VoodooShield discussion

[danb]

About automatically deleting non-existent items: The majority of the time, it is a great idea. But if you are like me, then you have some software that spawns a couple processes in a temp folder in appdata, while it is doing its job, and then it deletes them immediately afterwards. So VS alerts me about it next time, even though I already whitelisted it.
What can we do about this?

Hmmm, great point, thank you. Well, we can make it a button instead of auto running this feature. I can think of several complicated ways to fix it, and still keep it automatic, but let me think about this.

 

[danb]

@danb ... bug or quirk... I set User Log to display "full screen" (I think that's the term). Then I cleared the User Log. BUT... after clearing the log I can't "X" out from VS. The blank User Log screen won't go away. I have to stop service and then kill VS via task manager.

Same issue with Command Lines at full screen

Did this 3x, so it seems repeatable. Can anyone duplicate?

I did not try this with white list, but I expect same behavior as User Log & Command Lines.

Oops, that is a bug, thank you for finding that, it is an easy fix, I will add it to my to do list.

Also, for that feature, Maximize only means maximize to the size of the gui... not to the size of the desktop.

 

[vtqhtr413]

DanB, Man don't you wish we all had the superhuman power to erase anything we said at any given time, if we did, if I did I would have deleted several posts that I've made here recently, like you said their gonna be here a long time but back to reality, big fan of yours and your Voodoo Shield. Give it all you got man.

 

[vtqhtr413]

CyberGhosT, Good on you, I remember your post. You usually make the most sense in the heat of a moment.

 

[danb]

DanB, Man don't you wish we all had the superhuman power to erase anything we said at any given time, if we did, if I did I would have deleted several posts that I've made here recently but back to reality, big fan of yours and your Voodoo Shield. Give it all you got man.

Thank you, I appreciate that! Yeah, the only perfect soul I know is my dog Molly. Well, that is not exactly true, she pulls too hard when we go for walks.

Neither of my 2 mistakes made any difference in the outcome... they were silly mistakes. And it is great that Opcode admitted that he made a mistake too. I think part of the problem is that it is difficult for people to understand each other with only text. Anyway, thank you guys!

 

[shmu26]

I think part of the problem is that it is difficult for people to understand each other with only text.

Yeah, emoticons should include hand gestures and shoulder shrugging and all that body movement stuff. Except we won't know how to use it, because we don't even realize ourselves what our body language is.

 

[Mr.Gump]

c:\windows\system32\rundll32.exe startupscan.dll,susruntask

any idea what it is and if it should be blocked? It's being auto-blocked

 

[shmu26]

c:\windows\system32\rundll32.exe startupscan.dll,susruntask

any idea what it is and if it should be blocked? It's being auto-blocked

Dan answered that question over here:
VoodooShield discussion
In short, it is safe, and will be automatically allowed in future versions of VS.

 

[Mr.Gump]

Dan answered that question over here:
VoodooShield discussion
In short, it is safe, and will be automatically allowed in future versions of VS.

thanks

 

[l0rdraiden]

Where I can download the latest beta?

 

[codswollip]

Where I can download the latest beta?

VoodooShield discussion

 

[dg17]

Hi Dan

Don't know if this has been requested before but in case it hasn't here goes

When there is a pop up there is very little information there to see whether it is not benign. So is it possible to provide a link in the pop up to display the file's properties. I may have missed it if it is implanted but could not see anything.

Regards

David

 

[Gandalf_The_Grey]

Hi Dan another pair of dimhost blocks I can't whitelist:

2-11-2017 20:41 User Blocked dismhost.exe c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe B8037C46D0DB7A8CEE502407469B0EE3234D3365 c0fc152db24708d0be657d65232d6bd61a22bed4404ffe4337c82fd18bfc59dd c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe {abbd296a-9f71-4f08-9a4e-24d825cf4f1e} 143072 cleanmgr.exe c:\windows\system32\cleanmgr.exe xxxx

2-11-2017 20:41 User Blocked dismhost.exe c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe B8037C46D0DB7A8CEE502407469B0EE3234D3365 c0fc152db24708d0be657d65232d6bd61a22bed4404ffe4337c82fd18bfc59dd c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe {abbd296a-9f71-4f08-9a4e-24d825cf4f1e} 143072 cleanmgr.exe c:\windows\system32\cleanmgr.exe xxxx

2-11-2017 20:41 User Blocked dismhost.exe c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe B8037C46D0DB7A8CEE502407469B0EE3234D3365 c0fc152db24708d0be657d65232d6bd61a22bed4404ffe4337c82fd18bfc59dd c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe {abbd296a-9f71-4f08-9a4e-24d825cf4f1e} 143072 cleanmgr.exe c:\windows\system32\cleanmgr.exe xxxx

2-11-2017 20:41 User Blocked dismhost.exe c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe B8037C46D0DB7A8CEE502407469B0EE3234D3365 c0fc152db24708d0be657d65232d6bd61a22bed4404ffe4337c82fd18bfc59dd c:\users\xxxx\appdata\local\temp\3b9f7330-2a35-4567-9bc5-5a75dd95e707\dismhost.exe {abbd296a-9f71-4f08-9a4e-24d825cf4f1e} 143072 cleanmgr.exe c:\windows\system32\cleanmgr.exe xxxx

Error:

Zie het einde van dit bericht voor meer informatie over het aanroepen
van JIT-foutopsporing (Just In Time) in plaats van dit dialoogvenster.

