Changes the description of a service.
    failure---------Changes the actions taken by a service upon failure.
    failureflag-----Changes the failure actions flag of a service.
    sidtype---------Changes the service SID type of a service.
    privs-----------Changes the required privileges of a service.
    managedaccount--Changes the service to mark the service account
    password as managed by LSA.
    qc--------------Queries the configuration information for a service.
    qdescription----Queries the description for a service.
    qfailure--------Queries the actions taken by a service upon failure.
    qfailureflag----Queries the failure actions flag of a service.
    qsidtype--------Queries the service SID type of a service.
    qprivs----------Queries the required privileges of a service.
    qtriggerinfo----Queries the trigger parameters of a service.
    qpreferrednode--Queries the preferred NUMA node of a service.
    qrunlevel-------Queries the run level of a service.
    qmanagedaccount-Queries whether a services uses an account with a
    password managed by LSA.
    qprotection-----Queries the process protection level of a service.
    delete----------Deletes a service (from the registry).
    create----------Creates a service. (adds it to the registry).
    control---------Sends a control to a service.
    sdshow----------Displays a service's security descriptor.
    sdset-----------Sets a service's security descriptor.
    showsid---------Displays the service SID string corresponding to an ar
    bitrary name.
    triggerinfo-----Configures the trigger parameters of a service.
    preferrednode---Sets the preferred NUMA node of a service.
    runlevel--------Sets the run level of a service.
    GetDisplayName--Gets the DisplayName for a service.
    GetKeyName------Gets the ServiceKeyName for a service.
    EnumDepend------Enumerates Service Dependencies.

    The following commands don't require a service name:
    sc <server> <command> <option>
    boot------------(ok | bad) Indicates whether the last boot should
    be saved as the last-known-good boot configuration
    Lock------------Locks the Service Database
    QueryLock-------Queries the LockStatus for the SCManager Database
    EXAMPLE:
    sc start MyService

    Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:
     
  10. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    989
    How do you delete the command lines? When I select them from the Command Line tab and delete, it whites out the space, but the space or container? remains.

    None of them contain "tiworker.exe" and start with "c:\windows\winsxs".
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I need to do some more testing with the "auto allow specific critical windows process" feature unchecked. Basically, sc.exe requires a command line, otherwise it does not know what to do, and it basically just gives you instructions on how to use sc.exe. We can refine this a little more when I have time... I just never turn this feature off, so I have never seen these errors.

One thing is for sure, as many settings as you tweak, you are going to find little issues like this ;). Really, in my opinion, VS should be run in its default settings, and settings like this should only be changed when necessary. And only 1-3, not half of them ;). For example, if I wanted to make VS run really poorly, I could go in and basically change all of the default settings to the opposite, and it would not run well at all. It does help though that you find stuff like this, and I certainly do appreciate it! Thank you!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    You should be able to just highlight all of them and tap the backspace key, then when they are all gone, click the save and close button.

    Hmmm, I am confused... the last image you posted contained "tiworker.exe" and start with "c:\windows\winsxs", so I think we are just misunderstanding each other. Actually, before you delete the command lines, can you please copy and paste a lot of them and pm me or post them on here? If they are extremely similar, I do not need you to send me the duplicates. Thank you!
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    OK...it's already checked
    ver. 2.12 - can save settings
    ver. 2.20c - app failed, service not started
    ver. 2.21b - can't save settings
There is a time gap (ca. 1,5 months) between 2.12 and 2.20 and the next, and I don't know what was changed except some features and GUI...and a popup about disabling UAC.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Cool, thank you ichito, that helps tremendously! If for some reason I cannot figure it out today, I will see if you guys can tell me how to install the Polish version of Windows. Basically what I did before to test this bug was to install the English version of Windows, then install a Windows language pack with Vistalizator, but VS worked normally with that.

    Anyway, I will look at 2.12 right now and see what changed. Thanks again!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, ichito, was that the 2.12 release? Not a beta, correct?

    Also, the guy from France helping us figure this out as well made a video, and in his video, when he clicked "Save and Close", the little white mini prompter (toaster kind of) did not pop up and say "Saving Settings". Does VS say "Saving Settings" at the bottom right when you click save and close?
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,002
    Location:
    .
    Question ~ How do I use VS Sandbox ?
    I open MS Notepad with VS Sandbox. BTW ~ VS Sandbox Folder is empty. Attempt to save Notepad text. I do not have required privilege.

    VS Sandbox appears to strip rights from process and process does not go to Sandbox Folder.
    How may I use VS Sandbox ?
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is identical to the Quarantine button, which I have already fixed and will be part of the next release. I will do the same for the Sandbox button. Windows processes should never be sandboxed because it runs them with limited rights. It is an easy fix.

