I already told Dan rundll32.dll keeps popping its ugly head opening IE or Chrome but it's not being logged with the h version? Daniel
Curious, what if malware (probably trojans) rename themselves as a legit program and communicate with the internet... Does the hash of a legit program allowed by default with Allow all from Program Files folder change when the name is maliciously changed... Thereby, would name change cause VS Prompt and VS scan? Or, may this rename slip through under default Allow all...
don't think related to sbie here, thunderbird was not running with sbie and neither was anything from usb, but not definitive. hey if you open vs settings | webapps look to see what app(s) are in bold (subtle) and that will tell you what app has vs "on"
I just went to check in WinPatrol, and I inadvertently shut it down. When I restarted it, I got the following popups [SSM & Sygate], both of which I allowed. [Spoiler: screenshot] And, finally showing VS in delayed startup. Why you are having a problem with delayed startup in WinPatrol is a mystery. [Spoiler: screenshot]
....it's been a few builds since I switched off start at boot.... I'll have to try start at boot and see what happens
Yes, you're correct... I forgot about bold'd web app....Thanks....for me it would likely be Firefox....I just didn't know how to determine if SBox'd Firefox was causal v non-SBox'd FF. I'll observe SBoxie system tray Icon holding dots (active). So, again it's a chicken egg question. But, as you report not related to SBoxie. Then it would have to be Firefox holding VS blue....
Sorry I have been away, I have been working on something pretty cool. You will now see an option in Settings / Advanced "Enable VoodooShield anti-exploit for all web apps in all file / folder locations". Basically, VS works just like it did before, but now any new child process of a web app or possibly exploitable software (Java, Acrobat, etc.) is automatically blocked, even if it is in one of the automatically allowed folders (Program Files, Windows, etc.), unless it is specifically whitelisted. Of course, this all happens before the Parent Process feature has a chance to allow something. This all came about because an acquaintance of Miquell named Adam discovered a way to drop exploit payloads to the Program Files folder in earlier versions of Windows (I believe Windows 7 and below) and earlier versions of Java (I believe Java 7 and below). So thank you Miquell and Adam for all of your help! CET mentioned that I should check into this possible security hole a while back as well, so thank you for your help as well! I think everything is working properly, but I am going to send this to Adam to see what he thinks. I just wanted you guys to try it in the meantime to see if VS is now blocking something that it should not be blocking, or is doing something that it should not be doing. I also added a few other things, for example, the number of threats blocked. Thank you Callender for the recommendation! Hopefully I will have time to catch up on the posts I missed later today, if not, very soon! Thank you! http://www.voodooshield.com/freeoffer/Install VoodooShield.2.31i beta.exe Edit: Oops, sorry, I just realized this... I have to do something special for Windows XP, so XP users, please hold off until later. I will let you know when it is ready!!! Anything above XP should be good to go!
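The rule ordering described in the post above, as an added example that is not VoodooShield's code and not part of the original thread. It is a simplified Python model: the process names, the path-keyed whitelist and the behaviour of the Parent Process step are assumptions made for illustration.

```python
import ntpath

# Folders the post names as automatically allowed.
AUTO_ALLOWED_DIRS = [r"C:\Program Files", r"C:\Windows"]
# Constructed list standing in for "web apps or possibly exploitable software".
EXPLOITABLE_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe",
                       "java.exe", "acrord32.exe"}


def _norm(path):
    # Collapse ".." and compare case-insensitively, as Windows paths require.
    return ntpath.normcase(ntpath.normpath(path))


def in_auto_allowed_dir(path):
    # Match whole path components only, so "C:\Program Files Evil" does not
    # count as being inside "C:\Program Files".
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in AUTO_ALLOWED_DIRS)


def decide(child, parent, whitelist, anti_exploit=True):
    """Return (verdict, reason) for a new child process.

    whitelist is modelled as a collection of paths (an assumption; the
    thread does not say how entries are keyed).
    """
    allowed = {_norm(w) for w in whitelist}
    listed = _norm(child) in allowed
    parent_name = ntpath.basename(_norm(parent))

    # Anti-exploit rule runs first: children of a web app or exploitable
    # program need an explicit whitelist entry, whatever folder they are in.
    if anti_exploit and parent_name in EXPLOITABLE_PARENTS:
        if listed:
            return ("allow", "whitelisted")
        return ("block", "child of exploitable parent")

    if listed:
        return ("allow", "whitelisted")
    if in_auto_allowed_dir(child):
        return ("allow", "auto-allowed folder")
    # Assumed Parent Process behaviour: trust children of a whitelisted parent.
    if _norm(parent) in allowed:
        return ("allow", "parent process")
    return ("block", "not whitelisted")
```

With `anti_exploit=False` the model lets a file dropped under Program Files run on the folder rule alone, which is the gap the new option closes.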
Hi Dan, No worries! I think we all thought you would be working on something. The new features sound great, I will give this a try probably tomorrow. Regards and thanks Gordon
...<<unless it is specifically whitelisted>> ...seems like 2.31i new protocol is to bolster Auto allow that I shy away from anyway... and once Auto allow adds to snapshot or as I whitelist...the process (parent n' child) gets a pass anyway... Does child get whitelisted under parent or as a separate event... W8.1 64b ~ 2.31i ~ Reset Whitelist n' Train
Hi Dan I am always worried when you are away from here and not posting...it usually means that you are up to something/cooking up something new to beguile us with...and I was right... Will get this installed on both my systems tonight and look to give it some wellie over the next couple of days. Will report back if I notice anything untoward. Regards, Baldrick
I do have one issue, if anyone can confirm! Right-click on the VS Shield in the Tray: it closes fast, and it should stay open till you select something. Win 8.1 Pro x64. Daniel
This version is compatible with XP, but the new exploit protection feature might not work until we implement the KMD, which is going to be a little while. I highly, highly doubt a virus would ever act that way anyway, and I have never seen it. There were a few small bugs in the last version, but I think they are all worked out now. I really am going to not add any more features until we are 100% sure all of the bugs are worked out. Thank you! http://www.voodooshield.com/freeoffer/Install VoodooShield.2.31j beta.exe Edit: I meant to say the new exploit protection feature might not work with XP... it is working for Vista and above.
Hi Daniel Yep, I can confirm that. Hey Dan Many thanks for another beta and of course I will let you know if I notice something strange. Cheers Mike
I just did a new install of 2.31j, meaning no prior installation of VS on this image. I still get strange entries on the whitelist. It has Driver Radar Pro from No Virus Thanks on the whitelist. ERP, or Driver Radar Pro has never been installed on this image. I checked the Program Files Folder shown on the whitelist, and it is not there. I'm using Windows 7 x64. Edited 3/23/ @ 7:41: VS must have added Driver Radar Pro to the whitelist from the cloud from a prior installation of VS. I always disable backing up the whitelist to the cloud, but it creates a partial backup before I can disable the feature. I don't think it should add items to the whitelist from the cloud though without asking because those items may no longer be installed such as in this case. I went ahead and deleted all the backups in the cloud.
I would like to be able to disable left clicking of the shield without forbidding the user from allowing new items. I would prefer the GUI to open if I double click on the shield instead of turning the protection off, or on. VS already gives the option to disable protection by right clicking on the shield, and choosing Disable Protection.
What type of mitigation method does VS employ with its new exploit protection? I read above that it may not work until the KMD version of VS is complete.