Update VoodooShield 7.0

Thread Tags
  1. Developer is currently beta testing this product.

Gandalf_The_Grey

Mail from @danb:
Hey Guys!

Here is the latest VS, there were a couple of small refinements and it should be ready for public release. If we do not find any bugs we will be releasing it to the public early next week.

It might be a good time to mention something. Do you guys know how I have been preaching for years that VS protects thousands of vulnerable processes, including essentially all Windows processes? Follina demonstrated the efficacy of our mechanism, so all that hard work finally paid off.

In other words, there is no need to add msdt.exe to VS’s vulnerable processes, it is already protected, and has been since March 2015. Along with thousands of other vulnerable processes, all automatically, all with zero configuration.

VS 7.14

https://voodooshield.com/Download/InstallVoodooShield714.exe

SHA-256: b6bb0fb426a6d2a13f4f4ded8bd6963195cdbacfb684826e94436b8cfe45077f

Thank you,

Dan
 

danb

So, does this include all URI themes? Including the undocumented ones? Just me being curious again.
Not exactly sure what you mean, but should not be an issue. Do you have any examples that might be an issue? Thank you!
 

danb

Maybe @danb can explain us in more detail how this works?
I was not able to respond with so many characters, so here is the first part...

VS's Antimalware Contextual Engine is an extension of the Anti-Exploit tech that we introduced back in March 2015. After working with VS for so long, I finally figured out that context is everything, and I mean everything in cybersecurity.

So over the years we have been building the Anti-Exploit rules, and one day about a year ago I figured out a way to combine them all in to one unified algorithm. It was quite funny because when I first started writing the code for the Antimalware Contextual Engine, I was like "OMG, this is going to be impossible". But after a few hours I started making progress and I was like "maybe this is possible".

Do you guys remember when we were working on DefenderUI together? That was really where the Antimalware Contextual Engine was born and optimized. It took TONS of work, and I mean TONS to get it right.

So essentially the Antimalware Contextual Engine is a highly optimized version of the original Anti-Exploit mechanism that we introduced in March 2015, the same mechanism that cybersecurity companies large and small have adopted since then. I might mention that none of them have adopted the mechanism correctly.
 

harlan4096

@danb has sent me this text, since he is having some issues posting:

"It really is all about context, here are a few examples...

1) If the user opens cmd.exe, UAC blocks it. This is absurd. So the Antimalware Contextual Engine works in both directions, both to allow and to block.

2) Web apps should not be able to open vulnerable apps.

3) All Windows processes should be considered vulnerable. Technically it is not ALL, but it is almost all.

Basically, block what really needs to be blocked and allow what really should be allowed, according to the context of the execution flow / attack chain.

So the Antimalware Contextual Engine is a highly optimized set of rules that determines if each process execution flow / attack chain should be further inspected or not. I would give more examples, but that should be enough to give you an idea of how it works. But if you have any questions, please feel free to post or email me. I try to keep up with the posts but I always fall behind, but if you email me I will respond. Thank you!"
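As an added illustration (not VoodooShield's own code), here is one way to encode the three context rules above as a check over a parent-to-child process chain, including the Follina-style chain of a document handler launching msdt.exe. The app lists, the Windows-directory heuristic and the shield_on flag are assumptions for the demo:

```python
"""Toy context check over a process execution chain.

Encodes the three rules from the post above: a user-launched cmd.exe is
allowed, web apps must not spawn vulnerable apps, and (nearly) every
Windows binary counts as vulnerable. Lists and paths are constructed
assumptions, not VoodooShield's real tables.
"""
from dataclasses import dataclass

# Assumed classification tables for the demo.
WEB_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
DOC_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}  # document handlers
WINDOWS_DIR = "c:\\windows\\"


@dataclass(frozen=True)
class Proc:
    name: str
    path: str
    user_initiated: bool = False  # opened directly by the interactive user


def is_vulnerable(p: Proc) -> bool:
    """Rule 3: anything living under the Windows directory is treated as vulnerable."""
    return p.path.lower().startswith(WINDOWS_DIR)


def evaluate_chain(chain: list[Proc], shield_on: bool = True) -> str:
    """Decide 'allow', 'block' or 'inspect' for the last process in chain.

    chain runs from the root ancestor to the process that is about to run.
    """
    target, ancestors = chain[-1], chain[:-1]
    from_web = any(a.name in WEB_APPS for a in ancestors)
    from_doc = any(a.name in DOC_APPS for a in ancestors)
    # Rule 2: a web app (directly, or through a document handler it opened)
    # launching a vulnerable process is the exploit shape, e.g. Word -> msdt.exe.
    # The thread says this is blocked even when the shield is OFF.
    if is_vulnerable(target) and (from_web or from_doc):
        return "block"
    # Rule 1: the user deliberately opening cmd.exe is not an attack.
    if target.user_initiated and is_vulnerable(target):
        return "allow"
    # Everything else: with the shield ON, unknown executions get further
    # inspection (reputation / AI verdicts); with it OFF they simply run.
    return "inspect" if shield_on else "allow"
```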
 

Mops21

@danb has sent me this text

The only combo that does not work is running VS Pro and DefenderUI Pro together. It is serious overlap, as both products are quite similar under the hood.

I personally run VS Pro and DefenderUI Free.

I am not exactly sure which direction DefenderUI Pro is heading, but we should know soon 😉.

With best Regards
Mops21
 

Freki123

The Follina tests went great, and VS properly blocked the exploit with its Antimalware Contextual Engine / Anti-Exploit mechanism (as opposed to blocking the command line). It is okay to block exploits via suspicious command lines, but the only problem is that if there is not a rule for a certain suspicious command line, then there will be a bypass. This is why we prefer blocking by the Anti-Exploit mechanism; you are pretty much 100% certain it is going to block the attack.

But I did find two optimizations that I implemented in 7.13. First, when VS was OFF, it did not block Follina. This could go either way, simply because when the user downloads the exploit, they will either be running a web browser or email client. But just to be sure, VS now blocks exploits when it is OFF. And actually, before the Antimalware Contextual Engine, VS did block potential exploits even when it was OFF. I just never got around to implementing the potential exploit feature into the Antimalware Contextual Engine. The other change I made is that now when VS blocks a potential exploit, it will show the appropriate user prompt that does not provide VoodooAi or WhitelistCloud verdicts. Again, this is how VS used to work as well, and the reason we do not want to provide VoodooAi or WhitelistCloud verdicts is, for example, if VS blocks calc.exe via a potential exploit, then the VoodooAi or WhitelistCloud verdicts will both be Safe, making the user think that it is okay to allow.
So out of curiosity, could VS < 7.13 get in Follina trouble in Smart Mode (when it would/could toggle off)?
 
danb

So out of curiosity, could VS < 7.13 get in Follina trouble in Smart Mode (when it would/could toggle off)?
It is difficult to say without testing, and the last thing I want to do is test some more ;). What I do know for sure is that in earlier versions, when VS toggled to OFF, it would not have blocked msdt.exe, which is really where this attack needs to be blocked. It might have blocked something further down the attack chain, but in my opinion, it is irrelevant because it really should have blocked msdt.exe from ever executing in the first place. We could have gone either way on this, simply because the malicious document will arrive either through a web browser or email client, but out of an abundance of caution, the best thing to do is to always block this attack at the msdt.exe stage.

And of course when VS was ON, this attack has always been blocked at the msdt.exe stage.

Why can't I find a settings tutorial (YouTube) for VoodooShield
for novice or new users with 7.xx?
And when will the new GUI theme be like the old software?
Or rather, what settings do you use?
We tried to make the new UI look like the DefenderUI interface. If you have any suggestions please let us know, thank you!
 

Freki123

Post 221 "In other words, there is no need to add msdt.exe to VS’s vulnerable processes, it is already protected, and has been since March 2015"
is a bit confusing when VS 7.13 isn't even a month old and for VS <7.13 you said:
What I do know for sure is that in earlier versions, when VS toggled to OFF, it would not have blocked msdt.exe, which is really where this attack needs to be blocked. It might have have blocked something further down the attack chain, but in my opinion, it is irrelevant because it really should have blocked msdt.exe from ever executing in the first place. We could have gone either way on this, simply because the malicious document will arrive either through a web browser or email client, but out of an abundance of caution, the best thing to do is to always block this attack at the msdt.exe stage.
Since Smart Mode is the default setting, which by default toggles off after some time (when there is no internet), it seems contradictory to me.
That being said, 7.14 is running well so far here.
 

danb

It is not contradictory at all. The only way the user is going to encounter Follina is if they are running an email client or web browser, in which case VS will be ON and block msdt.exe. I made changes to VS in the unlikely event that the user performs the following steps in this order...

1) Is running VS on Smart Mode
2) Encounters and downloads Follina to their download directory
3) Closes all of their web apps
4) Navigates to their download directory and launches Follina

This is extremely unlikely to happen, but we fixed it just in case.
 

Freki123

For me only point 2 sounded unlikely. The rest I could achieve with just a food break (and turning the PC off) before resuming where I left off some time later (step 4) :D
Thanks for the detailed answer and good that it is fixed just to be on the safe side.
 

Gandalf_The_Grey

Mail from @danb:
Hey Guys!

Since I was out of things to work on for VS, I started thinking about long term features for VS. We have always wanted to make VoodooAi local instead of cloud based. So now VoodooAi is 100% local! The models and dependencies are all built into VS now. In doing so, ML.NET required that we transition VS to 64 bit only, which was a great idea anyway since none of our users run 32 bit Windows, and that allowed us to remove a lot of legacy code. For example, the VS installer used to be around 31 MB, now it is around 20 MB, including the new ML.NET DLLs. Microsoft is abandoning all 32 bit systems soon anyway.

In short, VS is now pure 64 bit and the ML/Ai is 100% local. We might add a VoodooAi full scan at some point. In the meantime, all of the VoodooAi results for whitelisted items are displayed in the VS Settings / Whitelist tab.

The ML.NET exceeded my expectations on so many levels. First, it is extremely accurate and fast. The ML/Ai platforms and algos have come a very long way since we first introduced VoodooAi using the Azure Machine Learning Studio Platform in late 2015. Since we now have WhitelistCloud, we were able to make the new local VoodooAi much less aggressive than it was before, so there will be significantly fewer false positives now. I personally believe the new VoodooAi and WLC are an amazing combo. I am still tweaking the models, but I am extremely happy with the current models in the 7.17 beta.

WhitelistCloud is still cloud based, and a few people have asked why the user prompt displays the WLC verdict, even though the WLC Realtime Scan is disabled in VS Settings. Well, there really is no reason, and we can go either way on this. Since VoodooAi is 100% local now, maybe it would be a good time to create an option to enable / disable WLC on the user prompt.

So the new VoodooAi implementation should be complete. Although I am going to do some really cool things with VoodooAi and WLC in the cloud that will further increase the efficacy of WLC.

This version should be completely stable, but I did mark it as a beta since there were massive changes. So if you guys find anything, please let me know!

VS 7.17 beta

https://voodooshield.com/Download/InstallVoodooShield717beta.exe

SHA-256: f8c46997c4369edb37776f7ad6b9264c3087d12e2b88836aa2812ca25c769812

Thank you guys!

Dan
 

danb

@danb....you're out of things to work on with VS??!? What about getting the rules section working correctly finally? A more granular rules section has been a requested feature for a long time now.
Ooops, great point, I forgot about that, thank you for reminding me. If you can think of specific ways to improve the rules feature, please let me know. Otherwise I will just play around with it and see what I can come up with. The rules feature is kind of odd. It is kind of difficult to make it so the various components of the feature make sense to everyone (if that makes any sense ;)).
 

danb

Calling MT Malware hunters! Maybe a new round of testing will be in order once the new VS ML/Ai is finalized and out of Beta. Testing with WLC disabled would be my preference.
Absolutely!

BTW, I noticed that we need to do some work on the user prompt. Basically, when VoodooAi was cloud based, VS would check for an internet connection, and if there was not one, would let the user know that they need to be connected to the internet to scan with WLC and VoodooAi. Now that VoodooAi is local, we can remove the internet connection check for VoodooAi, but keep it for WLC. Once this is finished, if you want to test just VoodooAi, all you will have to do is disable your internet connection.

From what I have seen, the best pure ML/Ai engines have around a 95% efficacy, and I expect VoodooAi to be roughly in that range as well. In other words, to properly protect a computer, you really need WLC and VoodooAi. So I personally would like to see an AutoPilot test with WLC and the new VoodooAi. I have already tested it quite a bit and found some malware slip past VoodooAi, but I have not yet found any that will slip past both WLC and VoodooAi.

FYI, the reason I wanted to use ML.NET is because it is what Microsoft Defender uses for its ML/Ai…