Topic: VoodooShield v4 STABLE Thread

Offline acooldozen

Re: VoodooShield v4 STABLE Thread
« Reply #435 on: April 08, 2018, 12:36:12 am »
Tell me you are kidding?
.........and make yourself a Great Day! Cheers, Lyle

Offline khanyash

« Reply #436 on: April 08, 2018, 02:34:36 am »
Ok try this:

Without any browser open, plug in your smartphone to the USB port to charge. The desktop icon will turn blue with USB on it.
Now open Edge and unplug the USB cord. The USB will go away. Now plug the USB cable back in, and on my machine the USB never comes back.

Step 2: Now shut down Edge and wait a few minutes. The desktop icon remains blue with no USB. Now unplug the USB and it should go to off. Now plug the USB back in and you will see blue with USB again.
I am just wondering if this is just my machine or others see this too.

ON and USB are the same, i.e. computer locked and protected.

ON - when a web app is running.
USB - when a USB is inserted.

ON - when a web app is run first and then a USB is connected.
USB - when a USB is connected first and then a web app is run.

The above is my understanding.
« Last Edit: April 08, 2018, 03:44:51 am by ya5hkh4n »

Offline VoodooShield

« Reply #437 on: April 08, 2018, 03:34:41 pm »
4.26 working great Win 10 64bit

I'm not a smart man, Dan, but I do know what love is. I love you..
How funny, thank you Mr.Gump ;).  Usually people just say they love VS, but this is cool too ;).

Offline boredog

« Reply #438 on: April 08, 2018, 04:50:28 pm »
Ok try this:

Without any browser open, plug in your smartphone to the USB port to charge. The desktop icon will turn blue with USB on it.
Now open Edge and unplug the USB cord. The USB will go away. Now plug the USB cable back in, and on my machine the USB never comes back.

Step 2: Now shut down Edge and wait a few minutes. The desktop icon remains blue with no USB. Now unplug the USB and it should go to off. Now plug the USB back in and you will see blue with USB again.

Ok but still seems strange to me. I won't mention it again.

I am just wondering if this is just my machine or others see this too.

ON and USB are the same, i.e. computer locked and protected.

ON - when a web app is running.
USB - when a USB is inserted.

ON - when a web app is run first and then a USB is connected.
USB - when a USB is connected first and then a web app is run.

The above is my understanding.

Offline VoodooShield

« Reply #439 on: April 08, 2018, 04:58:19 pm »
How would one know to allow or block the msiexec.exe file? What does it do?  Attached is info for Dan.

It's the Microsoft Installer package.  It's almost certainly "protected", but in any case just leave it alone.

If you think it might be compromised, exit all of your AV suites: turn them off/disable them, then run an offline scan.  msiexec lives in many locations, this could take time.

I see your security app mentioned the program could be a hijack candidate.  The bad news is that almost any exe file is a hijack candidate: notepad, calculator, wordpad...

This sort of thing brings up the subject of Security 101: "Never assume your box is clean.  You must assume it has already been penetrated, and your task is to mitigate the damage."  Ideally, you start (over) with a fresh clean offline OS install.  Then you add the security system of choice, and only then do you add your productivity apps/suite(s) and maybe register the OS online.  At this stage you are desperately hoping the security suite is uncompromised...

Having said all that, assuming VS is installed on a clean box, it will protect you because anything that hijacks msiexec is not on the whitelist.  It is possible that msiexec is also not whitelisted but OTOH it is a system file and gets close attention from VS anyway.

My personal experience is that all of these wonderful security suites are a complete waste of time on a good day and a major hazard on all other days.  I use ZAM Free and MBAM Free separately to scan the system once a month, after which both are totally disabled (they have services) and VS is re-enabled to hold my hand for the rest of the month.  As soon as Glasswire gets multi-user capabilities I'll install it, light up Windows Firewall, and enjoy the best protection on the planet.
Absolutely... I am not going to turn VS into a security suite or a Swiss Army Knife.  I just think it would also be cool to add post execution behavior analysis to VS in a very unique way, especially since it is not like we are going to have to redesign VS from the ground up like we did in VS 4.0, which caused a lot of bugs.  There will actually be very, very few new bugs introduced.  Basically, now that VS is stable, there is not a chance that I am going to put the users or myself through a massive debugging process again.

In general, what I mean by this new feature that implements post execution behavior analysis is this...

First of all, from a high level, computers are machines that essentially perform one function... execute code.  The only practical way to keep them safe is to only allow them to execute the code that you knowingly want them to allow.   If you consider most or all of the non-Windows operating systems, they pretty much all operate on this principle, and typically require SU rights (e.g. password) in order for new executable code to be introduced / executed.  Somehow, the cybersecurity industry as a whole has abandoned this model in favor of a more user-friendly model, and somehow actually believes that it is able to sufficiently protect the system.  This is where the cybersecurity industry went wrong, and the end result has been massive breaches and massive growth in malware in the wild.... 6 years ago there were 15,000 new malware a day, now there are 300,000-1,000,000.

For example, have you ever noticed how a lot of the anti-ransomware tools start off as post-execution behavior blockers, and eventually evolve into anti-executables?  Well, there is a reason for that ;).  If you ask me, this is exactly backwards.  If all I ever run on my computer is Microsoft Word (to write letters), games, Quickbooks, Photoshop, etc., and never launch a web browser or email client (or USB), the computer is simply never going to become infected.  It is only when you are connected to the internet and start browsing the web and checking email, that you are at risk for infection. 

And this is exactly what a lot of people do not understand about VS.  They do not understand that if you simply block all known and unknown executable code when the user is engaged in risky activity, you have pretty much eliminated the problem.  I mean really, why would anyone ever allow new, non-whitelisted executable code when the user is browsing the web or checking email?

So you start with locking the computer when it is at risk.  But it would also be nice to monitor post-execution behaviors, such as ransomware, cryptominer, MBR, etc., in the event the user accidentally allowed something they should not have.  Basically, VS will be performing similar post-execution behavior analysis that the anti-ransom tools currently perform, but only after most of the bad items have already been filtered out by our lock.

Here is where things get interesting... if the user introduces new code while they were browsing the web or checking email, because of our initial patent, only VS can offer multiple levels of protection.  Basically, if a new item is allowed while the computer is at risk, it will be examined more closely by our post-execution behavior blocker than, for example, medical software that was installed when the computer was not at risk.  In OSX, there is a warning "This is an application downloaded from the Internet. Are you sure you want to open it?"  Well, this new feature will take this one step further... VS will simply mark / flag the item as being introduced while the user was doing something risky, if and only if the new item actually originated from a web app.

For example, I am sure that most of us have a folder where we store all of our favorite utilities / installers, much the same way SMB and enterprises store these items on a network share.  These items, and their associated child processes, will either not be subject to examination by the behavior blocker at all, or if they are, they will be examined less aggressively.

So basically any new executable code that originated from the internet, and was actively downloaded during the session, will be subject to close(r) examination by VS's post-execution behavior blocker.  Essentially what we will have is a behavior blocker that is aggressive when it needs to be, and far fewer false positives than traditional behavior blockers.  It is going to be seriously cool.  And trust me, there is not a chance that I will do anything to introduce tons of new bugs ;).

BTW, I think it is important to elaborate on the distinction between pre-execution and post-execution behavior blockers.  Examples of pre-execution "behavior" blockers are technologies like VS on AutoPilot (and when VS is in Smart OFF mode)... and another example is OSArmor.  When VS is ON (Always ON, Smart ON), it does not need these "behavior" blockers, simply because all new executable code should be blocked when the lock is on (usually because the computer is at risk).  This new behavior blocker feature will all happen post-execution, and will be a similar technology to the other security products that are focused on behavior blocking.  The main difference will be that VS should have far fewer false positives, because it will only closely monitor dangerous new items, as described above.

Either way, we will continue to offer the current version of VS until everyone is happy with the end result ;).  I am going to keep everything extremely simple... that is the whole point of VS ;).  Thank you!

Offline VoodooShield

« Reply #440 on: April 08, 2018, 04:59:36 pm »
Ok try this:

Without any browser open, plug in your smartphone to the USB port to charge. The desktop icon will turn blue with USB on it.
Now open Edge and unplug the USB cord. The USB will go away. Now plug the USB cable back in, and on my machine the USB never comes back.

Step 2: Now shut down Edge and wait a few minutes. The desktop icon remains blue with no USB. Now unplug the USB and it should go to off. Now plug the USB back in and you will see blue with USB again.
I am just wondering if this is just my machine or others see this too.

ON and USB are the same, i.e. computer locked and protected.

ON - when a web app is running.
USB - when a USB is inserted.

ON - when a web app is run first and then a USB is connected.
USB - when a USB is connected first and then a web app is run.

The above is my understanding.
That sounds about right to me... let me read through the various posts on the USB toggling and revisit this feature.  The last post took a lot longer than I expected, and I am running late, but I will catch up soon, thank you!

Offline Mx

« Reply #441 on: April 08, 2018, 07:42:31 pm »
Dan,

This means that with the new post-execution behavior analysis that VS will have, it will be able to block attacks like the CCleaner one?
That is, supposedly "trusted" applications (3rd party/OS) that with an update become bad (keylogging, data exfiltration, code injection, etc.)

Am I right?

Offline VoodooShield

« Reply #442 on: April 08, 2018, 11:14:01 pm »
Dan,

This means that with the new post-execution behavior analysis that VS will have, it will be able to block attacks like the CCleaner one?
That is, supposedly "trusted" applications (3rd party/OS) that with an update become bad (keylogging, data exfiltration, code injection, etc.)

Am I right?
Pretty much, yeah... but we will need to handle automatic software updates a little differently (since most do not utilize a web app to perform the update), but yeah, the whole point of this new feature is to mitigate attacks like you mentioned.  I have a couple of ideas on how to handle automatic software updates... it should be quite easy.  Thank you!

Offline gorblimey

« Reply #443 on: April 09, 2018, 03:45:15 am »
I have a couple of ideas on how to handle automatic software updates... it should be quite easy.  Thank you!

You need to take things like Zemana Anti Malware into account.  See https://www.wilderssecurity.com/threads/zam-free.395690/#post-2700849 for a really bad example.  IMHO VS handled the problem with flair and aplomb.

Ummmm... Of course.  Screenshot somewhere.  What ZAM does is generate a randomly named tmp update file (exe?) into %appdata\temp%, and then ¿executes? it.  I have now locked down %appdata\temp% on all accounts plus Program Data with a small set of Rules, so that will never happen again.

(Ummmm, yes.  On the Rules, is it possible to have something in the Rule name that looks like a qualified path to the folder/file of interest?  ATM it appears like I am referencing the same folder several times.)
____________________
Win7 HPx64 SP1, VoodooShield, WFC

Offline VoodooShield

« Reply #444 on: April 09, 2018, 07:56:28 am »
I have a couple of ideas on how to handle automatic software updates... it should be quite easy.  Thank you!

You need to take things like Zemana Anti Malware into account.  See https://www.wilderssecurity.com/threads/zam-free.395690/#post-2700849 for a really bad example.  IMHO VS handled the problem with flair and aplomb.

Ummmm... Of course.  Screenshot somewhere.  What ZAM does is generate a randomly named tmp update file (exe?) into %appdata\temp%, and then ¿executes? it.  I have now locked down %appdata\temp% on all accounts plus Program Data with a small set of Rules, so that will never happen again.

(Ummmm, yes.  On the Rules, is it possible to have something in the Rule name that looks like a qualified path to the folder/file of interest?  ATM it appears like I am referencing the same folder several times.)
A while back, I mentioned that at some point I was going to write some malware (I had never done this before, honest ;)), and since I had some time, I decided to do so.  Obviously, the whole purpose of this adventure was to see how well security products do against true zero day malware.

Of course I had to make this a ransomware type malware, so I started my malware project with a typical Visual Studio WinForms project and wrote some simple code to rename the extensions of the files in the My Pictures folder, and borrowed some online code to encrypt the files.  This took all of 15 minutes.

So I played around with all of this and performed a lot of tests. It turns out that a lot of security products rely highly upon digital signatures.  This is truly sad because you can buy one for $80 or so, and make $100,000 with ransomware.  I am actually not that familiar with the details of obtaining a digital signature, so please ignore my last statement.  But please do not ignore this... SECURITY SOFTWARE SHOULD NOT RELY ON DIGITAL SIGNATURES, and it should not rely on cloud based reputation / global whitelists (those are simply pre-approved items that were scanned with the blacklist and executed in a sandbox... especially when the average time to discovery is like 231 days (I could be wrong about 231, but it is something like that)).

Anyway, my whole point to all of this... Zemana actually did the best out of all of the products that I tested.  Most of the anti-ransomware products did really well too.  I was surprised that the behavior based anti-malware products completely missed it.  Just lock the computer when it is at risk, and then there is no guessing.
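The lock-when-at-risk model from Reply #439 (ON/USB indicator, new code blocked while locked, web-app-sourced items watched more closely after execution) and the "identify code by hash, not by name or signature" point from Reply #444, combined into one added Python model. This is an illustration written for this page, not VoodooShield's code; the Session/Artifact/Policy classes, the origin labels and the sample file contents are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """A piece of code is identified by its SHA-256, not by its path or signer."""
    return hashlib.sha256(data).hexdigest()


class Session:
    """Which risk triggers (web app, USB) are active, in order of arrival."""

    def __init__(self):
        self.active = []

    def start(self, source):
        if source not in self.active:
            self.active.append(source)

    def stop(self, source):
        if source in self.active:
            self.active.remove(source)

    def locked(self):
        # Any active trigger locks the computer; "ON" and "USB" both mean locked.
        return bool(self.active)

    def indicator(self):
        """Desktop icon text per khanyash's table: the trigger that arrived
        first wins while both are present; OFF once nothing is active."""
        if not self.active:
            return "OFF"
        return "ON" if self.active[0] == "web_app" else "USB"


@dataclass
class Artifact:
    path: str
    content: bytes
    origin: str  # constructed labels: "web_app", "usb", "local_utils", "auto_update"


@dataclass
class Policy:
    allowlist: set = field(default_factory=set)  # SHA-256 digests of approved code

    def decide(self, session, item, user_allows=False):
        """Returns (action, scrutiny). Allowlisted hashes run regardless of the
        lock; unknown code is blocked while locked unless the user overrides;
        post-execution scrutiny is "close" only for code that came from a web app."""
        digest = sha256_hex(item.content)
        scrutiny = "close" if item.origin == "web_app" else "relaxed"
        if digest in self.allowlist:
            return "allow", scrutiny
        if session.locked() and not user_allows:
            return "block", None
        self.allowlist.add(digest)  # an allowed item joins the whitelist by hash
        return "allow", scrutiny


if __name__ == "__main__":
    # Constructed scenario: an in-place update of an allowlisted tool changes
    # its bytes, so the hash no longer matches and it is treated as new code.
    policy, idle, risky = Policy(), Session(), Session()
    risky.start("web_app")
    tool = Artifact("C:/Tools/cleaner.exe", b"clean build", "local_utils")
    print(policy.decide(idle, tool))                      # allowed, relaxed
    swapped = Artifact(tool.path, b"build with implant", "auto_update")
    print(policy.decide(risky, swapped))                  # blocked while locked
```

Because identity is the hash, a name-preserving swap of an allowlisted binary is indistinguishable from brand-new code, which is the property the thread relies on against trojanized updates.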

Offline gorblimey

« Reply #445 on: April 09, 2018, 10:11:26 am »
But please do not ignore this... SECURITY SOFTWARE SHOULD NOT RELY ON DIGITAL SIGNATURES, and it should not rely on cloud based reputation / global whitelists (those are simply pre-approved items that were scanned with the blacklist and executed in a sandbox... especially when the average time to discovery is like 231 days (I could be wrong about 231, but it is something like that)).

+1

I chose ZAM because it is held in very high esteem.  But any Anti-Malware that behaves like malware will have a very short stay on my box.
____________________
Win7 HPx64 SP1, VoodooShield, WFC

Offline VoodooShield

« Reply #446 on: April 11, 2018, 02:23:51 pm »
Hey everyone, I just released 4.28 to the public, you can download it here: https://voodooshield.com/Download/InstallVoodooShield.exe

Or it will auto update when VS starts.

I was going to post 4.28 on here, but there were only a few very small changes... one was a change that will further limit command line blocks, one was fixing an issue with git.exe since it is treated as a vulnerable process (all of the GitHub type apps should work great with VS now), and a user suggested that if a password is enabled in VS, the user is only prompted when they try to change to a less aggressive mode.

SHA-256: ca76e36595e83605ae07d76f15f6fcc3cf7ec77b60aced1d9f8b94c6feca25a5

Thank you guys for all of your help!  That should be it for now.  I am going to take a couple weeks break from coding and work on some marketing items (unless some major bug appears out of nowhere).  This will give me time to think about what VS 5.0 should look like, and then you guys and I will discuss everything to make sure we are on the right path.

Offline Triple Helix

« Reply #447 on: April 11, 2018, 02:39:43 pm »
Hey everyone, I just released 4.28 to the public, you can download it here: https://voodooshield.com/Download/InstallVoodooShield.exe

Or it will auto update when VS starts.

I was going to post 4.28 on here, but there were only a few very small changes... one was a change that will further limit command line blocks, one was fixing an issue with git.exe since it is treated as a vulnerable process (all of the GitHub type apps should work great with VS now), and a user suggested that if a password is enabled in VS, the user is only prompted when they try to change to a less aggressive mode.

SHA-256: ca76e36595e83605ae07d76f15f6fcc3cf7ec77b60aced1d9f8b94c6feca25a5

Thank you guys for all of your help!  That should be it for now.  I am going to take a couple weeks break from coding and work on some marketing items (unless some major bug appears out of nowhere).  This will give me time to think about what VS 5.0 should look like, and then you guys and I will discuss everything to make sure we are on the right path.

Thanks Dan installing it now!
Microsoft® Windows Insider MVP - Windows Security
Webroot SecureAnywhere Complete & VoodooShield Pro
Alienware 17R5 Laptop with the new i9-8950HK Processor, 32GB of RAM and 2 Samsung NVMe 960 Pro's.

Offline schmidthouse

« Reply #448 on: April 11, 2018, 04:27:00 pm »
V. 4.28 Auto Update, very smooth.
VS has been running without 'any' issues on my OS's for quite some time now.
Thanks Dan. :)
***HP ENVY 15K LT  W10 Pro 64Bit/750GB HD/ 16GB Ram/Avast Prem 19.5.2378/VS 501/Secureline VPN/SANDBOXIE/Prey Project
**HP Compaq Buisness LT W10 Pro 64Bit/1TB HD/ 8GB Ram/Avast Prem. bc/VS 501/Avast Secureline/SANDBOXIE/Prey Project     
*Dell Inspiron  xpSP4 PRO 32 Bit/Avast (since 2002)/Comodo FW 3.14/OSA/Comodo Ice Dragon/Avast Secureline
LAYERED SECURITY SOFTWARE PROTECTION on all OS's
When you think you know, Think Again

Offline topo

« Reply #449 on: April 11, 2018, 07:55:49 pm »
Win10 w/ Windows Defender: auto-update 4.28 installs without a peep. Win7 w/ Norton NS: auto-update triggered the Norton firewall but still installed. I love VS. Attached is info for Dan.