VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hi
    This one is my first priority. However, I'm not able to reproduce it. Please send me the logs to vlad@voodooshield.com; maybe there will be some useful information.

    Thanks
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I seem to have many Command Line copies. Is this a known issue, or is it normal? I've reset my Whitelist a few times, should I delete all Command Lines at the same time?

    Thanks.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I've found another possible bug.

    Opening IE11 and clicking the Gear icon > Internet Options > Advanced tab > Reset > Apply > choosing to delete settings > both IE11 and VS lock up. Ending IE11 in Task Manager does not free up VS, which means you either need to end it in Task Manager as well, or restart.

    Reproduced on two machines.

    Win10 x64.

    Security programs as per my signature.

    Thanks.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I'm pretty sure this is Netgear Genie but the details in the block are too few to know anything.

    VS ver.PNG

    As soon as I allowed it the Network Map loaded.
    Thanks.
     
    Last edited: Feb 2, 2016
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    Are you running Genie as a separate program? Try it with the browser and the browser will tell you.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Yes, separate Genie program. http://www.netgear.com.au/home/discover/apps/genie.aspx
    I'm not sure what you mean here but I did have Chrome open when I started Netgear Genie. Maybe that's why I received the alert, but my main point was all I had to go on was "ver". That could be anything from benign (like I'm guessing it was) to a version of malware.

    Thanks. :)
     
  7. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    I agree that there is not so much information. Do you expect it to show the parent process as well?
    BTW, sometimes the parent process will be something generic like svchost.exe.
     
  8. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I tried to reproduce it, but without success.
    Actually, after clicking Reset I don't have an option to click Apply. The options window just closes. Do you mean Restore default settings by Reset?
    Anyway, it worked fine on my Win10. If you see this reproduced, please send the logs to vlad@voodooshield.com; maybe there will be something useful. I'll continue trying anyway.
     
  9. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Command lines are not deleted as part of Whitelist cleaning.
    What do you mean that you have many command line copies? Are they the same command line entries?

    Thanks!
     
  10. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    I'm still unable to reproduce it on my dev computer and there is nothing valuable in the logs regarding that bug. I want to add some verbose prints, so could you try to reproduce it on a VS version with those logs, so I'll see what's going on there?

    Thanks in advance
     
  11. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Thank you all for your help in testing VS and making it better each release!
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Vlad, to be honest I don't know what I would expect to see but something a little more than "ver" could be helpful.

    Thanks.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Yeah, sorry about that. I meant, when I click Reset this small window pops up, and if I put a check mark in the box and click Reset on that small box, that is when the lock-up occurs.

    IE Reset.PNG

    I'll send you the logs.

    Cheers!
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Sure Vlad - I am not often using my Win 7 machine (with VS) but will send logs next time I encounter it.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It appears VS is blocking my wireless Netgear adapter driver from running at boot. I have to unplug the wireless adapter from the USB port, and plug it back in after I boot each time. I think it is the driver being blocked anyway, unless it is something from Windows being blocked. I can troubleshoot it more when I return. I have to leave in a moment. This occurred in beta 3.07 also, but I didn't report it because I was not sure what was causing it. I had just upgraded Eset Smart Security to version 9, and also just installed VS beta. I was not sure which was causing it. I rolled my machine back to Eset Smart Security version 8, and installed VS beta 3.08. The problem still occurs. It only started to occur again after installing VS. I went days without the problem occurring until I installed VS last night. This is the wireless adapter I have. I'm only using the standalone driver without the additional software. http://www.netgear.com/home/products/networking/wifi-adapters/WNDA3100.aspx

    I also have another problem that appears to be caused by VS. I have several external drives connected to my computer. Each time I boot, the drives fail to load after the desktop loads. They begin to load one by one about every 20 seconds. It takes a minute or more for all the drive letters to appear in Explorer. Not only that, but they load as if that was the first time the drive had been plugged into the computer. It prompts me for the firmware that comes with them each time. That only happens with my Western Digital drives. I also have Seagate drives, but they do not have firmware that automatically loads at boot like Western Digital. The user has the choice to install the additional software, or not, with Seagate. Regardless, even the Seagate drives fail to load as expected. If I have them plugged in they load one by one about every 20 seconds after the desktop loads.

    I'm using Windows 7 x64 Ultimate.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Hi Cutting_Edgetech,

    I have a different Netgear wireless adapter, this one, and VS isn't blocking it. If you don't unplug it and wait will it eventually load?
     
  17. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    Actually, the VS driver is not expected to block anything unless VS is started. Please send the logs to vlad@voodooshield.com so I can investigate it.

    Thanks in advance
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Just a quick thought... Is VS on the default settings? Some users install VS, then adjust the settings so that everything is extremely locked down. So if your settings are different from the default, it will help tremendously to know what your settings are (I used to run into this all the time). Thank you!
     
  19. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Dan

    Long time no see/hear. Hope that you are well.

    v3.08 beta working fine here other than I continue to have the following logged under the 'Command Line' in relation to WSA:

    "c:\windows\sysnative\rundll32.exe" "c:\windows\system32\wrusr.dll",synproc 8512

    and I am speaking of tens of such lines. Not sure why, and whether there is something else I should be doing/setting, etc.

    Regards, Baldrick
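Added example, not VoodooShield's code: the entry Baldrick quotes ends in a process-specific number (8512), which is one reason near-identical lines pile up in the Command Line list. The script below tokenises Windows command lines (honouring double quotes), folds the WoW64 "sysnative" alias onto system32, separates rundll32's dll,export argument from whatever follows it, and counts distinct DLL/export pairs. It also lists rundll32 calls whose DLL lives outside the Windows directory, a common living-off-the-land pattern that is worth a second look in exactly this kind of log. Only the first line of SAMPLE_LOG is from the thread; the rest are constructed, and every function name is the example's own.

```python
"""Collapse repeated command-line entries such as the rundll32/wrusr.dll line.

Added example, not VoodooShield code.  SAMPLE_LOG holds the one line quoted
in the thread plus constructed variants; nothing here comes from real logs.
"""
from collections import Counter

SAMPLE_LOG = [
    # Quoted in the thread: rundll32 loading wrusr.dll, trailing number 8512.
    r'"c:\windows\sysnative\rundll32.exe" "c:\windows\system32\wrusr.dll",synproc 8512',
    # Constructed: same invocation, different trailing number and casing.
    r'"c:\windows\sysnative\rundll32.exe" "c:\windows\system32\wrusr.dll",synproc 9120',
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\wrusr.dll",SynProc 1044',
    # Constructed: rundll32 loading a DLL from a user-writable temp folder.
    r'"c:\windows\system32\rundll32.exe" c:\users\bob\appdata\local\temp\upd.dll,DllRegisterServer',
    # Constructed: not rundll32 at all.
    r'"c:\windows\system32\cmd.exe" /c ver',
]


def split_windows_cmdline(cmdline):
    """Split on whitespace outside double quotes; the quotes themselves are dropped."""
    # A token written as "<dll path>",export therefore stays one argument.
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_token = True
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append(''.join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(cur))
    return args


def canonical_path(path):
    """Lower-case and fold the WoW64 'sysnative' alias onto system32."""
    return path.lower().replace('\\sysnative\\', '\\system32\\')


def parse_rundll32(cmdline):
    """Return (exe, dll, export, extra_args) for a rundll32 call, else None.

    rundll32's first argument is dll,export; anything after it is handed to
    the export (here the trailing number), so it is split off as extra_args
    and ignored when entries are collapsed.
    """
    args = split_windows_cmdline(cmdline)
    if len(args) < 2:
        return None
    exe = canonical_path(args[0])
    if not (exe == 'rundll32.exe' or exe.endswith('\\rundll32.exe')):
        return None
    if ',' not in args[1]:
        return None
    dll, _, export = args[1].partition(',')
    return exe, canonical_path(dll), export.lower(), tuple(args[2:])


def collapse(log_lines):
    """Count how many log lines map to each distinct (dll, export) pair."""
    counts = Counter()
    for line in log_lines:
        parsed = parse_rundll32(line)
        if parsed:
            _, dll, export, _ = parsed
            counts[(dll, export)] += 1
    return counts


def dll_outside_windows_dir(log_lines, windows_dir='c:\\windows\\'):
    """DLLs that rundll32 loaded from outside the Windows directory.

    Heuristic only: rundll32 running a DLL out of a temp or profile folder is
    a common living-off-the-land pattern; wrusr.dll under system32 is not
    what this flags.
    """
    return [p[1] for p in map(parse_rundll32, log_lines)
            if p and not p[1].startswith(windows_dir)]


if __name__ == '__main__':
    for (dll, export), n in collapse(SAMPLE_LOG).most_common():
        print(f'{n:3d}  {dll},{export}')
    for dll in dll_outside_windows_dir(SAMPLE_LOG):
        print('check:', dll)
```

Run against the five sample lines, the three wrusr.dll entries collapse to one key with a count of 3, the cmd.exe line is ignored, and only the temp-folder DLL is reported for review.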
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Baldrick, yeah, long time no see... I have been wrapping up VoodooAi, it is almost ready (it turned out to be a lot more work than I thought it was going to be). I hope things are well with you guys too!

    On the wrusr.dll issue, I think that is more of a Vlad question, so hopefully he will respond soon, if not I can email him.

    Although it was a major struggle to get it right, VoodooAi really turned out well (I think you guys will be very happy with the results ;)). I have learned a lot about machine learning and Ai, so it is only going to get better and better, especially as we add files to the training data and retrain the models. Machine learning / Ai will never be 100% (if it was, there would not be a need for VoodooShield or any of the other security products ;)), but we did reach the goal of 99% + accuracy and precision... we used Microsoft Azure and IBM Watson, both were instrumental in getting the models right. I am going to talk with the IBM Watson team next week... we are working on a few things that we can add to VoodooAi that will be pretty cool.

    The reason Ai will never be 100% is because sometimes a file just looks like malware when it is not, and vice versa. For example, Ai is used a lot with facial recognition... and sometimes the photo just looks like Jennifer Lawrence, but it simply is not her ;). There is no way around it. There are a few files, for example, baretail.exe, it is a killer tool used by a lot of developers (Vlad uses it a lot), and pretty much all of the 30 or so features of its "fingerprint" absolutely scream malware, but it simply is not malware. Luckily, those files are extremely uncommon. Also, when it comes to greyware, VoodooAi does surprisingly well... moreover, when it encounters a file that is unquestionably malware, it returns an extremely high probability that the file is malware. So what I did was to set this threshold at 95%, and anything that has a probability over this threshold is classified as "Dangerous" (instead of "Unsafe"), although it might be better to set the threshold at 98% or so, and call the results between 50% and 98% "Unsafe", we will have to play around with it a little more and tweak it a touch.

    I have not had the chance to upload that many new clean samples, but after tweaking the models with Azure and Watson, it looks like we do not really have to since the models turned out so well, although adding samples will always help with the accuracy and precision (with big data, you can never have too much ;)). The reason I have not bothered to do this is because I would rather the samples come from a truly random source (like random blocked VoodooShield files or user uploads), because I think the results will turn out better.

    Another really cool thing is the massive list of default processes that will be auto allowed by VS. I actually took the time to install each version of Windows XP-10, and uploaded the standard Windows and MS Office files to VoodooAi to be used for model training, and also for the default processes. Not only each version of Windows, but each service pack... since obviously the .exe and .dll files are updated with service packs and updates. There is not a chance that I got EVERY single .exe and .dll, but I think I came close ;). Anyway, so these will no longer be blocked at all by VS, even the dreaded dismhost ;), although Vlad has already fixed that issue in another way. BTW, one of the problems with dismhost is that it runs from the appdata (or programdata folder, I cannot remember which one for sure), but anyway, it is extremely difficult to SAFELY make it work correctly, but we do not have to worry about that anymore.

    BTW, do you guys think that VoodooAi should be a VS Pro only feature, or should we include it in VS Free as well?

    Here are some screenshots... We need to make the "VoodooAi" a little bigger and make sure everything is lined up. Thank you!

    http://voodooshield.com/artwork/safe.png

    http://voodooshield.com/artwork/unsafe.png

    http://voodooshield.com/artwork/stats.png

    Edit... btw, please notice that the unsafe.png from above is DIGITALLY SIGNED with a VALID SIGNATURE. I bet that is the last time anyone auto allows by digital signature again ;).
     
    Last edited: Feb 6, 2016
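Added example, not VoodooAi code: the post describes a three-way verdict (under 50% Safe, 50% to 95% Unsafe, 95% and above Dangerous, with 98% floated as an alternative cut-off) and a benign tool, baretail.exe, whose fingerprint scores like malware. The script below encodes that verdict rule and sweeps the cut-off over a constructed set of (probability, truly malware) pairs, one of which is a benign file scoring 0.97 to stand in for the baretail case, so the accuracy/precision/recall trade-off behind "we will have to play around with it" can be seen on actual numbers. SAMPLES and every function name are the example's own; the probabilities are made up, not VoodooAi output.

```python
"""Threshold tuning for a malware-probability classifier.

Added example, not VoodooAi code.  SAMPLES is a constructed list of
(probability_of_malware, is_actually_malware) pairs; the benign file scoring
0.97 plays the part of the baretail.exe-style false positive from the post.
"""

SAMPLES = [
    (0.02, False), (0.11, False), (0.30, False), (0.45, False),
    (0.61, False),   # greyware-looking but benign
    (0.97, False),   # benign developer tool whose fingerprint "screams malware"
    (0.52, True),    # malware that only just crosses 50%
    (0.93, True), (0.96, True), (0.99, True), (0.995, True), (0.999, True),
]


def verdict(p, unsafe_at=0.50, dangerous_at=0.95):
    """Three-way label from the post: Safe below unsafe_at, Dangerous at or
    above dangerous_at, Unsafe in between.  Pass dangerous_at=0.98 to try the
    alternative cut-off mentioned in the post."""
    if p >= dangerous_at:
        return "Dangerous"
    if p >= unsafe_at:
        return "Unsafe"
    return "Safe"


def confusion(samples, threshold):
    """Treat score >= threshold as 'malware' and return (tp, fp, tn, fn)."""
    tp = fp = tn = fn = 0
    for p, is_malware in samples:
        flagged = p >= threshold
        if flagged and is_malware:
            tp += 1
        elif flagged:
            fp += 1
        elif is_malware:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def metrics(samples, threshold):
    """Accuracy, precision and recall of the 'flag at threshold' rule."""
    tp, fp, tn, fn = confusion(samples, threshold)
    total = tp + fp + tn + fn
    return {
        "threshold": threshold,
        "accuracy": (tp + tn) / total,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def sweep(samples, thresholds=(0.50, 0.95, 0.98)):
    """Metrics at each candidate cut-off, so the trade-off can be compared."""
    return [metrics(samples, t) for t in thresholds]


if __name__ == "__main__":
    for m in sweep(SAMPLES):
        print("{threshold:.2f}  acc={accuracy:.3f}  prec={precision:.3f}  "
              "recall={recall:.3f}".format(**m))
    for p, _ in SAMPLES:
        print(f"{p:.3f} -> {verdict(p)} (95%) / {verdict(p, dangerous_at=0.98)} (98%)")
```

On these twelve constructed samples, flagging at 50% catches every malware sample but also flags both benign high scorers (precision 0.75); 95% still flags the baretail-style file; 98% clears it (precision 1.0) but misses half the malware, which is the recall cost of pushing the "Dangerous" line up. Real numbers depend entirely on the real training set, so the script is only a way of making that trade-off visible.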
  21. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Dan

    Thanks for the response. I will await Vlad's input...hopefully he can get around to looking at it soon. ;)

    With regard to VoodooAi as a Pro only feature or available in VS Free...I have to come down on the side of keeping it as a Pro feature only, at least for the moment/initially when launched. You have put a goodly deal of work into it and you should be rewarded for that. And one could argue that you should even bring it out as a VS Pro Super version, i.e., one higher than Pro...if you get my drift. :) The other reason for Pro only is that the Free version is nice and simple for those that want it that way, so why complicate it with a level of functionality that they may not want or want to understand?

    In terms of the slider in the screenshots...I think that you should improve the slider, i.e. what is currently a vertical black bar, as it is somewhat out of keeping with the rest of the look and feel. Perhaps an oval or diamond shape would look more harmonious, and perhaps something other than black as it looks too stark against the rest of the colours, etc. Just my thoughts for what they are worth...:rolleyes: But other than that...looking good.

    Regards, Baldrick
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is a great point... maybe there should be a version above Pro... I like it, thank you! BTW, people comment all of the time that we give away WAY too much in the free version, and I tend to agree with them, but that is ok ;). Yeah, it has been a lot of work, can you believe it will be 5 years in just a few months? It is funny how you see these companies that appear to be overnight successes, but then you find out they have been hard at work on their project for 7-8 years ;). Between you and me... if we can get an exclusive mobile license in the next few months, there might even be a chance that we just make everything on the PC side open source. We would post everything on github and all meet in Vegas ;). Who knows what is going to happen, but I will tell you that things are extremely crazy right now (in a good way), and I should be able to talk about it in a couple of months.

    Yeah, on the graph indicator, I know what you mean... I struggled with that darn thing for a couple of hours, and that was the best I could get it... you should have seen my worst version (everyone knows I am really bad with graphic design) ;). I was going to take a picture of Molly's face and put it on there, but there were not enough pixels ;). But anyway, if you or anyone else has a better design for the graph indicator, or even the graph, please feel free to photoshop the image and let us know what you come up with! Thank you!
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Sounds good, Mate! Does that mean we might see it incorporated into a beta soon?

    Cheers!

    All the best, Dan. :)
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Krusty,

    Yeah, it is kind of a long story, but I ended up integrating it into VS 2.86 first (since I had to do that anyway for XP users for the time being), and I sent that version to Vlad, and whenever he has time he is going to integrate it into VS 3.0. I still have a few small things to do on VS 2.86, so once I finish those, I will release VS 2.90. I also have to finish up the stand-alone VoodooAi program that I posted on here a while back... it is not really necessary, but it will be kind of cool to have as a demonstration of VoodooAi by itself, that way users can test VoodooAi more easily, since they are able to analyze multiple files using only VoodooAi.

    After we release all of these in the next few days or weeks, we will want to integrate VS's blacklist scan with VoodooAi, because they are currently completely separate. What I mean by that is something along the lines of combining the blacklist scan with VoodooAi to produce an "auto decision". Most of the time the blacklist scan and VoodooAi results agree with each other, but sometimes they do not, and especially since VoodooAi is so new, I would trust the blacklist scan over VoodooAi, especially if the blacklist scan returns a 0 or a high result, like over 10 positive hits. Yet another scenario... if VoodooShield's false positive feature detects false positives, and VoodooAi is high or low, then maybe the VoodooAi should influence the blacklist scan results. And there are tons of other scenarios, so we just have to work through each one and make it as easy as possible to help the user decide whether the blocked item is a threat or not, and we will adjust the verbiage on the prompts accordingly, and hopefully have some form of an auto decision. VoodooAi's main purpose is to give the user some insight into a blocked item when the item is unknown to the blacklist scan, even though that is quite uncommon, but this is where VoodooAi will be most helpful.

    So that will take a month or so, and during that time, we should have a lot of random samples uploaded to VoodooAi, so we can retrain the Ai models, and the results should be even better. We will also be able to finish up the new Watson algorithm and integrate it into VS. Then we will release VS 3.0, and we should be good to go! Thank you!
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes I have this too. Could the wrusr.dll be something to do with WSA?
     