VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, that is the main reason why we would have to do it over a period of time... and from what I remember, there were some other small issues within the code that we will have to address as well. For example, we will have to add a field to the snapshot.dat sqlite database that marks the file as scanned (so that it is not scanned over and over again). And if we do that, then there is always the chance that we might run into other issues ;). Thank you!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, and I am not sure what the exact limit is, but I imagine it goes by number of uploads per IP address, per minute... something like that. Thank you!
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that would be better, I will change it ;).
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, a few months ago I tried to make it so that if there was not an internet connection (or if it was blocked or whatever), that VS will just resume anyway. Cool, I will install CIS, this will help me troubleshoot and refine this. Thank you!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, this is how the Publisher feature works, let me know what you think. Basically, whenever a new process is allowed, there is a variable known as _PreviousPublisher (or something like that), that changes to the signature of the publisher that was most recently allowed. So if you allow Firefox, anything that is digitally signed by Mozilla will be automatically allowed, until a different publisher is allowed, then that becomes the _PreviousPublisher (then Mozilla is no longer auto allowed). But I wanted to zero out the _PreviousPublisher variable from time to time, just for the heck of it, so I thought the best event for that would be when VS goes from ON to OFF. Also, whenever VS is first started, the _PreviousPublisher variable is null. BTW, we would just do the traditional allow by publisher, but I think this is the best of both worlds, just in case there really are hackers who sign their files. I do not visit the deep web, but I saw something either on TV or on YouTube where they were discussing the exploit marketplace, where people could go to the deep web and purchase exploits. There was a graph that showed the "features" of the exploits, like OS, the exploited app, etc... and one of the features was "Digitally signed". Well, only about 20% were digitally signed, but it scared me enough not to include a general allow by digital signature feature.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, we would definitely want to create an option for that. Thank you!
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,358
    Location:
    Among the gum trees
    Thanks.
    I was thinking more about some people being on a limited connection plan. I'm not, but I know there are some still on dial-up.
     
  8. hjlbx

    hjlbx Guest

    @VoodooShield

    BUG

    v. 2.78beta

    W8.1 x86-64

    Quarantine item list still does not show all items contained in C:\ProgramData\VooDooShield\Quarantine.

    Best Regards,

    HJLBX
     
  9. hjlbx

    hjlbx Guest

    @VoodooShield

    BUG

    v. 2.78beta

    W8.1 x86-64

    WITH VS PASSWORD ENABLED:

    Fresh VS installation as I am in the process of rebuilding the white list.

    Sometimes when I select Allow at the prompt, the file is added to the white-list, but the Allow is not recorded in the User Log and VS still keeps prompting for Block or Allow every time the files are executed. There's a whole bunch of files that are white listed but VS keeps prompting to Block or Allow...

    In short, the VS white list is not being followed\adhered to by VS.

    Clear VS password and issue is fixed...


    Best Regards,

    HJLBX

    PS - Let me know if you want VS logs. Please specify which ones.
     
    Last edited by a moderator: Jul 24, 2015
  10. hjlbx

    hjlbx Guest

    @VoodooShield

    VS does certificate check, correct ? (Can be counterfeited, I know... )

    Also, wouldn't VS detect the difference between (legitimate\safe) Mozilla.exe with hash #1 and (malicious\unknown) Mozilla.exe with hash #2 - where hash #1 and #2 are not the same.

    Best Regards,

    HJLBX
     
    Last edited by a moderator: Jul 25, 2015
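The "previous publisher" rule from post 5 and the hash question from post 10 can be modelled as a small state machine. The code below is an added example written for this thread, not VoodooShield's own code; it assumes a file is identified by its SHA-256 hash, that the signer string stands in for an already verified Authenticode publisher (a real implementation must verify the chain, e.g. with WinVerifyTrust, before trusting that string), that an auto-allow by publisher does not add the file to the whitelist, and that allowing an unsigned file clears the remembered publisher. All file paths, hashes and signer names are constructed.

```python
"""Model of the 'previous publisher' allow rule (added example, not VoodooShield code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class FileInfo:
    path: str
    sha256: str               # identity of the exact file (post 10: hash #1 vs hash #2)
    signer: Optional[str]     # verified publisher name, or None if unsigned/invalid


@dataclass
class PublisherPolicy:
    enabled: bool = True
    whitelist: Set[str] = field(default_factory=set)   # hashes the user explicitly allowed
    previous_publisher: Optional[str] = None           # null at startup, as the post says

    def decide(self, f: FileInfo) -> str:
        """Return 'allow', 'prompt' or 'off' for an execution attempt."""
        if not self.enabled:
            return "off"
        if f.sha256 in self.whitelist:
            return "allow"      # exact file already on the whitelist
        if f.signer is not None and f.signer == self.previous_publisher:
            return "allow"      # same publisher as the most recently allowed file
        return "prompt"         # different hash and no publisher match: ask the user

    def user_allows(self, f: FileInfo) -> None:
        """User clicks Allow: whitelist the hash and remember its publisher."""
        self.whitelist.add(f.sha256)
        self.previous_publisher = f.signer   # assumption: unsigned allow clears it

    def set_enabled(self, on: bool) -> None:
        if self.enabled and not on:
            self.previous_publisher = None   # ON -> OFF zeroes the variable
        self.enabled = on


def run_scenario() -> Dict[str, str]:
    """Walk through the Firefox example from post 5 and the lookalike from post 10."""
    # Constructed sample files; hashes are placeholders, not real digests.
    firefox = FileInfo(r"C:\Program Files\Mozilla Firefox\firefox.exe", "a1" * 32, "Mozilla Corporation")
    updater = FileInfo(r"C:\Program Files\Mozilla Firefox\updater.exe", "b2" * 32, "Mozilla Corporation")
    lookalike = FileInfo(r"C:\Users\user\Downloads\firefox.exe", "c3" * 32, None)  # same name, hash #2, unsigned
    editor = FileInfo(r"C:\Program Files\Notepad++\notepad++.exe", "d4" * 32, "Notepad++")
    later_mozilla = FileInfo(r"C:\Program Files\Mozilla Firefox\plugin-container.exe", "e5" * 32, "Mozilla Corporation")

    p = PublisherPolicy()
    out: Dict[str, str] = {}
    out["firefox_first_run"] = p.decide(firefox)          # nothing known yet -> prompt
    p.user_allows(firefox)                                 # _PreviousPublisher = Mozilla
    out["updater_after_firefox"] = p.decide(updater)       # signed by Mozilla -> auto allow
    out["lookalike_after_firefox"] = p.decide(lookalike)   # different hash, unsigned -> prompt
    out["editor_first_run"] = p.decide(editor)             # other publisher -> prompt
    p.user_allows(editor)                                  # _PreviousPublisher = Notepad++
    out["updater_after_editor"] = p.decide(updater)        # Mozilla no longer auto allowed
    p.set_enabled(False)                                   # ON -> OFF resets the variable
    p.set_enabled(True)
    out["firefox_after_toggle"] = p.decide(firefox)        # still whitelisted by hash
    out["mozilla_after_toggle"] = p.decide(later_mozilla)  # publisher forgotten -> prompt
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:26s} -> {decision}")
```

The scenario shows why the rule is narrower than a general allow-by-publisher: the window in which a publisher is trusted closes as soon as a different publisher is allowed or the shield is switched off, and a file with the same name but a different hash and no valid signature is never carried along by the earlier allow.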
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,236
    Location:
    Under a bushel ...
    +1
     
  12. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    83
    Location:
    UK
    This worked fine Dan ...thanks
     
  13. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Woke up to find this crash on my screen. Voodooshield has stopped working.
    Here are some of the temp files it logged.

    Snapshot dumper deactivated.
    - Snapshot available: 1.
    - Snapshots disabled: 0.
    - Snapshot status: 00000000.
    - Dumper status: 00000001.
    - Process WER flags: 00000000.
    - Watson request dump: 001001A4.

    Code:
    <?xml version="1.0" encoding="UTF-16"?>
    <DATABASE>
    <EXE NAME="VoodooShield.exe" FILTER="CMI_FILTER_PRIVACY">
        <MATCHING_FILE NAME="log4net.dll" SIZE="311296" SIZE_OF_IMAGE="0x50000" CHECKSUM="0x21762A13" BIN_FILE_VERSION="1.2.13.0" BIN_PRODUCT_VERSION="1.2.0.0" PRODUCT_VERSION="1.2" FILE_DESCRIPTION="Apache log4net for .NET Framework 2.0" COMPANY_NAME="The Apache Software Foundation" PRODUCT_NAME="log4net" FILE_VERSION="1.2.13.0" ORIGINAL_FILENAME="log4net.dll" INTERNAL_NAME="log4net.dll" LEGAL_COPYRIGHT="Copyright 2004-2013 The Apache Software Foundation." VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x508A5" LINKER_VERSION="0x0" FROM_BIN_FILE_VERSION="1.2.13.0" FROM_BIN_PRODUCT_VERSION="1.2.0.0" UPTO_BIN_FILE_VERSION="1.2.13.0" UPTO_BIN_PRODUCT_VERSION="1.2.0.0" LINK_DATE="11/18/2013 04:51:38" FROM_LINK_DATE="11/18/2013 04:51:38" UPTO_LINK_DATE="11/18/2013 04:51:38" VER_LANGUAGE="Language Neutral [0x0]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0xCD78EDB3" />
        <MATCHING_FILE NAME="SQLite.Interop.dll" SIZE="1036800" SIZE_OF_IMAGE="0x102000" CHECKSUM="0x939FCC5C" BIN_FILE_VERSION="1.0.94.0" BIN_PRODUCT_VERSION="1.0.94.0" PRODUCT_VERSION="1.0.94.0" FILE_DESCRIPTION="System.Data.SQLite Interop Assembly" COMPANY_NAME="Robert Simpson, et al." PRODUCT_NAME="System.Data.SQLite" FILE_VERSION="1.0.94.0" ORIGINAL_FILENAME="SQLite.Interop.dll" INTERNAL_NAME="SQLite.Interop" LEGAL_COPYRIGHT="Public Domain" VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x10776C" LINKER_VERSION="0x10000" FROM_BIN_FILE_VERSION="1.0.94.0" FROM_BIN_PRODUCT_VERSION="1.0.94.0" UPTO_BIN_FILE_VERSION="1.0.94.0" UPTO_BIN_PRODUCT_VERSION="1.0.94.0" LINK_DATE="09/06/2014 02:29:05" FROM_LINK_DATE="09/06/2014 02:29:05" UPTO_LINK_DATE="09/06/2014 02:29:05" EXPORT_NAME="SQLite.Interop.dll" VER_LANGUAGE="English (United States) [0x409]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0xB7D51C89" />
        <MATCHING_FILE NAME="System.Data.SQLite.dll" SIZE="286720" SIZE_OF_IMAGE="0x4A000" CHECKSUM="0xEFCE862C" BIN_FILE_VERSION="1.0.94.0" BIN_PRODUCT_VERSION="1.0.94.0" PRODUCT_VERSION="1.0.94.0" FILE_DESCRIPTION="System.Data.SQLite Core" COMPANY_NAME="http://system.data.sqlite.org/" PRODUCT_NAME="System.Data.SQLite" FILE_VERSION="1.0.94.0" ORIGINAL_FILENAME="System.Data.SQLite.dll" INTERNAL_NAME="System.Data.SQLite.dll" LEGAL_COPYRIGHT="Public Domain" VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x49473" LINKER_VERSION="0x0" FROM_BIN_FILE_VERSION="1.0.94.0" FROM_BIN_PRODUCT_VERSION="1.0.94.0" UPTO_BIN_FILE_VERSION="1.0.94.0" UPTO_BIN_PRODUCT_VERSION="1.0.94.0" LINK_DATE="09/06/2014 02:23:25" FROM_LINK_DATE="09/06/2014 02:23:25" UPTO_LINK_DATE="09/06/2014 02:23:25" VER_LANGUAGE="Language Neutral [0x0]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0xA38F267B" />
        <MATCHING_FILE NAME="unins000.exe" SIZE="750241" SIZE_OF_IMAGE="0xC5000" CHECKSUM="0xA469C5D3" BIN_FILE_VERSION="51.52.0.0" BIN_PRODUCT_VERSION="0.0.0.0" FILE_DESCRIPTION="Setup/Uninstall" FILE_VERSION="51.52.0.0" VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x60000" FROM_BIN_FILE_VERSION="51.52.0.0" FROM_BIN_PRODUCT_VERSION="0.0.0.0" UPTO_BIN_FILE_VERSION="51.52.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="06/19/1992 22:22:17" FROM_LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="Language Neutral [0x0]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0xC6704221" />
        <MATCHING_FILE NAME="VoodooShield.exe" SIZE="1756096" SIZE_OF_IMAGE="0x1B0000" CHECKSUM="0xA5CE9645" BIN_FILE_VERSION="2.0.0.0" BIN_PRODUCT_VERSION="2.0.0.0" PRODUCT_VERSION="2.0.0.0" FILE_DESCRIPTION="VoodooShield" COMPANY_NAME="VoodooSoft, LLC" PRODUCT_NAME="VoodooShield" FILE_VERSION="2.0.0.0" ORIGINAL_FILENAME="VoodooShield.exe" INTERNAL_NAME="VoodooShield.exe" LEGAL_COPYRIGHT="Copyright © VoodooSoft, LLC 2015" VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x1B595D" LINKER_VERSION="0x0" FROM_BIN_FILE_VERSION="2.0.0.0" FROM_BIN_PRODUCT_VERSION="2.0.0.0" UPTO_BIN_FILE_VERSION="2.0.0.0" UPTO_BIN_PRODUCT_VERSION="2.0.0.0" LINK_DATE="07/17/2015 04:20:17" FROM_LINK_DATE="07/17/2015 04:20:17" UPTO_LINK_DATE="07/17/2015 04:20:17" VER_LANGUAGE="Language Neutral [0x0]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0x46968FF4" />
        <MATCHING_FILE NAME="VoodooShieldService.exe" SIZE="79384" SIZE_OF_IMAGE="0x1A000" CHECKSUM="0x30FCEEC4" BIN_FILE_VERSION="2.0.0.0" BIN_PRODUCT_VERSION="2.0.0.0" PRODUCT_VERSION="2.0.0.0" FILE_DESCRIPTION="VoodooShield" COMPANY_NAME="VoodooSoft, LLC" PRODUCT_NAME="VoodooShield" FILE_VERSION="2.0.0.0" ORIGINAL_FILENAME="VoodooShieldService.exe" INTERNAL_NAME="VoodooShieldService.exe" LEGAL_COPYRIGHT="Copyright © VoodooSoft, LLC 2011" VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x16D98" LINKER_VERSION="0x0" FROM_BIN_FILE_VERSION="2.0.0.0" FROM_BIN_PRODUCT_VERSION="2.0.0.0" UPTO_BIN_FILE_VERSION="2.0.0.0" UPTO_BIN_PRODUCT_VERSION="2.0.0.0" LINK_DATE="07/17/2015 04:20:02" FROM_LINK_DATE="07/17/2015 04:20:02" UPTO_LINK_DATE="07/17/2015 04:20:02" VER_LANGUAGE="Language Neutral [0x0]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0xAE557C7C" />
        <MATCHING_FILE NAME="VSUP.exe" SIZE="423960" SIZE_OF_IMAGE="0x6C000" CHECKSUM="0x55CF6AB1" BIN_FILE_VERSION="1.0.0.0" BIN_PRODUCT_VERSION="1.0.0.0" PRODUCT_VERSION="1.0.0.0" FILE_DESCRIPTION="VSUP" COMPANY_NAME="Microsoft" PRODUCT_NAME="VSUP" FILE_VERSION="1.0.0.0" ORIGINAL_FILENAME="VSUP.exe" INTERNAL_NAME="VSUP.exe" LEGAL_COPYRIGHT="Copyright © Microsoft 2015" VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x6BCDD" LINKER_VERSION="0x0" FROM_BIN_FILE_VERSION="1.0.0.0" FROM_BIN_PRODUCT_VERSION="1.0.0.0" UPTO_BIN_FILE_VERSION="1.0.0.0" UPTO_BIN_PRODUCT_VERSION="1.0.0.0" LINK_DATE="06/28/2015 02:38:31" FROM_LINK_DATE="06/28/2015 02:38:31" UPTO_LINK_DATE="06/28/2015 02:38:31" VER_LANGUAGE="Language Neutral [0x0]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0x5C2DF1AA" />
    </EXE>
    <EXE NAME="KERNELBASE.dll" FILTER="CMI_FILTER_THISFILEONLY">
        <MATCHING_FILE NAME="KernelBase.dll" SIZE="1133200" SIZE_OF_IMAGE="0x115000" CHECKSUM="0x1FE95AF9" BIN_FILE_VERSION="6.3.9600.17415" BIN_PRODUCT_VERSION="6.3.9600.17415" PRODUCT_VERSION="6.3.9600.17031" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="6.3.9600.17031 (winblue_gdr.140221-1952)" ORIGINAL_FILENAME="Kernelbase.dll.mui" INTERNAL_NAME="Kernelbase.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x114D5C" LINKER_VERSION="0x60003" FROM_BIN_FILE_VERSION="6.3.9600.17415" FROM_BIN_PRODUCT_VERSION="6.3.9600.17415" UPTO_BIN_FILE_VERSION="6.3.9600.17415" UPTO_BIN_PRODUCT_VERSION="6.3.9600.17415" LINK_DATE="10/29/2014 02:55:51" FROM_LINK_DATE="10/29/2014 02:55:51" UPTO_LINK_DATE="10/29/2014 02:55:51" EXPORT_NAME="KERNELBASE.dll" VER_LANGUAGE="English (United States) [0x409]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0x5C4915B0" />
    </EXE>
    <EXE NAME="kernel32.dll" FILTER="CMI_FILTER_THISFILEONLY">
        <MATCHING_FILE NAME="kernel32.dll" SIZE="1309744" SIZE_OF_IMAGE="0x13E000" CHECKSUM="0x25882EE1" BIN_FILE_VERSION="6.3.9600.17415" BIN_PRODUCT_VERSION="6.3.9600.17415" PRODUCT_VERSION="6.3.9600.17031" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="6.3.9600.17031 (winblue_gdr.140221-1952)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x140FEC" LINKER_VERSION="0x60003" FROM_BIN_FILE_VERSION="6.3.9600.17415" FROM_BIN_PRODUCT_VERSION="6.3.9600.17415" UPTO_BIN_FILE_VERSION="6.3.9600.17415" UPTO_BIN_PRODUCT_VERSION="6.3.9600.17415" LINK_DATE="10/29/2014 02:45:30" FROM_LINK_DATE="10/29/2014 02:45:30" UPTO_LINK_DATE="10/29/2014 02:45:30" EXPORT_NAME="KERNEL32.dll" VER_LANGUAGE="English (United States) [0x409]" EXE_WRAPPER="0x0" CRC_CHECKSUM="0x9ABF3B67" />
    </EXE>
    </DATABASE>
    
     
  14. hjlbx

    hjlbx Guest

    @VoodooShield

    Need a toast or an audible cue when VS blocks an app in W8/8.1 and W10.

    When VS blocks an app the typical user will not immediately know what is happening since a VS block notification does not take the user from the app screen to the desktop. They're apt to kinda stare at the screen and think the app does not function. Not a huge issue, just a less-than optimal UI matter - that is due to the way MS Windows Apps work...

    Does that make sense ?

    Best Regards,

    HJLBX
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,601
    Location:
    USA
    I don't use Windows 8-10, but it sounds like a needed change to me.
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,875
    I have had problems with VS after the last two reboots. Looks like it might be time for an uninstall, then fresh install...I am running v2.75 on XP.

    ScreenShot_VS_unable to connect VoodooShield Service popup_01.gif ScreenShot_VS_unable to connect VoodooShield Service popup_02.gif
     
  17. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    355
    Location:
    Canada
    I have been trying to install the Binisoft Windows Firewall Control - it was failing due to the installers being blocked from communicating with each other. I had VS in disabled/install mode + tried doing a custom allow for the folders the installers were in + unticked the 'scan user space' option... nothing seemed to work... I finally uninstalled VS and WFC installed no problem.

    So it would seem VS was blocking the install - are VS and WFC not compatible or should I have been doing something different - I don't see how I could have had VS any more "disabled"

    Edit - I've re-installed VS & there doesn't seem to be an issue with WFC - so looks like it is only an issue with the install
     
    Last edited: Jul 27, 2015
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,358
    Location:
    Among the gum trees
    Hi rm22,
    I don't know if it makes any difference but I'm getting in to the habit of putting VS in Training Mode while installing or updating programs now. Don't know if that would help here though.
     
  19. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    355
    Location:
    Canada
    @Krusty13 - that usually works for me as well, but I continued to try to disable VS more with each failed install attempt
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,358
    Location:
    Among the gum trees
    Perhaps one option you could have tried before uninstalling VS is to right click the gadget and exit VS, install the program, then restart.
    I'm sure Dan will have an idea of what went wrong.

    Cheers!
     
  21. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    355
    Location:
    Canada
    I tried that as well - still failed.

    Edit - I can't remember if I tried to stop the VS service... that should work assuming 'exit' just shuts down the GUI and not the service
     
    Last edited: Jul 27, 2015
  22. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    130
    Location:
    Spain
    That's exactly what I was thinking, I was talking about a restriction policy for all files, not just executables. That way, you can limit what you can or can not do to all the files within the protected folder. My example was, as options: block, read-only, hidden and no-execution (this last option is, I think, more or less what the "Custom Blocked Folders" is actually).

    I've also tried "Custom Blocked Folders" with a whitelisted file and when I've put it in the protected folder and tried to execute it, VS asked me about what to do, so thumbs up ;).
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,358
    Location:
    Among the gum trees
    @VoodooShield ,
    Is VS compatible with Win10 yet? If not, will it be soon?
    Thanks.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yep, it is all ready to go! There were a couple of small curve balls that I had to work around, but man, it really seems to be running well on 10. I will catch up very soon on the posts that I missed and finish the to do list... there were a few things that I did not get to today, but they will be finished soon. I wanted to make sure everything was working well with 10 first.

    Even if you are not running Windows 10, I highly recommend upgrading anyway... there was a bug that could cause stability problems / crashing with VS, but it is fixed now.

    https://voodooshield.com/Download/beta/InstallVoodooShieldbeta.exe

    Thank you, talk to you guys soon!
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,358
    Location:
    Among the gum trees
    Thanks Dan. :thumb:
     