Author Topic: VoodooShield v4 STABLE Thread  (Read 46091 times)

Offline ssherjj

  • Global Moderator
  • Jr. Member
  • Posts: 91
Re: VoodooShield v4 STABLE Thread
« Reply #735 on: July 15, 2018, 01:01:49 am »
Here is 4.51beta! 

The only practical way of fixing the VPN bug was to upgrade VS to .net 4.5.  Since .net 4.5 is native to all recent Windows versions except Windows 7, this should work out really well since .net will not need to be installed on any endpoints except for Windows 7.  Besides, I imagine at this point most Windows 7 computers have .net 4.5 installed anyway, so VS will just skip the .net install.

Hopefully the VPN bug is fixed, but if not, please let me know.  Upgrading the SignalR dll will also allow us to do some really cool things with the Web Management Console.

There were only small changes to the actual VS code, so I do not think there will be any bugs with the VS code.  However, there were massive changes to the installer and the dependencies, so I would not at all be surprised if we see a few bugs… although I tested the heck out of it to ensure this version was as bug free as possible, since there were so many changes.

Overall, to me it looks like VS runs even faster and smoother under the 4.5 runtime compared to the 3.5… please let me know if you guys experience this as well.  You might notice that the installer grew significantly in size… this is a result of the increased size of the dependencies that are packaged with the installer.

SHA-256: 3fa2a59e81bf9d43511a5751cb7ea24d4a38bb8e3a41c9dd4ecb5cb5da3183b2

www.voodooshield.com/Download/InstallVoodooShield451beta.exe

Have a great weekend, thank you guys!

Thank you Dan! I just installed the VS451beta!  :)
Microsoft® Windows Insider MVP - Windows Security 
Webroot® SecureAnywhere™ Expert Product Advisor Webroot Forum Gold VIP  (Beta Tester)
VoodooShields  v4.54

Offline gorblimey

  • Jr. Member
  • Posts: 59
Re: VoodooShield's Shield USB indicator
« Reply #736 on: July 15, 2018, 01:57:00 am »
... I have no active USB devices present ...

I'm assuming you have W10 there, but Windows generally is rather iffy in handling USB ports.  Generally, if the port has a non-stick in it, it treats whatever is in the port as a HDD, so doesn't raise a flag.  For example, if I stick my scanner in the USB, or plug my Bluetooth in for charging, W7 treats those as "not a device".  And my multi-card reader (it also writes!) is seen by W7 as 4 unused HDDs, and I had to give them drive letters; also, VS does not see them as USB devices.

When VS sees a USB flag, it automatically locks the box, hence the blue shield.  BTW, I'm still only using 4.20, so you may have VS features I don't know about.  But I'm pretty sure you're suffering from W10-itis  :(

EDIT:  Having just completed my morning Caffeine treatment, I realise that the only action you need to take is the routine "If in doubt, just Block it.  If you do recognise it, Let it Run."
END EDIT.
« Last Edit: July 15, 2018, 02:08:46 am by gorblimey »
____________________
Win7 HPx64 SP1, VoodooShield 4.20, WFC

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield v4 STABLE Thread
« Reply #737 on: July 15, 2018, 03:09:24 am »
Curious here... a few of my programs bring up the "Install" option when I first run them... particularly Paint.NET (portable) and Evernote (installed version).

Why?
Thank you guys for letting me know that the new framework is doing well... that is great to hear.  I am going to just reply to the posts that have questions to save a little time... thank you guys for all of your help ;).

VS has an installer detector that detects if a new, non-whitelisted item is a standard executable or an installer.  That way, if VS detects the new item as an installer, the Install button is displayed instead of the Allow button, so that VS will toggle to OFF during the installation.

We do need to add a few more definitions to our installer detector, and I should be able to do that soon.  Thank you!

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield's Shield USB indicator
« Reply #738 on: July 15, 2018, 03:13:51 am »
This is prolly vague... but sometime yesterday my shield decided to change to USB status. I have no idea why. Maybe I mounted something... but still today it's there and everything is normal. I'm pretty sure a reboot will clear it, but I'm wondering why the USB indicator at all??? How does that inform the user... besides.... hey... you gotta a USB device plugged in. OK... So what?

What's the purpose of the USB indicator? What action should a user take when it's there?
The USB label indicates that VS detected the insertion of a USB drive so that people are not curious why VS does not toggle to OFF when all of their web apps are closed.  Basically, the USB label is indicating that a USB drive was inserted, and VS toggled to ON when the USB drive was inserted.

I hope that makes sense, but if not, please let me know.  BTW, the USB label works pretty well for the most part, but I think we can do a little tweaking on it so it will be a little more refined.

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield v4 STABLE Thread
« Reply #739 on: July 15, 2018, 04:48:48 am »
Hi all!
VS 4.50 on Win 10 alongside Avast Free set to Aggressive mode, which should mean all execution attempts are compared to the Avast Cloud Whitelist.  I.e. when I updated VS, Avast chipped in to block, so I had to manually allow an exception for VS.  Now VS is set as an exception in Avast.  (Might be I have left free Avira for good.)

- Maybe overkill to have two whitelist progs?
- VS doesn't start every time anymore. Last Win 10 update could be the problem? Dan will fix?
- I would like to see i.e. "Voodooshield ver 4.50 in Smart Mode" when I hover over the icons.
- Can Malware be set to execute say one hour after arrival? If so, will Smart Mode protect me if I have shut down Chrome and Outlook and VS is Off? Is always ON the only way?

Like VS very much so far. Ordinary user with more interest than knowledge when it comes to security.
Nice to meet you WhyNot! 

VS's whitelisting feature is quite different from all of the other whitelisting products.  We have several proprietary and patented features that allow VS to do things that other products cannot do.  Well, if they do, please let me know ;).  Anyway, VS is not actually an application whitelisting utility... it certainly shares some similarities, but it is much more appropriate to classify VS as a user-friendly toggling computer lock.  There are not any other user-friendly toggling computer locks, so there is probably not a class to put VS in, which is probably why most people just classify it as an application whitelisting utility.

Let me explain how I came up with the idea / concept for VS, and that will help explain what VS is all about, and how it is so incredibly different from all of the other products.  The night I came up with the idea, it was 3am and I was removing malware for 2 different clients on 2 different laptops.  At that time, I had been a computer consultant for 13 years, and the one question people kept asking me over and over again was “I have antivirus software, how did I get a virus?”.  For the longest time, it was difficult for me to explain to my clients why they were infected even though they had antivirus software installed.  I knew innately why it was so… but I just could not put it into words… especially words that they would understand.  I love my clients, but most of them are extreme computer novices, and they would never understand such things 😉. 

Anyway, it was 3am and I started removing the malware, and the first thing I did was to bring up the task manager so I could start investigating the malware.  When I opened the task manager, the malware immediately killed it, and simply would not let me open the task manager or any other software.  Out of pure frustration, I said out loud “man, if I could just do what the malware is doing to the computer / me, but be first, so that I was in control… then we would not have this problem”.  So then I was thinking… man, we just need to take a snapshot of all of the running processes, and not let anything else start unless we allowed it.  Then 20 seconds later I thought to myself… no, that would be a huge pain to have to manually allow everything… a fulltime lock is certainly not the answer.

Then a few minutes later, I was looking down at the clock because I knew it was getting late, and that is when I happened to imagine a desktop shield gadget / computer lock, that the user could manually click on to toggle the computer lock from OFF to ON.  So then I was thinking… you know, there might be something to this.

Then another few minutes later, once I was actually able to start programs without the malware killing them, I opened a web browser, and out of sheer coincidence, I happened to imagine the lock / desktop shield gadget toggling from OFF to ON as I opened a web browser.  And I was like… “That’s it!!!  Whenever I am doing something risky on the computer, it needs to be locked.  Then when I am not doing anything risky, the protection will automatically toggle to OFF.”

So then I started to get excited about this concept and called an acquaintance (who was a developer for Hallmark Cards at the time) the next day to tell him the idea.  He loved the idea and we got to work immediately on VS.

Keep in mind application whitelisting was very uncommon back then and there were very, very few application whitelisting products on the market.  The only one that I heard about was Faronics Anti-Executable (there were others but they are no longer around)… and the only reason I heard about it was because our patent attorney found their patent during the patent search.  Luckily the concept of VS did not infringe on their patent at all… and the reason is quite simple… VS is not an application whitelisting product… it is a toggling computer lock 😉.

As far as global / cloud whitelisting is concerned… it is definitely a worthwhile security mechanism, but it certainly is nowhere nearly as effective as locking the computer.  First, look at the link below… there are roughly 3.5 times the number of safe files compared to malware.

https://www.virustotal.com/en/statistics/

This cracks me up… the industry has been saying now for a very long time that “Antivirus cannot keep up with all of the new malware.”  Ummm… if they cannot keep up with the blacklist or signatures, how are they going to keep up with a whitelist that is roughly 3.5 times larger?  Not only that, but how do they absolutely guarantee that a file they are adding to the global cloud whitelist is 100% safe.

Also, keep in mind, I currently have 220 items on my whitelist (I just checked 😉)… compare that to millions or billions of items on a global cloud whitelist.  I mean, if you are a bouncer at a bar, you can handle 220 people… but you cannot handle millions or billions. 

See, AV companies have malware detection machines (sandboxes) running 24x7 to continually analyze all of the new samples.  These machines are quite similar to Cuckoo Sandbox, but I am certain that most of them are much more sophisticated and accurate.  No offense to Cuckoo… it is a phenomenal product, but a lot of AV companies have a massive budget and research / development team that is able to create some really cool stuff.

But anyone who has been working with malware long enough will tell you that even the most sophisticated malware detection machines have limitations… severe limitations.  This is equally true for the machine learning / Ai products.  The cybersecurity companies also have malware researchers who supplement the automatic analysis performed by these machines, but it is a massive workload and they can never keep up.  Not only that, but from my experience, all malware detection mechanisms can be tricked… including VoodooAi.

And since they can be tricked, if security is important enough to the end user, the only reasonable solution is to install a deny-by-default product, as opposed to an allow-by-default product.  I prefer VS because it is not a constant lock as it offers the end user multiple levels of protection.  Think of it this way… do you use an umbrella when it is not raining?  No, that would be a huge pain, right?  For the very same reason, computers should not be locked fulltime. 
VS is the only product that is able to automatically and dynamically adjust the level of protection based on the end user’s activities.  If the end user is engaging in risky behavior, the security product should be more aggressive (well, the computer should be locked).  If the end user is playing Microsoft Solitaire, writing a letter, using Quickbooks, etc., the level of protection should be lowered.

Since its inception, the security industry has only focused on HOW users become infected, and as far as I know, VS is the only product that also focuses on WHEN the user becomes infected.  Having said that… the security industry has come a very, very long way in the last 6-7 years, and there are tons of truly amazing products on the market now.  They all offer one level of protection (unless the user manually changes a setting or disables the product), which is more than sufficient for when the end user is not engaging in a risky activity such as browsing the web or checking email.  But when the user is engaging in risky activity, I think it is wise to automatically lock the computer with VS 😉.  Besides, VS complements all AV’s very, very nicely… and actually, with most AV products, when VS toggles to OFF, it should actually stop all protections and not block anything… and basically let the AV do its thing.  At some point we will implement this, but a lot of users are now running just VS with Windows Defender, because it has improved drastically over the last couple of years… and basically, I am just being a little extra cautious for now.

So back to my original story.  If a user were to ask me today “I have antivirus software, how did I get a virus”, I would simply say… “because your computer was not locked when you were at risk”.


As far as your other questions / recommendations go… 😉

- VS doesn't start every time anymore. Last Win 10 update could be the problem? Dan will fix?
   This should be fixed in 4.51, but if not, please let me know!
- I would like to see i.e. "Voodooshield ver 4.50 in Smart Mode" when I hover over the icons.
   Interesting… do you mean when you hover over the desktop shield gadget?  Thank you for the suggestion… we might be able to do something really cool with that 😉.
- Can Malware be set to execute say one hour after arrival? If so, will Smart Mode protect me if I have shut down Chrome and Outlook and VS is Off? Is always ON the only way?
   No… this should not be a concern.  I guess technically someone could hack a website and create a timer that would fire in an hour or so, but this is highly unlikely.  Besides, even when VS is OFF, it is VERY protective when it comes to web apps, and VS should easily block something like this.  Now, if you are talking about a standard malware executable… remember, the executable has to run first in order to be able to start a timer 😉.

Wow… longest post ever 😉.  Hopefully the other ones will go a little quicker 😉.  Thank you!


Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield v4 STABLE Thread
« Reply #740 on: July 15, 2018, 04:51:52 am »
Every now and then VS 4.50 icon shows "off" when selected "always on" mode on win 7 64bit.
The screenshot is after a fresh reboot, i just opened the settings to show mode!
When i change modes to whatever and back to "always on" the icon is ok again.

Just a bit irritating to see off when you expect on :D
There is an option on the VS Settings / Basic tab... Second from the bottom... Automatically deactivate after 10 mins of system idle.  Is this what you are talking about? ;)

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield v4 STABLE Thread
« Reply #741 on: July 15, 2018, 04:54:22 am »
Thanks Dan!
So one little problem I've experienced with 4.51beta. I clicked to install Voodooshield and Kaspersky has flagged it as a PDM:Trojan.Win32.Generic.
I'll send the file to VirusTotal to check if other engines flag it as a trojan.
Cool.. thank you for letting me know!  Yeah, False Positives happen.  It is getting harder and harder to distinguish good files from bad, so everyone is making their engines and mechanisms a little more aggressive... so I imagine FP's will only increase in the coming years.

You know, sometimes I think it would just be easier to lock the computer when it is at risk ;).  Kinda takes the guess work out of the whole thing, huh? ;).

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield v4 STABLE Thread
« Reply #742 on: July 15, 2018, 05:03:54 am »
... but I have had some issues with the installer.  My Pascal is a little rusty… well, it is super rusty ...

Pascal? ??? :o  Last time I saw that was early '70s, and nobody had a good word to say about it.  The most frequent polite comment I heard was along the lines of "What in the name of Algol are you doing with that?"

So, if you need a decent installer, take a dekko at https://www.gammadyne.com/centurion.htm.

ANYHOO, I have a different problem.  I need absolutely to whitelist C:\Windows\hh.exe.  I have a number of programs that use compiled HTM help files, and having to allow hh.exe each time is... annoying.  Very.  I have tried setting an Allow Rule, but the blacklist seems to be hardcoded.  FWIW, being a halfway good citizen, I have disallowed hh.exe outbound to everywhere, and in addition it has never been pinged even by Avast! when I was using that.  Is there any way I can get hh.exe to run without having to go through the "Allow" procedure?  I'm still using 4.20, but I'm considering an upgrade.
begin

Thank you... we actually use InnoSetup, which is an amazing installer... it is one of the installers that a lot of devs use.  It has a special code section that is highly flexible and allows you to do some really cool stuff for your installer, but it is all in Pascal, which I am not good with at all.

That is funny that you mention hh.exe... please try 4.51, there is a chance that it is fixed.  I accidentally clicked on Help and Support the other day and VS blocked hh.exe, so I fixed it... well, I think it is fixed.  The only thing is, there might be a different parent process that triggers hh.exe, and if so I will need to add it as well.

Which reminds me... a lot of people forget that in addition to name, hash, and path comparison, VS also does parent process path comparison, which really freaking locks down the system with a super robust lock.  It initially caused massive problems and unwanted blocks for 4-5 months while I worked everything out, and I have to say, it was worth it. 

end

(I hope the old Pascal people spot my Pascal joke ;))
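The four-way comparison described above (name, hash, path, and parent process path) and the hh.exe-from-the-Start-Menu case, as an added illustration that is not VoodooShield's code; the rule format, the sample hash and the parent paths are constructed for the example:

```python
"""Toy allow-rule evaluator: an executable is allowed only when its name, full
path, content hash AND launching (parent) process all match a rule.
Constructed example, not VoodooShield's implementation."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


def norm_path(p: str) -> str:
    """Windows paths are case-insensitive; normalise before comparing."""
    return p.strip().replace("/", "\\").lower()


@dataclass(frozen=True)
class AllowRule:
    name: str                       # expected file name, e.g. "hh.exe"
    path: str                       # expected full path of the executable
    sha256: Optional[str] = None    # pin the file content; None = path-only rule
    parent_paths: FrozenSet[str] = frozenset()  # allowed launchers; empty = any


@dataclass(frozen=True)
class ExecEvent:
    path: str          # executable being started
    sha256: str        # hash of its content
    parent_path: str   # full path of the process that started it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(rules: List[AllowRule], ev: ExecEvent) -> Tuple[str, str]:
    """Return ("allow", reason) if some rule fully matches, else ("block", reason)."""
    ev_path = norm_path(ev.path)
    ev_name = ev_path.rsplit("\\", 1)[-1]
    ev_parent = norm_path(ev.parent_path)
    reason = "no rule for this executable"
    for r in rules:
        if r.name.lower() != ev_name:
            continue
        if norm_path(r.path) != ev_path:
            reason = f"name matches but path differs: {ev.path}"
            continue
        if r.sha256 is not None and r.sha256.lower() != ev.sha256.lower():
            reason = "path matches but hash differs (file replaced?)"
            continue
        if r.parent_paths and ev_parent not in {norm_path(p) for p in r.parent_paths}:
            reason = f"unexpected parent process: {ev.parent_path}"
            continue
        return "allow", f"matched rule for {r.path}"
    return "block", reason


# Constructed sample data: stand-ins for the real hh.exe bytes and the real hash.
HH_PATH = r"C:\Windows\hh.exe"
HH_HASH = sha256_hex(b"constructed stand-in for hh.exe contents")
EXPLORER = r"C:\Windows\explorer.exe"
MYAPP = r"C:\Program Files\MyApp\myapp.exe"   # hypothetical app with a .chm help file

RULES = [AllowRule("hh.exe", HH_PATH, HH_HASH, frozenset({EXPLORER, MYAPP}))]

# Start Menu shortcut to a .chm: hh.exe is spawned by explorer.exe -> allowed.
FROM_START_MENU = ExecEvent(HH_PATH, HH_HASH, EXPLORER)
# Same binary spawned by a program no rule names -> blocked by the parent check alone.
FROM_UNKNOWN = ExecEvent(HH_PATH, HH_HASH, r"C:\Users\bob\Downloads\setup.exe")
# Right path and parent, but the file content changed -> blocked by the hash check.
REPLACED_BINARY = ExecEvent(HH_PATH, sha256_hex(b"different bytes"), EXPLORER)

if __name__ == "__main__":
    for ev in (FROM_START_MENU, FROM_UNKNOWN, REPLACED_BINARY):
        verdict, why = decide(RULES, ev)
        print(f"{verdict:5} {ev.path} <- {ev.parent_path}: {why}")
```

The parent set is what makes a rule like "allow hh.exe" safe to keep: a launcher the rule does not list is still blocked even though name, path and hash all match.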

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield's Shield USB indicator
« Reply #743 on: July 15, 2018, 05:04:46 am »
What's the purpose of the USB indicator? What action should a user take when it's there?

USB devices are recognised infection vectors, particularly the ubiquitous sticks, aka "thumbdrives".  The infection happens when (older) OS's see an autorun.inf file and obey its instructions.  W7++ are supposed to have blocked this avenue, but: thumbdrive controllers can be infected as well, which is much more difficult to detect before the catastrophe.

Remember the Stuxnet virus?  And how it got onto Iranian computers?  So Dan has done exactly the right thing.
Thank you... that too ;).

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
  • Sr. Member
  • Posts: 331
Re: VoodooShield v4 STABLE Thread
« Reply #744 on: July 15, 2018, 05:06:28 am »
Thanks again everyone... sorry I only replied to the questions... enjoy the rest of your weekend!

Offline gorblimey

  • Jr. Member
  • Posts: 59
Re: VoodooShield v4 STABLE Thread
« Reply #745 on: July 15, 2018, 07:27:11 am »
That is funny that you mention hh.exe... please try 4.51, there is a chance that it is fixed.  I accidentally clicked on Help and Support the other day and VS blocked hh.exe, so I fixed it... well, I think it is fixed.  The only thing is, there might be a different parent process that triggers hh.exe, and if so I will need to add it as well.

Er, unfortunately, no, it's not.  Most times I'm invoking Help directly from the program UI, but the problematic ones I'm calling help from the Start Menu.  The attachment shows that I shortcut the .chm, and Windows figures out everything else.  In these cases, there is generally not a Program UI to play with (or I don't want to light up the app) so no Parent Process...  I have assumed that hh.exe will only be called to chaperone .chm files?

ALSO, Advanced Settings does not properly clean the previous view from underneath the Anti-Exploit list. (W7, Classic Desktop, "Classic Start Menu").  I tried to show a screen-shot, but that didn't show the unswept bits :(
____________________
Win7 HPx64 SP1, VoodooShield 4.20, WFC

Offline Geri123

  • Youngling
  • Posts: 40
Re: VoodooShield v4 STABLE Thread
« Reply #746 on: July 15, 2018, 09:54:40 am »
Every now and then VS 4.50 icon shows "off" when selected "always on" mode on win 7 64bit.
The screenshot is after a fresh reboot, i just opened the settings to show mode!
When i change modes to whatever and back to "always on" the icon is ok again.

Just a bit irritating to see off when you expect on :D
There is an option on the VS Settings / Basic tab... Second from the bottom... Automatically deactivate after 10 mins of system idle.  Is this what you are talking about? ;)
I forgot to mention I disabled the "automatically disable". I want VS to work 24/7 and that's why I was so confused to see "OFF".
I disabled the "automatically disable" and VS was on "always on"; still VS got to "OFF" as shown on screen.

Offline djg05

  • Youngling
  • Posts: 26
Re: VoodooShield v4 STABLE Thread
« Reply #747 on: July 15, 2018, 11:38:39 am »
Just installed 4.51 and double clicking the icon is not working. Win 8.1 Pro.

Noticed that it has gone back to just putting it in the task bar. I run with the T/B on auto hide.
 
David

Offline Telos

  • Youngling
  • Posts: 37
Re: VoodooShield's Shield USB indicator
« Reply #748 on: July 15, 2018, 05:15:05 pm »
What's the purpose of the USB indicator? What action should a user take when it's there?
The USB label indicates that VS detected the insertion of a USB drive so that people are not curious why VS does not toggle to OFF when all of their web apps are closed.  Basically, the USB label is indicating that a USB drive was inserted, and VS toggled to ON when the USB drive was inserted.

I hope that makes sense, but if not, please let me know.  BTW, the USB label works pretty well for the most part, but I think we can do a little tweaking on it so it will be a little more refined.
Great answer. Thank you.

I get USB "FP's" when I open MakeMKV to rip a DVD. After ripping and closing MakeMKV, the USB notification remains present until I quit VS (reboot or otherwise).

Maybe you can duplicate that.

Offline simmerskool

  • Youngling
  • Posts: 45
Re: VoodooShield v4 STABLE Thread
« Reply #749 on: July 16, 2018, 12:05:46 am »
I did a clean install of 4.51_beta on win7x64.  I've been running about 12 hours with VPN and no crashes! No issues to report.
Thanks Dan.