VoodooShield 5.50

    Gandalf
    Participant
    NL

    gorblimey: @gandalf – Do the dismhost.exe entries all have the same qualified path?  And on a similar theme, are they all called in the same way?  This is important, as VS doesn’t just rely on the exe name.

    They don’t have the same path, but all came from c:\users\gandalf\appdata\local\temp with parent process cleanmgr.exe.

    GrDukeMalden
    Participant
    US
    “Old guys”? Does that include me? I’ve been using VS since before voodooAI was a thing.
    |VPN(paid)| VoodooShield(Paid)| ComodoFW(free)| HitmanPro.Alert!(Paid)|
    gorblimey
    Participant
    none

    Gandalf:
    They don’t have the same path, but all came from c:\users\gandalf\appdata\local\temp with parent process cleanmgr.exe.

    One method used by malware is a variable string in the otherwise qualified path, for example %appdata\local\temp\1337534k\dismhost.exe%, where 1337534k\ will always change. If this string changes, then VS will ping the call. As far as I’m concerned, any soft that uses this method–no matter how legitimate it says it is–is using malware methodology and will be kicked off my system.

    You, as opposed to VS which is just doing its job, must make a decision based on faulty information, because you can never be completely sure that cleanmgr has not been compromised, or in fact that cleanmgr actually did call dimhost.

    You could of course feedback to cleanmgr devs that you are unhappy and they should change their ways…

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
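As an added illustration of gorblimey's point about a varying segment inside an otherwise fixed path (example code written for this page, not VoodooShield's own logic; the sample paths and the "looks random" heuristic are constructed), this shows why keying an allow rule on the full path re-prompts on every run, and how to isolate the stable parts instead:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample paths (not from the thread): the same binary, launched by
# the same parent, appears under a per-run randomized Temp subfolder.
OBSERVED = [
    r"C:\Users\gandalf\AppData\Local\Temp\9F3A2C1E\dismhost.exe",
    r"C:\Users\gandalf\AppData\Local\Temp\B7D04E88\dismhost.exe",
    r"C:\Users\gandalf\AppData\Local\Temp\0C5E91AA\dismhost.exe",
]

def _parts(paths):
    return [PureWindowsPath(p).parts for p in paths]

def variable_indices(paths):
    """Indices of components that differ across paths of equal depth.
    Raises ValueError when depths differ (one wildcard cannot cover them)."""
    parts = _parts(paths)
    depths = {len(p) for p in parts}
    if len(depths) != 1:
        raise ValueError("paths differ in depth; no single wildcard fits")
    n = depths.pop()
    return [i for i in range(n) if len({p[i].lower() for p in parts}) > 1]

def looks_randomized(segment):
    """Heuristic (assumption): hex/GUID-like, or a 6+ char letter+digit mix."""
    if re.fullmatch(r"\{?[0-9a-fA-F-]{6,}\}?", segment):
        return True
    return (len(segment) >= 6 and sum(c.isdigit() for c in segment) >= 2
            and any(c.isalpha() for c in segment))

def analyze(paths):
    """Describe how an allow rule should key these launches: the stable
    pattern with '*' for varying components, plus whether the variation is a
    random-looking folder under Temp (the case discussed in the thread)."""
    parts = _parts(paths)
    var = variable_indices(paths)
    template = ["*" if i in var else c for i, c in enumerate(parts[0])]
    lowered = [c.lower() for c in parts[0]]
    return {
        "pattern": str(PureWindowsPath(*template)),
        "variable": var,
        "randomized": bool(var) and all(looks_randomized(p[i]) for p in parts for i in var),
        "under_temp": any("temp" in lowered[:i] for i in var),
        # A full-path key only works when nothing varies; otherwise combine the
        # stable pattern with the parent process and the file hash.
        "key_on_full_path": not var,
    }
```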
    Triple Helix
    Participant
    CA

    GrDukeMalden: “Old guys”? Does that include me? I’ve been using VS since before voodooAI was a thing.


    I have been using it since the first version and, if I remember correctly, it was in the .88 versions in 2011, then version 1 came out. https://www.wilderssecurity.com/threads/voodooshield.313706/page-6#post-1998001

    Microsoft® Windows Insider MVP - Windows Security - VoodooShield Pro - Webroot SecureAnywhere Complete - Glasswire Elite
    Dan
    Keymaster
    US
    Hey guys, here is the latest version. We are getting super close, but I am sure there will be a few bugs we have to work out.  Integrating a complex component like WLC, which is basically a complete realtime scanner, in 3-4 weeks is simply not possible without experiencing a few bugs.  In all fairness, it is not like we are developing an AutoIt script or something…  and whenever we do something ambitious like this, there are going to be issues.  But VS would not be nearly as advanced as it is today if we had not been ambitious and added sophisticated features and mechanisms throughout the years.  We could lock the computer and call it a day, or rarely update our software, but that is not going to change anything.  If you want the world to use your computer lock, you have to make it user-friendly for them.

    About the WLC icon… WLC is FULLY implemented into VS.  The WLC icon is simply there to let the user know at all times that only known, safe files are running on the endpoint.  It is also there for quick access to the WLC tab in VS settings.  Either way, the WLC icon is completely optional.  In fact, all of the WLC options are completely optional.  If you only want to allow WLC items, and not have it create firewall rules or alert you with the WLC icon and mini prompt when a new Not Safe item is detected, you can do that.  You can configure WLC exactly how you want… it is incredibly flexible and elegant.

    Besides any remaining bugs, we will also have to figure out what to do about temp folders.  As we all know, malware loves to hide in these folders, and the problem is so do legitimate apps, and a lot of these legitimate apps do not have a Safe file reputation.  So the issue is that there will be a few files in temp folders that appear as Not Safe files.  WLC will automatically remove these files when they no longer exist, but some temp files hang out longer than they should.  The obvious answer is to have VS automatically clean up the temp folders… this would fix everything, and keep the temp folders sparkling clean all of the time.  Can anyone see a disadvantage in doing this?

    There are some other usability tweaks we will implement in WLC soon, for now I just wanted to get the implementation up and running.  For example, in the user prompt, we will probably remove the VoodooAi result and replace it with the WLC.  The whole goal is to reduce VS’s dependence on VT as much as possible, while replacing it with a mechanism that fits VS even better.  But we had to get to this point before we even thought about refining the implementation.  VT is great, but really VS should only utilize it for instant preliminary results while waiting for the WLC results, assuming the file is a not seen before file.  Yes, I agree that when a file has not yet been analyzed by WLC, it takes a while to upload and analyze the file (mainly the upload).  But once that hash is in the database, all subsequent lookups / scans will be super quick.  Once we release VS to the public, the database will grow massively and there will be even less not seen before files that require the file to be uploaded.

    And really, the full WLC feature set is mainly intended for SMB / enterprise, and for security enthusiasts / pros, with the goal of letting admins know on a continual basis that only safe files are executing on their endpoints… all at a glance.  But some features of WLC will be super cool for home users as well… especially the ability to automatically allow Safe WLC files.  The unwanted VS blocks will be essentially nonexistent.

    In 5.51 beta, you will notice that I added Inbound and Outbound columns to the WLC tab.  Obviously, those are firewall rules, which can be applied or removed at any time… EVEN IF THE ITEM IS SAFE 😉.

    Thank you for letting me know about the handful of Windows files false positives (like dismhost)… I will fix those in the cloud in a day or so, and when you reset your whitelist it will be fixed.

    BTW, if you installed the 5.50 beta, you will need to uninstall VS and then install the 5.51 beta.  If you are running 5.02 or 5.04, you should be able to install over the top with the 5.51 beta.

    https://voodooshield.com/Download/InstallVoodooShield551beta.exe

    SHA-256: e05cb8ac0a89edaade7c3543c4717955c451efb2f953be3874f2bbad8e1cecdb

    Please let me know about the remaining bugs and I will start figuring out the usability and start refining the WLC implementation.  Thank you guys!

    Dan
    Keymaster
    US

    Triple Helix:

    GrDukeMalden: “Old guys”? Does that include me? I’ve been using VS since before voodooAI was a thing.


    I have been using it since the first version and, if I remember correctly, it was in the .88 versions in 2011, then version 1 came out. https://www.wilderssecurity.com/threads/voodooshield.313706/page-6#post-1998001

    How funny TH… as you know, the WLC implementation is easy compared to what we used to go through a few years back ;).  My, how times have changed ;).

    Dan
    Keymaster
    US

    GrDukeMalden: “Old guys”? Does that include me? I’ve been using VS since before voodooAI was a thing.

    Oh, I have no idea who it all includes, but a lot of guys have stuck with VS since the very beginning, and I obviously appreciate it very much ;).

    When we first started VS, we thought “really, how hard could it be to build a user-friendly toggling computer lock?”.  Well, it turns out, if you are going to make it easy enough for novices and average users, it is extremely difficult. 😉

    Dan
    Keymaster
    US

    Mr.GumP: Whitelist Cloud found 13 items. I am pretty sure they are all safe. Is there any disadvantage however, to leaving them all on the not safe list? As it pertains to performance or any possible complications…


    Thanks!

    Wow… 13 items is a lot, you must run a lot of indie software ;).

    Dan
    Keymaster
    US

    VecchioScarpone: I uninstalled WhiteCloudC after its integration with VS. The only thing I noticed so far is, the average memory reading went from 20% now to 28%.


    Would it be considered high?


    Hopefully you mean MB instead of % ;).  If so, that is tiny.

    Dan
    Keymaster
    US

    gorblimey: @gandalf – Do the dismhost.exe entries all have the same qualified path?  And on a similar theme, are they all called in the same way?  This is important, as VS doesn’t just rely on the exe name.


    @Mr.GumP – How long have you had those 13 items?  If they haven’t been pinged for antisocial behaviour before, they’re probably safe.

    However, I strenuously suggest the use of a reputable firewall set to default deny all outbound, so you can make sure your softs are only talking to permitted people.  I use and recommend Windows Firewall, and Windows Firewall Control by https://www.binisoft.org/wfc, which will automatically rework Microsoft’s Stupidity Settings; plus it’s FREE from MalwareBytes.

    Windows Firewall is shipped as part of Windows…

    WFC is certainly cool and a lot of people will want to lock the firewall down in the way you described.  I think for VS and WLC, blocking only Not Safe items is not only smart and secure, but also elegant.  Please play around with it and let me know what you think!  We do not want to go crazy with the new VS / WLC firewall features, but if we think it is a good idea to develop this feature a little more or add a few things, then maybe we should ;).  At this point it will be super simple to do… the hard part is over.

    Dan
    Keymaster
    US

    oldschool: I just installed the latest Beta. The introductory pages during installation are very nice. It’s been analyzing files forever, some of them Windows processes. Using lots of CPU and disk. What’s up with this?


    I realize change can be difficult, but I’ve never experienced this with VS. It appears you have integrated WLC completely into VS, which changes it into a completely different animal.

    Ask TH… this is nothing compared to what we used to go through ;).

    If there is no struggle, there is no progress.

    Dan
    Keymaster
    US

    SudoJudo: I’ve had some issues with this, also I have some confusion…


    Installing both, it said unsafe file and was red. Clicked it, it said everything was fine.

    Also, I am becoming very confused as to what VS and WLC are now, and how they interact. If I am confused, I think others may be as well. I guess I would put it like this:

    1) Is a separate icon necessary?

    2) Is WLC necessary if I have a third party firewall installed? If so why? If not, should that be stated somewhere?

    3) How does having WLC activated in VS change how VS operates? What are the pros and cons of having it activated or not?

    To me, I thought WLC was going to be integrated entirely into VS so it was rather seamless, and basically replaced the VirusTotal aspect of VS to be more reliable and less false-positive prone, not integrated as another, potentially confusing layer of the product.

    Others can weigh in, but honestly I think WLC should just be fully integrated. No new icon. Then the firewall rule aspect could be enabled/disabled depending on if a third party FW is installed. WLC at that point would function like a VT authentication of good/bad files?

    Maybe someone can help alleviate my confusion.

    Yes, these are the exact types of concerns that made the WLC implementation so incredibly freaking difficult, all without adding unnecessary bloat. Hopefully with 5.51, the implementation that I envisioned for WLC is starting to become clearer to everyone. It is not perfectly refined yet (but will be soon), but at least you guys can see what WLC is all about and where we are going with it. That, and you guys will be able to make suggestions as we go. Thank you guys!

    Dan
    Keymaster
    US
    BTW, if VS asks you to register after reboot, please let me know, I am testing the timeout on the internet connection check.

    Also, all you have to do is go to VoodooShield Settings / Register tab and click the Confirm Registration button (until I fix it for good in the next version).

    Gandalf
    Participant
    NL
    Dan, can you add the new chromium based Edge to the web apps?

    “C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe”

    I have now added it myself through auto detect additional running web apps.

    VecchioScarpone
    Participant
    AU
    Dan, I was unable to post a screenshot. Still running VS with integrated WLC, all good and thanks.

    ______________________________________________________

    "Today is yesterday's future"
