VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    You should be able to go into settings / whitelist and right click / delete that item, or reset your whitelist. I can also setup a free VS Pro account for you, just email me at support@voodooshield.com. Thank you!
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It's fun yanking their chains. Last time I got a call, I played around. He took me to the event viewer and asked me what I saw. I replied nothing. He wasn't prepared for that, so he led me in a circle, bringing me right back to the event viewer, and again asked me what I saw. I replied there was one message, and it said, if someone called claiming they were from MS, and if they directed me here, then they were scamming. Next thing I heard was click.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    How funny, I will have to remember that for the next time they call ;).
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! If you or any of the other wilders users would like a free VS Pro license, please email me at support@voodooshield.com.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    Q1: ... is VS payload block in any way dependent on VirusTotal...?
Does the exploit have to be known by VT for VS to block the payload?
    Q2: ...any consideration towards VS communication with Sandboxie...?
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Q1: No, not at all, they are completely independent.
Q2: We have not tested it yet, but I suspect that the KMD will block the sandboxed processes by default. If that is the case, we will want to make the blocking of sandbox processes optional by creating an option in settings. The whole goal of VS is to safely allow as much good stuff as possible... some people want everything to be blocked but most people want the fewest blocks possible, so it really is a juggling act. The thing is though, the whole purpose of Sandboxie is to run the application in a sandbox, so blocking the process is counter-intuitive to me, since the goal is to run the process in a sandbox. The KMD is a lot more flexible than the AppCertDLL, so it really is limitless what we can do with it.

    Also, Vlad and I have been coming up with some cool ideas and enhancements that we can add once VS 3.0 is stable. One example is adding a right click option "Whitelist Folder" to the Custom Folder treeviews. That way the user can easily whitelist Program Files, for example. There are A LOT of things we can do with the Custom Folders treeview, and it will be quite easy to add.

    I think we might also add background whitelisting of the Program Files and specific Windows folders after the user installs VS. Basically, VS will start after installation, and "slowly" whitelist specific folders in the background. We do not want to whitelist the entire C drive, because we want to have the smallest possible whitelist for a lot of different reasons, but it would be nice to whitelist Program Files and specific Windows folders, and possibly remove the "Automatically allow PF / Windows" options from settings.

    We also will probably add a blacklist scan of the currently running processes, in case the computer is infected prior to installing VS.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, this is normal... it is just saving the settings. During this time, the close button is disabled. Vlad might be able to make that a little more user friendly... I just did not want VS to be reading from the .dat files while it was writing to it, so that is why I did it that way. Vlad is a much better coder than I am, so he is going to be able to really do some cool stuff with VS, and make it as user friendly and stable as possible.

Yeah, the Windows 10 CMD issue is just a small bug in the code. Basically, when VS blocks a command line it has to kind of analyze it and figure out what to do with it, especially for cmd.exe command lines. For example, a batch file block (e.g. C:\Users\Dan\Desktop\test.bat) is different from a "format D: /FS:NTFS /x" block. That is, for the batch file block, VS should handle it as a process, block it, and show the path of the test.bat file. Whereas on the format block, it should handle it as a command line and show the command line. So it is not like a difficult bug to fix, we just have to tweak the code a little so that VS knows what should be handled as a process and what should be handled as a command line. And actually, if we have samples that help us reproduce each scenario, then it is pretty easy to fix. But Vlad knows about this and we will make sure it is working correctly. There may be some small tweaks to do after the first VS 3.0 release, but overall it should be working great.
     
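The batch-file-versus-command-line distinction described in the post above, as an added illustration that is not VoodooShield's own code: a constructed heuristic that decides whether a blocked cmd.exe command line should be reported as a script process (showing the script path) or as a raw command line (showing the whole line). The function names, the handling of the /c and /k switches, and the .bat/.cmd extension list are assumptions.

```python
import shlex
from typing import List, Tuple

# Constructed heuristic, not VoodooShield's own logic (assumption): which
# script extensions mean "treat the block as a process and show the path".
SCRIPT_EXTS = (".bat", ".cmd")
# cmd.exe switches that introduce the command to run (assumption).
CMD_SWITCHES = {"/c", "/k"}


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace, honouring double quotes, without treating
    backslashes as escapes (shlex posix=False keeps the quotes on the
    token, so they are stripped here)."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to a plain split
        tokens = cmdline.split()
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in tokens]


def classify_block(cmdline: str) -> Tuple[str, str]:
    """Return ("process", script_path) when the blocked command line is a
    batch/cmd script being launched (directly or via cmd.exe /c or /k),
    and ("commandline", cmdline) for anything else, e.g. an inline format
    command, so the whole line is what gets shown and logged."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return ("commandline", cmdline)
    head = tokens[0].lower()
    if head == "cmd" or head.endswith("cmd.exe"):
        rest = tokens[1:]
        # Skip /c or /k so the first real argument is examined.
        while rest and rest[0].lower() in CMD_SWITCHES:
            rest = rest[1:]
    else:
        rest = tokens
    if rest and rest[0].lower().endswith(SCRIPT_EXTS):
        return ("process", rest[0])
    return ("commandline", cmdline)


if __name__ == "__main__":
    # Constructed sample blocks mirroring the two cases from the post.
    for line in (r"C:\Users\Dan\Desktop\test.bat",
                 r'cmd.exe /c "C:\Users\Dan\Desktop\test.bat"',
                 "cmd.exe /c format D: /FS:NTFS /x"):
        print(classify_block(line))
```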
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
Well, that goes back to default allow blacklist block vs default block whitelist allow. I think we'll agree default block whitelist allow is easier and better. Would be intriguing if I could whitelist allow items running in an application sandbox. Running an application sandboxed is not blocked by VS. I'm thinking about a payload dropped in my web facing application sandbox blocked by default.
     
    Last edited: Sep 20, 2015
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmmm, I never thought of that (I'm thinking a payload dropped in my web facing application sandbox blocked by default.). Yeah, I guess these would be blocked as well. We will just have to play around with it and see.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I appreciate that, and we might need to do that in the future, but I think we found a way to reproduce this error consistently. I was installing flash player (for firefox) on Windows 10 about a week ago, and I finally had the same issue. So we can use that to reproduce and fix the error. But if it continues to happen after the first or second version of VS 3.0 is out, please let me know.

    We actually could release VS 3.0 right now, but there are a few minor bugs like this that we are working out. And if we keep polishing it without releasing a beta, it may take a few more weeks. So Vlad is going to let me know when he is comfortable with the first beta release, then I am going to test the heck out of it and then he will post it. But I imagine in 2-3 weeks, we should have a completely stable, and essentially bug free version of VS 3.0 ;).
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, that will help a lot!
     
  12. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
Reset VS, but WFC update still fails unless GUI & service are shut down - I'll let you know what happens with VS 3 :)
     
  13. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,600
    Location:
    South Wales, UK
    Hi rm22

By WFC are you referring to Windows Firewall Control (Binisoft)? If so then I am surprised by what you say, as I have had issues with updates which I thought were due to VS intervention, but what I have found is that they are due to WFC itself and the need for some updates to be run with admin rights. As it stands, if one allows WFC under VS (and why would one not) there do not appear to be any issues on my system.

    Apologies if I am misunderstanding you in any way.

    Regards, Baldrick
     
  14. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    990
    The Pop Up states that you can uncheck the box but it is NOT recommended. How can we assume we are still safe if we uncheck the box? Why not provide more information?
     
  15. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you for your reply.
    Your explanation is clear enough to make me understand it:)
     
  16. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
Hi Baldrick - yes, I'm referring to the Binisoft controller. I could not even install WFC until I disabled the VS GUI and service... tried to allow WFC in VS, excluded the install folders, etc, etc, but no dice. Updates of WFC have the same issue. But I don't have an issue with VS or WFC once they are both installed.

Interesting that you don't have the same issue - maybe a different OS? I've had a few issues with VS on Win8.1 that I don't see on Win7.
     
  17. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,600
    Location:
    South Wales, UK
    Hi rm22

    No issues on either Win 7, Win8/8.1 or Win 10...so I am not sure why you have the issue.

    Regards, Baldrick
     
  18. russ0408

    russ0408 Registered Member

    Joined:
    May 16, 2010
    Posts:
    38
    Location:
    On. Canada
    I had the same Problem rm22. Matter of fact I just went through it. I tried to update WFC, and had to uninstall VS before I could do it.
     
  19. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
The issue seems to be caused by a WFC installer in ...AppData\Local\Temp that is blocked from communicating with the main WFC executable by VS.

    @russ0408 I can update WFC by exiting out of VS GUI & stopping the VS service - then just restart the service & GUI after the update.
@Baldrick What state is VS in when you update WFC, and did you do anything special to allow the installer? Have you changed default settings in VS - maybe turned exploit protection off or something?
     
  20. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,600
    Location:
    South Wales, UK
    Hi rm22

I always run in Scan & Allow mode since that mode was introduced.

    Regards, Baldrick
     
  21. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
Hmmm - me too. Oh well - hopefully this is resolved in VS 3.
     
  22. guest

    guest Guest

Where can I find a summary of the planned features in VS 3?

    thanks
     
  23. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    I'm having this exact issue too when connecting to my VPN, same command line. It shows up in the Command Line tab in VS, but I continue to get like 15-20 pop ups when I connect to my VPN. I'm using the free version of VS on this PC, not sure if that matters.

    If it's a bug, can we have it fixed in version 3, please? ;-)
     
  24. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
Thanks for the explanation. With all respect, I think calling what is basically an anti-executable technology an anti-exploit technology is a bit confusing. If being able to SOMEHOW stop an exploit attack is all that is required to be an "anti-exploit", then every single antivirus program in the world also has anti-exploit functionality. ;-)
    But I get it, it's a marketing thing, a (technically incorrect) way of explaining to users, that VoodooShield will ALSO provide protection against exploits.

I hope to soon do some testing of what is possible to do by exploiting a vulnerable browser plugin, and then see what can be done without the need for a payload to execute, or the need for powershell or other tools which are blocked by VS. Exploiting Flash and using a meterpreter should make it technically possible to do all the stuff that Flash is able to do. So if Flash can turn on the microphone, then the hacker should also be able to do that, and if Flash can do keylogging, then the hacker can extract the passwords that are typed etc.

    How much can be done with this method without getting stopped by VS? I'd love to hear from anyone who has tried something like this. So far, it's the closest I have come to a realistic way of bypassing VoodooShield.
     
  25. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    604
    Location:
    Wallachia
I am trialing the basic version and I have observed that if I enable Always On mode and leave the PC AFK while navigating in some website, the software goes to Off. It recovers after moving the mouse. So why is it going off if I set it to ON exactly when I am not at the keyboard?! :)
     