New Update VoodooShield CyberLock 7.0

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
Thanks Dan, don't envy you if you have to do the false positive procedure manually.
Yeah, correcting false positives manually took forever, and I was always behind. I actually just finished adding the User False Positive feature to our WhitelistCloud monitoring software, so correcting false positives will only take 5 or so minutes a day total. The same goes for the other features like Digital Signatures. So probably less than 10 minutes a day for everything, besides manually resetting users' passwords for them ;).

Having said that, I have a few thousand false positives to go through, and that will take a little while. I will start with the ones with the most reported false positives and work my way down. It could take a week or so before all of them are corrected, but after that it will be super quick.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,246
Yeah, correcting false positives manually took forever, and I was always behind. I actually just finished adding the User False Positive feature to our WhitelistCloud monitoring software, so correcting false positives will only take 5 or so minutes a day total. The same goes for the other features like Digital Signatures. So probably less than 10 minutes a day for everything, besides manually resetting users' passwords for them ;).

Having said that, I have a few thousand false positives to go through, and that will take a little while. I will start with the ones with the most reported false positives and work my way down. It could take a week or so before all of them are corrected, but after that it will be super quick.
Excellent, thank you.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
Hi Dan! Your product is great, but I despair at the thought of the amount of headaches involved in maintaining it. Lately I've noticed a few types of malware that on first glance (and a VERY quick glance at that) seem to have legitimate certificates. For instance:

View attachment 267917
Although the lack of a counter-signature is sort of a giveaway that something is amiss, I wonder if something like this one, if just released into the wild, would be flagged immediately due to the improper certificate pathway.
Hey CS! We have several protections in place to mitigate bad sigs. First, VS does not auto allow by digital signature at all... unless the sig is already in the endpoint's tiny, customized whitelist. And of course we exclude certain sigs for this feature for obvious reasons.

The second layer is what I call VoodooVerified. We have a list of roughly 15,000 of the most common sigs we have collected over the last 10+ years that have all been verified. So if a file is signed and verified by the issuer, but is not verified by our list, then the user will get a prompt like this...

prompt.PNG


So even if VoodooAi and WLC determine the file to be safe, and even if the file is signed and verified by the issuer, the user is still warned that "The digital signature cannot be verified by VoodooShield".

We have a couple of other minor protections in place, but I would have to look through the code to remember what they are. But by far VS's most important protection for digital signatures is simply not allowing by sigs alone ;).

I have not thought of checking the counter-signature before, but that would be a really great idea to do as well, thank you for the suggestion! BTW, if you need a license let me know. Thank you!
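The three layers danb describes above (never auto-allowing on a signature alone, the endpoint's own small whitelist, and the VoodooVerified publisher list), plus the counter-signature check CS suggested, written out as an added Python example. This is illustrative code written for this page, not VoodooShield's implementation. It assumes the operating system has already verified the Authenticode chain (the chain_valid flag stands in for that result), keys every list on the SHA-256 of the signer's DER certificate rather than on the subject name, and uses constructed byte strings in place of real certificates. SignatureFacts, SignaturePolicy, Verdict and the CERT_* values are hypothetical names for this example only.

```python
"""Layered signature policy as described in the thread (illustrative, not VoodooShield's code)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    AUTO_ALLOW = "auto-allowed: signer already in this endpoint's whitelist"
    PROMPT_VERIFIED = "prompt: signature valid, publisher on the verified list"
    PROMPT_UNVERIFIED_PUBLISHER = "prompt: The digital signature cannot be verified by VoodooShield"
    PROMPT_BAD_SIGNATURE = "prompt: signature present but does not verify"
    PROMPT_UNSIGNED = "prompt: file is unsigned"


@dataclass(frozen=True)
class SignatureFacts:
    """Hypothetical record of what the OS verifier reports for one file.
    chain_valid is what Windows (WinVerifyTrust / Get-AuthenticodeSignature) decides;
    it is an input to this example, not something the example computes."""
    signed: bool
    chain_valid: bool
    signer_cert_der: Optional[bytes]  # DER-encoded leaf certificate, or None
    countersigned: bool               # timestamp countersignature present


def thumbprint(der: bytes) -> str:
    """Key the lists on the leaf certificate's hash, not its subject name: names can be reused, hashes cannot."""
    return hashlib.sha256(der).hexdigest().upper()


@dataclass(frozen=True)
class SignaturePolicy:
    endpoint_whitelist: frozenset   # thumbprints this endpoint has already allowed
    verified_publishers: frozenset  # curated list of known-good signers (the thread's ~15,000 entries)
    never_auto_allow: frozenset     # signers excluded from auto-allow even when whitelisted locally

    def decide(self, facts: SignatureFacts) -> Tuple[Verdict, List[str]]:
        """Return (verdict, warnings). A valid signature by itself never yields AUTO_ALLOW."""
        if not facts.signed or facts.signer_cert_der is None:
            return Verdict.PROMPT_UNSIGNED, []
        if not facts.chain_valid:
            return Verdict.PROMPT_BAD_SIGNATURE, []
        warnings: List[str] = []
        if not facts.countersigned:
            # The check suggested in the thread: a valid signature with no timestamp
            # countersignature is unusual for a commercial publisher, so surface it and
            # (design choice of this example) do not skip the prompt for it.
            warnings.append("no timestamp countersignature")
        tp = thumbprint(facts.signer_cert_der)
        if tp in self.endpoint_whitelist and tp not in self.never_auto_allow and not warnings:
            return Verdict.AUTO_ALLOW, warnings
        if tp in self.verified_publishers:
            return Verdict.PROMPT_VERIFIED, warnings
        return Verdict.PROMPT_UNVERIFIED_PUBLISHER, warnings


# Constructed stand-ins for DER certificates; real ones come from the file's Authenticode blob.
CERT_A = b"constructed-der-publisher-A"
CERT_B = b"constructed-der-publisher-B"
CERT_C = b"constructed-der-unknown-signer"

POLICY = SignaturePolicy(
    endpoint_whitelist=frozenset({thumbprint(CERT_A), thumbprint(CERT_B)}),
    verified_publishers=frozenset({thumbprint(CERT_A), thumbprint(CERT_B)}),
    never_auto_allow=frozenset({thumbprint(CERT_B)}),
)


def demo() -> dict:
    """Run the policy over constructed cases covering each branch."""
    cases = {
        "whitelisted publisher, countersigned": SignatureFacts(True, True, CERT_A, True),
        "whitelisted but excluded signer": SignatureFacts(True, True, CERT_B, True),
        "whitelisted, no countersignature": SignatureFacts(True, True, CERT_A, False),
        "valid chain, unknown signer": SignatureFacts(True, True, CERT_C, True),
        "signature does not verify": SignatureFacts(True, False, CERT_C, True),
        "unsigned": SignatureFacts(False, False, None, False),
    }
    return {name: POLICY.decide(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, (verdict, warns) in demo().items():
        print(f"{name:40s} -> {verdict.name} {warns}")
```

The point the code makes explicit is that "verified by the issuer" and "verified by the product" are different questions: a valid chain only proves that some CA issued a certificate to someone, so the unknown-signer case still lands on the "cannot be verified by VoodooShield" prompt, and the endpoint whitelist and exclusion list are consulted by certificate hash so that a fresh certificate with a familiar-looking name does not inherit an earlier allow.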
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,089
I totally agree that the VS settings can be overwhelming, especially for users who are trying VS for the first time. The last couple of years we have eliminated a few options, but it would be great if we could eliminate even more, or somehow organize them better. If anyone has any suggestions on how we might be able to do this, please let me know.
My suggestion is to have a simple GUI with only essentials and a switch = "Advanced settings".

As an example, Brave browser has a new Shields UI that shows a tracker count, a switch "Shields Up/Down" and a button = "Advanced controls" drop-down. Some users hate the new UI because they want instant access to individual settings so the former UI is available as a flag.

So my suggestion is to think of something along these lines ...

Simple UI =
Code:
VS Mode
Security Posture
Select Language
Notify me when a new version is available

More Controls (switch) =
Code:
The rest of what is now Basic settings

Advanced settings (switch) =
Code:
Same as current
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,089
@danb V. 7.22 still blocking ConfigureDefender after selecting "Install" option. CD reports "Error. PowerShell cannot gather information about Microsoft Defender. Possibly, another security application restricts PowerShell or Defender is disabled".

Defender is not disabled, no other security apps installed and no OS hardening (e.g. of PowerShell) on this machine.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
My suggestion is to have a simple GUI with only essentials and a switch = "Advanced settings".

As an example, Brave browser has a new Shields UI that shows a tracker count, a switch "Shields Up/Down" and a button = "Advanced controls" drop-down. Some users hate the new UI because they want instant access to individual settings so the former UI is available as a flag.

So my suggestion is to think of something along these lines ...

Simple UI =
Code:
VS Mode
Security Posture
Select Language
Notify me when a new version is available

More Controls (switch) =
Code:
The rest of what is now Basic settings

Advanced settings (switch) =
Code:
Same as current
Thank you for the suggestions OS! Yeah, something like this would work really well.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
@danb V. 7.22 still blocking ConfigureDefender after selecting "Install" option. CD reports "Error. PowerShell cannot gather information about Microsoft Defender. Possibly, another security application restricts PowerShell or Defender is disabled".

Defender is not disabled, no other security apps installed and no OS hardening (e.g. of PowerShell) on this machine.
Thank you for letting me know! The next time this happens you might want to check C:\ProgramData\VoodooShield\DeveloperLog.log.

Basically, each time you launch CD, VS will log the event whether it blocks it or not, like this:
Code:
[07-10-2022 07:15:18] [INFO ] - RuleID: 00 | True | c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe | "c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe" | c:\users\dan\desktop\configuredefender.exe | 0

[07-10-2022 07:15:18] [INFO ] - RuleID: 23 | True | c:\windows\system32\windowspowershell\v1.0\powershell.exe | c:\windows\system32\windowspowershell\v1.0\powershell -noninteractive -windowstyle hidden $preferences=get-mppreference;$path='hklm:\software\policies\microsoft\windows\safer_hard_configurator\defender\temp'; new-itemproperty -path $path -name 'preferencestest' -value $preferences.disablerealtimemonitoring -propertytype string -force | out-null; function setregistrykey ([string]$name){$svalue=$preferences.$name;new-itemproperty -path $path -name $name -value $svalue -propertytype dword -force | out-null}; s | c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe | 2

| True | - This means VS allowed the event
| False | - This means VS blocked the event

I just launched CD and it seems to be working for me, but I will try it again several times throughout the day just to make sure. Thank you!
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
BTW, I have fixed several thousand false positives but we still have 1,500 or so that I need to fix, and these are going to take some time because they are kind of tricky ones. I should be able to do at least 100-200 a day, so it might take a week or two to catch up. So if there are any that you want me to fix first, just let me know the process name and I will fix them first.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,089
Thank you for letting me know! The next time this happens you might want to check C:\ProgramData\VoodooShield\DeveloperLog.log.
I just tried it again, CD threw another error. Here's the VS log entry:
Code:
[07-10-2022 09:45:42] [ERROR] - Exception in NewProcessHandler_HandleProcess: Access to the path 'c:\windows\temp\031555380359015213\8600\configuredefender_x64.exe' is denied..    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileInfo.get_Length()
   at VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo)
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
I just tried it again, CD threw another error. Here's the VS log entry:
Code:
[07-10-2022 09:45:42] [ERROR] - Exception in NewProcessHandler_HandleProcess: Access to the path 'c:\windows\temp\031555380359015213\8600\configuredefender_x64.exe' is denied..    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileInfo.get_Length()
   at VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo)
Thank you for letting me know. I am guessing you are running a SUA? If so I will have to figure something out.
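A reader for the DeveloperLog.log format danb describes above (the "RuleID | True/False | exe | cmdline | parent | code" lines) that also keeps the multi-line [ERROR] entry oldschool posted, as an added Python example. This is not VoodooShield's code, and the format is inferred only from the lines quoted in this thread. The sample log is assembled from those quoted lines (with the long PowerShell command shortened) plus one constructed "False" line so that a block is visible too; parse_entries, parse_rule_event, events_for, errors_for and summarize are this example's own names.

```python
"""Reader for VoodooShield's DeveloperLog.log entries, built from the line format shown in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "[07-10-2022 07:15:18] [INFO ] - message"  (the level is padded inside the brackets, hence \s*)
_HEADER = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\] \[(?P<level>[A-Z]+)\s*\] - (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    level: str
    msg: str
    extra: List[str] = field(default_factory=list)  # stack-frame lines that follow an ERROR entry


@dataclass
class RuleEvent:
    ts: str
    rule_id: str
    allowed: bool   # "True" = VS allowed the event, "False" = VS blocked it
    exe: str
    cmdline: str
    parent: str
    code: str


def parse_entries(text: str) -> List[Entry]:
    """Group raw lines into entries; lines without a timestamp header ('   at ...') attach to the previous one."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _HEADER.match(raw)
        if m:
            entries.append(Entry(m["ts"], m["level"], m["msg"]))
        elif entries:
            entries[-1].extra.append(raw.strip())
    return entries


def parse_rule_event(e: Entry) -> Optional[RuleEvent]:
    """Split 'RuleID: nn | True/False | exe | cmdline | parent | code'.
    The cmdline field can itself contain ' | ' (PowerShell's '| out-null' in the thread's example),
    so the separator is not split everywhere: two fields come off the right, three off the left,
    and whatever is left in the middle is the command line."""
    if e.level != "INFO" or not e.msg.startswith("RuleID:"):
        return None
    head, parent, code = e.msg.rsplit(" | ", 2)
    rule, allowed, exe, cmdline = head.split(" | ", 3)
    return RuleEvent(e.ts, rule.split(":", 1)[1].strip(), allowed.strip() == "True",
                     exe, cmdline, parent, code.strip())


def events_for(entries: List[Entry], needle: str) -> List[RuleEvent]:
    """Rule events whose executable or parent path contains needle (case-insensitive)."""
    needle = needle.lower()
    out = []
    for e in entries:
        ev = parse_rule_event(e)
        if ev and (needle in ev.exe.lower() or needle in ev.parent.lower()):
            out.append(ev)
    return out


def errors_for(entries: List[Entry], needle: str) -> List[Entry]:
    """ERROR entries mentioning needle: handler failures, which carry no True/False decision at all."""
    needle = needle.lower()
    return [e for e in entries if e.level == "ERROR" and needle in e.msg.lower()]


# Sample log assembled from the entries quoted in the thread (PowerShell command shortened);
# the 09:45:41 'False' line is constructed to show what a block looks like.
SAMPLE_LOG = r"""
[07-10-2022 07:15:18] [INFO ] - RuleID: 00 | True | c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe | "c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe" | c:\users\dan\desktop\configuredefender.exe | 0
[07-10-2022 07:15:18] [INFO ] - RuleID: 23 | True | c:\windows\system32\windowspowershell\v1.0\powershell.exe | c:\windows\system32\windowspowershell\v1.0\powershell -noninteractive -windowstyle hidden $preferences=get-mppreference; new-itemproperty -path $path -name 'preferencestest' -value $preferences.disablerealtimemonitoring -propertytype string -force | out-null | c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe | 2
[07-10-2022 09:45:41] [INFO ] - RuleID: 23 | False | c:\windows\system32\windowspowershell\v1.0\powershell.exe | c:\windows\system32\windowspowershell\v1.0\powershell -noninteractive -windowstyle hidden $preferences=get-mppreference | c:\windows\temp\031555380359015213\8600\configuredefender_x64.exe | 2
[07-10-2022 09:45:42] [ERROR] - Exception in NewProcessHandler_HandleProcess: Access to the path 'c:\windows\temp\031555380359015213\8600\configuredefender_x64.exe' is denied..    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileInfo.get_Length()
   at VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo)
"""


def summarize(text: str, needle: str = "configuredefender") -> dict:
    """Count allowed, blocked and errored events for one process name."""
    entries = parse_entries(text)
    evs = events_for(entries, needle)
    return {
        "allowed": sum(ev.allowed for ev in evs),
        "blocked": sum(not ev.allowed for ev in evs),
        "errors": len(errors_for(entries, needle)),
    }


if __name__ == "__main__":
    for ev in events_for(parse_entries(SAMPLE_LOG), "configuredefender"):
        print(ev.ts, "ALLOWED" if ev.allowed else "BLOCKED", ev.exe, "<-", ev.parent)
    print(summarize(SAMPLE_LOG))
```

Two details worth noticing when reading this log by hand. The "| out-null" inside the PowerShell command line is why the fields are split from both ends rather than on every " | ": a naive split would push part of the command into the parent column. And the exception entry oldschool posted carries no True/False at all: the handler threw inside FileInfo.get_Length while sizing the file, so it is recorded as an error rather than as an allow or a block, which is a different symptom from the "False" line of an ordinary block.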
 

ForgottenSeer 69673

Auto block. Internet was not connected at the time.
 

Attachments: Screenshot 2022-07-11 021105.png

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
@danb Most of the blocks I see are by WhitelistCloud and because of a file is not signed.

Is there still an advantage to leave WC enabled?
I will keep an eye out for this to see if I can notice what you are talking about, in the meantime, can you please send me a couple of examples?

One thing to keep in mind that I have always wanted to discuss, which everyone knows but is usually not cognizant of. If a file is not signed (and verified), it should never be run on any computer unless you know EXACTLY where that file came from. In other words, when you execute an unsigned file, you are running executable code on your machine that you have no idea who wrote or where it came from. This is why VS does not automatically allow by sigs alone. It reminds me of the early days with my VIC 20 and C64 when I would log into BBS's to download games and other programs. I remember always thinking "I have to be careful what I download because they might play a trick on me." I should have started VS then ;).

We definitely need WLC enabled in the User Prompt because it is extremely adept at catching what VoodooAi might miss. But as far as the WLC realtime scan, you can go either way on this. Basically, the idea of the WLC realtime scan is to let the end user know at any given time that only safe items are executing on their machine. It is also useful in discovering malicious files that originate from an insider or supply chain attack, although these attacks are quite uncommon.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
At the moment VoodooShield is still analyzing antivirus_removal_tool.exe
SHA256 (zip): 7992DEB12CAB920DFA3EEAA82CCDC90532B98C384F31FCDEE7D02668DA33EF3A
Another file is the Farbar Recovery Scan Tool
SHA-256: b76d88d9b1b05ffed63375cca029a597f4f82c2a5a24a8ad60640e438c29729e

Is there a problem with VS at the moment because both files are still being analysed by VoodooAi and WhitelistCloud without a verdict?
Schermopname (20).png
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,648
At the moment VoodooShield is still analyzing antivirus_removal_tool.exe
SHA256 (zip): 7992DEB12CAB920DFA3EEAA82CCDC90532B98C384F31FCDEE7D02668DA33EF3A
Another file is the Farbar Recovery Scan Tool
SHA-256: b76d88d9b1b05ffed63375cca029a597f4f82c2a5a24a8ad60640e438c29729e

Is there a problem with VS at the moment because both files are still being analysed by VoodooAi and WhitelistCloud without a verdict?
View attachment 267954
Yeah, one of our analysis machines crashed so there is an issue we are fixing. We should have a permanent fix soon as well. This started happening when we moved all of the WLC servers to new servers and has happened 2-3 times... I think I know what the issue is and it is a very simple fix.

But yeah, when WLC is stuck on analyzing the file insight doesn't really tell you much. Thank you!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.
