VoodooShield discussion

Status
Not open for further replies.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Hi Dan I get a VoodooAi error when trying to run hitmanpro_x64.exe portable from my downloads folder:

View attachment 167439
See, this is the PERFECT type of bug that I would love for you guys to watch me debug, so you can understand what is going on behind the scenes, which is why it would be super cool to do live debugging / coding sessions with you guys.

I am not exactly sure what is up yet, but algo 1, algo 2 and algo 3 are all correct, but the VoodooAiComposite is stuck on -1... so I think most likely when that file was uploaded to the VoodooAi database, something went wrong and the composite score was stuck on -1. I will delete all of the -1 composite scores and see what happens ;).
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Hi Dan got another error for you when trying to create a snapshot:
Zie het einde van dit bericht voor meer informatie over het aanroepen
van JIT-foutopsporing (Just In Time) in plaats van dit dialoogvenster.
************** Tekst van uitzondering **************
System.ServiceModel.CommunicationObjectFaultedException: Het communicatieobject, System.ServiceModel.Channels.ServiceChannel, kan niet voor communicatie gebruikt worden, omdat het de status Faulted heeft.

Server stack trace:
bij System.ServiceModel.Channels.CommunicationObject.ThrowIfDisposedOrNotOpen()
bij System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
bij System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
bij System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
bij System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
bij System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
bij VoodooShield.VoodooShieldService.IVoodooShield.TakeSnapshot()
bij VoodooShield.Main.﷠(Object ﷐, EventArgs ﷑)
bij System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
bij System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
bij System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
bij System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
bij System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
bij System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
bij System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
bij System.Windows.Forms.Control.WndProc(Message& m)
bij System.Windows.Forms.ToolStrip.WndProc(Message& m)
bij System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
bij System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
bij System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


 

danb

Hi Dan I get a VoodooAi error when trying to run hitmanpro_x64.exe portable from my downloads folder:

View attachment 167439
Hehehe, lucky guess this time... but try it now, it will work. There were a total of 37 analyses that had a VoodooAiComposite of -1... I am not sure why, but I will keep an eye on it. Thank you for letting me know!
 

Gandalf_The_Grey

Hehehe, lucky guess this time... but try it now, it will work. There were a total of 37 analyses that had a VoodooAiComposite of -1... I am not sure why, but I will keep an eye on it. Thank you for letting me know!
No VoodooAi error any more but I get an alert from VS twice and have to allow the file every time to get it to run:

Hipmanpro VS alert.JPG
 

danb

No VoodooAi error any more but I get an alert from VS twice and have to allow the file every time to get it to run:

View attachment 167440
Ok, that sounds like the Region / Conversion bugs are not quite fixed yet... you are in Europe somewhere, right? I really need to go to bed, but we will figure this out soon, thank you!

BTW, it will be in the error reporting system logs, so it should be an easy fix.
 

Gandalf_The_Grey

Hmm, odd. This will show up in the error reporting logs, but please post the exact procedure you followed to produce the error, and I will take a look at it in the morning, thank you!
VS in Smart mode. Right click the tray icon. Left click on Take snapshot. Click yes at the prompt. Then you see in the right bottom of your screen "Taking Snapshot" and in the middle of your screen the Microsoft .Net Framework error.
 

Gandalf_The_Grey

Ok, that sounds like the Region / Conversion bugs are not quite fixed yet... you are in Europe somewhere, right? I really need to go to bed, but we will figure this out soon, thank you!
Yes, I'm in Europe (The Netherlands). Have a good night's sleep! Here it is 09:35 in the morning.
 

plat1098

Re: shutdown: Program Manager This app is preventing shutdown.

If task manager is open, that doesn't shut down cleanly either. If VS is exited beforehand, it takes maybe 2 or 3 sec. Only one tiny internal SSD with 84% free space. No Windows system or application errors to speak of, no hardware issues. Fast startup is disabled. Doesn't look like any conflict with EAM and HMP Alert any more. Shutdown can "drag" to 8 or 9 seconds otherwise.

