VoodooShield discussion

Status
Not open for further replies.

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Yeah, there is nothing wrong with AutoPilot... it is great for some situations, and it would be really difficult to find something that can get through it, but it is not perfect.

I just personally believe that the computer should be locked as tight as possible when someone is doing something risky, like surfing the web or checking email.

Personally, for child's computers I would use Smart mode because it is the best of both worlds. In Smart mode, when VS is OFF, it behaves just like it does when it is on AutoPilot. But it also locks the computer when the child is doing something risky like browsing the web.

We added AutoPilot as an option for the users who wanted additional protection, but wanted to limit the frequency of user prompts to an absolute minimum. If you are also running a great AV with VS on AutoPilot, that is more than sufficient, but there are a lot of users (like myself), who only run VS, now that Windows 10 has become quite secure in its own right. In that case, I strongly believe the computer should be locked when it is at risk.

Thank you guys for letting me know about those bugs... I made quite a few changes to that part of the code in 4.03b, so it does not surprise me that there are a few bugs. They should be in the error reporting system, and they should be super easy to fix. The double type conversion bug should be extremely easy to find. Thank you guys!
Okay for using Smart mode for a child's computer I first have to train VS, because otherwise it would be a nightmare of prompts for the child.
They have YouTube open all the time while playing games or do other stuff on their computer. So it would be always locked.
For how long should I leave VS in Training mode or is running Autopilot mode for more than a month enough training?
 
  • Like
Reactions: frogboy

boredog

Level 9
Verified
Jul 5, 2016
416
Thank you guys for letting me know about the BD FP… I submitted a FP with them. In all fairness, there is live malware on our Cuckoo Sandbox site… I am surprised it took 3 or so years for anyone to notice .

Dan as I explained I'm previous posts. I downloaded a file and VS didn't like it. It did the popup asking allow, cookoo, block. Wne I clicked on cookoo, Window smart screen kicked up the warning about VS port 8080 site being reported to MS as bad. One of the other members sent the url to VT and found BD did flag that addy but in my case it was smart screen. I also posted the part of the log as to how the file got allowed after I ckicked block a few times then cookoo. For some reason VS went into either autopilot or off mode. This still baffles me.
 

Rainwalker

Level 1
Sep 7, 2017
22
Cool, I have not debugged VS while running as a guest account yet, but it is now on my to do list.

As far as the port is concerned... I do not know that one off the top of my head, but I can assure you that if it is coming from VS, it is legitimate. For example, the communication code for VoodooAi came directly from code that Microsoft Azure supplied.
OK..Thanks..It just makes me nervous to allow incoming TCP without loopback. So I should not be concerned?
TIA
 

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
Great find (y) i have set an exception in CCleaner for voodooshield-token.json so it won't be deleted.
G_T_G, could you kindly tell me where I can find voodooshield-token.json file and how to set an exception in CCleaner?
I applied @plat1098 tweak but I may prefer others windows files to be cleaned.

Edit:
The considerate replies from @plat1098 and @Tarnak from Wilders did answer the questions I did put to you.
BTW All seems to be fine this morning, no registration prompt, no autostart issues. So I'll hold on apply any tweak for the time being.
Thanks anyway mate.;)
 
Last edited:
  • Like
Reactions: Gandalf_The_Grey
P

plat1098

@VecchioScarpone: here's the path:

vs json.png

Since this machine has very little temp, I felt comfortable skipping it in CCleaner's settings for now. I'll probably end up following Wolfbane's tip because the CCleaner setting is a temporary workaround, or until the next version eliminates the token there. Like everyone else, who wants temp files building up, right?

VoodooShield discussion
 

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
@VecchioScarpone: here's the path:

View attachment 167190

Since this machine has very little temp, I felt comfortable skipping it in CCleaner's settings for now. I'll probably end up following Wolfbane's tip because the CCleaner setting is a temporary workaround, or until the next version eliminates the token there. Like everyone else, who wants temp files building up, right?

VoodooShield discussion

Your input is much appreciated and yes Dan seems to be close to solve most issues with the next beta.
 
  • Like
Reactions: Gandalf_The_Grey

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Edit: ran into registration issue again so this time I set the voodooshield-token.json to read-only so CCleaner doesn't dump it again.
That might cause greater problems in the long run. Just go to CCleaner Options, and make an exclusion for the token file. I'm testing that now.

