VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. plat1098

    plat1098 Guest

    Yes, and perhaps instead of chatting on this forum, he's working on these issues (right ON).

    Edit: mine's also mission critical, but with measures I've taken, I took the leap and put 3.55 b2 on here. It's good, but too much in extremes for everybody. Too risky for some.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    If you are referring to me, I am not crying but stating unequivocally that what I experienced was unacceptable.
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I should add I PAID for my VS subscription ;)...Not a freebie!
     
  4. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
    What's hurting me with this whole lockdown and self-protection issue is that someone spoke to Dan about a script that can disable V.S. He said he will create a beta with self-protection, and the folks at Wilders can try it out and tell him if it is working or not and give him feedback so he can make things better. He also explained how it will work, warning people not to put it on a production PC for he isn't sure that it is 100% safe, yet the way people are fussing you would swear he said it's a stable release. I have 1 question: how do you feel he felt going out of his way to fortify a product that now brings this type of backlash? :confused:
     
  5. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Last edited: Mar 21, 2017
  6. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    341
    Location:
    Down Under the Southern Cross
    There is such a thing as "constructive criticism". From my dealings with Dan I got that he welcomes that, in fact he asked the community to give it a go at the releases following 3.53 and report.
    Some say potatoes, some say potatos. It is pointless to debate who is saying what, and off topic too.
     
  7. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I think constructive criticism is welcomed by all good developers..Nonconstructive condemnation serves no purpose and wastes space, move on to something that meets your needs or expectations.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I have to agree you guys are right. I guess part of the problem is Dan has done so well with the betas that it's easy to forget. So I will leave it this way. It's not good the way it is. Either it needs to change or just a switch to be able to turn it off.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry I have been away, I have been busy with the business side of VS and trying to get the self-protection feature working correctly. There are just not enough hours in a day, but I should be caught up soon.

    As far as the self-protection feature is concerned, if we can get it to work as it is supposed to, I think it will be an amazing feature. Since no one has ever tried this before, we are in uncharted territory, and I have no example methods to reference, and honestly, I am not even sure it is possible, but it is worth a try.

    The only thing that I am sure of is if we can get this to work correctly, it will ultimately make it extremely difficult or impossible for blackhats, government agencies, or whoever to target AV software that implements this type of self-protection feature. Think about it for a second… in order for the attacker to find a bypass, they have to spend long hours trying to find a vulnerability in whatever security software they are targeting. Now, if the machine locks up and they are forced to reboot whenever they start messing with the AV software, they would most likely give up after a few tries.

    Think of it this way… if you do not lock up the machine when they are messing with your security software, all you are doing is giving the attacker unlimited attempts, until they succeed. I am assuming that a lot of you read the recent wikileaks documents. When I read the line “Comodo, as you may know, is a colossal pain in the posterior.”, it encouraged me to see what I could do to make things even more tricky for those who are interested in bypassing your security software and invading your privacy.

    Keep in mind, it has only been 8 days since I released the first version with the self-protection feature. And if we can get it to work right, no one will ever even notice that it is there… sure, we can make it optional in settings (like some of you guys suggested), but if this is done correctly, we will not even have to do that.

    So in the end, it might be a good idea, it might not be, but I figured we would at least give it a try. It will only take a few seconds to remove this feature if it turns out that it does not work well. If we did not try crazy new ideas like this, we would never make any real progress.

    Here is my next attempt. If you want to try it, I would appreciate that a lot. But if you want to run the stable version, that is cool too. Thank you!

    www.voodooshield.com/Download/beta3/InstallVoodooShield355beta3.exe
     
    Last edited: Mar 21, 2017
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    When the gui and the service are running, the service is protected. When the gui is killed the service locks down (most of) the computer. Believe me, I have already thought of that, but thank you for mentioning it anyway!
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    I am noticing a CPU issue with the latest VS beta, in that at boot it takes a couple of minutes before it settles.

    VS_3.55 beta_04.JPG

    VS_3.55 beta_05.JPG
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    A few lines from DeveloperServiceLog when I booted up a little while ago:

    [03-22-2017 13:22:09] [INFO ] - User Log Initialized
    [03-22-2017 13:22:10] [INFO ] - Snapshot file Initialized
    [03-22-2017 13:22:10] [INFO ] - Service started
    [03-22-2017 13:22:10] [INFO ] - Driver communication service started
    [03-22-2017 13:22:30] [DEBUG] - DriverCommunicationService::Connect 10 threads
    [03-22-2017 13:22:30] [DEBUG] - DriverCommunicationService::Enter main loop
     
  13. guest

    guest Guest

    @VoodooShield Dan, can you (in a simple way) explain clearly the mechanism of the self-protection you are designing?
    Originally I thought it was just a method to protect the service, to prevent attackers from shutting it down and hence terminating VS.
    Now from your quote :
    So it seems that you want your self-protection to lock the system when the GUI is down? If yes, this is too much and unnecessary in my opinion and will lead to more issues. The GUI isn't necessary to the security of the soft; it should be killable anytime by the user in case of a display bug, lag or freeze. Self-protection is about the service/agent; those are meant to be protected because they make the security mechanism of the soft operate.

    How can they have unlimited attempts? If they do, it means they have access to the system via a RAT already running in the system (so the security soft failed) or via a vulnerability of the OS or installed softs... and if an attacker has access to the system, no security apps will protect the system anymore. Self-protection is made to prevent scripts/malware or a non-admin from terminating the soft.

    If you implement a self-protection, make it protect the service only so it can't be shut down by anyone except the admin, put a password option, etc... but don't make it lock the system.
     
    Last edited by a moderator: Mar 22, 2017
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    ....Agree guest, locking the system seems a step too far. It could lead to problems with rebooting the system.
     
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    Paul- just as an FYI, a targeted ransomware sample that Kaspersky just discovered the other day utilizes a Sleep function that will extend 90-120 minutes. Considering that many malware researcher drones will have to analyze 50 or more samples per shift, it's easy to understand how malware with such a delay can go unnoticed and can be more effective than an anti-sandbox or anti-VM thingy.

    In my opinion the anti-VM stuff has been lowered to script-kiddie malware; the true Blackhats have seen the light that comes from Sleep.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,285
    Location:
    Among the gum trees
    Dan, I'm not exactly sure what you mean by "locks up", if you mean VS will make my machine totally unusable until I restart, then I do not want any program doing this.
     
  17. russ0408

    russ0408 Registered Member

    Joined:
    May 16, 2010
    Posts:
    38
    Location:
    On. Canada
    I've downloaded every one of Dan's beta updates. Never had a problem with any of them.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    When the gui and the service are up and running, the service is well protected. If malware targets the gui, the service kicks in and locks down the system. Otherwise, you are giving the attacker unlimited opportunities to successfully defeat your security software.

    Keep in mind… the self-protection will ONLY occur in the highly unlikely event that malware is targeting VS. And if we can get this to work correctly, this will never happen because the attacker will be unable to create a targeted attack that works.

    Also, files that are required to reboot the system (which is only a small handful) are allowed, so this will not be an issue.

    Let me ask you this… if the gui is killed in the task manager or by targeted malware, should the service block everything or allow everything? (Trick question ;))
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is ONLY if malware is specifically targeting VS. We do not have to do it this way, but if we do not, then the attacker will have unlimited attempts at defeating VS.
     
  20. guest

    guest Guest

    Yes, it is what he meant.
     
  21. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    And again, please read, it's a work in progress and not a confirmed feature.
     
  22. guest

    guest Guest

    I got your point, but if I want to terminate the GUI myself for whatever reason, should I be locked out of my system? My answer is "damn no".
    Protecting the GUI is irrelevant for the security of VS, only the service matters. Most security apps have a service self-protection; GUI protection isn't needed, even if you kill the GUI, the apps still protect.
    And as you said, it may happen only if VS is bypassed...
    Anyway it is your baby, so I will let you decide ;)

    That is why we discuss it with Dan, so he will have the full picture and feedback.
     
  23. guest

    guest Guest

    This method of self-protection has already existed for corporate applications for years.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    So it sounds like you are saying that the service should allow all new items when the gui is killed in the task manager or the service, is this correct? If you do this, you are simply begging for a bypass.

    The alternative is to have the service block all new items, which is what we are doing. Sure, we can reconnect the gui to the service, but if you do so, there is most likely a small window where malware can infect the system... especially in a targeted attack. So why not just reboot the system ONLY WHEN IT IS TARGETED MALWARE ;).

    I agree, that is why we discuss issues like this, so we can collectively figure out what is best for VS, and I appreciate all you guys' input and opinions.
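
The two positions argued in this thread (lock down when the GUI disappears unexpectedly, versus letting an administrator close the GUI without a lockdown), modelled side by side as an added example; it is not part of the original posts and is not VoodooShield's code. The class, its method names, the token check, the timeout and the sample paths are all assumptions made for illustration.

```python
import hmac
from enum import Enum

Mode = Enum("Mode", "NORMAL MAINTENANCE LOCKDOWN")
Verdict = Enum("Verdict", "ALLOW PROMPT BLOCK")

class GuardService:
    """Hypothetical model of a protection service that watches its GUI."""

    def __init__(self, snapshot, reboot_essential, admin_token, timeout=5.0):
        self.snapshot = set(snapshot)                  # items already approved
        self.reboot_essential = set(reboot_essential)  # needed to restart cleanly
        self._admin_token = admin_token                # stand-in for real admin auth
        self.timeout = timeout                         # seconds without a heartbeat
        self.last_beat = 0.0
        self.mode = Mode.NORMAL

    def heartbeat(self, now):
        # A GUI heartbeat ends MAINTENANCE but never clears LOCKDOWN:
        # lockdown latches until reboot, so tampering costs one reboot per try.
        if self.mode is not Mode.LOCKDOWN:
            self.mode, self.last_beat = Mode.NORMAL, now

    def authorized_gui_exit(self, token):
        # An admin closes the GUI on purpose (display bug, freeze): no lockdown.
        ok = hmac.compare_digest(token, self._admin_token)
        if ok and self.mode is Mode.NORMAL:
            self.mode = Mode.MAINTENANCE
        return ok

    def decide(self, path, now):
        if self.mode is Mode.NORMAL and now - self.last_beat > self.timeout:
            self.mode = Mode.LOCKDOWN  # GUI vanished without authorization
        if self.mode is Mode.LOCKDOWN:
            # Only what is needed to reboot may run.
            return Verdict.ALLOW if path in self.reboot_essential else Verdict.BLOCK
        if path in self.snapshot:
            return Verdict.ALLOW
        # New item: ask the user if a GUI exists, otherwise fail closed.
        return Verdict.PROMPT if self.mode is Mode.NORMAL else Verdict.BLOCK

def demo():
    # Constructed sample paths and token.
    svc = GuardService({r"C:\Apps\editor.exe"}, {r"C:\Windows\System32\shutdown.exe"}, b"constructed-token")
    svc.heartbeat(0.0)
    before = svc.decide(r"C:\Temp\new.exe", 1.0)
    after = svc.decide(r"C:\Temp\new.exe", 10.0)  # no heartbeat for 9 seconds
    return before, after, svc.mode
```

In both non-normal modes a new item is blocked rather than allowed; the difference is only whether already-approved items keep running and whether a reboot is required to recover.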
     
  25. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    "in order for the attacker to find a bypass, they have to spend long hours trying to find a vulnerability in whatever security software they are targeting. Now, if the machine locks up and they are forced to reboot whenever they start messing with the AV software, they would most likely give up after a few tries."


    I don't know of any software that has used this approach?....However I would imagine it's a clever approach, and I doubt it would be a regular occurrence. In reply to those that say they don't want it, just how often do these types of attacks happen during daily use?
     