VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    I have also experienced dismhost.exe blocks (Win 7 x64), and even in install mode, with no freeze issues.
     
  2. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Thanks SHvFI. Pleased that CS found the time to post the video!

    No guess from me I'm afraid. Overall though a good result for VS albeit with only a few malwares tested.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you CS for the great video, I really appreciate it a lot and everything you do for the security community! I know you are busy with traveling, but if you get the chance, can I get that macro from you to see why it stayed in memory?

    Have a great time on your trip and we will talk to you soon!
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, this helps a lot!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not sure exactly what happened with the macro and rationalist.exe payload, but from what I can tell, rationalist.exe remained in a suspended state, so it was denied process creation (notice that the memory utilization stayed at 264k and I believe Process Explorer was showing that it was suspended). CS can correct me if I am wrong, but I think either way the computer was not infected, although it would be nice to get that macro from her to find out why rationalist.exe remained suspended in memory so we can look at it.

    What I thought was really cool (besides the music) was her findings on the false positives with VoodooAi, and I suppose to a certain extent, VS's blacklist false positive detection. I have tested the heck out of VoodooAi for false positives (this is no exaggeration), and from my experience it does really well, so it was nice to see her have the same result. Also, I looked up the VoodooAi results from the malware she tested, and VoodooAi did extremely well.

    One last thing, in her intro she wrote "So I’ll just run a few samples with VS in autopilot mode- some from the wild and some not…". This is a little bit of an understatement ;). Let's just put it this way, it was an extremely well designed test... it was not like she just downloaded a malware pack and threw it at VS (note the several files that are unknown to the blacklist). So basically, I guess you can say this was a "customized" and well thought out test specifically for VS, and I imagine that she does that for all of her videos, which is a great thing.

    In other words, I have always respected her work, but since I understand a little more now of what goes on behind the scenes, I respect her work even more ;).
     
    Last edited: Jul 18, 2016
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Me too, I am happy she made the time with her busy schedule. I think most of her videos have 4-5 or so malware samples on average, and I think this one had 11 (my lucky number).
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, that helps a lot! I really need to have the macro in order to test properly. One of the very few extensions that I never paid much attention to was .pif... it looks like I need to pay some attention to that ;). Ultimately, it looks like the process was not allowed to be created, so I think we are safe, but it would be nice for it not to remain suspended in memory.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Did I miss the part where she tested Cylance Protect?
     
  9. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,098
    Location:
    Ontario, Canada
    @VoodooShield Dan, I just saw this! USB Mode, so it did show USB, then I tried to execute a program and I clicked allow from the pop-up, and now the VS Shield is broken with the USB still installed. I ejected the USB and it goes back to normal, so a possible small (tiny) bug?

    Daniel

     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you TH, I put it on the to do list!
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,558
    Location:
    Among the gum trees
    Dan,

    Three days in a row now VS has blocked dismhost.exe so for the time being I'm going to uninstall VS to allow Windows to do its own maintenance without me having to baby sit it. Hopefully Vlad will have this and the freeze bug sorted soon.

    Thanks.
     
  12. @VoodooShield

    When I look at the info for DISM, I guess DISM is probably a protected process.

    E.G. Process Explorer can't kill protected processes, so neither could VS.


    Others having problems with the update:
    - http://www.outpostfirewall.com/forum/archive/index.php/t-27308.html (DISMhost recreating itself in tempdir causing numerous prompts).
    - https://community.sophos.com/kb/en-US/121918 (dot Net running very long, new dotNet binaries not being whitelisted)

    So maybe it is not a bug, it is a result of how the OS updates and protects itself?

    Just a thought: try to side step the trail you're debugging now and do some grey box thinking with Vlad (looking at cause and effect and making educated guesses based on the criteria on which something operates, without knowing the details of how it operates).

    Because of the recreate of DISMhost in the Temp folder, VS starts a cat and dog fight (Outpost problem). Because it is protected by the OS it can't be killed by VS (info from M$). When new dot Net binaries are updated, VS (which uses dotNet) starts to block the dotnet components it uses itself and eventually hangs itself/freezes (Sophos lockdown problem).

    Regards Kees
     
    Last edited by a moderator: Jul 18, 2016
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you Krusty and Kees! I hope to hear from Vlad any day now, so I will probably wait for him to fix this... that way he can check all of the changes that I have made since he last worked on the code. Yeah, it does look like it is some kind of permission issue... Vlad is much, much better at that kind of stuff than I am.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    If they can't be blocked, then maybe protected processes should be "ignored" (=allowed) automatically from VS. :cautious:
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,558
    Location:
    Among the gum trees
    @Windows_Security ,

    You may be right, Kees, but VS used to handle (whitelist) dismhost.exe fine back in older versions of VS while Vlad was active here, until, I guess, a new version of dismhost.exe was installed.

    Yeah, perhaps that is the way forward?
     
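    The behaviour Krusty describes, a binary that was whitelisted fine until a new version of it landed, is what a hash-keyed allowlist does by design: the updated file has a new hash, so the old entry no longer matches. The following is an added illustration, not VoodooShield's code and not a description of how VS stores its whitelist. It models a minimal allowlist that keys on the SHA-256 of file contents but also remembers which hashes have been seen for each path, so an update to an already-approved path can be reported as "updated" (a candidate for re-approval or a signer check) rather than as a brand-new unknown. The file contents and paths are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key (constructed example, not VS internals)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Allowlist:
    # hashes the user has explicitly approved
    approved: set = field(default_factory=set)
    # every hash ever observed for a given path, approved or not
    seen_by_path: dict = field(default_factory=dict)

    def approve(self, path: str, data: bytes) -> str:
        """Record an approval for this exact file content."""
        digest = sha256_hex(data)
        self.approved.add(digest)
        self.seen_by_path.setdefault(path, set()).add(digest)
        return digest

    def check(self, path: str, data: bytes) -> str:
        """Classify an execution attempt.

        Returns one of:
          "allow"          - exact hash previously approved
          "block-updated"  - path was approved before, but the content changed
          "block-unknown"  - never seen this path or hash
        """
        digest = sha256_hex(data)
        history = self.seen_by_path.setdefault(path, set())
        if digest in self.approved:
            history.add(digest)
            return "allow"
        verdict = "block-updated" if history & self.approved else "block-unknown"
        history.add(digest)
        return verdict


# Constructed sample "binaries": the same path with two different contents,
# standing in for dismhost.exe before and after a Windows update.
DISMHOST_PATH = r"C:\Windows\Temp\EXAMPLE-dismhost\dismhost.exe"  # placeholder path
DISMHOST_V1 = b"MZ\x90\x00 dismhost build 1 (constructed sample)"
DISMHOST_V2 = b"MZ\x90\x00 dismhost build 2 (constructed sample)"
UNKNOWN_PATH = r"C:\Users\example\Downloads\tool.exe"  # placeholder path
UNKNOWN_BIN = b"MZ\x90\x00 something never seen before (constructed sample)"


def run_scenario() -> list:
    """Replay the thread's sequence: approve v1, then v1 runs, then v2 runs, then a stranger."""
    wl = Allowlist()
    wl.approve(DISMHOST_PATH, DISMHOST_V1)
    return [
        wl.check(DISMHOST_PATH, DISMHOST_V1),   # "allow"
        wl.check(DISMHOST_PATH, DISMHOST_V2),   # "block-updated"
        wl.check(UNKNOWN_PATH, UNKNOWN_BIN),    # "block-unknown"
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

    Distinguishing "block-updated" from "block-unknown" is the useful part: a product that only knows hashes will keep prompting on every updated system binary, while one that notices the path was trusted before can route that case to a different decision (re-approve after checking the publisher signature, or at least log it differently) instead of treating a routine update as a fresh threat.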
  16. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia

    Well, I just forced use of dismhost.exe by running Disk Cleanup, which I never normally do. I have VS running on AutoPilot (Ai only, no blacklist scanners) and it originally blocked it but then immediately allowed it. I see it is now whitelisted but can't confirm that just happened, though I suspect that it did. No freezing. :)
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,558
    Location:
    Among the gum trees
    After the block three days ago I thought dismhost.exe was whitelisted too but each day since then VS blocked it.

    Cache, what's your OS?
     
  18. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Win7 Pro x64.

    EDIT:
    Just ran dismhost again and, despite being whitelisted, it was initially blocked again by VS before again being allowed. This does seem odd behaviour.
     
    Last edited: Jul 18, 2016
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,558
    Location:
    Among the gum trees
    Ah, the problem seems to be on Windows 10 because of protected processes.
     
  20. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Good old Win7!! :)
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For testing purposes, you can change the DISM temporary directory (e.g. /ScratchDir:C:\Scratch), whereas C:\Windows\Temp or the user's temp directory is used by default if not specified. Though this may still not help with regard to the permissions issue.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey guys, I will catch up soon, but here is a version of VS 3.30 with the special dismhost code disabled, so you might see some dismhost blocks, but it should tell us if the freeze issue happens whether the special dismhost code is enabled or not. I do think it is some kind of protected process / permissions issue, which I am not very good with, but Vlad is ;).

    www.voodooshield.com/artwork/InstallVoodooShield330dismhost.exe

    I forgot to mention... if VS is not freezing, then please do not install this version.

    Thank you!
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, thank you! And we can easily do this safely, so that is a good thing.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for the tip!
     
  25. ieno

    ieno Registered Member

    Joined:
    Jul 19, 2016
    Posts:
    12
    Location:
    Netherlands
    Hi Dan, loooong time lurker here. Made an account just to say what a truly great product VS is and how cool it is to see the huge amount of time, support and dedication you're showing on here...I find this just incredible, thank you so much!
     