EDIT1: Now this is odd. After cleaning my drive w/CCleaner (and ignoring the json token file) the GUI starts on boot even with my system that boots straight to desktop w/o login password. I'm wondering if a leftover temp file from earlier release 3.59? may have prevented the v4 GUI from auto-loading at startup. Either that, or Dan is doing stuff on his side, and this is just a coincidence.

EDIT2: Another oddity, possibly unrelated. I have 3 programs that auto-start. Each time I reboot VS asks approval for these. Eben though I allow them, they never make it to the whitelist, AND they don't appear in the User Log.
 
Last edited:
  • Like
Reactions: Gandalf_The_Grey

DotNet

Level 1
Verified
Sep 4, 2017
34
I use Yamicasoft Windows 10 manager to add right click options to the menu. Using VS 4.03, when I right click & select "show hidden files" VS pops up & I allow it. Now the "accepted" option is not used when I try the exact same menu item. Everytime VS pops up appears as if never white listing it. I let it deny as to get a log entry otherwise no log entry is there. When I try to whitelist the denied entry from the user log it crashes and/or freezes. I reverted back to 3.59. This is the entry from 3.59 command lines entry "c:\windows\showhidehiddenfile.vbs" & "c:\windows\showhideknownfileextension.vbs" & "wscript.exe" "c:\windows\selectall.vbs". I tried a fresh install of VS 4.03 several times with the exact same results.
 

Attachments

  • denied.png
    denied.png
    34 KB · Views: 348
Last edited:
  • Like
Reactions: Gandalf_The_Grey

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Registration & auto start is fixed with 4.03. Broken are the rules. Any new rule or edit to existing rules locks up the pc when the save button is pressed. Also vpn is popping up in voodoo & no matter how many times I click allow, no rule is created in smart or autopilot. User log has no activity for items being blocked. Going back to 4.02.

opposite here, I open and connect my vpn, and that kills vs_4.03b, but the vs_service keeps running. reopen vs after the vpn has connected and vs seems fine.

is there an explanation of 4 user choices in the new create rule feature, or is it so obvious even I should be able to figure it out eventually?
 
P

plat1098

Does anyone have both HMP Alert and VS beta at the same time? Just inst. HMP-A v. 604 (release) and now maybe there's a clash at startup. The %appdata% AppData/temp is wiped out x2 so the VS registration box is appearing again. Alert also starts with Windows, right? Back to v. 3.59 for now, no problems with that.
 
Last edited by a moderator:
  • Like
Reactions: Gandalf_The_Grey

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
What I don't understand is why all works well most of the time, then randomly the registry and autostart issue happen again when restarting the computer. Joy of beta testing...o_O
Well, it is about to all make sense ;).

I am not sure if you guys have noticed, but sometimes when you visit voodooai.net, you will notice that you will receive a 503 error, or the page will not load. There are also registration errors in VS. So I contacted our web host a couple of days ago to find out why, and basically, we need to upgrade the server and also limit connections to the server as much as possible, because it is having a difficult time keeping up.

There were certainly bugs in the registration code for VS, but I believe those are all fixed now, and once we figure out the server situation, we should be good to go.

On somewhat of a side note...

itman on wilders was concerned that "The connection via port 1433 remains in an "established state" way too long." What he does not understand is that we use a well known, secure and established method for the connection. Also, the free version of VS includes VoodooAi.

Also, as far as our temporary site (voodooai.net) being http and not https... can one of the fearmongers please show me a man in the middle attack that can occur outside of a LAN, without the use of malware (which VS would stop). The reality is this... if someone is on a public wifi network, they should not be visiting any website that require passwords anyway, whether the site is https or not, simply because there are now mitm attacks now that are successful with https as well. Until very recently, https was used mainly for e-commerce sites, but there has been a recent push to use it for all websites. So now around 50% of websites use https, and 50% use http.

@Trooper... I was under the impression that you were running VS free. You cannot log in to the web management console with a VS free account, so why is the following even a concern in the first place? VoodooShield ?

I am working hard to get everything in place, and I imagine that most people would prefer that my focus is on wrapping up VS 4.0, rather than non-issues.
 
F

ForgottenSeer 58943

Hey Dan, thanks for your hard work as usual.

