Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
Totally agree with that.
it was made to lock the OS?
Made to completely lock the computer mandating a reboot to free it.
I experienced that lock and only option open to me was a hard reset.
I don't understand why self protection is even considered to be necessary, because surely if only whitelisted applications are allowed to run, or otherwise blacklisted applications are not allowed to be run, then how would it be possible for any attack to be mounted against VS under normal operating conditions.
Having my start menu and search being locked out under 355b2 was not good if self protection which may not even be needed is affecting the OS in this way.
I don't think it was the original purpose; seems unwanted.
If my memory is correct, because a script, made to target VS, terminated it. It was mentioned few pages ago.
That's correct, so you protect the VS processes, not shut down the whole machine. Hopefully VS should have been able to handle the script. It's bad if it couldn't.
Exactly, this is the reason: https://www.youtube.com/watch?v=eiXB8H3-wEI&ytbChannel=F4zzx
By the way, VS 3.55 is a beta, so users should expect bugs and should give feedback to improve the new features.
So VS should be more oriented to stop scripts rather than self protecting itself, since any kernel exploits would nullify self protection anyway.
In my opinion, if self-defense is ON, nothing should be able to close VS, unless the PC is being shut down.
If the user needs to manually close VS, he/she should disable self-defense first.
That's why I like this idea:
Exactly, except it was designed to lock up the whole PC. What you described is exactly what it should be.
mWave wrote about how to implement self-protection, but it goes beyond my understanding
3.55b2 was running ok until I ran BBC Iplayer and it kept stopping the download. Then installed Opera when it crashed. It resurrected itself but was not able to use it. Most of the computer was slow or locked up. The C drive disappeared from Explorer. Gone back to 3.53
Will send dev logs
I get that, but wouldn't a user have to allow the malicious script to run and therefore have complete control over what is able to infiltrate the system for that to happen in the first place? Unless I've missed something here, I would never allow any unknown script to run if it didn't originate from a known acceptable source.
Surely the whole point of VS in its original form is to lock the computer to unknown sources.
You won't, but Average Joe will surely allow it. Don't forget to always think about a product as a noob (if the product targets the basic users market).
From the video I posted here, you can see that the script was inside an excel macro.
So, of course the user has to manually enable the macro for the script to take its action, but with self-protection the script won't be able to terminate VS and won't infect the system.
That's fair comment and in which case let's hope Dan can get the self protection working to an acceptable operational state.
Then the self protection was poorly aimed. ERP can block scripts by making wscript a vulnerable process, Appguard can block execution of script executing programs like wscript, HMPA would protect by use of its application lockdown, but none of them lock up the whole system.
Or if you want it that way, give me an option to turn it off. That should solve the whole problem.
We are on the same page
Where is Dan?
Dan's brain said "system failure, scanning operation initiated, approximated reparations time 1 week"
ROFL. Now that I can relate
Not to mention that the self protection is flawed: instead of targeting the processes you can target the service holding the device driver VSScanner.sys. Once this service has been stopped and deleted, the device driver is no longer executing in memory, which means there is no more process monitoring... Whether the VoodoShield.exe and VoodoShieldService.exe processes are still running or not does not come into question, since they are not responsible for the process monitoring. The lock down functionality will not be triggered in this scenario either.
Once you've unloaded the device driver you can target the processes and have them terminated. Now VoodooShield will not be present in memory at all and there will be no lock-down triggered. In other words, the self-protection does not actually "protect" the software package in any shape or form, and should be re-considered in terms of functionality.
Alternatively, the VoodooShield team could just scrap the idea of the self-protection feature if they are unable to get a working and sufficient implementation which isn't flawed. I don't think that would matter too much, the team could focus on other aspects first for now... Especially since it's an anti-executable and not supposed to be a fully fledged security suite.
I reckon most people use VoodooShield alongside their primary security solution anyway.
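An added example, not part of the thread and not VoodooShield's own code: a health check that follows the point made in the post above, judging coverage by the state of the driver service rather than by whether the user-mode processes are present. The service name `VSScanner` is an assumption (the post names only the file VSScanner.sys), and the `sc query`-style text is constructed sample input.

```python
import re

# Assumption: VSScanner.sys is registered under a service named "VSScanner";
# the post gives only the driver file name, not the service name.
DRIVER_SERVICE = "VSScanner"
# Process names as written in the post, lower-cased for comparison.
USER_PROCESSES = {"voodoshield.exe", "voodoshieldservice.exe"}

# Constructed `sc query`-style outputs (not captured from a real system).
SC_RUNNING = """SERVICE_NAME: VSScanner
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
"""
SC_STOPPED = SC_RUNNING.replace("4  RUNNING", "1  STOPPED")
SC_DELETED = "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n"

def parse_sc_query(text):
    """Return {service_name: {"type": ..., "state": ...}} from sc query text."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*(TYPE|STATE)\s*:\s*\w+\s+(\w+)", line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return services

def protection_status(sc_output, running_processes):
    """Judge coverage from the driver first; process presence alone proves nothing."""
    svc = parse_sc_query(sc_output).get(DRIVER_SERVICE)
    if svc is None:
        return "DRIVER_SERVICE_MISSING"
    if svc.get("type") != "KERNEL_DRIVER" or svc.get("state") != "RUNNING":
        return "DRIVER_NOT_RUNNING"
    names = {p.lower() for p in running_processes}
    return "OK" if USER_PROCESSES <= names else "PROCESS_MISSING"

if __name__ == "__main__":
    procs = ["explorer.exe", "VoodoShield.exe", "VoodoShieldService.exe"]
    for label, sc in [("running", SC_RUNNING), ("stopped", SC_STOPPED),
                      ("deleted", SC_DELETED)]:
        print(label, "->", protection_status(sc, procs))
```

A check like this has to run outside the protected product, for example from a separate monitoring agent, so that its result does not depend on the component being checked.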
He obviously does not know Dan very well
He will get it, these are the bumps in the road. I am surprised so many are crying, in fact that disturbs me.
I will keep installing as he keeps pushing them out, and a dime to a dollar says things will be just fine
This is the learning, and trial and error crap that leads to a better product, and all of us know that, or should.
Keep at it Dan
The tunes will change once Dan logs on...I guess the guy is not only developing but has a personal life to live too...Nothing makes me laugh more than the on\off obsequious behaviour of a few regular members in this and other developer forums on WS.
I'm waiting for the self-defense property to be settled, as mine is a mission-critical box, and I'm becoming impatient as I need the user-switching module in 3.54++.
My system security is in my sig, but depends on only VS and then Avast as the software components. Avast has a "captcha" VS should look at:
which is presented when the user wishes to disable any shield or shut Avast down.
And I did read mWave's screed with great interest--I'm not a coder, but it all made a lot of sense.
I agree with the concept that VS should not lock the entire computer as part of the self-defense. As has already been stated, VS is an anti-exe, which means it should be able to block the offending app regardless of its nature. Perhaps an alert indicating the user should throw the app at the resident AV may be in order, I do not believe VS should be encumbered with 2 or 3 dozen AV scripts to decide how to do this for itself. But in any case, if the AV missed the app in the first place... what makes anyone think it will see it now?
Actually, VS is my primary security solution, Avast is backup. But yes, maybe self-defense should be removed and rethought while other features can be released to production.