************** Tekst van uitzondering **************
System.InvalidCastException: De conversie van tekenreeks naar type Integer is ongeldig. ---> System.FormatException: De indeling van de invoertekenreeks is onjuist.
bij Microsoft.VisualBasic.CompilerServices.Conversions.ParseDouble(String Value, NumberFormatInfo NumberFormat)
bij Microsoft.VisualBasic.CompilerServices.Conversions.ToInteger(String Value)
--- Einde van intern uitzonderingsstackpad ---
bij Microsoft.VisualBasic.CompilerServices.Conversions.ToInteger(String Value)
bij VoodooShield.Settings.﷐﷨(Object ﷐, EventArgs ﷑)
bij System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
bij System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
bij System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
bij System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
bij System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
bij System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
bij System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
bij System.Windows.Forms.Control.WndProc(Message& m)
bij System.Windows.Forms.ToolStrip.WndProc(Message& m)
bij System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
bij System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Geladen assembly's **************
mscorlib
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
VoodooShield
Assembly-versie: 3.10.108.0
Win32-versie: 3.10.108
CodeBase: file:///C:/Program%20Files/VoodooShield/VoodooShield.exe
----------------------------------------
Microsoft.VisualBasic
Assembly-versie: 10.0.0.0
Win32-versie: 14.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualBasic/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
----------------------------------------
System
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Core
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System.Windows.Forms
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
System.Runtime.Remoting
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Runtime.Remoting/v4.0_4.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------
System.ServiceModel
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.ServiceModel/v4.0_4.0.0.0__b77a5c561934e089/System.ServiceModel.dll
----------------------------------------
System.ServiceModel.Internals
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.ServiceModel.Internals/v4.0_4.0.0.0__31bf3856ad364e35/System.ServiceModel.Internals.dll
----------------------------------------
SMDiagnostics
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/SMDiagnostics/v4.0_4.0.0.0__b77a5c561934e089/SMDiagnostics.dll
----------------------------------------
System.ServiceModel.Web
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.ServiceModel.Web/v4.0_4.0.0.0__31bf3856ad364e35/System.ServiceModel.Web.dll
----------------------------------------
System.Runtime.Serialization
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Runtime.Serialization/v4.0_4.0.0.0__b77a5c561934e089/System.Runtime.Serialization.dll
----------------------------------------
System.IdentityModel
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.IdentityModel/v4.0_4.0.0.0__b77a5c561934e089/System.IdentityModel.dll
----------------------------------------
198e92b87b954c4a94fd434575a85dc0
Assembly-versie: 3.10.108.0
Win32-versie: 3.10.108
CodeBase: file:///C:/Program%20Files/VoodooShield/VoodooShield.exe
----------------------------------------
System.ServiceProcess
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.ServiceProcess/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.ServiceProcess.dll
----------------------------------------
VoodooShield.API
Assembly-versie: 1.0.0.0
Win32-versie: 1.0.0.0
CodeBase: file:///C:/Program%20Files/VoodooShield/VoodooShield.API.DLL
----------------------------------------
Nivot.SignalR.Client.Net35
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.0.0
CodeBase: file:///C:/Program%20Files/VoodooShield/Nivot.SignalR.Client.Net35.DLL
----------------------------------------
log4net
Assembly-versie: 1.2.13.0
Win32-versie: 1.2.13.0
CodeBase: file:///C:/Program%20Files/VoodooShield/log4net.DLL
----------------------------------------
System.Data.SQLite
Assembly-versie: 1.0.94.0
Win32-versie: 1.0.94.0
CodeBase: file:///C:/Program%20Files/VoodooShield/System.Data.SQLite.DLL
----------------------------------------
System.Data
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/System.Data/v4.0_4.0.0.0__b77a5c561934e089/System.Data.dll
----------------------------------------
System.Transactions
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/System.Transactions/v4.0_4.0.0.0__b77a5c561934e089/System.Transactions.dll
----------------------------------------
System.EnterpriseServices
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/System.EnterpriseServices/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.EnterpriseServices.dll
----------------------------------------
Newtonsoft.Json
Assembly-versie: 10.0.0.0
Win32-versie: 10.0.2.20802
CodeBase: file:///C:/Program%20Files/VoodooShield/Newtonsoft.Json.DLL
----------------------------------------
mscorlib.resources
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/mscorlib.resources/v4.0_4.0.0.0_nl_b77a5c561934e089/mscorlib.resources.dll
----------------------------------------
System.Management
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Management/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Management.dll
----------------------------------------
System.Numerics
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Numerics/v4.0_4.0.0.0__b77a5c561934e089/System.Numerics.dll
----------------------------------------
System.Threading
Assembly-versie: 1.0.2856.102
Win32-versie: 1.0.2856.0
CodeBase: file:///C:/Program%20Files/VoodooShield/System.Threading.DLL
----------------------------------------
System.Data.resources
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Data.resources/v4.0_4.0.0.0_nl_b77a5c561934e089/System.Data.resources.dll
----------------------------------------
System.Windows.Forms.resources
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms.resources/v4.0_4.0.0.0_nl_b77a5c561934e089/System.Windows.Forms.resources.dll
----------------------------------------
System.RunTime.Serialization.resources
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Runtime.Serialization.resources/v4.0_4.0.0.0_nl_b77a5c561934e089/System.Runtime.Serialization.resources.dll
----------------------------------------
Microsoft.VisualBasic.resources
Assembly-versie: 10.0.0.0
Win32-versie: 14.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualBasic.resources/v4.0_10.0.0.0_nl_b03f5f7f11d50a3a/Microsoft.VisualBasic.resources.dll
----------------------------------------
Accessibility
Assembly-versie: 4.0.0.0
Win32-versie: 4.7.2556.0 built by: NET471REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

