VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. mWave

    mWave Guest

    Use PsSetCreateProcessNotifyRoutineEx (which you already use) in your driver to detect process termination; once termination for the VoodoShieldService.exe or the GUI is identified via the callback notification function, restart it.

    You can also check if the process is executing already from within the callback before trying to send data back to user-mode and start it back up first if it isn't found. This makes it more difficult for malware to attack you, since it'd terminate but it'd need to stay continuously running to keep terminating it. :)
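The detect-termination-then-restart logic mWave describes, as an added user-mode illustration in PowerShell (not VoodooShield's code, which would do this from the driver callback): it subscribes to process-stop trace events for VoodooShield.exe, logs each one, and restarts the process only if it is really gone. The install path, log path and the use of Win32_ProcessStopTrace are assumptions; the script needs an elevated session.

```powershell
# Added example, not VoodooShield's own code: a user-mode watchdog that
# restarts VoodooShield.exe after it is terminated. Run elevated, because
# Win32_ProcessStopTrace events require administrator rights.
$config = @{
    Exe  = 'C:\Program Files\VoodooShield\VoodooShield.exe'  # assumed install path
    Name = 'VoodooShield'                                     # process name without .exe
    Log  = "$env:ProgramData\VSWatchdog.log"                  # assumed log location
}

# Fires whenever a process named VoodooShield.exe exits, whether it exited
# normally or was killed by another process.
$query = "SELECT * FROM Win32_ProcessStopTrace WHERE ProcessName = 'VoodooShield.exe'"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'VSStopped' `
    -MessageData $config -Action {
    $cfg = $Event.MessageData
    $e   = $Event.SourceEventArgs.NewEvent

    # Keep a record of every stop: the PID and exit status from the trace event
    # are what an analyst would want when deciding whether this was an attack.
    "$(Get-Date -Format o) VoodooShield.exe pid $($e.ProcessID) stopped, exit status $($e.ExitStatus)" |
        Add-Content -Path $cfg.Log

    # As mWave suggests: confirm the process is really absent before restarting,
    # so a normal restart by the product itself does not create a second instance.
    Start-Sleep -Milliseconds 250
    if (-not (Get-Process -Name $cfg.Name -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath $cfg.Exe
        "$(Get-Date -Format o) restarted $($cfg.Exe)" | Add-Content -Path $cfg.Log
    }
}

# Keep the session alive so the action block can run; stop with Ctrl+C and then
# Unregister-Event -SourceIdentifier 'VSStopped' to remove the subscription.
while ($true) { Wait-Event -SourceIdentifier 'VSStopped' -Timeout 5 | Out-Null }
```

Because this watchdog runs in user mode it can itself be terminated, which is exactly why mWave wants the check inside the kernel callback; and like any restart approach it still leaves the restart window that VoodooShield raises later in the thread.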
     
  2. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    It does Dan ;)
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see, thank you for the info, but what happens when a Windows native whitelisted process that is running as a Network Service asks VoodooShield.exe to exit?
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Just the Pro version ;). I was extremely careful when implementing the parent process feature... it should be safe.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you for letting me know! I have to do some onsite work, thank you guys!
     
  6. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    It should not be allowed.
    You should make a setting like "enable self-defense". If the user wants to kill voodooshield.exe, he needs to uncheck that setting first.
     
  7. M3gatron

    M3gatron Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    41
    Location:
    ::1
    That is correct - mouse-over will give you the correct result, but I prefer to have the full path available instead of doing this, as it will allow me to quickly determine what to do. It's just personal preference :)
     
  8. M3gatron

    M3gatron Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    41
    Location:
    ::1
    @VoodooShield

    I got VS to crash 3 times today but there is nothing in either DeveloperLog.log or DeveloperServiceLog.log (image attached). Basically, when I am running smart (default) mode and when I clicked on the prompt a couple of times, it just crashed (v3.5.3). I will try to replicate it and let you know.

    Fault bucket , type 0
    Event Name: AppHangTransient
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: VoodooShield.exe
    P2: 3.10.108.0
    P3: 58b6e243
    P4: unknown
    P5: unknown
    P6: unknown
    P7: unknown
    P8:
    P9:
    P10:

    Attached files:

    These files may be available here:


    Analysis symbol:
    Rechecking for solution: 0
    Report ID: 947a3aca-0446-11e7-ba72-9c5c8ec13275
    Report Status: 2049
    Hashed bucket:
     


  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    But we are dealing with a Windows native whitelisted process that is already created and running as a Network Service, that is asking VS to exit. VoodooShield.exe obeys and shuts down when ExitWindowsEx is called when the user shuts down the computer... should VS try to block this as well?
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, we would have to add an additional line and possibly make the entire prompt bigger. We can look into this at some point though, thank you!
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, please let me know how to reproduce this and I will fix it, thank you! I just tried clicking all over the prompt and could not get it to crash.
     
  12. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    No, I guess that is the only acceptable exception :)
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We thought about doing something like this, but then we have to worry about race conditions... that is, will VS restart quick enough to block the item?

    We are looking at several different methods, and I think we might have found one yesterday that is perfect for VS. Thank you!
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hi gorblimey,

    I don't know if Cyberfox is related or not. Maybe I have been prompted because a web app was running, and because I use CF more than any other browser it could be a coincidence that Cyberfox was opening at that time. I've only been prompted on one machine so far. Anyway, I'm monitoring the situation.

    Great user name by the way.
     
    Last edited: Mar 8, 2017
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ah ha! I would bet there are many, many others ;).

    I think everyone is missing the whole point of VS... so let me explain what I am trying to do.

    A lot of security researchers are now suggesting that the only way to truly stand a chance in the current malware epidemic is to lock down the system.

    And when considering the lock down approach, there are only three options.

    1. Do not lock the system down at all... This is not secure

    2. Lock the system down 100% of the time... This is not user-friendly

    3. Lock the system down when it is at risk... https://www.google.com/patents/US9197656

    Even though there is zero risk of malware implementing the single targeted script that is an issue for VS, we will be implementing self-protection asap.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Dan, are these errors anything to worry about? I guess not as it looks like something to do with syncing the whitelist, right?
    Code:
    [ERROR] - Error posting snapshot to server (The remote name could not be resolved: 'voodooshield.com')
    [03-09-2017 10:11:34] [ERROR] - Exception in HttpHelper_PostSnapshot: The remote name could not be resolved: 'voodooshield.com'.    at System.Net.WebClient.UploadDataInternal(Uri address, String method, Byte[] data, WebRequest& request)
       at System.Net.WebClient.UploadData(Uri address, String method, Byte[] data)
       at VoodooShield.HttpHelper.PostSnapshot(String csvlist
     
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Read it again. It is switching over to the Firefox 52.0 ESR branch for 12 months.

    Also:

    https://8pecxstudios.com/Forums/viewtopic.php?f=6&t=1756#p11512

    Also, there is another thread for discussions about Cyberfox - https://www.wilderssecurity.com/threads/cyberfox.384457/
     
  19. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    *puppy*
     
  20. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Well, I'm done discussing Cyberfox in the VoodooShield thread anyway.
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285

    All I can say is 'gorblimey'... I haven't a clue! :)
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This feature has been disabled / not working for a little while now... the new web management console is almost ready and it will start working again.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    That's funny, if I log into my account my three machines show with their respective whitelists shown.
     
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    :thumb::D
     