Author Topic: VoodooShield v5 STABLE Thread  (Read 5958 times)

Offline Shmu26

Re: VoodooShield v5 STABLE Thread
« Reply #90 on: June 13, 2019, 09:18:58 am »
... It might be relying on the signature, which can be stolen or purchased illegally. And if the file is new enough, it will have a low VT rating, too.
...

Why so much reliance on signatures?  When will people wake up to the concept that malware devs can do everything that bonware devs can do?  It is not hard to get a genuine, legitimate Certificate, even an Extended Certificate.

AND, we know that the entire Certificate system is at best rickety, completely dodgy at worst.

Much better to rely on the author's hash...  Although, wasn't there a security house that had its download repository invaded and compromised?  The one that Avast was purchasing?

This is where it pays to run an on-demand scanner over the suspect.
Digital sigs help a lot in detection. An unsigned file can be slightly modded a thousand times, and that makes it hard to detect, because the hash changes every time. They just pack some random, garbage code into the file, and send it out again.
But you can't mod signed files, because it breaks the sig. So once a signed file reaches an acceptable prevalence and age, it is pretty well fingerprinted and under control.

Offline gorblimey

Re: VoodooShield v5 STABLE Thread
« Reply #91 on: June 13, 2019, 03:19:29 pm »
...
Digital sigs help a lot in detection. An unsigned file can be slightly modded a thousand times, and that makes it hard to detect, because the hash changes every time. They just pack some random, garbage code into the file, and send it out again.
But you can't mod signed files, because it breaks the sig. So once a signed file reaches an acceptable prevalence and age, it is pretty well fingerprinted and under control.

Ahhhh, of course!  How to pack a hash into the download  8)  Yessss!  Ease of automation :)

But given the fragility of the Certificate System, I think I'll stay with copying a hash off the author's home page.  And passing the on-demand scanner over it...
____________________
Win7 HPx64 SP1, VoodooShield, WFC

Offline Shmu26

Re: VoodooShield v5 STABLE Thread
« Reply #92 on: June 16, 2019, 07:52:13 am »
I got a block today for mpcmdrun.exe
I understand better why this happens. It runs from a random path in ProgramData:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\MpCmdRun.exe

It is for updating Windows Defender.

Offline Geri123

Re: VoodooShield v5 STABLE Thread
« Reply #93 on: June 16, 2019, 08:58:47 am »
But given the fragility of the Certificate System, I think I'll stay with copying a hash off the author's home page.  And passing the on-demand scanner over it...

How do you know the author's site is not compromised and a phony file with matching hash replaced the "good" file? The next step would be to get the hash from the author's homepage and the file from a well respected download site to see if they match, and VirusTotal of course (given they just replaced an existing version). But somewhere along the road you will end up with a headache :D

Got the same "ask block" for Windows Defender as Shmu26 did.

Offline Shmu26

Re: VoodooShield v5 STABLE Thread
« Reply #94 on: June 16, 2019, 09:14:30 am »
Got the same "ask block" for Windows Defender as Shmu26 did.
Fortunately, VS allows the process to run, most of the time. It only gets blocked every once in a while, according to what I see in the log. :)

Offline gorblimey

Re: VoodooShield v5 STABLE Thread
« Reply #95 on: June 16, 2019, 11:21:44 am »
But given the fragility of the Certificate System, I think I'll stay with copying a hash off the author's home page.  And passing the on-demand scanner over it...
How do you know the author's site is not compromised and a phony file with matching hash replaced the "good" file? The next step would be to get the hash from the author's homepage and the file from a well respected download site to see if they match, and VirusTotal of course (given they just replaced an existing version). But somewhere along the road you will end up with a headache :D

Actually I addressed this at https://calendarofupdates.org/index.php?topic=4512.msg11067#msg11067.  (I was simply too lazy to look up the breach at that time.)  IIRC that was CCleaner soon after the sale to Avast, but before it was formally announced.  And some people still don't fully trust the CCleaner product.

But given that the digital signature is simply a method of stitching a hash to the file, how do we know blah blah blah?  The answer is, we don't.  At This Moment, there is no good way of determining the cleanliness of a given download other than emailing the author and asking for the correct hash.  If the author will respond in a timely fashion...

In the end, it boils down to what you said: well-respected download site, and hope the author is customer-oriented.
« Last Edit: June 16, 2019, 11:32:50 am by gorblimey »
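The cross-check the two posts above describe (hash copied from the author's page, file fetched from a download mirror), written out as an added Python example; it is not code from the thread or from VoodooShield, and the installer bytes and the page text are constructed stand-ins:

```python
"""Verify a download against a hash published by the author.
Added example, not VoodooShield code. The installer bytes and the
'author page' text below are constructed for the demonstration."""
import hashlib
import hmac
import os
import re

# Accept the usual ways a hash is published: bare hex, "SHA-256: <hex>",
# or a sha256sum-style "<hex>  filename" line. Assumption: hex digests only.
HEX_RE = re.compile(r"\b([0-9a-fA-F]{32,128})\b")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def extract_hash(text: str):
    """Return (algorithm, lowercase hex) for the first digest found in text."""
    m = HEX_RE.search(text)
    if not m:
        return None
    digest = m.group(1).lower()
    algo = ALGO_BY_LEN.get(len(digest))
    return (algo, digest) if algo else None


def verify_bytes(data: bytes, published: str) -> bool:
    """True only if data hashes to the digest copied from the author's page."""
    found = extract_hash(published)
    if found is None:
        return False
    algo, digest = found
    if algo in ("md5", "sha1"):
        return False  # collision-prone digests are not accepted as proof
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, digest)


def padded_copy(data: bytes, n: int = 16) -> bytes:
    """Append n random bytes: the 'slightly modded' variant from the thread."""
    return data + os.urandom(n)


# Constructed sample: a stand-in for the installer and the author's page text.
SAMPLE = b"MZ\x90\x00" + b"example installer bytes" * 8
PUBLISHED = "SHA-256: " + hashlib.sha256(SAMPLE).hexdigest()
WEAK_PUBLISHED = "MD5: " + hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    print("clean copy matches:", verify_bytes(SAMPLE, PUBLISHED))
    print("padded copy matches:", verify_bytes(padded_copy(SAMPLE), PUBLISHED))
```

For a real download, pass `open(path, "rb").read()` as `data` and the text copied from the author's page as `published`; the check only proves the mirror's file matches the author's page, not that the page itself is untouched, which is the gap Geri123 points out.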

Offline gorblimey

Re: VoodooShield v5 STABLE Thread
« Reply #96 on: June 18, 2019, 03:56:56 am »
I understand better why this happens. It runs from a random path in Programdata:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\MpCmdRun.exe

It is for updating Windows Defender.

Isn't it amazing.  Security software that runs just like malware.  Talk about Secret Police!

I ditched ZAM Free for this behaviour...  VS wouldn't let it self-update  8)

Offline Telos

Re: VoodooShield v5 STABLE Thread
« Reply #97 on: June 20, 2019, 09:30:03 pm »
Typo...


and this too...

Offline Geri123

Re: VoodooShield v5 STABLE Thread
« Reply #98 on: June 21, 2019, 07:10:28 pm »
Random feedback: Updating AdGuard (paid) from stable to release candidate came down to "do I trust AdGuard?" (Update was done from within AdGuard by changing channel from stable to beta)
After 3 (or maybe more) VS 5.00 prompts for *.tmp with no blacklist info and a high ai score I put VS to install....


Offline oldschool

Re: VoodooShield v5 STABLE Thread
« Reply #99 on: June 21, 2019, 08:53:01 pm »
@Geri123 - Notifications followed from your update to AdGuard beta. IDK what mode you normally use, but if you're installing something you know, changing to Install/Disable is the way to go. AdGuard is writing to your temp file as well, so you know VS is watching.  8)
« Last Edit: June 21, 2019, 11:47:33 pm by oldschool »
"... still trying to find the answers to life's persistent questions..." - Guy Noir, Private Eye

W10 1903 AVG Free Beta + VoodooShield Pro

Offline Geri123

Re: VoodooShield v5 STABLE Thread
« Reply #100 on: June 21, 2019, 10:05:35 pm »
@oldschool Switching between "smart" mode and "autopilot".  For me most programs install just fine while on "autopilot". So I try to avoid installing programs in "install mode". A few programs seem to need a lot of tmp files for whatever reason to install sadly :/
So it's either VS is watching and with bad luck lots of prompts or VS only watches the newly installed exe's when I enable it again?
I feel a bit guilty guilty pleasure trying to use VS as a second safety net along Windows Defender for installs ;D  (thanks oldschool)
« Last Edit: June 22, 2019, 07:54:26 am by Geri123 »

Offline oldschool

Re: VoodooShield v5 STABLE Thread
« Reply #101 on: June 21, 2019, 11:50:53 pm »
Switching between "smart" mode and "autopilot".  ;D

It's definitely the writing to temp that is the culprit.

I think you mean guilty pleasure ... !  ;)

Offline djg05

Re: VoodooShield v5 STABLE Thread
« Reply #102 on: June 24, 2019, 10:53:12 am »
VS 5.01 running smoothly on Win 8.1 Pro. Not yet committed to Win 10.

Offline Triple Helix

Re: VoodooShield v5 STABLE Thread
« Reply #103 on: June 25, 2019, 12:22:39 am »
Microsoft® Windows Insider MVP - Windows Security
Webroot SecureAnywhere Complete & VoodooShield Pro
Alienware 17R5 Laptop with the new i9-8950HK Processor, 32GB of RAM and 2 Samsung NVMe 960 Pro's.

Offline oldschool

Re: VoodooShield v5 STABLE Thread
« Reply #104 on: June 25, 2019, 02:10:11 am »
Some users are reporting issues with USB showing/not showing as intended and/or Smart Mode not toggling as it should. Please post here if you are one of them and send DeveloperLog.log in the C:\ProgramData\VoodooShield folder to Dan. Help keep VS on the move.  8)