VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know... I will check it out. Yeah, VS should return to the previous mode... I am sure it is as easy fix. Thank you!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd... I will check it out though, thank you!
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, something else has to request TopMost, then VS will no longer be on top.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, I will have to test and see, thank you for letting me know!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS is extremely light on the HDD, especially compared to software that does real time HDD scans.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I think the time-out was because of the file that was uploaded... please try a different file... someone was trying to upload some malware that restarted the VM immediately upon execution ;).

    Keep in mind that CS is intended mainly / only for unknown files...

    Yeah, I agree, the report is way too detailed for a novice computer user. But the report is intended for advanced computer users and admins. Basically, I am adding a feature where the admin will receive the report in an email, and will be able to review it to see if the item should be whitelisted or not. And yeah, the MalScore will help determine whether the file should be run or not. Also, the whole reason for the RDP session is so novice and average users can run an unknown file in a remote sandbox, and see what happens to that computer before they run it on their computer... Like... "do you want this to happen to your computer?".

    Also, the main reason why we implemented Cuckoo Sandbox is to help with unknown malware. Although, there was already a BIG RED prompt that says "The scanned file was not found in the database, so it is extremely suspicious. Please use caution and choose Block unless you are certain this file is legitimate." Most files are already known, and really, if the file is already known, then it is not absolutely necessary to analyze it with CS. It cracks me up when people say "well, with VS, the decision to run the file is left up to the user in the end". What they do not realize is that VS's are carefully scripted and will guide them to the correct decision on whether to run the item or not.

    Somehow we have to get away from the idea that it is necessary to run every freaking executable file that comes our way, especially if it is an unknown file. To me, unknown files should NEVER be allowed to run on ANY computer, EVER!

    For the last 3.5+ years, my local clients who run VS simply no longer get viruses... I tell them that if VS blocks anything, just let it block it, and assume it was a virus. But if it keeps blocking something they want to run, then they can follow the prompts and allow the item. Anyway, I think the RDP aspect of CS will be extremely useful for novice and average users, so they can see what their computer will look like if they try to run something new. And I think admins will really like the detailed CS reports. And soon, we will figure out a way to ping the VS desktop software back with the MalScore results.

    While the CS implementation is not yet perfect, we are off to an amazing start! I just wanted you guys to see what I had going so far. It will be another month or 2 before it is polished and ready for the public.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I will look at this today and have it fixed soon. It was not until recently that I realized it was cmd.exe that was causing the PeaZip issue. Thank you!
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly we are good to go. Except I did notice that there is a small bug when showing this prompt when I tested it early... it still blocked it but the prompt was blank... it is an easy fix.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, you do not need to sign up for anything at all... they are totally different servers.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    No XP here, Dan. Both of my machines are Windows 7 x64.

    Thanks.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see. Hopefully it will not continue to be a problem, if so, please let me know.
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I am sticking with v2.75 on XP...I guess I will not be able to keep using VS in future, unless I move to a newer OS. I understand.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS will still work with XP, but I have not been able to get Cuckoo to work with it yet, I should be able to sometime in the future. Also, if everything goes right with the KMD, then XP will work exactly like all of the other OS's. But yeah, at some point we should all abandon XP, it is almost 14 years old after all ;).
     
  14. hjlbx

    hjlbx Guest

    If it blocks a CL when I am not in front of the computer, I have no way of allowing it until the block notification occurs again with me at the ready...

    The only "user-unfriendly" aspect to VS is the lack of CL logging and an inability to white-list specific command lines - while being able to still keep vulnerable processes black-listed.

    That's it. That's the one and only thing I can find that seriously degrades VS.

    After all, if a user cannot get their printer, built-in Windows objects (e.g. most items in Control Panel require rundll32 CLs), external drive(s), etc. to work with VS - then they just aren't going to use it.

    I know I've brought this topic up a bunch of times... so I'm just gonna leave it at that.

    Best Regards,

    HJLBX
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I know... I am working on it as we speak. I was unable to reproduce the cmd PeaZip error for several weeks until about 4-5 days ago when I received your detailed description of the error, and I have been thinking about how to fix it since then. I did not realize until today that it is simply a bug in the code that deals with the cmd.exe process. When I said "But if it keeps blocking something they want to run, then they can follow the prompts and allow the item." that had nothing to do with the cmd issue. I was just saying in general that I think it is funny that people say stuff like that, but obviously they have never either used VS or read the prompts.

    All of the rundll32 command lines should be working perfectly... are they not for you? The only thing that is not working as far as I know are cmd.exe command lines that start with "cmd /c", like the PeaZip blocks. I actually have that fixed now, but now I have to change some other code... long story ;).

    I had no idea that the Cuckoo feature was going to be anywhere close to that much work, would take a month, and cost that much money in new hardware. But I was still trying to reproduce the PeaZip CMD error, along with a couple of other errors that I am working on as well, but either way, we will get them fixed asap. I had to focus mainly on Cuckoo, otherwise I never would have finished it.

    BTW, if you are not in front of your computer, VS should toggle to OFF... then it will allow everything... that is what the deactivation / toggling to OFF is all about.

    Anyway, I will have a new version that fixes the cmd.exe command line issue soon. If you are having issues with rundll32.exe command lines as well, please let me know... no one else has said anything about that. Thank you!
     
  16. hjlbx

    hjlbx Guest

    @VoodooShield

    I generally only operate VS in "Always ON" mode - just in case there is malware with AutoIt functionality; it would be just my luck that I leave the computer, VS toggles to "OFF," and then a malware runs. Extremely unlikely since I use VS with discipline, but possible nevertheless - no matter how remote.

    I clean install OS, then install VS, custom install softs, and finally, "Lock Down" system via VS. Piece of cake... right? I agree with you completely on all your points regarding "unknown" files. In fact, I am befuddled as to exactly why the vast majority of users cannot grasp that an anti-executable (and virtualization) are the only logical solutions to malware these days.

    As far as rundll32 issues, I posted a "white-list" request for those for which there was a prompt - and I selected to "Allow." Most of those were associated with Windows Control Panel items and security softs.

    Others that were blocked - I have no idea what exactly was blocked - since there is no way to look-up the blocked CLs. I suspect most were\are cmd \C. I scoured the VS logs, but could find no complete CLs to forward to you; only the process blocked (e.g. cmd.exe, xcopy.exe, etc) was in the logs.

    I've had issues with rundll32 being blocked with certain hardware, xcopy.exe blocked with automatic\scheduled backup softs... that's what I can recall at this moment. To get that particular system working I had to ditch VS and go with NVT ERP since I could white-list specific CLs.

    Anyhow, I'm not bashing VS... just pointing out some issues. I, for one, am extremely grateful for VS...

    Best Regards,

    HJLBX
     
  17. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    I'd think this is a very low priority - let me know when you're bored with nothing else to do & I can try to explain it better :)
     
  18. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    This seems odd - I have VS in Scan & Allow - I ran a script & VS allowed it and all the associated executables so they were then whitelisted - later I deleted the script, but on every boot of the PC the script and associated executables showed up in the VS User log as if they had just run - I eventually thought to delete the script from the VS whitelist and then it stopped showing up in the VS User log...
     
  19. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Sorry, I don't know if the question has been asked before... On my laptop I am using VS and HitmanPro.Alert together and I am wondering if there is a compatibility problem with the VS anti-exploit?
     
  20. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Antarctica

    I am using the same as back ups to WSA; having been running HMP.A + VS for well over a year now and I have never noticed any issues in relation to the two of them.

    Regards, Baldrick
     
  21. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Hi Baldrick,

    Thank you for this, I appreciate it.
    Regards
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Dan,

    Once a program has been whitelisted shouldn't it remain whitelisted?

    [Attachment: VoodooShield - After 3 Weeks.PNG]

    "VoodooShield has been running for at least three weeks now, so it should know by now exactly what to allow and what to block".

    If that was the case, why do I need to allow programs that have already been whitelisted? For example, even here at wilderssecurity.com I've had to re-whitelist Adobe Flash Player NPAPI version in Firefox. Another example is msspellcheckingfacility.exe in IE 11. It has already been allowed previously, so why do I need to allow it again? What am I missing, Dan? What's the point of the first three weeks of 'training'?

    Thanks.
     
    Last edited: Jul 21, 2015
  23. hjlbx

    hjlbx Guest

    @Krusty13

    VS will notify the user when a previously white-listed file has been modified. A file is typically modified when it is updated. An update changes a file - in essence creating a new version. VS detects this new version as "Unknown" and prompts the user to Allow\Block.

    Lots of files get updated in the background without user knowledge. VS alerts the user to the file changes resulting from the updates for maximum protection.

    You can verify if a file has changed by looking for multiple entries for the same file name\path in the White List. Each entry will have a different MD5 hash.

    I suspect this may be what is occurring on your system.

    If you are having to re-white-list files continuously then that would be an indication that something is amiss...
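    The path-plus-hash behaviour described in the post above, as an added illustration (not VoodooShield's code; the class and method names are hypothetical): an updated file keeps its path but produces a new hash, so it is reported as modified and, once allowed, the whitelist holds several hashes for the one path.

```python
"""Hash-based whitelist: a known path with changed bytes is 'modified',
which is what triggers a fresh Allow/Block prompt after an update.
Added illustration, not VoodooShield's code; names are hypothetical."""
import hashlib
from collections import defaultdict


def file_hash(data: bytes) -> str:
    # MD5 is the hash the post above refers to; a new design should use SHA-256.
    return hashlib.md5(data).hexdigest()


class Whitelist:
    def __init__(self) -> None:
        # path (case-folded, Windows paths are case-insensitive) -> set of hashes
        self.entries = defaultdict(set)

    def check(self, path: str, data: bytes) -> str:
        """'known' if this exact content was allowed before,
        'modified' if the path is known but the bytes changed (an update),
        'unknown' if the path has never been allowed."""
        seen = self.entries.get(path.lower())
        if seen is None:
            return "unknown"
        return "known" if file_hash(data) in seen else "modified"

    def allow(self, path: str, data: bytes) -> None:
        """User clicked Allow: remember this content for this path."""
        self.entries[path.lower()].add(file_hash(data))

    def versions(self, path: str) -> int:
        """How many distinct hashes the whitelist holds for one path."""
        return len(self.entries.get(path.lower(), ()))


# Constructed sample contents standing in for two builds of one plugin.
FLASH_V1 = b"constructed sample: NPSWF32 build 1"
FLASH_V2 = b"constructed sample: NPSWF32 build 2"
PLUGIN = r"C:\Windows\System32\Macromed\Flash\NPSWF32.dll"
```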
     
  24. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    You are most welcome, my friend.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ok, I think we are getting close. If I overlooked anything or screwed something up, please let me know ;).

    These items should be fixed:

    1. PeaZip cmd.exe command line issue. This is the way that it was always supposed to work, but there was a bug in the code. If for some reason any of the command lines are not working, please let me know... they should all be working, including rundll32.exe command lines. If something is not working, you might try to delete all of the .dat files in C:\ProgramData\VoodooShield and start over with a clean slate. If this happens, please let me know! Anyway, ALL of the command lines should be working properly now. Of course, you will need to allow the first block in order for each one to be added to the Command Line list. There are A LOT of command lines already hardwired into VS, so there should not be too many blocks.

    2. bcdedit.exe... I reworked this section of code and made it so that bcdedit.exe will work with the command line features as well.

    3. Scan & Allow should now return to Scan & Allow mode after deactivation.

    4. The google chrome update issue with Scan & Allow should be fixed as well (Blocked - setup.exe - c:\windows\temp\cr_31760.tmp\setup.exe), but if it happens again, please let me know!

    5. The cloud based blacklist scan should be faster now and not take more than a few seconds... long story ;). If for some reason it acts funny, please let me know.

    6. Syncing the snapshot with the server... It is working, but the thing is, if you delete your whitelist (computer) from the server, VS does not know that you did so. So I can either add a button somewhere in settings to sync with the server, or you can just exit VS and start it again. I imagine if you click the Confirm Registration button, it would do the same thing. Let me know what you guys think we should do for this.

    To do / remaining bugs:

    1. We will add Cyberfox and 3 other web apps that you guys recommend in the next couple of weeks, once the whole Spartan thing is finalized. I will also add the dismhost hashes for Windows 10 when it is released so it will no longer be blocked (there is no other safe way around this).

    2. We can add blacklisting of single files if there really is a good reason why we need to. We really should keep VS as clean and simple as possible. But if you guys have a real need for me to add that, please let me know and I will add it.

    3. I have not figured out the H1Z1 game issue, although I was able to duplicate it on my end. I think the only thing that will fix that is when we switch to the KMD... assuming that it is not already magically fixed ;).

    4. I have not been able to duplicate the PagePlus X7 error. I forgot who was having an issue with this... but if you are still having an issue, please let me know how I can duplicate the error.

    5. I will wait to hear from Cyrano2 to see what he had in mind for "Custom Read-Only Folders".

    6. Toggling with WMP was not added yet, but we can add it if we decide collectively that an exploit can attack when all of the web apps are closed, or if WMP can "browse the web" and be exploited on its own, without other web apps running. Keep in mind, VS only toggles to OFF if all of the web apps are closed, and if all of the web apps are closed, how is an exploit going to attack? THIS is why toggling is so important... and cool ;). And as I was saying above... the user space is still protected.

    Other than that, I think everything is fixed, but if not, please let me know. Thank you!

    https://voodooshield.com/Download/beta/InstallVoodooShieldbeta.exe
     
    Last edited: Jul 21, 2015
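    The command-line handling discussed in posts 14 to 16 and in item 1 above (a vulnerable process such as cmd.exe or rundll32.exe stays blocked, the first block prompts, and an allowed command line is added to a Command Line list and logged in full), as an added illustration that is not VoodooShield's code; the policy class, process list and log format are hypothetical.

```python
"""Exact-command-line allow-listing for otherwise-blocked processes.
Added illustration, not VoodooShield's code; names are hypothetical."""
import re
from dataclasses import dataclass, field

# Processes that stay blocked unless a specific command line is allow-listed.
VULNERABLE = {"cmd.exe", "rundll32.exe", "xcopy.exe", "bcdedit.exe"}


def normalize(cmdline: str) -> str:
    """Case-fold and collapse whitespace so 'cmd /C' and 'cmd  /c' compare equal."""
    return re.sub(r"\s+", " ", cmdline.strip()).lower()


def image_name(image: str) -> str:
    """Last path component, lower-cased (Windows paths are case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class CommandLinePolicy:
    allowed: set = field(default_factory=set)   # the "Command Line list"
    block_log: list = field(default_factory=list)  # full CLs, for later review

    def decide(self, image: str, cmdline: str) -> str:
        """'allow' for non-vulnerable processes or listed command lines,
        otherwise 'prompt' (the user decides Allow/Block); every prompt is
        logged with the complete command line, not just the process name."""
        if image_name(image) not in VULNERABLE:
            return "allow"
        if normalize(cmdline) in self.allowed:
            return "allow"
        self.block_log.append({"image": image, "cmdline": cmdline})
        return "prompt"

    def user_allowed(self, cmdline: str) -> None:
        """User clicked Allow on the prompt: remember this exact line only."""
        self.allowed.add(normalize(cmdline))


# Constructed sample events (not real logs).
CMD = r"C:\Windows\System32\cmd.exe"
PEAZIP_CL = r'cmd /c "C:\Program Files\PeaZip\res\7z\7z.exe" x archive.7z'
RUNDLL = r"C:\Windows\System32\rundll32.exe"
CPL_CL = r"rundll32.exe shell32.dll,Control_RunDLL"
```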