Update VoodooShield Latest

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,107
6,491
@danb does VS alert the user to new Not Safe items detected on WLC scans without the tray icon running? :unsure:

i.e. with "Show WhitelistCloud tray icon" > Off and "Notify me when new Not Safe items are detected on scans" > On?

I've never seen a notification other than the WLC tray icon.
I see what you mean... thank you OS! It appears that when the WLC tray icon is disabled, and the "Notify me when new Not Safe items are detected on scans" is enabled, WLC is not alerting properly for automatic scans. Should be an easy fix, I will look at it right now, thank you!
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,231
41,237
Hi, what is the best thing to do with non-safe items under the WhitelistCloud section?
Are the CPU spikes up to 35% normal while scanning under WhitelistCloud or opening VS?
Do you have the latest version 6.07 (from the post above yours) installed?

Judging non safe items can be a challenging task and I believe most of those are unsigned programs.
They are normally allowed by VoodooShield, but now blocked by the WhitelistCloud part.
This can be a reason to not use the WhitelistCloud part.

I recommend copying the hash and looking them up in VirusTotal:
@struppigel made a video about VirusTotal:
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,107
6,491
Hi, what is the best thing to do with non-safe items under the WhitelistCloud section?
Are the CPU spikes up to 35% normal while scanning under WhitelistCloud or opening VS?
Yeah, as @Gandalf_The_Grey recommends, if you do not know off the top of your head what these two items are, then it is a good idea to figure out exactly what they are, and VT should help with this.

35% seems really high to me... my main machine peaks at 2% for VoodooShield.exe and 4% for VoodooShieldService.exe. If you have an old whitelist from several versions back, I bet resetting your whitelist in Settings would fix the issue. If not, please let me know and we can see what else might be causing this. Thank you!
 

Tutman

Level 10
Verified
Apr 17, 2020
486
3,077
Would you say that the Malwarebytes Anti-Exploit tool (beta) overlaps with and does some of the same things that VoodooShield does, or do they complement each other?
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,127
6,457
@Tutman

Only two features (of the many of MB Anti-Exploit) overlap with VoodooShield:
1. Spawning of executables by MBAE protected apps
2. Execution of files downloaded by MBAE protected apps

So where the last protections of MBAE end, the protection of VS starts. VS does not try to stop the intrusion (there are so many vectors), only the result (execution of code from disk or memory).

Nowadays Microsoft products have a lot of built-in exploit protection features, e.g. Edge does not allow non-Microsoft DLLs to load in its renderer processes, and Microsoft Defender has Attack Surface Reduction rules which prevent browsers and mail clients from spawning downloaded executable code and Office programs from starting other programs. Also, Windows 10 has more advanced anti-exploit features than Windows 7, which cover the extra EMET protection features of Windows 7 by default.

Windows Defender ASR rules even work when you use another antivirus, so to be honest, the protection of MBAE is great when you use Windows 7 but is marginal when you use Windows 10 with Configure Defender (to enable ASR easily) and VoodooShield (when everything else fails).

Consumer-grade intrusions shifted from exploits and lacking memory protections to using Windows built-in execution options (also called sponsors and Living off the Land binaries). VS does a good job of restricting Sponsors/LOLBins. So I would not use MBAE anymore in a Windows 10 + VoodooShield setup.
 

Tutman

Level 10
Verified
Apr 17, 2020
486
3,077
That was very informative, thanks for the info. So I guess MBAE will be disabled! Another question for anyone that may know: It seems VoodooShield also acts as a go-between for Windows Firewall with the create rule? So one would not need another third-party firewall for alerts, as this will notify you of programs trying to run and/or accessing the internet, and you would only need Windows Firewall running? (Along with a traditional AV of course!)
 

oldschool

Level 63
Verified
Mar 29, 2018
5,244
38,265
It seems VoodooShield also acts as a go-between for Windows Firewall with the create rule?
VS's WhitelistCloud component can create "block" rules for "unsafe" items but that is its only interaction with Windows Firewall.
So one would not need another third-party firewall for alerts, as this will notify you of programs trying to run and/or accessing the internet, and you would only need Windows Firewall running?
WF will not alert you.

You will need a 3rd party firewall front-end for WF, e.g. WFControl, etc., or a totally separate 3rd party FW like TinyWall (built on Windows Filtering Platform) to be notified of outgoing connection attempts.
 

Tutman

Level 10
Verified
Apr 17, 2020
486
3,077
VS's WhitelistCloud component can create "block" rules for "unsafe" items but that is its only interaction with Windows Firewall.

WF will not alert you.

You will need a 3rd party firewall front-end for WF, e.g. WFControl, etc., or a totally separate 3rd party FW like TinyWall (built on Windows Filtering Platform) to be notified of outgoing connection attempts.
Ok thanks much for clearing that up!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,107
6,491
Hey guys, here is the latest...

VS 6.07c
SHA-256: d84573c3c3e8b17423414e77c62d49f4af00f265e60ea8cc6fb6351fe6a1f1f4

Signed malware is handled a little better in this version, but in all fairness, I do not expect the Relaxed security posture to block nation state grade signed malware ;).

Having said that, it does look like signed malware is on the rise and it is something we are going to have to address moving forward. Just google "how common is digitally signed malware" and you will see what I mean, there is a lot of interesting info on signed malware. It is not going to be possible to only auto allow reputable certificate authorities, simply because there are not enough of them, and they all have this issue at least to a certain extent. But there are a lot of other options to deal with signed malware, but it will take a little time.

BTW, Chronicle only found 3,816 signed malware samples on VirusTotal in 365 days last year, so it is probably not a huge problem yet, but it looks like it is certainly on the rise.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,107
6,491
Hey guys, here is a version that should fix the signed malware issue. There are currently only 6,000 signers on the list and over the next week or so I am going to add tons more, so there might be a few more false positives than usual for a week or so. We will probably want to tweak the user prompt a little after you guys make suggestions (it is a little aggressive as it currently is), but overall the new signed malware feature is complete and working well.

VS 6.07d
SHA-256: 1edab4c2185a3133bb56887c886e5e43093f56382ecb8ff750181bbdcb98c21e

I really like how this new signed malware feature worked out, thank you guys for testing VS and helping to make this happen. If you get a chance, you might try some of the previously tested malware that slipped through before, just to see what happens. It should not matter what security posture VS is in... it should be blocked either way.

Thank you guys, have a great weekend!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,107
6,491
Oops, there was a little bug: when a file was manually scanned (drag and drop or right-click VoodooShield Scan), the correct file insight info and recommendations were not displayed. This issue is now fixed, and the manual scan user prompts should match the on-execution user prompts.

VS 6.07e
SHA-256: 8b051b0937d52f88bb3a7a04bd42629ffea7d7635c298329bb8b77e42c0953b3

I think we are pretty close to a public release, thank you guys for your help!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,107
6,491
Thankfully that was an easy fix, thanks again @harlan4096. This version should be ready for public release, but we will wait a couple of days just in case you guys find something else ;). I also updated the mini prompt to show when a file is Not Safe (and made the text red) to hopefully deter users from even opening the full user prompt.

VS 6.08
SHA-256: 9c8386bcc23e6ec480034dec2370d91181fc159d953270618bcb17d1d50423c9
 

Gandalf_The_Grey

Level 53
Verified
Trusted
Content Creator
Apr 24, 2016
4,231
41,237
Hi @danb, why did I get a user prompt for filecoauth.exe?
User Prompt: c:\users\gandalf\appdata\local\microsoft\onedrive\20.201.1005.0009\filecoauth.exe | 0 |
[12-20-2020 20:21:08] [INFO ] - VoodooShield Blocked: c:\users\gandalf\appdata\local\microsoft\onedrive\20.201.1005.0009\filecoauth.exe | "c:\users\gandalf\appdata\local\microsoft\onedrive\20.201.1005.0009\filecoauth.exe" -e
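The log line above has a regular shape, so here is an added example (not VoodooShield's own code, written for this thread) that parses lines of that form and picks out Blocked events whose binary lives under a user-profile directory for a second look. The second sample line and the directory markers are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Line shape as quoted in the thread:
# [MM-DD-YYYY HH:MM:SS] [LEVEL ] - VoodooShield <Action>: <path> | <command line>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\]\s+"
    r"\[(?P<level>[A-Z]+)\s*\]\s+-\s+VoodooShield\s+(?P<action>\w+):\s+"
    r"(?P<path>[^|]+?)\s*\|\s*(?P<cmdline>.*)$"
)

# Assumed per-user locations where a freshly dropped binary would typically land.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\desktop\\")

@dataclass
class VsEvent:
    when: datetime
    level: str
    action: str   # e.g. "Blocked" or "Allowed"
    path: str     # normalised to lower case with backslashes
    cmdline: str

def parse_line(line: str) -> Optional[VsEvent]:
    """Return a VsEvent for one VoodooShield log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return VsEvent(
        when=datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S"),
        level=m["level"], action=m["action"],
        path=m["path"].strip().lower().replace("/", "\\"),
        cmdline=m["cmdline"].strip(),
    )

def in_user_writable_dir(path: str) -> bool:
    """True when the binary sits under a user profile location worth a closer look."""
    p = path.lower()
    return "\\users\\" in p and any(marker in p for marker in USER_WRITABLE_MARKERS)

def blocked_for_review(lines: Iterable[str]) -> List[VsEvent]:
    """Keep only Blocked events whose binary lives in a user-writable directory."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e and e.action == "Blocked" and in_user_writable_dir(e.path)]

# Constructed sample: the first line is the one quoted in the thread, the second is made up.
SAMPLE_LOG = [
    '[12-20-2020 20:21:08] [INFO ] - VoodooShield Blocked: c:\\users\\gandalf\\appdata\\local\\microsoft\\onedrive\\20.201.1005.0009\\filecoauth.exe | "c:\\users\\gandalf\\appdata\\local\\microsoft\\onedrive\\20.201.1005.0009\\filecoauth.exe" -e',
    '[12-20-2020 20:25:41] [INFO ] - VoodooShield Allowed: c:\\windows\\system32\\notepad.exe | "c:\\windows\\system32\\notepad.exe"',
]
```

Running `blocked_for_review(SAMPLE_LOG)` returns just the filecoauth.exe event, with the timestamp, path and `-e` command line split into fields for further triage.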
 