New Update VoodooShield CyberLock 7.0

[danb]

Thanks Dan, don't envy you if you have to do the false positive procedure manually.

Yeah, correcting false positives manually took forever, which I was always behind. I actually just finished adding the User False Positive feature to our WhitelistCloud monitoring software, so correcting false positives will only take 5 or so minutes a day total. The same goes for the other features like Digital Signatures. So probably less than 10 minutes a day for everything, besides manually resetting user's passwords for them .

Having said that, I have a few thousand false positives to go through, and that will take a little while. I will start with the ones with the most reported false positives and work my way down. It could take a week or so before all of them are corrected, but after that it will be super quick.

 

[Digmor Crusher]

Yeah, correcting false positives manually took forever, which I was always behind. I actually just finished adding the User False Positive feature to our WhitelistCloud monitoring software, so correcting false positives will only take 5 or so minutes a day total. The same goes for the other features like Digital Signatures. So probably less than 10 minutes a day for everything, besides manually resetting user's passwords for them .

Having said that, I have a few thousand false positives to go through, and that will take a little while. I will start with the ones with the most reported false positives and work my way down. It could take a week or so before all of them are corrected, but after that it will be super quick.

Excellent, thank you.

 

[danb]

Hi Dan! Your product is great, but I despair at the thought of the amount of headaches involved in maintaining it. Lately I've noticed a few types of malware that on first glance (and a VERY quick glance at that) seem to legitimate certificates. For instance:

View attachment 267917
Although the lack of a counter-signature is sort of a giveaway that something is amiss, I wonder is something like this one, if just released into the Wild, would be flagged immediately due to the improper certificate pathway.

Hey CS! We have several protections in place to mitigate bad sigs. First, VS does not auto allow by digital signature at all... unless the sig is already in the endpoint's tiny, customized whitelist. And of course we exclude certain sigs for this feature for obvious reasons.

The second layer is what I call VoodooVerified. We have a list of roughly 15,000 of the most common sigs we have collected the last 10+ years that have all been verified. So if a file is signed and verified by the issuer, but is not verified by our list, then the user will get a prompt like this...

So even if VoodooAi and WLC determine the file to be safe, and even if the file is signed and verified by the issuer, the user is still warned that "The digital signature cannot be verified by VoodooShield".

We have a couple of other minor protections in place, but I would have to look through the code to remember what they are. But by far VS's most important protection for digital signatures is simply not allowing by sigs alone .

I have not thought of checking the counter-signature before, but that would be a really great idea to do as well, thank you for the suggestion! BTW, if you need a license let me know. Thank you!

 

[oldschool]

I totally agree that the VS settings can be overwhelming, especially for users who are trying VS for the first time. The last couple of years we have eliminated a few options, but it would be great if we could eliminate even more, or somehow organize them better. If anyone has any suggestions on how we might be able to do this, please let me know.

My suggestion is to have a simple GUI with only essentials and a switch = "Advanced settings".

As an example, Brave browser has a new Shields UI that shows a tracker count, a switch "Shields Up/Down" and a button = "Advanced controls" drop-down. Some users hate the new UI because they want instant access to individual settings so the former UI is available as a flag.

So my suggestions is to think of something along these lines ...

Simple UI =

VS Mode
Security Posture
Select Language
Notify me when a new version is available

More Controls (switch) =

The rest of what is now Basic settings

Advanced settings (switch) =

Same as current

 

[oldschool]

@danb V. 7.22 still blocking ConfigureDefender after selecting "Install" option. CD reports "Error. PowerShell cannot gather information about Micorosoft Defender. Possibly, another security application restricts PowerShell or Defender is disabled".

Defender is not disabled, no other security apps installed and no OS hardening e.g. PowerShell on this machine.

 

[danb]

My suggestion is to have a simple GUI with only essentials and a switch = "Advanced settings".

As an example, Brave browser has a new Shields UI that shows a tracker count, a switch "Shields Up/Down" and a button = "Advanced controls" drop-down. Some users hate the new UI because they want instant access to individual settings so the former UI is available as a flag.