************** JIT-foutopsporing **************
Als u JIT-foutopsporing wilt inschakelen, moet in het configuratiebestand voor deze
toepassing of computer (machine.config) de waarde
jitDebugging in het gedeelte system.windows.forms zijn ingesteld.
De toepassing moet ook zijn gecompileerd terwijl foutopsporing
was ingeschakeld.

Bijvoorbeeld:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

Wanneer JIT-foutopsporing is ingeschakeld, worden onverwerkte uitzonderingen
naar het JIT-foutopsporingsprogramma gestuurd dat op de computer is geregistreerd
en worden niet door dit dialoogvenster verwerkt.

 

[lowdetection]

dg17

From VodooShield Alert:

Details--> VodooAi:Unsafe Algorithm 1,2,3 score that is different from version 3, to 4, I remember old post Dan changed the space from 0-1 to 0-100 or so on.
More Details-->SHA256, DEP, ASLR, Version Info, Hidden file, Hidden extension, Version info count, Digital signature valid, Digital signature verified, and so on...

You may find useful also the use of pestudio for more informations.

 

[paulderdash]

Regarding re-registration issue, this posted on Wilders: VoodooShield ?

Concerning the issue of re-registering in V4.09, voodooshield-token.json is again put under the temp file.

Once a temp file cleaner is run & wipes it out, user will need to re-register.

Would someone kind enough to inform Dan (I don't have access to the other forum)?

Thank you!

 

[paulderdash]

Regarding re-registration issue, this posted on Wilders: VoodooShield ?

Concerning the issue of re-registering in V4.09, voodooshield-token.json is again put under the temp file.

Once a temp file cleaner is run & wipes it out, user will need to re-register.

Would someone kind enough to inform Dan (I don't have access to the other forum)?

Thank you!

Edit: I have checked and mine is actually under C:\ProgramData\VoodooShield, but I still have the problem.

 

[danb]

Hi Dan

Don't know if this has been requested before but in case it hasn't here goes

When there is a pop up there is very little information there to see whether it is not benign. So is it possible to provide a link in the pop up to display the file's properties. I may have missed it if it is implanted but could not see anything.

Regards

David

Hi David, I see lowdetection has already replied (thank you lowdetection), but I was curious about a few things. I agree that file insight is absolutely vital to the end user, and for executable blocks, VS should provide plenty of file insight. For command line blocks, there is a lot less file insight that VS is able to provide.

So I am curious what is being blocked that is not providing proper file insight? Thank you!

Hi Dan another pair of dimhost blocks I can't whitelist:


Error:

Very cool, thank you!

Regarding re-registration issue, this posted on Wilders: VoodooShield ?

Concerning the issue of re-registering in V4.09, voodooshield-token.json is again put under the temp file.

Once a temp file cleaner is run & wipes it out, user will need to re-register.

Would someone kind enough to inform Dan (I don't have access to the other forum)?

Thank you!

Thank you for letting me know! I will test with some file cleaning utilities and see what happens. There very well could be a couple of things that are causing the same issue.

 

[paulderdash]

Thank you for letting me know! I will test with some file cleaning utilities and see what happens. There very well could be a couple of things that are causing the same issue.

Dan, I can confirm that after registration and befor CCleaner'ing there are two voodooshield-token.json entries. One in programdata, and another in c:\users\xxxx\\appdata\local\temp\

 

[boredog]

Dan, I can confirm that after registration and befor CCleaner'ing there are two voodooshield-token.json entries. One in programdata, and another in c:\users\xxxx\\appdata\local\temp\

I have the token file in both of those locations. My CCleaner setup is default except for I have it set to clean after closing either IE or Edge. I do not have the registration problem and CC does not delete either token file upon closing browser or manual clean.

 

[boredog]

If we download the beta version, what license do we get? Like, do we have to enter our product key from 3.59 or what?

I used my same product key without any problem.