VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey, look, VS finally has a User Guide ;).

    www.voodooshield.com/Download/VoodooShieldUserGuide.pdf

    This is a rough draft... please let me know if you guys find anything that I missed. The goal was to keep it as concise as possible, but still contain all of the important info.
     
    Last edited: Mar 17, 2016
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    VoodooAi still the same problem (if this is the latest version):
     


  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I am just having my first play with AI (portable) and am finding several programs marked up as unsafe that I consider safe such as:-

    Quicken
    MS Money
    CCleaner
    Adobe Photoshop.

    There are others but can't remember them.

    I don't know if this is meant to be the output format but to me it would make more sense if they were shown as whole numbers, or maybe just the slider. Though that would not work for colour blind.
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Hmm..
     


  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    About VT... yeah, exactly, but I am wondering why it is taking so long for the other engines to catch up. Maybe it is because of what you suggested, maybe they are just a little behind because there are so many files to check. Thank you for checking out the user guide!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, the standalone version of VoodooAi has not been updated since its initial release.
     
  7. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Apologies if this has been asked before but it is a long thread and difficult to get through now.

    I tried VS way back at the beginning but moved away. Been trying freemium recently (latest beta) and impressed. I use always on. The only issue I have is whether VS turns itself off to allow some safe apps to run. Specifically HMP and Privazer. When I run either of these 2 then relaunch my browser VS tells me protection is off and asks if I want to re-enable. Is this just a beta bug, display issue etc or is it actually turning itself off?

    Thanks
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for catching that! What happened was that there were quite a few invalid results from when our Croatian friends were testing VoodooAi. How VoodooAi works is that it analyzes the file, then it stores the results in a database, that way the next time someone analyzes the exact same file, the results are returned much quicker... and besides, the results are going to be the exact same, even if you analyze the file twice (unless we change the algorithms). BTW, this is why sometimes the results are returned very quickly... it just means that someone had already analyzed the file and it is in the database. Whereas if it is a new file that has not been analyzed before, there will be a slight delay. Also, if there is an even slightly longer delay, that means that the machines are not warmed up because a new file had not been analyzed within the last hour or so, and it takes a couple of extra seconds for them to warm up.

    So I just had to clear the invalid results that were stored in the database, so please try it again... it should work great. If you are getting crazy results, please let me know!

    Yeah, we definitely need to make some GUI changes! Thank you!
     
    Last edited: Mar 17, 2016
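
    The caching behaviour described in the post above, as an added example that is not part of the original post and is not VoodooShield's code: a verdict cache keyed on the file's SHA-256 plus an algorithm version, which refuses to store invalid results. `VerdictCache`, `toy_analyze`, `ALGORITHM_VERSION` and the 0.0 to 1.0 score range are assumptions made for the illustration.

```python
import hashlib

ALGORITHM_VERSION = 1  # hypothetical: bumped whenever the scoring algorithm changes


def toy_analyze(data):
    """Constructed stand-in for the real analysis: deterministic score in [0, 1].

    Returns None when analysis cannot produce a valid result (here: empty input).
    """
    if not data:
        return None
    return round(sum(b > 0x7F for b in data) / len(data), 2)


class VerdictCache:
    def __init__(self, analyze, version=ALGORITHM_VERSION):
        self._analyze = analyze
        self._version = version
        self._store = {}      # (sha256 hex digest, algorithm version) -> score
        self.analyses = 0     # how many times the slow path actually ran

    def lookup(self, data):
        """Return (score, source); source is 'cached', 'fresh' or 'invalid'."""
        key = (hashlib.sha256(data).hexdigest(), self._version)
        if key in self._store:
            return self._store[key], "cached"   # same bytes, same algorithm: fast path
        self.analyses += 1
        score = self._analyze(data)
        if score is None or not 0.0 <= score <= 1.0:
            # Never persist a bad result: it would be served to every later
            # requester of the same file until someone cleared it by hand.
            return None, "invalid"
        self._store[key] = score
        return score, "fresh"

    def upgrade(self, version):
        """Switch algorithm version; old entries stay stored but are never hit."""
        self._version = version
```

    Because the version is part of the key, a change of algorithm does not require purging the old entries: they simply stop matching.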
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that makes sense to me!
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hi Elwe! This is a feature that can be disabled in Settings... it is the first option on the Advance Settings tab... "Automatically reactivate when returning to a web app". The whole purpose of this feature is to let the user know that VS is OFF when they return to a web app (since VS was either manually or automatically turned OFF at some point).

    If you need a license, please email me at support@voodooshield.com. Thank you!
     
  11. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Thanks for that, much appreciated. Will take you up on that and try with that setting enabled. Could you possibly confirm there are occasions where VS will auto turn-off for usability reasons with some apps?

    Thanks again
     
  12. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Thanks. Much appreciated.

    Makes sense. Was 'always on' I was thinking about but will read the guide to get more familiar with what has changed since I last looked.

    Regards
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Welcome! VS should only toggle with the web apps, or if the user clicks the Install button on the user prompt, then VS will turn off. If you notice anything different, please let us know!
     
  14. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  16. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    Thank you, Saved to my documents. :thumb: :D
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Ditto! Thanks Dan. :cool:
     
  18. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Yeppers...+1 here...and now for some bedtime reading...:argh::p
     
  19. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations/Greetings!

    > I will be into the User Guide www.voodooshield.com/Download/VoodooShieldUserGuide.pdf agree bedtime reading.

    "Hey Moose, is this still an issue? If so, please let us know, thank you!"
    > The issue with Sandboxie seems to have cleared up, only mishap with Sandboxie about 4 days ago.

    Thanks for the answer about Smart (Default), appreciated.
    "Smart mode will toggle VS ON and OFF when web apps
    are launched, whereas Always ON just stays on all the time
    and does not toggle with the web apps. I hope to have the
    VS owners manual ready soon... sorry for the delay."
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm doing good. I keep myself busy with my language studies. I've been testing some rules I wrote for web apps with another application. I have blacklisted several web applications (including Firefox) from being the parent of rundll32.exe, cmd.exe, taskhost.exe, conhost.exe, and taskeng.exe. I have been using these rules for a little over a week now, and it has not caused any problems. I'm not really sure taskeng.exe needs to be monitored by parent. I could not find a detailed enough description to make a decision so I wrote a rule for it anyway for testing purposes. I think most other vulnerable resources can be safely blocked globally. I would still give an option in VS to allow the user to add their own executables to block. Wilders users and administrators will love to have that functionality.

    I think VS should focus more on monitoring web applications using parent-child rules. rundll32.exe, cmd.exe, taskhost.exe, conhost.exe, etc. can't be blocked globally, but I think they can safely be blocked using parent-child rules. This will make the web apps feature more effective in mitigating exploits.
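
    The parent-child rules described in the post above, as an added example that is not part of the original post and is not VoodooShield's code: a rule check run over constructed process-creation events. The event field names, the sample paths and every `WEB_APPS` entry other than Firefox are assumptions made for the illustration.

```python
import ntpath

# Web apps that must not be the parent of a guarded process.
# Only Firefox is named in the post; the other entries are hypothetical.
WEB_APPS = {"firefox.exe", "chrome.exe", "iexplore.exe"}

# Processes the post says cannot be blocked globally but can be blocked by parent.
GUARDED_CHILDREN = {"rundll32.exe", "cmd.exe", "taskhost.exe",
                    "conhost.exe", "taskeng.exe"}


def image_name(path):
    """Normalise a Windows image path to a lower-case file name."""
    return ntpath.basename(path.strip().strip('"')).lower()


def evaluate(event, web_apps=WEB_APPS, guarded=GUARDED_CHILDREN):
    """Return 'block' only for the web-app -> guarded-child combination.

    Matching is on file name alone to keep the example short; a production
    rule would also pin the full path or the signer of both images.
    """
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    return "block" if parent in web_apps and child in guarded else "allow"


# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"parent_image": r'"C:\Program Files\Mozilla Firefox\FIREFOX.EXE"',
     "image": r"C:\Windows\SysWOW64\RunDll32.exe"},
    {"parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Program Files\Mozilla Firefox\plugin-container.exe"},
]


def triage(events):
    """Return (parent, child, verdict) for each event, in order."""
    return [(image_name(e["parent_image"]), image_name(e["image"]), evaluate(e))
            for e in events]
```

    cmd.exe started from explorer.exe stays allowed while the same binary started from the browser is blocked, which is the difference between a parent-child rule and a global block.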
     
  21. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
    Thank you as well Dan!:cool:
     
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    :p
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That looks perfect to me.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you guys, I appreciate it!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey CET, how are you?

    Hehehe, you and hjlbx feel pretty strongly about the whole vulnerable processes thing, huh? ;)

    We better test it just to make sure... I could have messed up a couple of years ago when I wrote this part of the code, so let's check just in case!

    Here is a quick and dirty file I just wrote... it is not signed or anything. When you execute the file from the link below, it will drop a file to your desktop called "VSExploitPayload", which is a totally benign file... all it does is display a message box that says "Exploit Successful!".

    www.voodooshield.com/artwork/VSExploitTest.exe

    1. First try running VSExploitTest.exe from your desktop... it should block the initial file VSExploitTest.exe. If you allow this file, it should spawn the VSExploitPayload.exe that was dropped to your desktop 3 seconds later (I made it sleep for 3 seconds to make sure the file finished downloading). Usually payloads are dropped to appdata or programdata, but I figured the desktop would be easier for this test, and the results would be the same.

    2. Reset your whitelist

    3. Try running VSExploitTest.exe from any Windows folder... depending on which Windows folder you run the file from, VS might or might not block VSExploitTest.exe, but it should block VSExploitPayload.exe either way.

    You can also try running VSExploitTest.exe from the Java folder in Program Files for example, and it should block the payload as well. There might be a folder that contains a vulnerable process that we are not aware of, so if you find one, please let us know!

    Just to be sure, you might run VS in default settings... or if you change any of the settings, please let me know so we can be on the same page ;). Thank you!
     
    Last edited: Mar 18, 2016