VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It is totally fine; it should work either way. I am a little confused: is there an issue with WP and VS? How is the latest version of VS doing on XP? Thank you!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Child and parent are totally separate once they are allowed to run and are whitelisted.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you guys for noticing that ;).
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We are getting there! Thank you guys for all of your help!
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    W8 criteria now reports VS Startup as Not measured
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, we could have an option to do a one way or two way sync... I never thought of that.
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I updated, however v2.31j has reverted to bootup at start, and my problem has not improved...It took at least 20 minutes before my system was responsive to a right click of the VS systray icon...Looks like I will have to go back to delaying VS starting at boot.
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We can definitely make these features optional. I would like to keep the left click to turn VS ON and OFF the default, unless everyone thinks we should not have it that way. I really think that if users became used to left clicking VS to turn it ON and OFF (or tapping it on a touch screen), I think they would find it to be even easier to use than before. I am not going to add anymore features for a couple of weeks, until we are certain that all of the bugs are worked out. I know we are close. But once we start adding more features, let's talk about this a little more and figure out what clicks are best for VS. Thank you!
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    For me, on my machine with my VS settings, both SMART n' ALWAYS ON ... VS prompts Blue and Red Alerts. So, it's not easy to grasp the difference. If ALWAYS ON were true lock down then VS would not prompt. VS would simply act silently based on the existing snapshot. Unknowns / not in snapshot would be silently blocked by default.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I know...but, I like trying different security combinations. I have 3 other snapshots, that don't have VS installed...I wouldn't even begin to try and run VS in those as well. I had such a hard time getting .net framework installed to get VS to run in this snapshot.
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    20 minutes ...WOW
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    No issue with Win Patrol, just that it helps when wanting to delay a program at startup. See my earlier comment about how it runs, on XP a short time ago.
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I know...it was as slow as molasses. ;)
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, the easiest way to explain the new anti-exploit feature is that VS will automatically block all child processes of web app parent processes... no matter where it is located on the computer, even if it is located in an automatically allowed folder (program files, certain windows folders, etc). At first it does not sound that significant until you realize what that allows us to do... Every exploit payload is a child process of a parent process that is susceptible to exploits (java, flash, browsers, etc.), right? Well, if VS does not allow child processes from any of the web apps or commonly exploited executables, doesn't that completely eliminate the possibility of an exploit successfully dropping and executing its payload?

    If something is specifically whitelisted, then cool, it is allowed. But for example, if you are running firefox and visit a site with a java exploit, javaw.exe will be allowed because it is in the Programs Files folder (which is automatically allowed by default). But any exploit payload that javaw.exe tries to spawn will be blocked since VS's new "anti-exploit protection" does not allow child processes from web apps if they are not whitelisted. Also, this is pretty cool because it allows us to safely automatically allow folders, such as Program Files, even if a payload could be dropped there.

    This feature is already active and working great on Vista and above in 2.31j (that is what I was doing this last week or so ;)). I tried to get it to work on XP, but the problem is that I cannot obtain the parent process PID because of the way the CPN works. Once we have the KMD, it will work and it will be super easy to implement.

    Please do not get me wrong, it would be hard to get through VS even without this new feature, but remember, we are trying to create the perfect computer lock, right ;). I have always wondered if an exploit could somehow get through, but unless I am missing something, then we do not have to worry about that at all now ;).

    Edit: Also, keep in mind, none of this would be possible without the whole VS web app concept, and it was not something that I planned from the beginning, it just kind of dawned on me recently that child processes of web app parent processes should be blocked by default. I guess what I am saying is that we started with a desktop shield gadget that toggles with web apps, and things just kind of build on each other and progress. So it was not by design, it was luck ;).

    Also, as we all know, pretty much all payloads are dropped to appdata or programdata, but it is just nice to know that now it does not matter where they are dropped.
     
    Last edited: Mar 24, 2015
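    The allow/block policy Dan describes above, as an added simulation that is not VoodooShield's code: it applies the stated rules (explicit whitelist first, then block any child of a web app regardless of folder, then auto-allowed folders, then default deny) to a constructed process tree, so that a process dropped into Program Files by Firefox is still blocked while a whitelisted child is allowed. The folder list, web-app list, paths and whitelist entries are all assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed for this example; VS's real folder and web-app lists are not on the page.
AUTO_ALLOWED_FOLDERS = ("c:\\program files\\", "c:\\windows\\")
WEB_APPS: Set[str] = {"firefox.exe", "chrome.exe", "iexplore.exe", "javaw.exe", "acrord32.exe"}

@dataclass
class Process:
    pid: int
    path: str
    ppid: Optional[int] = None  # parent PID; None for the root of the tree

    @property
    def name(self) -> str:
        return ntpath.basename(self.path).lower()

def decide(proc: Process, by_pid: Dict[int, Process], whitelist: Set[str]) -> Tuple[str, str]:
    """Rules from the post, in order: explicit whitelist wins; any child of a
    web app is blocked regardless of its folder; auto-allowed folders pass;
    everything else is blocked. A memory-only payload that never spawns a
    process is invisible to this check (the caveat raised later in the thread)."""
    path = proc.path.lower()
    if path in whitelist:
        return "allow", "whitelisted (e.g. added in training mode)"
    parent = by_pid.get(proc.ppid) if proc.ppid is not None else None
    if parent is not None and parent.name in WEB_APPS:
        return "block", f"child of web app {parent.name}"
    if path.startswith(AUTO_ALLOWED_FOLDERS):
        return "allow", "in auto-allowed folder"
    return "block", "unknown executable"

# Constructed process tree with hypothetical paths.
TREE = [
    Process(1, r"C:\Windows\explorer.exe"),
    Process(100, r"C:\Program Files\Mozilla Firefox\firefox.exe", 1),
    Process(200, r"C:\Program Files\Java\bin\javaw.exe", 1),
    Process(300, r"C:\Program Files\dropped.exe", 100),       # dropped into an allowed folder
    Process(301, r"C:\Users\me\AppData\Local\Temp\payload.exe", 200),
    Process(302, r"C:\Program Files\Tools\helper.exe", 100),  # whitelisted child of Firefox
    Process(400, r"C:\Windows\System32\notepad.exe", 1),
]
WHITELIST = {r"c:\program files\tools\helper.exe"}

def evaluate(tree=TREE, whitelist=WHITELIST) -> Dict[int, Tuple[str, str]]:
    """Decide every process in the tree; keys are PIDs."""
    by_pid = {p.pid: p for p in tree}
    return {p.pid: decide(p, by_pid, whitelist) for p in tree}
```

    Calling evaluate() returns one (verdict, reason) pair per PID; PID 300 is blocked even though it sits in an auto-allowed folder, which is the point of the feature.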
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Dan, I have not tried the last few versions, but I noticed that when you click on the detection name in an alert it takes you to Google.
    Can you change it to go to the VirusTotal result page instead?
    Also, it would be more convenient to show the scan ratio instead of only one or two detection names.
    Just "VirusTotal: x/y" would be enough.

    What do you think?
     
    Last edited: Mar 27, 2015
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think the new anti-exploit feature will work great with binary payloads, but memory only payloads write to the memory address within the process itself. I'm not sure how much damage can be done by infections that only infect the memory, but there are well known exploit kits that use this method.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I do not like how VS still flags something as a threat after using training mode to add it to the whitelist. I don't use the parent process feature because I do not want to allow child processes from parents at all times. I prefer to use training mode as a painless on-demand method of adding the parent and child to the whitelist. Well, it would be painless if VS did not detect it as a threat after adding it to the whitelist (a false positive in this case). This is the behavior I'm seeing, unless training mode failed to add the executables to the whitelist. I tried launching the application no more than 2 minutes after using it in training mode, and it was detected as a threat.
     
    Last edited: Mar 24, 2015
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I ran Tor Browser, and VS failed to toggle to ON in Smart Mode. I thought VS would toggle to ON because Tor Browser uses Firefox and launches firefox.exe. I checked the task manager, and firefox.exe was running when using Tor Browser.
     
    Last edited: Mar 24, 2015
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    We need a simple test to use to make sure that the Anti-Exploit feature is functioning as it should on everyone's machine. Anything that would make some common web apps like firefox, adobe reader, flash, etc. spawn a child process would do. I will look around to see if I can find something easy to use.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is one of the best and easiest to understand articles that I was able to find on Startup impact measurement in Task Manager: http://winaero.com/blog/how-the-windows-8-task-manager-calculates-startup-impact-of-apps/

    I was also curious about how it was measured, so I decided to do some brief research on it. Also, when you hover over the column title for Startup impact, it displays the following tooltip:

    From the article:

    Also, according to the article, Startup impact pulls data from C:\Windows\System32\wdi\LogFiles after each restart, and it states that you can open the BootCKCL.etl file with Windows Performance Analyzer, which comes with Visual Studio 2012 and likely other versions.

    Anyway, the winaero.com article goes into quite a bit of detail so you can follow that if you need to dig into it further.
     
  21. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    To start off with, I'm new to VoodooShield and I bought the Pro Version yesterday. I like what I see with the product. I don't have the time to read 4 years of this thread now. I do have one question though. When MS Patch Tuesday rolls around, do I keep VS in Smart Mode or shut it down?
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It's quite likely that the Windows updates would install successfully with VoodooShield protection still on. Personally, I right-click on the VS tray icon and choose "Disable Protection" just before I install any Windows updates. I think a lot of users here do as well. Maybe just a force of habit, to prevent any potential issues with anti-executable software in general. I know that Dan has worked very hard so that Windows updates would work accordingly and without issues alongside VS. But who knows whether any future updates to Windows might change things. So on the safe side, I choose Disable Protection. Just remember to turn it back on once the system reboots after the updates are complete. But also see if anyone else chimes in with their opinions on this as well, including Dan. Everybody has different opinions and I respect that.
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    VS 2.31j beta:
    I have noticed that there are empty columns (first to the left) under Whitelist, User Log, Command Lines and Quarantine.
    The width can be adjusted so if you expand them you get this....
    What are those used for?
     
    Attached Files: 1.jpg (128.3 KB)
    Last edited: Mar 24, 2015
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    VS 2.31j beta:
    I'm watching livestream in the latest stable Chrome (with ublock extension) and VS is set to Smart mode.
    Every now and then I get block notifications with only random numbers....and the time is weird too (regular intervals at the beginning of a minute).
    Here is the screenshot....notice that there are also empty entries.
     
    Attached Files: 2.jpg (118.4 KB), 1.jpg (42.9 KB)
    Last edited: Mar 24, 2015
  25. Miquell

    Miquell Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    32
    Location:
    Poland
    Hey Dan :),

    Beta 2.31j works very well on my board. Fast booting up and working smoothly without any slowdowns, delays or errors. So I have no other new/important things to report except one.
    Each time I'm using Google Chrome, a balloon notification appears alerting about a blocked command line and warning about a potential virus.
    After clicking the notification nothing happens; both command lines and quarantine are empty, and there are also no other traces of blocking anything in the user log.
    This also happens each time I'm opening a new tab in a running Chrome.
    What seems strange is that this issue doesn't appear while using IE11 or Firefox.

    Could anyone confirm that issue?

    Any ideas?

    Thanks in advance :),

    Mike
     
    Last edited: Mar 24, 2015