Session state timeout duration on 1433 isn't an issue. Anyone sniffing Chrome knows Chrome leaves sessions open, sometimes for entire days even after the browser is closed. It's a non issue IMO.

As for HTTP and external MiTM from the lan, it happens and is probably more common than people realize. Up until recently a lot of ISP's redirected HTTP to Paxfire servers and in years before that NBU servers, these days they use something different and are very quiet about it. One should assume HTTP is aggressively sniffed. You can often see this with NX mistyped domains redirected to ISP correction portals when using HTTP.

Not a big deal but something to consider. The FUD over on Wilders is incredible, which is why I don't visit that place.

For raw statistics, traversing (WAN/LAN) my network about 40% of all traffic is HTTPS, 60% is HTTP. Any panic about HTTP is probably ignoring that fact that most likely - 60% of any users traffic is HTTP.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Hey Dan, thanks for your hard work as usual.

Session state timeout duration on 1433 isn't an issue. Anyone sniffing Chrome knows Chrome leaves sessions open, sometimes for entire days even after the browser is closed. It's a non issue IMO.

As for HTTP and external MiTM from the lan, it happens and is probably more common than people realize. Up until recently a lot of ISP's redirected HTTP to Paxfire servers and in years before that NBU servers, these days they use something different and are very quiet about it. One should assume HTTP is aggressively sniffed. You can often see this with NX mistyped domains redirected to ISP correction portals when using HTTP.

Not a big deal but something to consider. The FUD over on Wilders is incredible, which is why I don't visit that place.

For raw statistics, traversing (WAN/LAN) my network about 40% of all traffic is HTTPS, 60% is HTTP. Any panic about HTTP is probably ignoring that fact that most likely - 60% of any users traffic is HTTP.
Cool, thank you for your insight! Yeah, if https accounted for 75%+ of the traffic, and was the industry standard, then our temporary site would be https as well.

From my understanding, https is subject to BGP hijacking as well, so in the end, it probably does not make a difference anyway, right? I mean, an attacker who is that sophisticated surely will not have an issue either way. And besides, as you mentioned, this type of attack is not exactly stealth.
 

DotNet

Level 1
Verified
Sep 4, 2017
34
VS 4.03 will not remember allow rule for browser when a link is clicked in Tweeten & Mailbird. Feeddemon work as expected. Both are built with electron.
 

Attachments

  • 2017-09-15_120546.png
    2017-09-15_120546.png
    57.9 KB · Views: 352
  • 2017-09-15_120611.png
    2017-09-15_120611.png
    55.6 KB · Views: 333
  • 2017-09-15_120640.png
    2017-09-15_120640.png
    37.3 KB · Views: 347

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
VS 4.03 will not remember allow rule for browser when a link is clicked in Tweeten & Mailbird. Feeddemon work as expected. Both are built with electron.
Thank you for letting me know... yeah, that is fixed in VS 4.04, along with a couple of other things I accidentally broke in 4.03 ;). 4.04 is ready, but I am going to run it for 12-24 hours to make sure there are no other errors like this. I think we are getting close... the only bugs I am concerned about now are the non-english type bugs. These are always difficult for me to track down because I am running the English version of Windows, so I cannot debug these errors quickly... I just kind of have to guess based on the error message, which also needs to be translated because it is not in English ;).
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Yeah, there is nothing wrong with AutoPilot... it is great for some situations, and it would be really difficult to find something that can get through it, but it is not perfect.
From day 1 Helix advised me as well as Dan that Smart mode was optimal, and that's
where it has been for me for years. reliable ole safe mode (y)
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
From left to right = more security / From right to left = less user prompts
OFF > Autopilot > Smart(recommended) > Always ON

From what I remember autopilot was designed to significantly reduce user prompts while giving the user a decent amount of protection. However it won't offer the same amount of protection Smart mode offers
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Thank you for letting me know... yeah, that is fixed in VS 4.04, along with a couple of other things I accidentally broke in 4.03 ;). 4.04 is ready, but I am going to run it for 12-24 hours to make sure there are no other errors like this. I think we are getting close... the only bugs I am concerned about now are the non-english type bugs. These are always difficult for me to track down because I am running the English version of Windows, so I cannot debug these errors quickly... I just kind of have to guess based on the error message, which also needs to be translated because it is not in English ;).
If you need any help translating Dutch (Nederlands(e)) error messages or need more logs. Just let me know.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top