Forum Replies Created
I believe the new code base version of VS is ready for public release. Please let me know if you find anything, thank you guys!
RandomGuy: What if I disconnect my ssd and hdd from my motherboard, connect my old ssd that I no longer use and install W10 on it, would that along with shadow defender be sufficient to protect my machine? Are there like firmware or malware that can persist this way? When I wanna switch to my pc, I will simply disconnect the old ssd for testing, connect my new ssd and hdd and everything should be back, right?
Sure, that should work great. And vertigo brings up a great point… make sure there are no other computers on the same network when you are testing.
Yeah, this forum is a mess. If you have suggestions, please email them to support at voodooshield.com, thank you!
Hey guys,
Here is the latest. Baldrick found a bug in the Custom Folders feature that created a lot of unnecessary blocks, but that is fixed now. There are also a few more refinements to the Rules and other features. I think we are getting close, thank you guys!
RandomGuy: Hey dan, I saw the thread in malwaretips, all those malware tests massively boosted your defence of VS, that’s really nice.
Now, I am not an expert, but I like VS so I wanna test it against random samples I found on the internet (such as this https://zeltser.com/malware-sample-sources/), the ones in malwaretips are prob hand picked but I still wanna see how VS will do against these random ones (I also wanna test other programs for my personal setup). What would you recommend to use to test em? Virtual machine? Can shadow defender work? What about sandboxie?
If possible, it is best to test on an old bare metal test machine. A VM like virtualbox is a good second choice, just make sure that the Shared Folders is disabled when you start testing. SD and SBIE are great programs, but I personally would not take a chance, especially if you are testing on your main machine.
I just saw this and felt obligated to comment…
SAP was probably in Auto mode. Interactive mode should have easily blocked this. Then again, I have tested SAP for all of 10-20 minutes in total, so this is just a guess based on how things are supposed to work with application whitelisting.
If SAP is in Auto mode, then yeah, just like with VS on AutoPilot, it can be bypassed. It is not easy, but it is possible. But that just proves that the computer should be locked when it is at risk.
But to answer bellgamin’s question on whether this would bypass VS, assuming it is ON? Not a chance. Zero. Zip.
Then again, I think people in cybersecurity 20-30 years from now will look back and say “can you believe people used to not lock their computer when it was at risk?” The exact same way NAT was applied to literally every router.
BTW, the forum is really screwed up. I just noticed 133 posts from tons of members that have not been posted because they need to be “approved”. There does not seem to be a way to approve all of them at once, so I started approving each one, and it screwed up the forum even worse ;).
Here is the latest…
SHA-256: bff577cc3fa035367ff1c3f576c6a2b54a13b24f44be487d7b52b65a63252795
Hey guys,
I think we are getting close, here is the latest!
Have a great weekend, thank you guys!
The beta versions are not included in the auto update, but I will be releasing a new beta version soon that has tons of small refinements, many that you have suggested. For example the items 3, 4 & 5 you suggested are fixed. A lot of your suggestions are already features in VS Pro, but if there is something that I am missing or did not fix correctly please let me know. I think you will like the new search box… basically if there are items remaining in the search that match the current search pattern, then the search list remains the same (minus the item you deleted), and the search box retains the previous search. If there is only one item in the search list, and that item is deleted, then the list is repopulated and the search box is reset. It is basically the best of both worlds and I think you will like it… please let me know what you think.
I think the digital signature rule and focus issues are fixed as well, again, please let me know what you think.
What do you mean by “a mechanism for telling VS to no longer block an item”. Do you mean that if an item keeps trying to spawn and the user has to keep blocking that item? If so, what do we do, block it silently?
BTW, there are FAR fewer bugs than I was anticipating so I am going to post the next version on here. It is actually going so well that I think we are going to skip the 6.22 public release and go with the new code base version sometime next week. So posting the beta version publicly will help verify there are truly almost zero bugs. You guys should see the error reporting log… there are essentially zero significant bugs or exceptions, and with this next release I am hoping there will be zero. Thank you guys!
gorblimey: @vertigo – my experience with v611 was that any Silent Block Rule would generate a Silent Block for unintended apps. In addition, Silent Block Rules in any User Account would apply globally.
If you have enabled Custom Folders, then its default if VS is ON or OFF is to Block the entire %users% folder “if not already whitelisted”.
If you have set VS in Utility>”Use same settings for all users”, then (un)doing any settings must be done in each UA separately, even though all “user-specific” settings are globally visible.
Another thing to watch is how exactly you invoke the app in question. Is this done directly from a menu shortcut? Or indirectly from a script of some description, or perhaps even finding it in Windows Explorer and double-clicking?
VS is probably the best security app out there, but rather like a certain AC75 yacht the other day in Auckland, it is probably wise to not push the boundaries without a complete understanding of the underlying principles and a strong backup plan in place.