For comparison, another machine has release 3.59 with both fast startup and quick boot disabled and no internal SSD/HDD. It's like VoodooShield isn't there--shutdowns are about 4 sec either way. :coffee:

Edit: Here is a command line alert which was allowed: I've reported it as a false positive prev.

vs command.png
 

ColonelMal

Level 3
Verified
Well-known
Jul 5, 2017
109
I installed v.4.0.5 over 4.0.4b but the same problem that I had mentioned in this posting continues. So, I had to go back to v. 3.59b again. Version 3.59b doesn't cause the programs to freeze.
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
I'm still seeing occasional non-responsiveness (varies... 1 to 5 seconds) to the pop-up notifications when I click Allow.
 

plat1098

Curious if VS would have detected the Floxif malware embedded in CCleaner's 32 bit version 5.33 6162 where the certificate was reportedly signed by the author (after some Piriform carelessness). Anyone have this CC version to try?

Adding: Yes, after the CCleaner brew ha-ha, I got Wise Disk Cleaner 9 on here and after using it, VS cannot connect to Internet to check files--in this case, regedit. I'll look into this more, it's probably something minor. I hope. A restart and VS is back in business.

vs no int conn.png
 

codswollip

Each time I reboot these 2 programs are flagged:
2017-09-18_11h23_05.png 2017-09-18_11h23_17.png

They are both listed in the Whitelist with Action = Snapshot
Both apps autorun at boot. My system goes straight to Desktop on boot (no login/password).
I rebooted 4 times with the same result. Interestingly, the GUI User Log does not record these notifications.

FWIW, on one of these reboots, I was required again to register my license.
v4.05b, Smart mode
 

ColonelMal

Each time I reboot these 2 programs are flagged:
They are both listed in the Whitelist with Action = Snapshot
Both apps autorun at boot [...]
v4.05b, Smart mode
If it's at all useful, the problem that I face (freezing) has to do with a program that is listed in the Whitelist = Snapshot and autoruns at boot.
I cannot add it to the VS Allowed programs list whenever I try to do so.
 

plat1098

@danb post 838
VoodooShield discussion

Wise Disk Cleaner 9 is deleting something of VoodooShield's that causes VS to think it's not connected to the Internet (Internet is intact). I looked thru the Wise interface and nothing jumped out to uncheck.

Or, if someone has past experience with this, please can you post your solution? :)
 

danb

Interesting that Ai does not detect it.
Yeah, this would be pretty much impossible for Ai of any kind to detect, which turned out to be the case, since CCleaner is most likely part of the various Ai training data sets. Basically, there is going to be a super close match to the safe CCleaner, so there is not a chance this will be detected as unsafe. Now, if an attacker packed CCleaner or monkeyed with the file the usual way, that is a totally different story... it would almost certainly be detected by most or all Ai products.

BTW, the log still looks pretty good, but it looks like a few people are still experiencing a couple of bugs. If so, please do the following:

1. Start VS 4.05b, and go to VoodooShield Settings / Register, and click the big “Reset Registration” button at the bottom. VS will reset the registration and exit.
2. Uninstall VS, and click “Yes” when it asks if you want to delete the Settings and Logs
3. Reboot the computer
4. Install VS 4.05b
5. You will need to register one last time, but hopefully this really is the last time.

I see there are a couple of other bugs that are not yet resolved, but I will look at them soon, thank you!
 

codswollip

If it's at all useful, the problem that I face (freezing) has to do with a program that is listed in the Whitelist = Snapshot and autoruns at boot.
I cannot add it to the VS Allowed programs list whenever I try to do so.

Based on that, I removed one of the 2 troublesome SNAPSHOT allowed programs from the Whitelist. Then I exited the program and relaunched it manually. When I got the notification, I hit Allow and now it appears in the User Log and Whitelist. Again, I exited the program and manually launched... No Notification (GOOD!). Tomorrow I'll reboot and see if it loads without triggering a Notification. If that's the case, there's something wonky with the Whitelist = Snapshot entry.

EDIT1: I couldn't stand the suspense so I rebooted now. And Clipdiary loaded without notification.

So it seems that you might delete troublesome Whitelist = Snapshot entries and manually invoke the program. So I'm off to unwhitelist the Samsung program that notifies with each boot. And just FYI... on reboot I had again to register. I suspect Dan is doing this purposely, or else the registration randomly drops.


EDIT2: OK... deleted 2 more troublesome Allowed by Snapshot Whitelist entries. Rebooted and Allowed both. Rebooted again, and all is quiet. Altogether 3 boots and again I lost my registration. That's all for today.

5. You will need to register one last time, but hopefully this really is the last time.
:X3::X3::X3:
 