VoodooShield discussion

Status
Not open for further replies.

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,308
@danb

Dan good to see VS is close to fnal release. V4 has a lot of improvements over V3.

I did have a look at shadowserver, they tell on their website that "Each vendor can run anywhere from ten times to over a hundred depending on the quantity of binaries and the capability of the scanner." So it does not seem to execute the samples, but only scan the samples. Also with all vendors sharing samples, running the scanner at different intervals, increases the chance that another AV product has put the sample on VT, so the tested scanner might block it. This probably disturbes the results of the scan also.

But I agree with your message: it is better to whitelist than to blacklist.

Regards Kees
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
878
I know its lil off topic but I am glad your here even over at Wilders you made me laugh, a great addition to the MT community imho.
**And no, he did not pay me to say that,.
PS I will shoot you my PayPal info later, :p
Yeah, people in general need to relax and quite being so uptight and uppity ;).

And work a little harder instead of complaining that things did not work out as they expected ;).
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
878
@danb

Dan good to see VS is close to fnal release. V4 has a lot of improvements over V3.

I did have a look at shadowserver, they tell on their website that "Each vendor can run anywhere from ten times to over a hundred depending on the quantity of binaries and the capability of the scanner." So it does not seem to execute the samples, but only scan the samples. Also with all vendors sharing samples, running the scanner at different intervals, increases the chance that another AV product has put the sample on VT, so the tested scanner might block it. This probably disturbes the results of the scan also.

But I agree with your message: it is better to whitelist than to blacklist.

Regards Kees
Hey Kees ;),

How are you? I certainly agree... and the actual number falls somewhere in the middle ;).

But please keep in mind, as in our "recent project", not executing the samples is the exact same as the sandbox not having the dependencies / other files to run the malware.

The file is still malware.

It has malicious code. It is malware.
 

Gandalf_The_Grey

Level 46
Verified
Trusted
Content Creator
Apr 24, 2016
3,533
Hey everyone… here is 4.09. The two main issues fixed in this version are:

1. The 32 bit bug should be fixed
2. I think most of the unnecessary blocks that people were experiencing were command line blocks… this should be fixed as well.

https://www.voodooshield.co/Download/InstallVoodooShield409beta.exe

Thank you everyone, have a great weekend, talk to you soon!

BTW... the multi-user settings feature has been implemented since 4.00... it is under Settings / Utility... then it is the big ass button at the bottom ;).
Thanks Dan, 4.09 Beta is running fine here, no issues to report.
Have a great weekend(y)
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,042
Hey everyone… here is 4.09. The two main issues fixed in this version are:

1. The 32 bit bug should be fixed
2. I think most of the unnecessary blocks that people were experiencing were command line blocks… this should be fixed as well.

https://www.voodooshield.co/Download/InstallVoodooShield409beta.exe

Thank you everyone, have a great weekend, talk to you soon!

BTW... the multi-user settings feature has been implemented since 4.00... it is under Settings / Utility... then it is the big ass button at the bottom ;).
Running well on fall creators update.
I really like the multiple users settings, which I didn't even know about until you mentioned it.
If I untick allow program folders or windows processes, it slows down launching of processes.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,042
I see a lot of new windows processes in the Fall Creator's Update, like when UAC is supposed to open I get system32\consent.exe, and many others for different areas, are these added / going to be added to the allowed "specific critical Windows processes" (not automatically with some rule like if they come from system32 or syswow64 but actually reviewed if they're really needed)? Cuz we saw what happened with lsass.exe, I don't want things automatically allowed if I don't actually use them, but I also want things that I do actually use automatically allowed
Hi, I am just trying to understand the behavior you want to see.
When VS is toggled "On", by default it monitors the majority of the areas in the Windows folder, but not system32 or syswow64. When it is toggled "Off", it does not monitor the Windows folder, only user space.
I only saw prompts for system32\consent.exe and things like that when I unticked "specific critical Windows processes".
Are you saying that you want to untick "specific critical Windows processes", but still have automatic whitelisting for common Windows processes? I personally think that would defeat the purpose of unticking it. A person would only untick that setting if he was a tester or a paranoid, and he loves prompts, the more the merrier.
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
Aug 2, 2015
4,298
I only saw prompts for system32\consent.exe and things like that when I unticked "specific critical Windows processes".
Exactly, and this is how Dan designed it, he may want to leave that ticked, and untick the auto allow from Program files option, if i am understanding what he is getting at.
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
Aug 2, 2015
4,298
Only issue I am having is the process use seems excessive, no app or MS process uses what VS is displaying as far as system impact.
Even DA is using between 6 & 23MB, see SS. (I have never seen DA above 23MB)
This is a relatively new OS installation and a clean VS install so some of the more common causes can be dismissed, anyone else seeing similar numbers ?
TM_SS.png

This is not effecting my system in a negative manner, I have tons of memory, but for those that don't, VS will cause issues with that high consumption ?
@danb
I never allow Process Lasso to monkey with or restrain VS but I think for now I am going to make an exception and set its max usage to something like 60MB then start throttling back ?
What number do you suggest Dan ?
 

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
Aug 2, 2015
4,298
@_CyberGhosT_ high reading yes.
This are mine.

View attachment 170584
Look rofl:
TM_SS2.png

From creating this in Process Lasso, seems VS is happy having a baby sitter :p
PL_SS.png
This is this easy to do with Process Lasso and VS seems to not mind.
PS: I do not recommend doing this for the "service" I am only messing with the .exe or "app"
NOT the service ;)
 
Last edited:
Status
Not open for further replies.
Top