VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
I already told Dan rundll32.dll keeps popping its ugly head opening IE or Chrome, but it's not being logged with the h version?

    Daniel

     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    Curious, what if malware (probably trojans) rename themselves as a legit program and communicate with the internet.....
    Does the hash of a legit program allowed by default with Allow all from Program Files folder change when the name is maliciously changed...
    Thereby, would a name change cause a VS prompt and VS scan? Or, may this rename slip through under default Allow all....
     
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
    It would have to bypass VS in order to do so and that will not happen unless you allow it to.

    Daniel
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    So, naming malicious as a legit name will not fake out VS?
    Because the hash will still be unique?
     
    Last edited: Mar 20, 2015
  5. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    I don't think it's related to sbie here; Thunderbird was not running with sbie and neither was anything from USB, but not definitive. Hey, if you open VS Settings | WebApps, look to see what app(s) are in bold (subtle) and that will tell you what app has VS "on".
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,004
    I just went to check in WinPatrol, and I inadvertently shut it down. When I restarted it, I got the following popups [SSM & Sygate], which I both allowed.

    And, finally, showing VS in delayed startup. Why you are having a problem with delayed startup in WinPatrol is a mystery.
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,004
    I wonder what Dan thinks... about us delaying the startup.
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    ....it's been a few builds since I switched off start at boot.... I'll have to try start at boot and see what happens
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    Yes, you're correct.. .. I forgot about bold'd web app....Thanks....for me it would likely be Firefox....I just didn't know how to determine if SBox'd Firefox was causal v non-SBox'd FF. I'll observe SBoxie system tray Icon holding dots (active). So, again it's a chicken egg question. But, as you report not related to SBoxie. Then it would have to be Firefox holding VS blue....
     
    Last edited: Mar 21, 2015
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry I have been away, I have been working on something pretty cool.

    You will now see an option in Settings / Advanced: "Enable VoodooShield anti-exploit for all web apps in all file / folder locations"

    Basically, VS works just like it did before, but now any new child process of a web app or possibly exploitable software (Java, Acrobat, etc.) is automatically blocked, even if it is in one of the automatically allowed folders (Program Files, Windows, etc.), unless it is specifically whitelisted. Of course, this all happens before the Parent Process feature has a chance to allow something.

    This all came about because an acquaintance of Miquell named Adam discovered a way to drop exploit payloads to the Program Files folder in earlier versions of Windows (I believe Windows 7 and below) and earlier versions of Java (I believe Java 7 and below). So thank you Miquell and Adam for all of your help!

    CET mentioned that I should check into this possible security hole awhile back as well, so thank you for your help as well!

    I think everything is working properly, but I am going to send this to Adam to see what he thinks. I just wanted you guys to try it in the meantime to see if VS is now blocking something that it should not be blocking, or is doing something that it should not be doing.

    I also added a few other things, for example, the number of threats blocked. Thank you Callender for the recommendation!

    Hopefully I will have time to catch up on the posts I missed later today, if not, very soon! Thank you!

    http://www.voodooshield.com/freeoffer/Install VoodooShield.2.31i beta.exe


    Edit: Oops, sorry, I just realized this... I have to do something special for Windows XP, so XP users, please hold off until later. I will let you know when it is ready!!! Anything above XP should be good to go!
     
    Last edited: Mar 22, 2015
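As an added illustration (not VoodooShield's code; the rule ordering, the web-app list and the folder list are assumptions drawn from the posts above), this Python model covers both the rename question in posts 2 to 4 (a whitelist keyed by content hash is unaffected by the file name) and the 2.31i anti-exploit rule in post 10 (a child of a web app is blocked before the auto-allowed-folder rule gets a say, unless its hash is whitelisted):

```python
import hashlib

# Constructed model of the allow/block ordering described in this thread
# (assumption; not VoodooShield's own code). Names below are illustrative.
WEB_APPS = {"firefox.exe", "chrome.exe", "iexplore.exe", "java.exe", "acrord32.exe"}
AUTO_ALLOWED = tuple(p.lower() for p in (r"c:\program files", r"c:\windows"))

def file_hash(contents: bytes) -> str:
    """Whitelist key: a hash of the bytes, so renaming the file changes nothing."""
    return hashlib.sha256(contents).hexdigest()

def decide(parent_name: str, child_path: str, child_bytes: bytes,
           whitelist: set, anti_exploit: bool = True) -> str:
    """Return 'allow:<rule>' or 'block:<reason>' for one child-process launch."""
    h = file_hash(child_bytes)
    # 1. Anti-exploit (2.31i): a child of a web/exploitable app is blocked unless
    #    its hash is whitelisted, whatever folder it sits in, before folder rules run.
    if anti_exploit and parent_name.lower() in WEB_APPS and h not in whitelist:
        return "block:anti-exploit"
    # 2. A whitelisted hash passes wherever it lives and whatever it is named.
    if h in whitelist:
        return "allow:whitelist"
    # 3. Default "Allow all from Program Files"-style folder rule.
    if child_path.lower().startswith(AUTO_ALLOWED):
        return "allow:auto-folder"
    # 4. Everything else is blocked (VS would prompt the user here).
    return "block:prompt"

# Constructed sample files: a legitimate binary and an impostor sharing its name.
LEGIT = b"MZ...legit-app-bytes"
IMPOSTOR = b"MZ...malicious-bytes"
WHITELIST = {file_hash(LEGIT)}

def demo() -> dict:
    pf_child = r"C:\Program Files\SomeApp\update.exe"
    return {
        # Impostor renamed to a whitelisted name in a user folder: hash differs -> prompt.
        "renamed": decide("explorer.exe", r"C:\Users\me\Downloads\app.exe", IMPOSTOR, WHITELIST),
        # Payload a browser dropped into Program Files: caught by the anti-exploit rule...
        "browser_child": decide("firefox.exe", pf_child, IMPOSTOR, WHITELIST),
        # ...but waved through by the folder rule when the feature is off (the gap post 10 describes).
        "browser_child_old": decide("firefox.exe", pf_child, IMPOSTOR, WHITELIST, anti_exploit=False),
        # A whitelisted hash launched by a browser still passes under anti-exploit.
        "browser_whitelisted": decide("firefox.exe", pf_child, LEGIT, WHITELIST),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```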
  11. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan,
    No worries ! I think we all thought you would be working on something.
    The new features sound great, I will give this a try probably tomorrow.

    Regards and thanks
    Gordon
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    ...<<unless it is specifically whitelisted>>
    ...seems like 2.31i new protocol is to bolster Auto allow that I shy away from anyway... and once Auto allow adds to snapshot or as I whitelist...the process (parent n' child) gets a pass anyway...
    Does child get whitelisted under parent or as a separate event...

    W8.1 64b ~ 2.31i ~ Reset Whitelist n' Train
     
    Last edited: Mar 23, 2015
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Oops, sorry, I just realized this... I have to do something special for Windows XP, so XP users, please hold off until later. I will let you know when it is ready!!! Anything above XP should be good to go!
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,614
    Location:
    South Wales, UK
    Hi Dan

    I am always worried when you are away from here and not posting...it usually means that you are up to something/cooking up something new to beguile us with...and I was right...;)

    Will get this installed on both my systems tonight and look to give it some wellie over the next couple of days. Will report back if I notice anything untoward.

    Regards, Baldrick
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
    Excellent job Dano @VoodooShield same as Baldrick will report any issues if any come up.

    Daniel :)
     
  16. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
    I do have one issue and if anyone can confirm! Right click on the VS shield in the tray: it closes fast, and it should stay open till you select something. Win 8.1 Pro x64.

    Daniel :)
     
    Last edited: Mar 22, 2015
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This version is compatible with XP, but the new exploit protection feature might not work until we implement the KMD, which is going to be a little while. I highly, highly doubt a virus would ever act that way anyway, and I have never seen it.

    There were a few small bugs in the last version, but I think they are all worked out now. I really am going to not add any more features until we are 100% sure all of the bugs are worked out. Thank you!

    http://www.voodooshield.com/freeoffer/Install VoodooShield.2.31j beta.exe

    Edit: I meant to say the new exploit protection feature might not work with XP... it is working for Vista and above.
     
    Last edited: Mar 24, 2015
  18. Miquell

    Miquell Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    32
    Location:
    Poland
    Hi Daniel :)
    Yeap, I can confirm that.


    Hey Dan :)

    Many thanks for another beta and of course I will let you know if I notice something strange.

    Cheers ;)

    Mike
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
    Thanks Buddy I will let you know if I find anything else or not! LOL

    Daniel :)

     
    Last edited by a moderator: Mar 23, 2015
  20. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
    Thanks and it's now fixed in the j version!

    Daniel :)
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,169
    Location:
    .
    2.31j :)
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I just did a new install of 2.31j, meaning no prior installation of VS on this image. I still get strange entries on the whitelist. It has Driver Radar Pro from No Virus Thanks on the whitelist. ERP, or Driver Radar Pro, has never been installed on this image. I checked the Program Files folder shown on the whitelist, and it is not there. I'm using Windows 7 x64.

    Edited 3/23/ @ 7:41: VS must have added Driver Radar Pro to the whitelist from the cloud from a prior installation of VS. I always disable backing up the whitelist to the cloud, but it creates a partial backup before I can disable the feature. I don't think it should add items to the whitelist from the cloud though without asking because those items may no longer be installed such as in this case. I went ahead, and deleted all the backups in the cloud.
     


    Last edited: Mar 23, 2015
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I would like to be able to disable left clicking of the shield without forbidding the user from allowing new items. I would prefer the GUI to open if I double click on the shield instead of turning the protection off, or on. VS already gives the option to disable protection by right clicking on the shield, and choosing Disable Protection.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    What type of mitigation method does VS employ with its new exploit protection? I read above that it may not work until the KMD version of VS is complete.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree with CET as well.
     