VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

    Totally agree with that.
    It was made to lock the OS?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Made to completely lock the computer mandating a reboot to free it.
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,007
    Location:
    UK
    I experienced that lock and only option open to me was a hard reset.
     
  4. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    502
    Location:
    UK
    I don't understand why self protection is even considered to be necessary, because surely if only whitelisted applications are allowed to run, or otherwise blacklisted applications are not allowed to be run, then how would it be possible for any attack to be mounted against VS under normal operating conditions?

    Having my start menu and search being locked out under 355b2 was not good if self protection which may not even be needed is affecting the OS in this way.
     
  5. guest

    guest Guest

    I don't think it was the original purpose; seems unwanted :D

    If my memory is correct, because a script, made to target VS, terminated it. It was mentioned a few pages ago.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That's correct, so you protect the VS processes, not shut down the whole machine. Hopefully VS should have been able to handle the script. It's bad if it couldn't.
     
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Exactly, this is the reason: https://www.youtube.com/watch?v=eiXB8H3-wEI&ytbChannel=F4zzx

    By the way, VS 3.55 is a beta, so users should expect bugs and should give feedback to improve the new features
     
  8. guest

    guest Guest

    So VS should be more oriented to stop scripts rather than self protecting itself, since any kernel exploits would nullify self protection anyway.
     
  9. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    In my opinion, if self-defense is ON, nothing should be able to close VS, unless the PC is being shut down.
    If the user needs to manually close VS, he/she should disable self-defense first.
    That's why I like this idea:
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Exactly, except it was designed to lock up the whole PC. What you described is exactly what it should be.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    mWave wrote about how to implement self-protection, but it goes beyond my understanding :p

     
  12. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    3.55b2 was running ok until I ran BBC iPlayer and it kept stopping the download. Then installed Opera when it crashed. It resurrected itself but was not able to use it. Most of the computer was slow or locked up. The C drive disappeared from Explorer. Gone back to 3.53.

    Will send dev logs
     
  13. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    502
    Location:
    UK
    I get that, but wouldn't a user have to allow the malicious script to run and therefore have complete control over what is able to infiltrate the system for that to happen in the first place? Unless I've missed something here I would never allow any unknown script to run if it wasn't originated from a known acceptable source.

    Surely the whole point of VS in its original form is to lock the computer to unknown sources.
     
  14. guest

    guest Guest

    You won't, but Average Joe will surely allow it. Don't forget to always think about a product as a noob (if the product targets the basic users market).
     
  15. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    From the video I posted here, you can see that the script was inside an excel macro.
    So, of course the user has to manually enable the macro for the script to take its action, but with a self-protection the script won't be able to terminate VS and won't infect the system
     
  16. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    502
    Location:
    UK
    That's fair comment and in which case let's hope Dan can get the self protection working to an acceptable operational state.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Then the self protection was poorly aimed. ERP can block scripts by making wscript a vulnerable process, Appguard can block execution of script executing programs like wscript, HMPA would protect by use of its application lockdown, but none of them lock up the whole system.

    Or if you want it that way give me an option to turn it off. That should solve the whole problem
     
  18. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    We are on the same page :thumb:
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Where is Dan?
     
  20. guest

    guest Guest

    Dan's brain said "system failure, scanning operation initiated, approximated reparations time 1 week" :p
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. Now that I can relate
     
  22. Achelous

    Achelous Registered Member

    Joined:
    Mar 20, 2017
    Posts:
    10
    Location:
    UK
    Not to mention that the self protection is flawed: instead of targeting the processes you can target the service holding the device driver VSScanner.sys. Once this service has been stopped and deleted, the device driver is no longer executing in memory, which means there is no more process monitoring... Whether the VoodoShield.exe and VoodoShieldService.exe processes are still running or not does not come into question, since they are not responsible for the process monitoring. The lock down functionality will not be triggered in this scenario either.

    Once you've unloaded the device driver you can target the processes and have them terminated, now VoodooShield will not be present in memory at all and there will be no lock-down triggered. In other words, the self-protection does not actually "protect" the software package in any shape or form, and should be re-considered in terms of functionality.

    Alternatively, the VoodooShield team could just scrap the idea of the self-protection feature if they are unable to get a working and sufficient implementation which isn't flawed. I don't think that would matter too much, the team could focus on other aspects first for now... Especially since it's an anti-executable and not supposed to be a fully fledged security suite.

    I reckon most people use VoodooShield alongside their primary security solution anyway. :) :)
     
  23. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    He obviously does not know Dan very well ;)
    He will get it, these are the bumps in the road. I am surprised so many are crying, in fact that disturbs me,
    especially here.
    I will keep installing as he keeps pushing them out, and a dime to a dollar says things will be just fine ;)
    This is the learning, and trial and error crap that leads to a better product, and all of us know that, or should.
    Keep at it Dan :thumb:
     
  24. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    The tunes will change once Dan logs on...I guess the guy is not only developing but has a personal life to live too...Nothing makes me laugh more than the on\off obsequious behaviour of a few regular members in this and other developer forums on WS.
     
  25. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    157
    Location:
    West Oz
    I'm waiting for the self-defense property to be settled, as mine is a mission-critical box, and I'm becoming impatient as I need the user-switching module in 3.54++.
    My system security is in my sig, but depends on only VS and then Avast as the software components. Avast has a "captcha" VS should look at:

    [Image: AvastComponentStop.png]

    which is presented when the user wishes to disable any shield or shut Avast down.

    And I did read mWave's screed with great interest--I'm not a coder, but it all made a lot of sense.

    I agree with the concept that VS should not lock the entire computer as part of the self-defense. As has already been stated, VS is an anti-exe, which means it should be able to block the offending app regardless of its nature. Perhaps an alert indicating the user should throw the app at the resident AV may be in order, I do not believe VS should be encumbered with 2 or 3 dozen AV scripts to decide how to do this for itself. But in any case, if the AV missed the app in the first place... :( what makes anyone think it will see it now?

    Actually, VS is my primary security solution, Avast is backup. But yes, maybe self-defense should be removed and rethought while other features can be released to production.
     