    To use the Sandbox, simply run any executable that is not an installer, and has not been previously whitelisted, and if it passes the blacklist scan, then there will be an option to run it Sandboxed, which basically runs the file with limited rights. When this happens, VS explains in the User Prompt that the purpose of the Sandbox button is to run a file Sandboxed initially, just in case you are not sure if it is a good file or not, even though it passed the blacklist test.

    The reason you keep seeing this is because the "Automatically allow specific critical Windows processes" is unchecked. Really, that should be checked, but it does help to work out little "bugs" in VS since you are running VS with that option unchecked. So that really does help me a lot.

    I will make that change right now, thank you!
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I had a weird thought today. If UAC was not baked into Windows, and was an add on similar to EMET, how many people would install it? Just curious ;).
     
    Last edited: Feb 20, 2015
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,002
    Location:
    .
Question: Is VS Free with default limited access settings and features as protective as VS Subscription with functional optional settings? Since VS Subscription should be run at default, then perhaps include that info with the FAQs. Perhaps clarify that the VS recommended setting is "default". Perhaps clarify in the FAQs that VS optional available settings are to be changed only when / if necessary.
    Question: Is VS Free the same as VS Fee? Question: Is VS Free the same as VS Fee sans optional settings ? Optional settings that should be left at recommended "default"... anyway ? Question: So, why run VS Fee in lieu of VS Free ?

    BTW: I'm thinking and please correct me if I'm wrong. Any setting away from default will eventually be satisfied through VS prompt user action.
     
    Last edited: Feb 20, 2015
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see what you are saying, good point. Here is our new site (even though it is not finished yet), please let me know if you think we explain it well enough. But yeah, I believe the free version is every bit as secure as the paid version, and includes the optimal settings pre-configured. I do not remember which review it was, but one reviewer remarked something like "The free version strikes a good balance between security and user-friendliness with the optimal settings pre-configured, so most people will just want to use the free version." These were not the exact words, but it was something like that.

    http://voodooshield.com/newsite/

    Edit: Sorry, I missed this part "BTW: I'm thinking and please correct me if I'm wrong. Any setting away from default will eventually be satisfied through VS prompt user action."

    Yeah, I tend to agree, but I really think it is every bit as important to automatically allow as much good stuff as possible, as it is to block the bad stuff. The reason is because I have always thought that the affirmative user prompt is by far the most dangerous security hole (even more so than exploits). Especially when a lot of users automatically click "Allow" by default. I think we need to get away from overburdening the user with too many prompts, otherwise they will become numb to security software and just always click "Allow".

Eventually, the goal is to put VS's desktop shield gadget on all devices, especially mobile. And basically, there would not even be a balloon or prompt... they would just see VS flashing and know that the lock is blocking something. Then they would click the shield to find out what was blocked... assuming that VS is blocking something that they want to run in the first place. If VS is just flashing, but not stopping the user from doing what they want to do with the computer, then they can just ignore the flashing. So this takes the entire affirmative user prompt security hole out of the equation... completely. Having said that, I really think that is the reason why VS has been so effective the last 3+ years. I think most users just ignore the current balloon notifications, which is what they should do in my opinion. BTW, I truly believe that this is the reason UAC has failed so miserably. It presents the user with an affirmative prompt and FORCES them to make a decision... and over time they become accustomed to clicking yes or allow every time. Sorry, I went on a little tangent there ;).
     
    Last edited: Feb 20, 2015
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey ichito, if you are running the latest version... 2.23k, and have tested the settings a time or two and have seen them fail, can you please send me the DeveloperLog.log from the c:\programdata\voodooshield folder? I think I know what is causing the problem. Especially if you see the words "ERROR in SaveSettings:" in the developer log... then I know what's up. It may not be a super easy fix, but it should not be too bad. Thank you!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey ichito, I figured it out. It was not the language pack at all, it was the regional settings. As soon as I changed my Region Settings in the control panel to Polish (Poland), I was able to reproduce the error. And it is a super, super easy fix. Actually, reproducing the error is always the difficult part. Once I can reproduce the error, Visual Studio pretty much tells you how to fix it, and if that does not work, then a quick google search will fix it. Anyway, I am going to take a break, but I will post the fixed version later tonight or tomorrow. BTW, I bet if you change your regional settings to English, it will work ;). Thank you for your help, and sorry it took so long to figure out!
     
  24. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
Thanks my master...
    It works Dan...tooo-dooo!...you are a big man :D
    Thanks for your patience and diligence :thumb:
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    What was causing the problem with Polish OS?
     