VoodooShield discussion

Status
Not open for further replies.

danb

From VoodooShield
Developer
v4.06...
Clipdiary loads with Windows. It is whitelisted by Snapshot. But each time I boot up I have to allow it. This was a clean install.

FWIW, I had to disable Kaspersky Total Security (similar to Kaspersky Internet Security) to get the install to complete without a gazillion warnings.
Hmmm, this is odd, I will have to see if I can reproduce this bug. I see they have an installable and a portable version. Can you please post a link to the version that you use? You can always write a rule for this folder as well.
 

danb

From VoodooShield
Developer
It seems as though apps white-listed by snapshot don't behave if they are auto-started with Windows. I have Clipdiary (mentioned above), btvstack, a Samsung SSD program (and another I just forgot) that have to be allowed with each bootup. I deleted their snapshot whitelist entries, manually launched the apps and allowed each, and now when I reboot, all is quiet.

I had a similar issue with Q-Dir. I mapped Q-Dir to launch from a hardware button on my pc. The first time I used the hardware button I had to allow Q-Dir. Yet I noticed that although the hardware button launched without further notifications, when I launched Q-Dir manually from its shortcut I always got a VS notification. So I deleted its whitelist entry and instead of launching initially from the hardware button, I used the file shortcut. Then allowed. Now Q-Dir launches without notification from either its shortcut or the hardware button.

So my "lesson learned" seems to be this... whenever there is a problem with repeated notifications, delete the whitelist entry, then launch manually and allow the app. That has solved 5 out of 5 repeat notification problems I have with v4.06 so far.

EDIT1: Add WinRAR, 7Zip, and NitroPro to the bunch. If the app opens without notification, launching it by an associated file (rar, zip, pdf) begins the notification issues... all these were snapshot whitelisted. Delete the snapshot entry and recreate it manually by launching the app from its shortcut link.
This is just a guess... but this issue might be caused by the addition of the parent process check that I added a few versions back. I really do not think that we need that check anyway, so I will remove that check for 4.07 and we will see how it goes. Thank you!
 

danb

From VoodooShield
Developer
Quoting my post from v4.05. No change for v 4.06 for AirVPN client. 4 notifications to start, 4 notifications to quit. These appear under "Command Lines" but don't seem to be considered.

The odd thing was that I made a VPN connection right after installing VS and got no notifications. Now several reboots later, the notifications persist.
I will just have to test this and see... it should be an easy fix. Is there any way you can post a link to this installer as well?
 

danb

From VoodooShield
Developer
Create a custom Allow rule for My Computer when On, Off, or Autopilot, untick the box for digital signature & blacklist, leave the Ai settings as is. This solved all Command line issues for my VPN & other software. Works now like 3.59.
credit to Raka Daku who started a thread on custom rules
Cool, thank you for letting me know! I downloaded windows10manager.exe the other day, but I could not figure out how to get the showhideknownfileextension.vbs script into the Windows directory... actually, I had no idea where to find the script. If you have a chance, can you please give me step by step instructions how to reproduce this bug and I will fix it for the next version? Thank you!
 

danb

From VoodooShield
Developer
OK... I'm getting an idea here... Just had another notification. This time I downloaded a "7z" file using Chrome. When the download completed I launched it from Chrome...BOOM... Notification. Closed that out and launched the same file from Explorer... NO NOTIFICATION. Back to Chrome again... BOOM... Notification.

@danb Apparently, VS doesn't like me launching programs from other programs (Chrome, Thunderbird, Everything, XYplorer... all confirmed. Others?).

That seems to be the common source of my notification problems for programs already whitelisted.
Yes, VS will block all new, non-whitelisted executables from web apps by default. If we did not do this, there would certainly be bypasses ;).
 

gorblimey

might be caused by the addition of the parent process check that I added a few versions back. I really do not think that we need that check anyway,

Hi Dan - I'm not sure removing a Parent Process check is a good idea. (Unless I'm misunderstanding your intentions o_O)

VS had a lot to say about Zemana Antimalware auto-update as detailed in ZAM Free : fundamentally, the update files had no visible parent plus "random" filenames and being launched from Appdata\Local\Temp. Essentially behaving like malware. So IMHO VS did exactly what I expected it to do: stopped malware in its tracks. (And if ZAM does it again, it leaves my establishment.)

Please, keep checking for parents, it will save their children!
 

codswollip

Yes, VS will block all new, non-whitelisted executables from web apps by default. If we did not do this, there would certainly be bypasses ;).
@danb For executables, fine, but I'm not talking "non-whitelisted executables".

Launching associated files like pdf, zip, 7z, etc from Chrome, Everything, Thunderbird, and so on is unbearable. For each and every pdf attachment to an email launched from Thunderbird, why must I get a notification? This never happened in 3.59. If these notifications are necessary, why can I launch these exact same files from Desktop or Explorer without notification? Something isn't right.
 

codswollip

I will just have to test this and see... it should be an easy fix. Is there any way you can post a link to this installer as well?
AirVPN Eddie client
FWIW, I'm using a slightly earlier version (2.11, this is 2.13) in a 64bit, Win 8.1 environment. I don't know if this executable will help much since a login is required (3 days costs 1 Euro)
 

danb

From VoodooShield
Developer
Hi Dan - I'm not sure removing a Parent Process check is a good idea. (Unless I'm misunderstanding your intentions o_O)

VS had a lot to say about Zemana Antimalware auto-update as detailed in ZAM Free : fundamentally, the update files had no visible parent plus "random" filenames and being launched from Appdata\Local\Temp. Essentially behaving like malware. So IMHO VS did exactly what I expected it to do: stopped malware in its tracks. (And if ZAM does it again, it leaves my establishment.)

Please, keep checking for parents, it will save their children!
Yeah, I totally agree... and if we do not have to remove the parent process check, we certainly will not.

Anyone can feel free to correct me if I am wrong, but I do not believe that any deny-by-default / application whitelisting product on the market performs a check on the parent process. VS 3.59 did not perform the parent process check either... it was something that I added a couple of versions back in VS 4.0.

I added several features like this to VS 4.0, to strengthen our locking mechanism even more, which is why VS 4.0 currently has more blocks than 3.59. The thing is, we just need to figure out if adding each of these features actually produces a higher level of protection, or if they simply produce unnecessary blocks / prompts.

Either way, it is super easy to remove or add these checks, and as I go through the logs that list the blocks, it should become clear which ones we should keep and which ones we should remove.

And please remember, I always err on the side of caution ;).
 

danb

From VoodooShield
Developer
Rules feature disabled, VS will work like it used to, right?
I think if the Rules feature is disabled then "create rule" should not be there on the alerts.

And I think "Register" section should not show product key or email/pass.
Correct... yeah, I agree, I will change that right now, thank you.

The Register section hides the password, but it currently shows the email address / product key. I believe some security software shows the product key and some do not, and I think we can go either way on this.
 

danb

From VoodooShield
Developer
@danb For executables, fine, but I'm not talking "non-whitelisted executables".

Launching associated files like pdf, zip, 7z, etc from Chrome, Everything, Thunderbird, and so on is unbearable. For each and every pdf attachment to an email launched from Thunderbird, why must I get a notification? This never happened in 3.59. If these notifications are necessary, why can I launch these exact same files from Desktop or Explorer without notification? Something isn't right.
Cool... as a test, I just opened outlook and opened a word email attachment, and VS did not block it. I think this probably has to do with your program files folders being on the D drive.

I think it will be better for me to reproduce your environment so I can reproduce these errors.

What OS are you running?
Do you use a registry tweak or other program to change the location of your program files?
 

codswollip

Cool... as a test, I just opened outlook and opened a word email attachment, and VS did not block it. I think this probably has to do with your program files folders being on the D drive.

I think it will be better for me to reproduce your environment so I can reproduce these errors.

What OS are you running?
Do you use a registry tweak or other program to change the location of your program files?

a) Win 8.1-64bit
b) No tweaks. Many installers allow you to prescribe the installation path. I just replace "C" with "D" for the most part. For programs that don't allow users to define the installation path (e.g. VS) I just live with that.

If it matters most of my Windows profile folders (Documents, Downloads, Videos, Pictures, etc.) reside on "E drive". Again that is done simply by changing the "Location" setting under folder properties.

I can't be the only one putting my program installations outside the OS partition. Doing so simplifies imaging backups.

Great, thank you, I will debug these 3 errors later on today. Do you have a link to Clipdiary?
Take full control over your clipboard history
 

gorblimey

VS 3.59 did not perform the parent process check either...

Ahhh, OK. For some reason I thought it did. OTOH, with all the versions being released and discussed, it is quite easy to confuse me :confused:

HOWEVER, just because other apps don't is no reason for you not to... Certainly if I had seen that ZAM was the responsible app for those update files I might have allowed them. But unaccompanied minors... No way.

some security software shows the product key and some do not,

What's the probability that malware could read the email or password from the VS exe folder? I'm prepared to believe that some script-kiddie has something that can read text off the screen images, but so long as we don't expose the Register Screen for more than a few seconds... :)
 

danb

From VoodooShield
Developer
a) Win 8.1-64bit
b) No tweaks. Many installers allow you to prescribe the installation path. I just replace "C" with "D" for the most part. For programs that don't allow users to define the installation path (e.g. VS) I just live with that.

If it matters most of my Windows profile folders (Documents, Downloads, Videos, Pictures, etc.) reside on "E drive". Again that is done simply by changing the "Location" setting under folder properties.

I can't be the only one putting my program installations outside the OS partition. Doing so simplifies imaging backups.
Take full control over your clipboard history
I see what you mean now... yeah, anything outside the built-in Program Files folders is going to be scrutinized much harder than the built-in / environment variable ones. But for example, if there was a reg edit that allowed you to change the built-in path, VS would automatically assume that these folders on the D drive are your program file folders.

BTW, I figured out why the AirVPN command lines are being blocked... it is an easy fix. It will be included in the next release. AirVPN is pretty cool btw, I have never tried it before.
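As an added illustration (not VoodooShield's code, which this thread does not show), here is a small Python model of the three checks the thread is debating: deny-by-default whitelisting, danb's parent-process check on launches from web apps, and the harder scrutiny of executables outside the built-in Program Files folders. The web-app list, trusted roots and sample paths are assumptions constructed for the example.

```python
"""Toy model of the allow/block decision discussed in the thread.

Constructed for this example; it is NOT VoodooShield's code and only mirrors
the behaviour the posts describe: deny-by-default whitelisting, a
parent-process check on launches from web apps, and harder scrutiny of
executables outside the built-in Program Files folders.
"""
from dataclasses import dataclass
from typing import Tuple
import ntpath

# Assumed lists for the example (the real product's lists are not on the page).
WEB_APPS = {"chrome.exe", "firefox.exe", "thunderbird.exe", "outlook.exe"}
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


@dataclass(frozen=True)
class Launch:
    path: str          # full path of the executable being started
    parent: str        # image name (or path) of the process that started it
    whitelisted: bool  # present in the snapshot or manual whitelist


def _norm(p: str) -> str:
    # Lower-case and use backslashes so comparisons work on any host OS.
    return ntpath.normcase(p)


def decide(launch: Launch, parent_check: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'prompt' or 'block'."""
    path = _norm(launch.path)
    parent = ntpath.basename(_norm(launch.parent))
    if not launch.whitelisted:
        # Deny-by-default: an unknown binary (e.g. a random-named updater in
        # AppData\Local\Temp with no visible parent) is blocked outright.
        return "block", "not whitelisted"
    if parent_check and parent in WEB_APPS and not path.startswith(TRUSTED_ROOTS):
        # The case codswollip hit: whitelisted 7-Zip installed on D: is fine
        # from Explorer but prompts when Chrome or Thunderbird launches it.
        return "prompt", "whitelisted, but launched by a web app from an untrusted path"
    return "allow", "whitelisted"


if __name__ == "__main__":
    seven_zip = r"D:\Program Files\7-Zip\7z.exe"  # constructed sample path
    for parent in ("chrome.exe", "explorer.exe"):
        print(parent, decide(Launch(seven_zip, parent, True)))
    # Same launch with the parent check removed, as danb considered for 4.07.
    print("no parent check", decide(Launch(seven_zip, "chrome.exe", True), parent_check=False))
```

Running it shows why the same whitelisted file prompts from Chrome but not from Explorer, and why danb's Outlook-to-Word test (both under C:\Program Files) passed silently.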
 

danb

From VoodooShield
Developer
Ahhh, OK. For some reason I thought it did. OTOH, with all the versions being released and discussed, it is quite easy to confuse me :confused:

HOWEVER, just because other apps don't is no reason for you not to... Certainly if I had seen that ZAM was the responsible app for those update files I might have allowed them. But unaccompanied minors... No way.
What's the probability that malware could read the email or password from the VS exe folder? I'm prepared to believe that some script-kiddie has something that can read text off the screen images, but so long as we don't expose the Register Screen for more than a few seconds... :)
Yeah, exactly... we only want to add additional checks (like the parent process check) if it actually makes the system more secure. If we are just blocking something for no reason, then that is not good ;).

The .db / .dat files are all encrypted, so they are quite secure. Also, VS should block any kind of malware that would let the attacker read anything off of the screen.
 

codswollip

Hi Dan... a picture is worth a thousand words so here is a video.
Ge.tt | Gett sharing (expires in 30 days)

I downloaded a zip file via Chrome. When I launch it via Chrome I get a notification for 7zip. Allowing the notification has no effect. But when I open an explorer window (via Chrome) holding the file, I can launch/load 7zip without notification.
 

danb

From VoodooShield
Developer
I forgot to mention that our new temporary site that VS 4.06b communicates with is now voodooshield.co (not com… it's co). It used to be voodooai.net. In a couple of weeks, I will move everything over to voodooshield.com and then we will be finished.

With VS 4.0, we added a web management console and completely rebuilt the website from the ground up, with security in mind. And while it took a little time to get everything into place, voodooshield.co is now secure with SSL / HTTPS, and all of the modern security protocols.

Here are the Mozilla Observatory results:

Observatory by Mozilla
Here are the nmap vulnerability scan results: (Thank you MM!)

https://www.voodooshield.co/Download/ScanResults1.PNG

https://www.voodooshield.co/Download/ScanResults2.PNG
 

danb

From VoodooShield
Developer
Hi Dan... a picture is worth a thousand words so here is a video.
Ge.tt | Gett sharing (expires in 30 days)

I downloaded a zip file via Chrome. When I launch it via Chrome I get a notification for 7zip. Allowing the notification has no effect. But when I open an explorer window (via Chrome) holding the file, I can launch/load 7zip without notification.
Cool, thank you, I will download the video and watch it after dinner, thank you!
 