VoodooShield discussion

Status
Not open for further replies.
Hello,
Has Local Sandbox been fully implemented? I've had a few Prompts where I've selected Sandbox....just to see what happens (yes: I've read User Guide March 2016). And there was nothing to see...?
Has Remote Sandbox been fully implemented? I've had a few Prompts where I've selected Cuckoo...just to see what happens (yes: watch Cuckoo sandbox analysis is checked). And there was nothing to see...?
Thanks v3.59
Yes, both of the sandboxes are fully implemented... the local sandbox will fail for files that require admin privileges... which is quite typical. The local sandbox is not our best feature ;).
 
v3.59 does indeed "install for all users" as standard, there is no specific install setting that I remember, but it does not allow per-user settings which is a shame. On a Guest account I would not want the user to even see VS, while some other users should never be allowed to fiddle with settings. I do understand setting this level of user-friendliness is not as easy as it may seem, but if VS is to become mainstream it must be done.
VS 4.0 does offer per user settings, and it works quite well. I tested the guest account, and it is going to take some work to make that happen. Basically, on the guest account, the privileges are extremely limited, so any code that does not run correctly using the guest account must be moved to the VoodooShieldService. So far, I only found one subroutine that needs to be moved... and hopefully there will not be anymore. Once VS is ready for public release, I can take a look at the guest account issues again.
 
Getting a sudden cascade of alerts for software I thought I'd whitelisted already. Could the server reconfiguration be the explanation? Whew, what an undertaking. Somebody is way overdue for a relaxing vacation on a secluded beach with numerous cold drinks in the cooler, right? :barefoot::coffee::cool:

I looked in the logs and there were a few other people that experienced this as well... I just need to figure out how to reproduce this bug and it will be an easy fix.
 
Does it support fast-user switching now? I love Voodooshield but it was only working for one account. If I would switch users it wouldn't protect the other account unfortunately :/
Yes, VS 4.0 should work well with fast user switching and multiple accounts. I spent hours testing this feature, and it should work great, but if you have any problems, please let me know!
 
I tried the beta on my freshly installed Windows but a few bugs mentioned here took place, especially the consuming up to 30%. Now using latest stable version and working great.

@danb do you use VS on your main system?
Hehehe, of course I use VS on my main system... I use it on every system ;).
 
Quick question, does anyone know how to fix this?
Every time I open Firefox, it keeps wanting to block reg.exe
Hmmm, this is a plugin of some kind. Is there a chance that you can disable some of your plugins to narrow down which one it is, so I can reproduce the error? VS should handle this correctly... I wonder why it is doing this. But if you can tell me which plugin it is, it will be an easy fix, thank you!
 
I haven't had that one yet, just the un-registering (repeatedly) but I haven't installed this latest yet. I will in the morning, gives me something to do with the morning coffee.


Dan can correct me if I am wrong but I believe it does not "unless" something tries to execute, and it is watching the external drive once it indicates "USB" in the Shield.
Yep, that is how it works, thank you guys!
 
Probably registry entries.

If one uninstalls with Revo Uninstaller, it will run VS' own uninstall, then scan for registry entries and allow them to be removed, (similarly any related folders not already removed by the uninstaller).
Cool, thank you... btw, VS 4.0 should not create any reg entries on its own (unless I am forgetting something). All of the VS reg entries are automatically created by Windows, so there should not be that many.
 
@danb
What's the difference between sig valid and verified? I asked this question before; you didn't answer.
Verified means you said it's an acceptable sig? But where can I set this verified signature?
This could get into a very, very long discussion, and I am not a cryptology expert, but this is how I understand it...

Valid means that the file was signed within the valid period of the digital signature. If a signature is valid from Jan 2016 to December 2017, was the file signed within that time period?

Verified means that various attributes of the digital signature are verified to make sure they are legit... it is a more involved process than simply checking the validity.

Either way, both are vital ;).
 
When uninstalling VS v. 4.0.x there is a message at the end of the uninstallation process that some elements could not be removed and to remove them manually. What are these elements and where can one find them in order to remove them?
Yeah, I think that is a bug in Inno Setup or our installer script. I have tried in the past to figure out what was not being uninstalled, and could not find anything. I have also researched this issue to see if anyone else has this problem, but so far no luck. Some day I will revisit this and see what I can figure out.

What I can tell you is that VS should uninstall very cleanly, and if anyone finds something that it leaves behind, please let me know!
 
Same here. All related to DNS flushing for the most part. I have 4 command lines whitelisted, but the popups continue.

"cmd.exe" /c net stop dnscache
"cmd.exe" /c net start dnscache
"cmd.exe" /c ipconfig /flushdns
"cmd.exe" /c ipconfig /registerdns

I'm going to try training mode and see if that helps.
Thank you guys for reporting these blocks... please keep in mind that VS is deny by default ;). Having said that, obviously, we need to limit the blocks as much as possible when it is safe to do so, but there will be blocks from time to time.
 
Hmmm, this is a plugin of some kind. Is there a chance that you can disable some of your plugins to narrow down which one it is, so I can reproduce the error? VS should handle this correctly... I wonder why it is doing this. But if you can tell me which plugin it is, it will be an easy fix, thank you!

Hey Dan,
Yes, I've sent you an email on the 29th of September. We figured out it was the Kaspersky plugin and you wanted to know what version of Kaspersky I'm using. All details you requested are in the email mate ;)
 
A general question/s:
Besides flipping VS to "on" mode, do web apps have any special mitigations/restrictions that apply to them?
And why aren't office apps, like MS Word, considered web apps, seeing as PDF readers are so considered?
Hi Dan, I wanted to bump this question.
 
Yeah, I think that is a bug in Inno Setup or our installer script.

It's OK Dan :) I see this frequently on other software uninstalls. For me, it's only an irritation, not an annoyance any longer. FWIW, very few uninstallers get everything. There's always stray Registry keys, this is very common. Occasionally the app folder is left because it's got a file which wasn't in the manifest for whatever reason. But all I need is 10 minutes alone with the Registry... :devil: and we're good. :alien::geek:
 
It should be working... but what we really need to do is this...

Karl was not available to meet me at the data center last week to install the new server, but hopefully he will be able to this week.

There are only a handful of bugs remaining in VS 4.0, and we should be able to finalize these by the end of the week. The only bugs that should be difficult are the regional bugs. So if you and a couple of other users who are running a non-English version of Windows can run a special version of VS 4.06 in the next day or so, we should be able to fix the regional issues permanently. If so, please email me at support at voodooshield.com, and I will send you a link tomorrow or Tuesday at the latest.

So then hopefully by the time the new server is installed, these issues will be fixed. Then I will fix the other issues and we should be good to go. Thank you guys!
Hi Dan, I've sent you an email.
 
Hmmm, this is odd. Have you tried to exit out of VS and delete all of the .db files in C:\ProgramData\VoodooShield, to reset VS?

OK... I did this many times just now. The problem seems to involve "Advanced Snapshot"

1. Exit VS
2. Delete all db files
3. Open VS, take advanced snapshot.
4. Double click *.rar file. Notification appears. "Allow"
5. Close WinRAR.
6. Double click *.rar file. Notification appears. "Allow"
7. Close WinRAR.
8. Check Settings/Whitelist. Find winrar.exe (allowed by snapshot). Delete from whitelist.
9. Double click *.rar file. Notification appears. "Allow"
10. Close WinRAR.
11. Double click *.rar file. No Notification appears.

ADVANCED Snapshot whitelist seems to be broken for WinRAR
(and others.. for example, I have the same problem with 7zfm.exe)

If I delete all db and then allow only regular snapshot all seems to work fine.
 