So my suggestions is to think of something along these lines ...

Simple UI =

VS Mode
Security Posture
Select Language
Notify me when a new version is available

More Controls (switch) =

The rest of what is now Basic settings

Advanced settings (switch) =

Same as current

Thank you for the suggestions OS! Yeah, something like this would work really well.

 

[danb]

@danb V. 7.22 still blocking ConfigureDefender after selecting "Install" option. CD reports "Error. PowerShell cannot gather information about Micorosoft Defender. Possibly, another security application restricts PowerShell or Defender is disabled".

Defender is not disabled, no other security apps installed and no OS hardening e.g. PowerShell on this machine.

Thank you for letting me know! The next time this happens you might want to check C:\ProgramData\VoodooShield\DeveloperLog.log.

Basically, each time you launch CD, VS will log the event whether it blocks it or not, like this:

[07-10-2022 07:15:18] [INFO ] - RuleID: 00 | True | c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe | "c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe" | c:\users\dan\desktop\configuredefender.exe | 0

[07-10-2022 07:15:18] [INFO ] - RuleID: 23 | True | c:\windows\system32\windowspowershell\v1.0\powershell.exe | c:\windows\system32\windowspowershell\v1.0\powershell -noninteractive -windowstyle hidden $preferences=get-mppreference;$path='hklm:\software\policies\microsoft\windows\safer_hard_configurator\defender\temp'; new-itemproperty -path $path -name 'preferencestest' -value $preferences.disablerealtimemonitoring -propertytype string -force | out-null; function setregistrykey ([string]$name){$svalue=$preferences.$name;new-itemproperty -path $path -name $name -value $svalue -propertytype dword -force | out-null}; s | c:\windows\temp\101749311059017213\6261\configuredefender_x64.exe | 2

| True | - This means VS allowed the event
| False | - This means VS blocked the event

I just launched CD and it seems to be working for me, but I will try it again several times throughout the day just to make sure. Thank you!

 

[danb]

BTW, I have fixed several thousand false positives but we still have 1,500 or so that I need to fix, and these are going to take some time because they are kind of tricky ones. I should be able to do at least 100-200 a day, so it might take a week or two to catch up. So if there are any that you want me to fix first, just let me know the process name and I will fix them first.

 

[oldschool]

Thank you for letting me know! The next time this happens you might want to check C:\ProgramData\VoodooShield\DeveloperLog.log.

I just tried it again, CD threw another error. Here's the VS log entry:

[07-10-2022 09:45:42] [ERROR] - Exception in NewProcessHandler_HandleProcess: Access to the path 'c:\windows\temp\031555380359015213\8600\configuredefender_x64.exe' is denied..    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileInfo.get_Length()
   at VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo)

 

[danb]

I just tried it again, CD threw another error. Here's the VS log entry:

[07-10-2022 09:45:42] [ERROR] - Exception in NewProcessHandler_HandleProcess: Access to the path 'c:\windows\temp\031555380359015213\8600\configuredefender_x64.exe' is denied..    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileInfo.get_Length()
   at VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo)

Thank you for letting me know. I am guessing you are running a SUA? If so I will have to figure something out.

 

[oldschool]

I am guessing you are running a SUA?

Yes.

 

[ForgottenSeer 69673]

Auto block . Internet was not connected at the time

 

[omidomi]

Hm...

 

[danb]

Yes.

Thank you OS, it should be fixed in this version. This should also fix any odd issues that users encountered while running VS on a SUA.

For the users not running on a SUA, it is probably worth upgrading to 7.23 just for the heck of it.

VS 7.23

https://voodooshield.com/Download/InstallVoodooShield723.exe

SHA-256: e27761f264aeecc7d76162691302fd359c04c2864c294d0d38991b723286fc99

 

[danb]

Auto block . Internet was not connected at the time

Thank you Tickle, I will keep an eye on this.

