VoodooShield discussion

Status
Not open for further replies.

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
vs blocked this command automatically!
c:\windows\system32\rundll32.exe startupscan.dll,susruntask
I wanna know why is that?
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Dan you mean exit VS then start it up again, or restart computer?
No Password user here.
Edit:
You meant log out from computer off course.
Like if you start the computer and there is no password, so your computer comes up straight to the desktop. VS will not start because you did not enter a password. At this point, do not start VS... just log out and log back in, and VS will start.

This is how I discovered the issue... I have passwords on all of my computers, so this has never been an issue for me. A little earlier, I had to redo a VM because it was a mess, and it did not have a password to log in (initially). I installed VS, and later rebooted, and noticed that VS 4.03b did not start on startup. I then looked at the log and noticed that none of the correct startup / session events were firing, so I knew immediately what the issue was.

That is the thing about software / betas... you can test for months in your own environment, but until other users start using the software, these types of problems remain hidden. Thankfully, they are almost always super easy to fix... kind of like "why did I not think of that a head of time" moments. So typically, the hard part is not fixing this issue, the hard part is reproducing the issue on my end, so I can figure out where the breakdown is occurring.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
I had this at reboot of a virgin install of VS 4.03b:
View attachment 167145
After that I removed VS again, (from files, registry ect.)
I reinstalled and all is cool now, if this happens again I will Email you the logs. PeAcE Mr.B :p
Very cool, yeah, please send me the logs from that error either way, thank you!
 

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
Like if you start the computer and there is no password, so your computer comes up straight to the desktop. VS will not start because you did not enter a password. At this point, do not start VS... just log out and log back in, and VS will start.

No worries mate. I'll playing around until the random issue happen then apply what you suggest and report back.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
It still also looses registration at times, but were here for ya Dan :)
Hehehe, we are getting there ;). It is good to see that people are dedicated to VS through the thick and thin ;). In all fairness, it has only been just over a week ;). With the massive refactoring that was performed in VS 4.0... this could have easily gone on for a month or two. I mean, there were MASSIVE changes, but it looks like we are getting close.

See, it takes years to be able to figure out all of the pieces of the puzzle, and how to make everything work well with each other... not to mention that adding new features constantly only compounds the problems ;). But now that I can look back and see what VS was always supposed to be, it is much easier for me to structure the code in a way that makes sense, runs faster, and is easier to maintain. That is was VS 4.0 is all about. If I knew now what I knew 6 years ago, we would not have to deal with 1-2 weeks of beta hell... but obviously that is not a possibility.

I mean if we were creating a simple (pseudo) computer "lock" that attempted to meet the bare minimum end user usability / UX requirements by dangerously auto allowing by digital signature alone, then I could have written and debugged that code from scratch in an afternoon. But if you want to get serious and build a true lock that does not take the easy way out, you have to put the work in to make it happen.

BTW, I added another level of protection today, and hopefully you guys will NOT notice it ;). In addition to process name, process path, process hash, VS now also compares the parent process path, when checking to see if an item is on the whitelist snapshot or not. This does not sound like a big deal, but I believe it is. I would go into details, but this is already long enough. ;).

Anyway, thank you guys, we will be wrapping VS 4.0 up very soon, we are getting close, thank you for your help!
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
vs blocked this command automatically!
c:\windows\system32\rundll32.exe startupscan.dll,susruntask
I wanna know why is that?
It looks like it is from Microsoft\Windows\Application Experience, which must be a relatively new command line that is not yet hardwired in.

Actually, we need to start adding these to the new Command Line cloud feature, then they will not be blocked.

See, VS has TONS of hardwired command lines that are auto allowed, so the user is not burdened with these. Also, command lines from whitelisted processes should be auto allowed, assuming they did not originate from a potential exploit.

Either way, we need to add this, and yes, it is safe ;).
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Dan
It look like you are getting somewhere. After a missed autostart, by logging out and back VS did start.
Yeah, I am sure that is what the issue is. I think I already have it fixed, but I just want to test it a little more, and fix any other potential bugs that people have mentioned, or that will appear the next day or so, and then release 4.04. After that, there still might be a small bug or two, but I think 4.05 will pretty much wrap it up. For the next month or so, there will be a few small bugs here and there, but I will be able to see them in the error reporting system, and fix them on the fly. So hopefully, in a month or two, VS will be 100% bug free. VS 3.59 was pretty darn stable, but I am certain that if we had the error reporting system for it... there would be some small bugs ;). That is just the way software is.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Thanks Dan for all the hard work, but I am staying put with v. 3.59 for the meantime, because early start is a very important feature to me. The earlier, the better. You know what they say, "The early bird catches the worm"
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Hey guys, here is 4.03… if you are running 3.59 or 4.02, you should be able to install over the top. If you are running 4.00 or 4.01, you really need to uninstall VS, click “yes” when it asks you if you want to delete the settings and log files, then reboot the computer, then install 4.03.

