VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

    so i think the self protection must recognize the situation, and maybe ask for a confirmation. shouldn't be hard to do :

    1- if process x is blocked from accessing service.exe and gui.exe is terminated = auto-lockdown
    2- if only gui is terminated = prompt user (with maybe password) = if no answer or wrong password = lockdown, if answered or correct psw = no lock.

    it is the only way i can think of to make it workable without annoyance; maybe others can give you ideas.

    and goodnight lol
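As an added illustration (not part of the post and not VoodooShield's own code), the two rules above written out as a small event correlator in Python. The process names service.exe and gui.exe are taken from the post; the event names, the 30-second correlation window and the salted PBKDF2 password store are assumptions made for the example.

```python
"""Model of the two-tier lockdown policy sketched in the post above.

Constructed example: the event kinds, the 30-second window and the
password store are assumptions, not VoodooShield's own logic.
"""
from dataclasses import dataclass
from hashlib import pbkdf2_hmac
from hmac import compare_digest
from os import urandom
from typing import List, Optional

SERVICE_IMAGE = "service.exe"   # names as used in the post
GUI_IMAGE = "gui.exe"
WINDOW_SECONDS = 30             # assumed: how long a blocked access stays "recent"


@dataclass
class Event:
    t: float                      # seconds on a monotonic clock (constructed)
    kind: str                     # "access_blocked" | "terminated" | "user_response"
    subject: str = ""             # process that acted, or that was terminated
    target: str = ""              # process whose handle was requested
    password: Optional[str] = None  # None models "no answer" to the prompt


@dataclass
class PasswordStore:
    """Salted PBKDF2 digest so the unlock secret is never kept in clear text."""
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, password: str) -> "PasswordStore":
        salt = urandom(16)
        return cls(salt, pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify(self, candidate: Optional[str]) -> bool:
        if candidate is None:
            return False
        probe = pbkdf2_hmac("sha256", candidate.encode(), self.salt, 100_000)
        return compare_digest(probe, self.digest)   # constant-time comparison


@dataclass
class LockdownPolicy:
    store: PasswordStore
    blocked_access_at: Optional[float] = None   # last blocked access to the service
    prompt_open_since: Optional[float] = None   # when the user prompt was raised

    def feed(self, ev: Event) -> str:
        """Decision for one event: "none", "prompt", "lockdown" or "unlock"."""
        if ev.kind == "access_blocked" and ev.target == SERVICE_IMAGE:
            self.blocked_access_at = ev.t
            return "none"

        if ev.kind == "terminated" and ev.subject == GUI_IMAGE:
            recent = (self.blocked_access_at is not None
                      and ev.t - self.blocked_access_at <= WINDOW_SECONDS)
            if recent:                     # rule 1: blocked access + GUI killed
                return "lockdown"
            self.prompt_open_since = ev.t  # rule 2: only the GUI died, ask the user
            return "prompt"

        if ev.kind == "user_response" and self.prompt_open_since is not None:
            timed_out = ev.t - self.prompt_open_since > WINDOW_SECONDS
            self.prompt_open_since = None
            if timed_out or not self.store.verify(ev.password):
                return "lockdown"          # no answer in time, or wrong password
            return "unlock"                # correct password: no lock

        return "none"


def simulate(events: List[Event], store: PasswordStore) -> List[str]:
    """Run a sequence of events through a fresh policy and return the decisions."""
    policy = LockdownPolicy(store)
    return [policy.feed(ev) for ev in events]


if __name__ == "__main__":
    demo_store = PasswordStore.create("correct horse")
    print(simulate([Event(0, "access_blocked", "x.exe", SERVICE_IMAGE),
                    Event(5, "terminated", GUI_IMAGE)], demo_store))
```

The window is what keeps rule 1 from firing on two unrelated incidents: a blocked access an hour ago followed by the user closing the GUI falls through to the prompt instead of an immediate lockdown.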
     
  2. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I think what Dan wants is similar to that of Advanced Disinfection Technology of Kaspersky. KL's ADT blocks all program launches until it finishes its job and the system is restarted. I got this from here: https://malwaretips.com/threads/kas...nly-no-ksn-ransomware-test.67685/#post-589342

    So, "locking the system when attacked" is not entirely new. If KL did a good job, it's absolutely possible for VS to implement this as perfectly as possible. :)
     
  3. Achelous

    Achelous Registered Member

    Joined:
    Mar 20, 2017
    Posts:
    10
    Location:
    UK
No, I do not know Dan very well, I've only just started using VoodooShield on my system.

No, this does not happen for me. When VoodooShield.exe and VoodooShieldService.exe are running, I can get rid of the service for VSScanner.sys without a problem and then there is no more protection on the system for monitoring the processes (obviously). This makes it useless for VoodooShield.exe and VoodooShieldService.exe to be running in the first place, because they will never have anything to scan or show for, the protection will be all gone...

    All of these problems could have been avoided if you had put in the time to actually research the topic of self-defense properly, and used a secure and reliable approach. In fact, there are plenty of details within this thread which it appears you have ignored, which demonstrate how you can implement exactly what you're looking for. Why you have ignored and gone for an approach like this is a mystery to me.

    Anyway, I look forward to the upcoming beta releases. Hopefully you will overcome this situation. :)
     
  4. Achelous

    Achelous Registered Member

    Joined:
    Mar 20, 2017
    Posts:
    10
    Location:
    UK
    If you use a secure and reliable approach, the same one that top AV vendors are all using (yes, they all more or less use the same methods), it won't matter if malware is trying over and over again. It will keep failing and will make absolutely no progress.

    If you use a secure, reliable and documented method such as ObRegisterCallbacks, and make sure to register it for both handle creation and duplication for PsProcessType and PsThreadType, then your processes will be protected against termination (and the threads within the process). The only way of bypassing it would be through loading a device driver.
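The real ObRegisterCallbacks registration lives in a kernel driver written in C against the WDK; what follows is an added Python model of the decision a pre-operation callback makes, not code from the post or from VoodooShield. The access-right and operation values are the documented winnt.h / ntddk.h constants; the protected image paths, the caller paths and the registered_ops parameter are assumptions made for the example.

```python
"""Decision logic of an ObRegisterCallbacks pre-operation callback, modelled
in user-mode Python so it can be run. Constant values are the documented
Windows ones; image paths and the registered_ops knob are constructed."""
from dataclasses import dataclass

# Operation kinds delivered in OB_PRE_OPERATION_INFORMATION.Operation
OB_OPERATION_HANDLE_CREATE = 0x1
OB_OPERATION_HANDLE_DUPLICATE = 0x2

# Process and thread access rights (winnt.h)
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
THREAD_TERMINATE = 0x0001
THREAD_SUSPEND_RESUME = 0x0002
THREAD_SET_CONTEXT = 0x0010
THREAD_QUERY_INFORMATION = 0x0040

# Rights an untrusted opener must not obtain on a protected process / thread
DENIED_PROCESS_RIGHTS = (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                         | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SUSPEND_RESUME)
DENIED_THREAD_RIGHTS = THREAD_TERMINATE | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT

# Assumed: image paths the product treats as its own trusted components
PROTECTED_IMAGES = {
    r"C:\Program Files\VoodooShield\VoodooShield.exe",
    r"C:\Program Files\VoodooShield\VoodooShieldService.exe",
}


@dataclass(frozen=True)
class HandleRequest:
    operation: int        # OB_OPERATION_HANDLE_CREATE or OB_OPERATION_HANDLE_DUPLICATE
    object_type: str      # "process" (PsProcessType) or "thread" (PsThreadType)
    caller_image: str     # image path of the process requesting the handle
    target_image: str     # image of the process that owns the target object
    desired_access: int   # DesiredAccess the caller asked for
    kernel_handle: bool = False   # OB_PRE_OPERATION_INFORMATION.KernelHandle


def pre_operation(req: HandleRequest,
                  registered_ops: int = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE) -> int:
    """Return the access mask the caller finally receives.

    registered_ops models the Operations mask passed to ObRegisterCallbacks:
    the callback is simply never invoked for operation kinds it did not register.
    """
    if not (req.operation & registered_ops):
        return req.desired_access          # callback not invoked: request passes untouched
    if req.kernel_handle:
        return req.desired_access          # kernel-mode openers are left alone
    if req.target_image not in PROTECTED_IMAGES:
        return req.desired_access          # not one of our objects
    if req.caller_image in PROTECTED_IMAGES:
        return req.desired_access          # our own components keep full access
    denied = DENIED_PROCESS_RIGHTS if req.object_type == "process" else DENIED_THREAD_RIGHTS
    return req.desired_access & ~denied    # TERMINATE etc. removed, QUERY_* rights kept


if __name__ == "__main__":
    svc = r"C:\Program Files\VoodooShield\VoodooShieldService.exe"
    other = r"C:\Program Files\ThirdParty\tool.exe"   # constructed caller path
    req = HandleRequest(OB_OPERATION_HANDLE_CREATE, "process", other, svc,
                        PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION)
    print(hex(pre_operation(req)))
```

The registered_ops parameter makes the point in the post concrete: with only handle creation registered, a duplicate request for the same rights passes through with PROCESS_TERMINATE intact, so the registration has to cover both operations for both PsProcessType and PsThreadType.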
     
  5. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    could not have said it better myself, well put :thumb:
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    Has anyone tried 355beta3? Any issues?

    Personally I had not experienced any issues with 354 / 355, but did revert back to 353 for a while on Dan's advice. I am currently on 355beta2.
     
  7. plat1098

    plat1098 Guest

    Did I say right ON? No, I meant write ON. :) Never mind. Major discussion, very interesting.

    Is anyone with v.3.55 beta 2 installing the 3 beta in post 15040 even if the 2 is working exactly as intended? Rather not push my luck.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    Just rebooted from install over the top with v3.55 beta3, and it is OK, for me, it seems.

    Some info from the log:

    [03-22-2017 21:10:32] [DEBUG] - DriverCommunicationService:disconnect
    [03-22-2017 21:10:32] [DEBUG] - DriverCommunicationService::Exit main loop
    [03-22-2017 21:10:32] [DEBUG] - DriverCommunicationService:disconnected
    [03-22-2017 21:10:32] [DEBUG] - DriverCommunicationService::Client disconnected
    [03-22-2017 21:11:08] [INFO ] - User Log Initialized
    [03-22-2017 21:11:08] [INFO ] - Snapshot file Initialized
    [03-22-2017 21:11:08] [INFO ] - Service started
    [03-22-2017 21:11:08] [INFO ] - Driver communication service started
    [03-22-2017 21:11:11] [DEBUG] - DriverCommunicationService::Connect 10 threads
    [03-22-2017 21:11:11] [DEBUG] - DriverCommunicationService::Enter main loop
    [03-22-2017 21:14:18] [DEBUG] - DriverCommunicationService::Client disconnected
    [03-22-2017 21:14:18] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\VoodooShield\Notify.exe | C:\Program Files\VoodooShield\VoodooShieldService.exe | True | False
    [03-22-2017 21:14:21] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\ReCrypt\ReHIPS\DesktopTools32.exe | C:\Program Files\ReCrypt\ReHIPS\HIPSAgent64.exe | True | False
    [03-22-2017 21:15:33] [INFO ] - User Log Initialized
    [03-22-2017 21:15:33] [INFO ] - Snapshot file Initialized
    [03-22-2017 21:15:33] [INFO ] - Service started
    [03-22-2017 21:15:33] [INFO ] - Driver communication service started
    [03-22-2017 21:18:10] [DEBUG] - DriverCommunicationService::Connect 10 threads
    [03-22-2017 21:18:10] [DEBUG] - DriverCommunicationService::Enter main loop
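As an added example (not part of the post and not VoodooShield's tooling), a small Python parser run over the log lines above. It pulls out the self-protection events, flags the one whose paths lie outside the product directory, and measures how long the service took to come back after each event. The post does not document the four fields that follow the message, so they are reported verbatim as two paths and two flags; the MM-DD-YYYY timestamp format and the install directory are assumptions.

```python
"""Triage the VoodooShield service log excerpt quoted above.

Constructed example: the lines are copied from the post, the timestamp
format (MM-DD-YYYY) and the product directory are assumptions, and the
meaning of the four pipe-separated fields is not documented on the page."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

LOG_EXCERPT = r"""
[03-22-2017 21:11:08] [INFO ] - Service started
[03-22-2017 21:11:08] [INFO ] - Driver communication service started
[03-22-2017 21:11:11] [DEBUG] - DriverCommunicationService::Connect 10 threads
[03-22-2017 21:14:18] [DEBUG] - DriverCommunicationService::Client disconnected
[03-22-2017 21:14:18] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\VoodooShield\Notify.exe | C:\Program Files\VoodooShield\VoodooShieldService.exe | True | False
[03-22-2017 21:14:21] [ERROR] - VoodooShield has entered self-protection mode. | C:\Program Files\ReCrypt\ReHIPS\DesktopTools32.exe | C:\Program Files\ReCrypt\ReHIPS\HIPSAgent64.exe | True | False
[03-22-2017 21:15:33] [INFO ] - User Log Initialized
[03-22-2017 21:15:33] [INFO ] - Service started
[03-22-2017 21:18:10] [DEBUG] - DriverCommunicationService::Enter main loop
"""

# "[INFO ]" carries a trailing space inside the brackets, hence the \s*
LINE_RE = re.compile(r"^\[(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\] \[(\w+)\s*\] - (.*)$")
SELF_PROTECT_MSG = "VoodooShield has entered self-protection mode."
PRODUCT_DIR = "c:\\program files\\voodooshield\\"   # assumed install path, lower-cased


@dataclass
class Entry:
    ts: datetime
    level: str
    message: str


@dataclass
class SelfProtectionEvent:
    ts: datetime
    path_a: str      # first path field; role not documented on the page
    path_b: str      # second path field
    flag_a: bool
    flag_b: bool

    @property
    def involves_foreign_process(self) -> bool:
        """True when either path lies outside the product's own directory."""
        return any(not p.lower().startswith(PRODUCT_DIR) for p in (self.path_a, self.path_b))


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tolerate stray lines instead of aborting
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
        entries.append(Entry(ts, m.group(2), m.group(3)))
    return entries


def self_protection_events(entries: List[Entry]) -> List[SelfProtectionEvent]:
    events = []
    for e in entries:
        if e.level != "ERROR" or not e.message.startswith(SELF_PROTECT_MSG):
            continue
        fields = [f.strip() for f in e.message.split("|")]
        if len(fields) != 5:
            continue                      # unexpected shape: skip rather than guess
        events.append(SelfProtectionEvent(e.ts, fields[1], fields[2],
                                          fields[3] == "True", fields[4] == "True"))
    return events


def seconds_to_restart(entries: List[Entry]) -> List[Optional[int]]:
    """Per self-protection event: seconds until the next 'Service started', or None."""
    starts = [e.ts for e in entries if e.message == "Service started"]
    out = []
    for ev in self_protection_events(entries):
        later = [s for s in starts if s > ev.ts]
        out.append(int((min(later) - ev.ts).total_seconds()) if later else None)
    return out


if __name__ == "__main__":
    parsed = parse_log(LOG_EXCERPT)
    for ev in self_protection_events(parsed):
        print(ev.ts, ev.path_a, ev.path_b, "foreign" if ev.involves_foreign_process else "own")
    print(seconds_to_restart(parsed))
```

On this excerpt the second event involves ReHIPS binaries rather than VoodooShield's own, which is the kind of third-party interaction worth checking first when a lockdown fires, and both events are followed by a fresh "Service started" about 75 seconds later.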
     
  9. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    V3.55 beta3 running clean and green on my Win 7pro x64 for several hours so far, several reboots etc.
     
  10. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
same here but i did notice that some third party applications would not start after first boot until i shutdown VS. once i shut it down the applications immediately opened and now start normally when i reboot. i suppose they were whitelisted now but not sure why they weren't allowed to run but also weren't technically blocked by VS with warnings.
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,071
    Location:
    Ontario, Canada
I honestly like it this way and it's no big deal to do a reboot to get back your system. Also this doesn't happen unless you are trying to shut down VS's processes, otherwise it works as it should.
     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,071
    Location:
    Ontario, Canada
Right! And again I like the new Lock Down feature and you only have to do a reboot to get your system back. Again Dan is following the theme of VS as a Computer Lock.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    Installed v3.55 beta 3 over the top of beta 2. Restart seemed a bit sluggish, shutting down and booting up.

    Though that could be a coincidence, I definitely concur with @Tarnak's observation here: https://www.wilderssecurity.com/threads/voodooshield.313706/page-602#post-2661489

    VS CPU usage went up to nearly 50% on booting and took some 5 minutes to settle down. Could be that it's a one-time issue, will have to monitor that.
    Noticed that with beta2 also, don't recall that it existed before that.
     
    Last edited: Mar 22, 2017
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dan and all

First let's think about your targeted market. How many times do you think they will be targeted for an attack. Come on. This is building a battleship to solve a row boat problem. To TH's comment, when I made the mistake I made which I think was accidentally closing VS, the reboot time was a disaster. Put the feature in, but give us the ability to turn it off.

    The other factor is called layers. I am not worried about Dan's scenario. VS is not used alone, nor should it be.

Let me put it this way: if this feature is there without the ability to turn it off, I will not install it. Most of the time it would be benign, but at a rare but very critical moment it was a disaster. Knowing it could happen again I can't chance it.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Locking the system when it is being disinfected is totally different than what we are talking about here.
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I'm not saying that it's the same, but the "locking the system while being attacked" is similar. VS' planned self-protection already implies that the system may be attacked. So, when VS is attempted to be disabled by an unknown app (malicious), there is clear indication that something bad might happen to the system. Locking the computer, then, is a viable solution, just like what ADT does. :)
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,071
    Location:
    Ontario, Canada
I could not have said it any better. Now for users like Peter and others maybe a setting to disable the self protection but add a message to "do it at your own risk". I'm not saying that us Security Gurus would get infected but for the common/enterprise users well....
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    But seriously. I don't know if you notice whenever a new threat is mentioned I always ask how it got on the system. Even all these major attacks we read about start off by someone doing something they shouldn't have done. When I test VS for malware I have to turn off layers so the malware can get to VS.

Also we are all human and make mistakes. I also test and assume I will make them. That's another reason for layers. If someone just runs VS, they are protected, but if they make a human mistake it could be bad. I just don't see the reason for this Draconian approach.
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,071
    Location:
    Ontario, Canada
    Like I said above Peter.
     
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I totally agree with what you said. But Dan is accommodating the possibility of targeted attacks on VS' users. So, I think, as a developer, Dan just wants to cover all bases. Targeted or not, the user must be protected.
     
    Last edited: Mar 22, 2017
  21. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I think you should continue on the path you're taking Dan...Perhaps it will work, perhaps not, at any rate it shows your commitment to continually enhance an already superb security software that is user friendly ;)
     
  22. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    I think that "user friendly" is the important bit here. I'm sure Dan knows what he is doing and let's all hope that he can resolve this satisfactorily. However I agree with Peter that the last thing the average user wants is to suddenly find his system locked up unexpectedly. It is far more likely that users will try to shut VS down inappropriately using Task Manager than they will be subject to a targeted attack against VS on their machine.
     
    Last edited: Mar 22, 2017
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
True, but EIS protects itself, Appguard protects itself, ERP protects itself, but they only protect themselves, not lock up the system. And they all have opt out options.

I agree it is up to Dan, but he needs to carefully consider his whole user base.
     
  24. plat1098

    plat1098 Guest

    Well, it IS panic-inducing when your machine suddenly locks and it's correlated with a specific software. Regardless, there were methods like these posted to get around it, you're saying this is inappropriate? And with great respect to EIS, a total mess of my operating system requiring a complete Windows reinstall is more reason to move on than a temporary lock up you can work around.

    This new Self Protect feature is very welcome and wanted. It's also seeming to be a challenge, like any major software change. You vent and move on, hopefully to the next build.
     
  25. Achelous

    Achelous Registered Member

    Joined:
    Mar 20, 2017
    Posts:
    10
    Location:
    UK
    This is a good idea in my opinion, I think the problem is that Dan isn't aware of how to execute his own code while the termination request is calling but before allowing it to proceed. All the details on how he can protect the processes have already been given in the past few days on this thread. Using methods previously mentioned (some with more extensive detail provided by other members) he could prevent the termination of his processes in a reliable, secure and less-irritating manner, without requiring a "lock down" feature, but also add support for the good idea you've just suggested. If I recall right, Avast used to show a UAC-like alert before their protection was being shut down (it dimmed the screen too).

Alternatively, he could replace the mechanism with a new one which does as it is currently, but instead of "locking down" the system it would obtain the process ID of the caller process trying to attack the VoodooShield processes, and if that caller process does not genuinely belong to Windows (e.g. TaskMgr.exe, other system processes), he could terminate the caller process. This means that the system does not end up going into a "lock down" mode which it seems many people dislike, but the actual attacker target is terminated from memory (and/or also blacklisted from being executed until further user interaction from within the GUI).

    Could be a nice implementation... if implemented correctly of course. :) :p
     