VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I looked at your logs and could not identify the command line that is being blocked, but they look great. None of the changes since 3.53 should have affected this either way, but if the command line is blocked again, can you please send me the specific command line? Thank you!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for letting me know... if this happens again, you might want to exit out of VS and delete the snapshot3.dat file in C:\ProgramData\VoodooShield, then start VS again to see if this issue is corrected (this will reset your whitelist though). If this still does not fix the issue, then can you exit out of VS and delete the settings3.dat file (this will reset your settings).

This has been happening every once in a great while to a handful of users, and usually I just have them delete all of the .dat files. But if we narrow down which one is causing this issue, by deleting them one at a time, it will give us an idea why this is happening. Thank you!
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    Dan - sent you a PM.

    Btw no issues with 3.56.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,374
    Location:
    Among the gum trees
    I've sent you the log from my other machine too, Dan.

    Thanks.
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
    Hi Dan

    Thanks, but not sure what it is you are saying here as I am finding this behaviour perfectly normal and in fact the RAM & CPU usage with this version are some of the lowest that I have seen. I am not understanding what problem you may think there is with my installation of VS?

    Apologies If I have missed something salient here. :oops:

    Regards, Baldrick
     
  6. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    916
    Location:
    The Netherlands
    Version 3.56 running great here in autopilot mode.
    I got a popup of an unsigned command line being blocked.
    Can I allow it or not?
    rundll32 c:\windows\system32\generaltel.dll,runinusercxt 4bo2pkuo3ekbohor.1.2.2 {2852722e-9f72-44f7-b8e8-c6d43b0ca6a5} {42c6c866-5749-a068-0bba-7cec123c1282} isadmin wamaccountcount officeaddins
    That's the only problem I have. Sometimes I don't know how to answer a popup like this...
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that... I thought you were having a high CPU utilization usage issue with VS. If so, you can try the procedure above. If not, we do not have to worry about it, thank you!
     
  8. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    84
    Location:
    UK
    Hi Dan,
    I did raise this back in January post (#14245 – page 570) – but perhaps not very clearly looking back at it.
    The auto quarantine function on my set-up doesn’t appear to be working.

    Voodooshield.jpg

    Taking positive action in response to this message is fine but if I take no action e.g. NOT clicking the message or NOT clicking X, VS blocks the threat but doesn’t auto quarantine it.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, command lines can be tricky for anti-executables, especially since there is no blacklist or VoodooAi file insight to help the user decide. Just imagine if users did not have file insight for ALL of the blocks... especially for the novice users.

    VS typically automatically allows the non-malicious command lines in several ways. First, most of the common command lines are hard coded. Second, command lines spawned by a whitelisted process are auto allowed. Third, we are going to add a cloud based command line system, which will help a lot too. I am always amazed how many command lines VS automatically adds without prompting me. I have to reset my whitelists and command lines daily for dev reasons, and I hardly ever get a block. For example, in the last 12 or so hours, 20 were automatically added without prompting me.

    That particular block looks like some kind of an office addin. Do you have some kind of addin for Outlook or Word?
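
The three-tier decision described in the post above (hard-coded command lines, then command lines spawned by a whitelisted process, otherwise prompt the user), written as an added Python example that is not VoodooShield's own code; the hard-coded entry, the parent whitelist and the sample command lines are constructed for illustration. It keys the hard-coded tier on the stable part of a rundll32 invocation (DLL path and export) rather than on the session-specific GUIDs and tokens in the arguments.

```python
import re

# Constructed sample: the rundll32 command line asked about in the thread.
SAMPLE_CMDLINE = (
    r"rundll32 c:\windows\system32\generaltel.dll,runinusercxt 4bo2pkuo3ekbohor.1.2.2 "
    r"{2852722e-9f72-44f7-b8e8-c6d43b0ca6a5} {42c6c866-5749-a068-0bba-7cec123c1282} "
    r"isadmin wamaccountcount officeaddins"
)

# Tier 1 (assumed, constructed): known-benign (dll, export) pairs. Keying on the
# DLL path and export keeps the entry stable even though the GUIDs and session
# token in the arguments change on every run.
HARDCODED_ALLOW = frozenset({
    (r"c:\windows\system32\generaltel.dll", "runinusercxt"),
})

# Tier 2 (assumed, constructed): parents whose spawned command lines are allowed.
WHITELISTED_PARENTS = frozenset({r"c:\windows\explorer.exe"})

_RUNDLL32 = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)\s*(.*)$', re.IGNORECASE
)


def parse_rundll32(cmdline):
    """Return (dll_path, export, args) for a rundll32 command line, else None."""
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower(), m.group(3)


def decide(cmdline, parent_process, parent_whitelist=WHITELISTED_PARENTS):
    """Return ("allow" | "prompt", reason) for an unsigned command line."""
    parsed = parse_rundll32(cmdline)
    if parsed and parsed[:2] in HARDCODED_ALLOW:
        return "allow", "hard-coded command line"
    if parent_process and parent_process.lower() in parent_whitelist:
        return "allow", "spawned by whitelisted process"
    # Nothing vouches for it: surface the stable part so the user can judge it.
    what = "%s!%s" % parsed[:2] if parsed else cmdline.strip()
    return "prompt", "unknown command line: " + what


if __name__ == "__main__":
    print(decide(SAMPLE_CMDLINE, r"c:\windows\system32\svchost.exe"))
```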
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
    Hi Dan

    Absolutely no need to apologise. :) I am grateful for the concern and it was most likely my unclear explanation that caused the misunderstanding/wasted your precious time. :oops:

    I will hang on to what you have stated...for use should I ever notice high CPU usage...but for now everything is going swimmingly well at this end re. VS...in fact better than ever. :D

    Methinks this latest version of VS may be prime time ready. ;)

    Regards, Baldrick
     
  11. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    916
    Location:
    The Netherlands
    I have only the built-in add-ins for Microsoft Office 365. Didn't add anything myself.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, just so everyone knows what CS is talking about, here is the original link:

    https://www.wilderssecurity.com/threads/cybergenic-shade-sandbox-tool.380371/page-6#post-2661225

    I believe she is discussing how some malware will utilize a timer for sandbox evasion. For example, one way a lot of AV vendors create definitions for malware is to run the file in a sandbox... somewhat similar to Cuckoo, and sometimes even Cuckoo. So malware will start, but delay the actual malicious code for several minutes or hours, to trick the sandbox into thinking that it is not malicious. With VS, you should not have to worry about that since the file will be blocked.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry I missed that post... yeah, that is a bug, it was easy to reproduce. It will be an easy fix, and I will fix it in the morning for the next release. Thank you for finding that!
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is a tricky one. We need to identify where it is coming from somehow. Let me think about it.
     
  15. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    916
    Location:
    The Netherlands
    Ok, thanks :thumb:
     
  16. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    The reference to generaltel.dll would suggest to me it's something to do with sending telemetry data to Microsoft. I've seen the same on my PC and just allowed it.
     
  17. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    916
    Location:
    The Netherlands
    Thank you, for now I will do the same. :thumb:
     
  18. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    The commonality is we both have Office 365 - it's probably why the command line is additional to what you've seen, unless, that is, you have it as well.
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,072
    Location:
    Ontario, Canada
    The Snapshot you posted showed high CPU usage and I have never seen that before, so that's why I questioned it, nothing more. Do you know why it was that high at that time and do you see it go up that often?
     
  20. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
    Nope, Daniel...have never really seen it before so I suspect that it may just have been a blip. No idea why it was high at the time but will look to keep an eye out for it as and when it happens again. Generally I am seeing CPU running at between 0% and 1% usage.

    But if I spot anything I will post back here with details.

    Regards, Baldrick
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, all you guys who looked into this, I will hardwire these into VS today.

    When I was researching the topic last night, the ironic thing is that HJLBX requested that we hardwire these command lines a long time ago ;).

    https://www.wilderssecurity.com/threads/voodooshield.313706/page-282#post-2493571
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it is uncommon, but it does happen every once in a blue moon. Deleting all of the .dat files fixes the issues, but I figured it would be best, when this happens again, to delete one at a time, that way it will give us an indication where the issue might be. So if it does happen to anyone, please delete your .dat files one at a time until we see which one is causing it, thank you!
     
  23. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    916
    Location:
    The Netherlands
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, thank all of you guys! I hardwired the command lines and fixed the auto quarantine issue, for the next release. So far, the latest beta looks pretty good, so I think we are close, but Krusty might have an issue on one of his three computers, so we will wait and see what everyone else says. If for some reason it is still not working, we can remove that feature for now, and revisit it later... Alex and I really need to focus on finishing the web management console and new website (even though it is going to look the same). Have a great weekend!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, here is a great video that explains some really cool stuff about this topic. The part everyone was discussing starts at 44:25, although the whole thing is interesting.

    https://www.youtube.com/watch?v=NkvjDitkDpM
     