I temporarily slowed down the VS startup slightly… I am not sure if you guys will notice it or not, but once this final startup bug is resolved, I will be sure to change it back. I added logging to the startup code to see why VS is not starting for some users.

There is a small chance that the startup issue is fixed, but if not, the extra logging should guide us in the right direction.

Also, after Sunshine-boy mentioned the blacklist scan not being available everywhere, I started to look into this a little more. I noticed that there were quite a few small bugs when the blacklist scan was disabled, so I believe those are all now fixed, but if you guys see anything, please let me know. But really, if the blacklist scan is not available, there is not much I can do on my end… but really, if you simply disable the blacklist scan and rely on VoodooAi, you should be in great shape. I probably would not keep VS on AutoPilot if you disable the blacklist scanner, unless you are running a great AV along with VS. Actually, AutoPilot is not really designed to be used on a daily basis, even with the blacklist and VoodooAi enabled… if you ask me, the computer needs to be locked when it is at risk .

But if you were really wanting to run on AutoPilot, a rule or a few rules might be very, very handy in this situation… maybe something like (I am sure we can come up with something better than this):



Block All files on My Computer when VoodooShield is AUTOPILOT

If VoodooAi is greater than or equal to 33.



I am not sure if you guys have noticed, but VoodooAi has become amazingly accurate the last 6-9 months, and it is only going to get better as it goes. Usually when I am analyzing and testing malware or potential false positives, I take 3 factors into consideration. 1. The overall blacklist scan results, 2. VoodooAi, 3. Cuckoo Sandbox. A lot of times they all 3 agree, so the sample is either obviously benign or obviously malware. But when one of these 3 analysis do not agree with the other 2, from my experience, VoodooAi typically does not let me down… although it can be wrong from time to time.

Then again, if VoodooAi (or any other malware engine) were perfect, there would not be a need for VS .

And the false positives are now at an all-time minimum… just go to any download type site and try it for yourself. But the reason I bring this up is that new technologies need a little time to improve and mature. So for example, I am really excited to see what happens with the new rules feature a year from now.

There were a lot of other bug fixes and changes in this version… I think we are getting close.

http://www.voodooshield.com/Download/beta4/InstallVoodooShield403beta.exe

Thank you guys for letting me know about the BD FP… I submitted a FP with them. In all fairness, there is live malware on our Cuckoo Sandbox site… I am surprised it took 3 or so years for anyone to notice .

BTW, thank you guys for all of your input, and responses… If I had time to respond to each one, I would, but as you know, things are kind of crazy right now . After we track down these last couple of bugs, we will be in great shape though. I do read everything though, and I really appreciate your help!
Hi Dan, I installed 4.03b over de top of 3.59. Will let you know if I run into any issues.
You don't recommend autopilot mode, but I was using it for quite some time and it is also on the laptops of my kids because that mode reduces the amount of prompts they get and potentially can answer wrong. Why is it still available and what mode do you recommend now for people like my young kids?
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Hey, Does voodooshield have some Behavior blocker?

That sounds like a great idea in theory (and believe me, I have thought about this a lot), but in practice, it is not quite what it seems.

I have installed security products with the absolute best behavior blockers on the market, in combo with VS on several client’s computers. I was absolutely shocked to find that VS had significantly less alerts than the industry leading behavior blockers.

I do not specialize in behavior blocking, but I cannot imagine a scenario where I would be able to build something that could outperform their years of dedication and hard work. But the problem is… if FP’s are that high, you might as well just block everything (kinda like VS is supposed to do, but somehow it has less FP’s).

Try it for yourself, you will see.

For obvious reasons, VS will not be implementing behavior blocking any time soon… but never say never… now that you have me thinking about it, who knows what will happen .

I am not a Star Wars fan, but it really comes down to “Do or do not. There is no try”. Because obviously if you can avoid a single line of malicious code from running in the first place, you are light years ahead… Fabian taught me that .

But what it really comes down to is this…

Should the computer be locked when it is at risk?

Yes

Should the computer NOT be locked when it is not at risk?

Yes. Why would you bother the user when the computer is not at risk?
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Yeah, I was also kind of taken by surprise by that one.
Maybe this is new advice for version 4?
Hehehe, VS is all about locking the computer when it is at risk... and I have mentioned this sooooooo many times.

AutoPilot is fine, but my preference is to lock the computer when it is at risk.

In all fairness, have you not heard me say that the computer should be locked when it is at risk? ;).
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top