 

[danb]

Hm...
View attachment 267952

Thank you, the latest tor.exe has been whitelisted, and there are several more that I need to go through. If it is still not working on your end, please post the SHA-256 hash and I will whitelist it as well.

 

[Gandalf_The_Grey]

Hm...
View attachment 267952

@danb Most of the blocks I see are by WhitelistCloud and because of a file is not signed.

Is there still an advantage to leave WC enabled?

 

[danb]

@danb Most of the blocks I see are by WhitelistCloud and because of a file is not signed.

Is there still an advantage to leave WC enabled?

I will keep an eye out for this to see if I can notice what you are talking about, in the meantime, can you please send me a couple of examples?

One thing to keep in mind that I have always want to discuss, which everyone knows but are usually not cognizant of. If a file is not signed (and verified), it should never be ran on any computer unless you know EXACTLY where that file came from. In other words, when you execute an unsigned file, you are running executable code on your machine that you have no idea who wrote or where it came from. This is why VS does not automatically allow by sigs alone. It reminds me of the early days with my VIC 20 and C64 when I would log into BBS's to download games and other programs. I remember always thinking "I have to be careful what I download because they might play a trick on me." I should have started VS then .

We definitely need WLC enabled in the User Prompt because it is extremely adept of catching what VoodooAi might miss. But as far as the WLC realtime scan, you can go either way on this. Basically, the idea of the WLC realtime scan is to let the end user know at any given time that only safe items are executing on their machine. It is also useful in discovering malicious files that originate from an insider or supply chain attack, although these attacks are quite uncommon.

 

[Gandalf_The_Grey]

At the moment VoodooShield is still analyzing antivirus_removal_tool.exe

Antivirus Removal Tool - The technician friendly tool to detect and completely remove antivirus software.

Antivirus Removal Tool (freeware) is a portable program to detect and completely remove antivirus software. It will help you to identify current and past installations, and it will provide you with the official specialized uninstallers.

antivirus-removal-tool.com

SHA256 (zip): 7992DEB12CAB920DFA3EEAA82CCDC90532B98C384F31FCDEE7D02668DA33EF3A
Another file is the Farbar Recovery Scan Tool

Download Farbar Recovery Scan Tool

Farbar Recovery Scan Tool, or FRST, is a portable application designed to run on Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10 in normal or safe mode to diagnose malware issues.

www.bleepingcomputer.com

SHA-256: b76d88d9b1b05ffed63375cca029a597f4f82c2a5a24a8ad60640e438c29729e

Is there a problem with VS at the moment because both files are still being analysed by VoodooAi and WhitelistCloud without a verdict?

 

[danb]

At the moment VoodooShield is still analyzing antivirus_removal_tool.exe

Antivirus Removal Tool - The technician friendly tool to detect and completely remove antivirus software.

Antivirus Removal Tool (freeware) is a portable program to detect and completely remove antivirus software. It will help you to identify current and past installations, and it will provide you with the official specialized uninstallers.

antivirus-removal-tool.com

SHA256 (zip): 7992DEB12CAB920DFA3EEAA82CCDC90532B98C384F31FCDEE7D02668DA33EF3A
Another file is the Farbar Recovery Scan Tool

Download Farbar Recovery Scan Tool

Farbar Recovery Scan Tool, or FRST, is a portable application designed to run on Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10 in normal or safe mode to diagnose malware issues.

www.bleepingcomputer.com

SHA-256: b76d88d9b1b05ffed63375cca029a597f4f82c2a5a24a8ad60640e438c29729e

Is there a problem with VS at the moment because both files are still being analysed by VoodooAi and WhitelistCloud without a verdict?
View attachment 267954

Yeah, one of our analysis machines crashed so there is an issue we are fixing. We should have a permanent fix soon as well. This started happening when we moved all of the WLC servers to new servers and has happend 2-3 times... I think I know what the issue is and it is a very simple fix.

But yeah, when WLC is stuck on analyzing the file insight doesn't really tell you much. Thank you!