Author Topic: VoodooShield v4 STABLE Thread  (Read 141481 times)

Offline schmidthouse

  • Jr. Member
  • Posts: 66
  • Do not confuse Kindness for Weakness
Re: VoodooShield v4 STABLE Thread
« Reply #1095 on: November 11, 2018, 12:21:05 am »
Is update check turned on? No notice w/4.64 running.

Maybe because it's only offered here at present?
I got 4.64 from the website, as well as 4.65, so we can rule that out.

FWIW the 4.65 installer file identifies itself as 4.50.0.0 with a mouse hover.

Yup noticed that myself
4.65 running great on latest Win 10 OS's
***HP ENVY 15K LT W10 Pro 64Bit/750GB HD/ 16GB Ram/Avast Prem.bc/VS 5/Secureline VPN/SANDBOXIE/Prey Project
**HP Compaq Business LT W10 Pro 64Bit/1TB HD/ 8GB Ram/Avast Prem. 19.4.2374/VS 5/Avast Secureline/SANDBOXIE/Prey Project
*Dell Inspiron xpSP4 PRO 32 Bit/Avast (since 2002)/Comodo FW 3.14/OSA/Comodo Ice Dragon/Avast Secureline
LAYERED SECURITY SOFTWARE PROTECTION on all OS's
When you think you know, Think Again

Offline Triple Helix

  • Administrator
  • Sr. Member
  • Posts: 412
  • Truth is more of a stranger than fiction.
Re: VoodooShield v4 STABLE Thread
« Reply #1096 on: November 13, 2018, 06:49:08 pm »
Hi Dan, just noticing that if I set to Disable/Install mode, upon reboot it goes back to Smart mode, and before it used to stay in Disable/Install mode until I changed it back to Smart Mode. v4.65

TIA,

Daniel
Microsoft® Windows Insider MVP - Windows Security
Webroot SecureAnywhere Complete & VoodooShield Pro
Alienware 17R5 Laptop with the new i9-8950HK Processor, 32GB of RAM and 2 Samsung NVMe 960 Pro's.

Offline Mx

  • Youngling
  • Posts: 29
Re: VoodooShield v4 STABLE Thread
« Reply #1097 on: November 13, 2018, 10:12:00 pm »
Hi Dan,

I wonder if VoodooAi could detect a malicious .dll in an APT like this?
https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/
« Last Edit: November 14, 2018, 06:42:08 pm by Mx »

Offline ColonelMal

  • Youngling
  • Posts: 19
Re: VoodooShield v4 STABLE Thread
« Reply #1098 on: November 14, 2018, 05:28:37 pm »
Version 4.65 is working fine on Windows 10 Pro 1803 Build  17134.376.

Offline Shmu26

  • Jr. Member
  • Posts: 55
Re: VoodooShield v4 STABLE Thread
« Reply #1099 on: November 14, 2018, 05:32:07 pm »
Hi Dan,

I wonder if VoodooAi could detect a malicious .dll in an APT like this?
~snip No MT links here. snip~
VS does not monitor dll files as such; instead, it controls the processes responsible for loading the dll.

Offline Mx

  • Youngling
  • Posts: 29
Re: VoodooShield v4 STABLE Thread
« Reply #1100 on: November 14, 2018, 06:52:49 pm »
Hi Dan,

I wonder if VoodooAi could detect a malicious .dll in an APT like this?
~snip No MT links here. snip~
VS does not monitor dll files as such; instead, it controls the processes responsible for loading the dll.

Hi Shmu,

I don't remember, but I think that VoodooAi scans dll, tmp, and bat files. I'm not sure; I hope that Dan can clarify this.

Online oldschool

  • Jr. Member
  • Posts: 69
Re: VoodooShield v4 STABLE Thread
« Reply #1101 on: November 14, 2018, 09:10:33 pm »
Hi Dan,

I wonder if VoodooAi could detect a malicious .dll in an APT like this?
~snip No MT links here. snip~
VS does not monitor dll files as such; instead, it controls the processes responsible for loading the dll.

Hi Shmu,

I don't remember, but I think that VoodooAi scans dll, tmp, and bat files. I'm not sure; I hope that Dan can clarify this.

Agreed! @shmu you are far more knowledgeable than I, but I'd still like to hear from Dan to improve my understanding of VS.
« Last Edit: November 15, 2018, 01:31:48 am by oldschool »
"... still trying to find the answers to life's persistent questions..." - Guy Noir, Private Eye

W10 1809 Windows Defender + VoodooShield Pro

Offline simmerskool

  • Jr. Member
  • Posts: 65
Re: VoodooShield v4 STABLE Thread
« Reply #1102 on: November 15, 2018, 02:47:48 am »
Hi Dan,

I wonder if VoodooAi could detect a malicious .dll in an APT like this?
~snip No MT links here. snip~
VS does not monitor dll files as such; instead, it controls the processes responsible for loading the dll.

Not to disagree with shmu26, but perhaps the question is unclear... I just right-clicked a .dll file from \system32 and VS / VAi reports back VoodooAi 0/100, so probably it's me not understanding the question.

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
Re: VoodooShield v4 STABLE Thread
« Reply #1103 on: November 15, 2018, 07:35:37 am »
Hey Guys... I am still sorting out the FP issue with MS.  For some odd reason, when I name the downloadable file InstallVoodooShield456.exe (or any other version number), then there are no issues with FP's.  But when the file is simply named InstallVoodooShield.exe, then sometimes I still get an FP.  I think it is getting better though because I just installed VS on a client's computer after installing the latest Windows 10 release... I think it was 1809, and there were no FP's for either file.  Either way I will keep an eye on it.

As far as dll's go... since dll's are portable executables just like standard exe files, VoodooAi (and other ML/Ai products) is capable of analyzing dll's as well.  The only thing is that it might not be quite as accurate as with standard .exe files, simply because the training data sets do not include nearly as many dll's.  I think what Shmu26 is talking about when he says "VS does not monitor dll files as such, instead it controls the processes responsible for loading the dll." is not so much about the ML/Ai analysis, but rather how the dll is executed, and how VS handles dll's in general.  In other words, dll's cannot be executed directly; they must be called from another executable, which is why most dll malware utilizes rundll32.exe to execute the malicious code.  So basically, VS stops the infection long before it even has a chance to run the malicious code.  VS could easily monitor dll's directly, but if we did so, we wouldn't gain anything from a security perspective, and it would certainly slow down the system and create FP's.

This is the exact reason VS does not bother with monitoring memory.  VS does not have to monitor memory, simply because it prevents the infection pre-execution.  I have tested certain SRP products that boast memory protection, and as an example, their product might let a signed executable installer run, and then block an action based on memory protection right in the middle of the installation.  So at that point, the installer has already potentially made changes to the system, and was subsequently interrupted right in the middle of the installation, and it has the potential to turn into a huge mess. 

The key is to not let the new non-whitelisted item run in the first place.

Furthermore, installers and other executables should not be bothered once they are determined to be safe and allowed to run.

I think a lot of times people falsely conflate VS with traditional deny-by-default products, so they end up completely overlooking what VS is all about.  I can tell you in no uncertain terms where the industry went wrong years ago.  They have been focused on what causes a system to become infected, and somehow forget to focus on why the system is infected.  In other words, the industry focus has been on detecting malware or malicious actions (such as monitoring memory, signatures, SRP rules, etc.), which is what causes the system to become infected.  Instead, what VS does is focus on why the system is infected.  In almost all cases, the system was infected because the user was browsing the internet or checking email and they stumbled upon a malicious link or attachment.

Here is another example... I have always believed that it is absolutely ridiculous for UAC to block cmd or regedit right after the computer is booted, and before the user is browsing the web or checking email.  This is one of the key things that really bugged me that led me to have the idea for VS.  Now, if the user is browsing the web or checking email and the parent process of the cmd or regedit process is suspect... then by all means block the item.  But don't lock the computer down and block everything blindly... and certainly do not interrupt an installer in the middle of an installation after it has had the chance to potentially make changes to the system.  It just cracks me up when people automatically assume that VS is a full time lock that will blindly block anything and everything.

Anyway, that is what VS is all about.  It has been a very long road to get where we are, and we can always use a little more refinement to reduce the unwanted blocks even more.  BTW, I think the new user prompts really turned out well.  Complete novices have always handled VS remarkably well, especially if you simply tell them... "If VS blocks something out of the blue, just ignore it and assume it is a virus.  But if VS is blocking something you want to run, then allow it if the prompts say it is safe to do so".  Now that the verdict in the user prompts is extremely clear to the end user, I think it would be extremely difficult to find anyone who cannot use VS properly.  Especially considering that UAC offers absolutely no assistance or file insight, and no one complains about novices having issues using UAC properly.

Anyway, now that we are in great shape, if anyone has any suggestions for improvements or new features, please let me know!  Thank you guys, talk to you soon!

Offline Shmu26

  • Jr. Member
  • Posts: 55
Re: VoodooShield v4 STABLE Thread
« Reply #1104 on: November 15, 2018, 08:13:21 am »
Dan, thanks for the great explanations!

Getting back to @Mx's original question: VS would handle a dll attack like the one described not by scanning the dll in Ai, but rather by blocking the processes that try to load the dll. Correct?
 

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
Re: VoodooShield v4 STABLE Thread
« Reply #1105 on: November 15, 2018, 03:12:28 pm »
If a new non-whitelisted executable imports a malicious dll, then the new non-whitelisted executable itself should be considered malicious (along with the dll), which VS will block pre-execution.

This is why malware often utilizes Rundll32.exe to execute malicious dll's... which VS will obviously block.

In either scenario VS will block the malicious dll long before it has a chance to execute the malicious dll code. 

If anyone can provide a malicious dll POC that VS does not block, please post it publicly.

Just talking about this made me think of something pretty cool we might be able to add to VS.  In the case of Rundll32.exe and similar attacks, I can instruct VoodooAi to analyze the dll and provide this file insight to the user, instead of simply displaying a command line block.  I will play around with it; this might be really cool.
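As an added illustration of the policy Dan describes in replies #1103 and #1105 (this is not VoodooShield's code, and the whitelist, paths and process names are constructed assumptions): a toy pre-execution check that blocks anything not whitelisted before it runs, treats a rundll32.exe launch as execution of the DLL named on its command line so that the DLL rather than a bare command line is what gets surfaced for analysis, and judges cmd/regedit by the parent that spawned them rather than blocking them blindly.

```python
from collections import namedtuple
# Assumed simplification: the whitelist is a set of normalized full paths (constructed
# sample entries); a real product would key on hashes or signatures instead.
WHITELIST = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\shell32.dll",
}
ADMIN_TOOLS = {"cmd.exe", "regedit.exe"}                   # what UAC prompts for blindly
WEB_FACING = {"chrome.exe", "firefox.exe", "outlook.exe"}  # browsing / email parents
# image = full path about to run, parent = launching image name, cmdline = its command line
ProcessStart = namedtuple("ProcessStart", "image parent cmdline", defaults=("",))
def norm(path): return path.strip().lower()
def basename(path): return norm(path).rsplit("\\", 1)[-1]

def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur: tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + [cur] if cur else tokens

def rundll32_target(cmdline):
    """DLL path from 'rundll32.exe <dll>,<entry> ...', or None if no DLL is given."""
    parts = split_cmdline(cmdline)
    if len(parts) < 2 or basename(parts[0]) != "rundll32.exe":
        return None
    return norm(parts[1].split(",", 1)[0])

def evaluate(ev, whitelist=WHITELIST):
    """Decide before the process runs: (verdict, reason, file to show the user)."""
    image = norm(ev.image)
    if basename(image) == "rundll32.exe":
        # The DLL is the real payload, so surface it rather than just the command line.
        dll = rundll32_target(ev.cmdline)
        if dll is None:
            return "block", "rundll32 without a DLL argument", image
        if dll not in whitelist:
            return "block", "non-whitelisted DLL via rundll32", dll
        return "allow", "whitelisted DLL via rundll32", dll
    if image not in whitelist:
        return "block", "non-whitelisted executable, blocked pre-execution", image
    if basename(image) in ADMIN_TOOLS and basename(ev.parent) in WEB_FACING:
        return "block", "admin tool spawned by a browser/email client", image
    return "allow", "whitelisted, trusted parent", image
```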

Offline Shmu26

  • Jr. Member
  • Posts: 55
Re: VoodooShield v4 STABLE Thread
« Reply #1106 on: November 15, 2018, 03:28:23 pm »
Thanks Dan, and I really like your creative thinking!

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 456
Re: VoodooShield v4 STABLE Thread
« Reply #1107 on: November 15, 2018, 03:40:19 pm »
Hi Dan, just noticing that if I set to Disable/Install mode, upon reboot it goes back to Smart mode, and before it used to stay in Disable/Install mode until I changed it back to Smart Mode. v4.65

TIA,

Daniel
Hey TH... please download the latest version from our website.  It should be fixed, but if not, please let me know, thank you!

https://voodooshield.com/Download/InstallVoodooShield465.exe


Offline Triple Helix

  • Administrator
  • Sr. Member
  • Posts: 412
  • Truth is more of a stranger than fiction.
Re: VoodooShield v4 STABLE Thread
« Reply #1108 on: November 15, 2018, 05:26:47 pm »
Hi Dan, just noticing that if I set to Disable/Install mode, upon reboot it goes back to Smart mode, and before it used to stay in Disable/Install mode until I changed it back to Smart Mode. v4.65

TIA,

Daniel
Hey TH... please download the latest version from our website.  It should be fixed, but if not, please let me know, thank you!

https://voodooshield.com/Download/InstallVoodooShield465.exe

It's the same file and same hash. Maybe time for a clean reinstall?
Microsoft® Windows Insider MVP - Windows Security
Webroot SecureAnywhere Complete & VoodooShield Pro
Alienware 17R5 Laptop with the new i9-8950HK Processor, 32GB of RAM and 2 Samsung NVMe 960 Pro's.

Offline Mx

  • Youngling
  • Posts: 29
Re: VoodooShield v4 STABLE Thread
« Reply #1109 on: November 15, 2018, 07:07:33 pm »
which is why most dll malware utilizes rundll32.exe to execute the malicious code.

Thank you, Dan, but is there a chance that another exe may import/launch the malicious dll?