Currently using the free version, so not using custom folders or any of the settings on the utility page. Also no silent block rule; the only rule set is the default one. As for the app that’s blacklisted, it’s run once per session to activate it then it again to perform its function when selecting its entry in the file manager context menu, and that’s what was being blocked (I didn’t try actually running the exe directly, since if it’s being blocked one way, it would logically be blocked the other). Bottom line is any anti-malware app should provide a straightforward way to tell it to unblock something it’s blocked, and I’ve tested several different products on PC and Android and ditched many of them due to issues with this, and in fact it’s one of the reasons I don’t like Windows Defender, as that has a tendency to corrupt files so even after restoring them they’re useless. And asking as much from an AW app isn’t pushing the boundaries, it’s expecting basic functionality.
Oddly enough, after having it disabled for a while, after reenabling it the app triggered the balloon pop-up again instead of being silently blocked. So on top of the issue of not being able to tell VS to unblock it, it’s not even consistent, seemingly randomly changing its mind about it.
This silent blocking issue was a direct result of me adding the new features for when another app is full screen, but it should be fixed now. The reason it was not consistent was because the top most app did not have a Window title when it was blocked silently, but later when the top most app had a window title, there was no longer a silent block. But as I was saying, this is now fixed in the code, so that the silent block should never occur, whether the window title is null or not.
vertigo: Ran into another issue. Trying to run an exe, VS keeps silently blocking it, so at some point I must have told VS to block it, though I don’t remember doing so. So either I accidentally clicked block on a pop-up or maybe it’s set to auto-block if the balloon isn’t clicked, which is definitely not a behavior I care for. Not to mention I personally don’t like the idea of a silent block period, both because it causes frustration not realizing why something isn’t working when it’s intended and because it doesn’t allow you to see when something is trying to do something it shouldn’t, leaving you unaware of possible misbehaving software.
But on top of those issues, the real problem here is that I can’t figure out how to unblock it. It’s not showing in quarantine, and the only place I see it is in the log, but there’s no method to use that to tell VS to stop blocking it. Even trying to create a rule, which is an extremely cumbersome and inefficient way to unblock something, doesn’t work as expected, since I tell it to create a rule from a recently blocked item, select the exe, and select simple digital signature, thinking it will automatically import the signature from the file to help with the rule creation, but then the signature box is empty, so I can’t create the rule.
Also, the rules creation wizard window doesn’t come into focus when clicking on its taskbar button when it’s in the background. You have to minimize/move any windows in front of it and click on the window itself.
The silent blocking issue has been fixed since 6.22 / 6.30. The “Create a rule from a recently blocked item” only works for the Digital Signature Rule type. If you look at the other Rule Types, it would be difficult to apply a single item block to any of the other Rule Types, with the exception of the Folder Rule Type, which I can add in a future version. Thank you!
HempOil: Hi Dan,
I was wondering if you would consider a small change to make a VS scan result more user friendly. When the scan window pops up and the user clicks on details, I think it would be helpful if the details could be color-coded when the results are good (green) or bad (red). I realize that not all the detail results are binary, but for those that are, it would make it easier to glance over.
I notice you did this on the WhitelistCloud window: I have Comodo firewall enabled, so you have color-coded the “Off” to the right of “Windows Firewall:” to red.
Sure, something like this would be really cool. What all should we make red? Thank you!
BTW, I finally finished up the version of VS with the all new code base today and will be releasing an early beta sometime this week to everyone on the beta test group list. Overall there should not be any major bugs, but there might be a missing button or two here or there and I just need help finding anything that I might be overlooking. The GUI and service were completely redone from scratch, then I simply converted and pasted in the code. It was certainly the long way to do the conversion, but it resulted in super clean code throughout the code base. Thank you guys!
As I was saying, if you have one computer on a network with an internet connection, and the computer is on but no one is using that computer, then it is not going to become infected. It is only when the user starts browsing the web and checking email that they might become infected. Now, if you have several computers on the network and one is not being used but another is browsing the web and checking email, THEN all computers are exposed. But that is why you put VS on all of the endpoints, and any one that is browsing the web and checking email is locked when the infection might occur.
This reminds me of a discussion I had a while back with someone on MT. They thought someone had figured out a way to bypass VS with some boot time malware. My response was something like “that’s a little late to be blocking malware, don’t ya think?”. My point is, VS was going to block the infection LONG before the boot time code would have executed. So I challenged them to get the code to run and infect the computer so that the boot time code would run. Obviously VS was not going to let that happen ;).
Sure, a user can download a file and not execute it until later. But in this scenario, the user is intending to execute a specific file, not just wildly clicking on the web or while checking emails. So there is no reason to block the file unless it is considered Not Safe, simply because the user is intending to install that specific file and is going to allow it anyway. Makes sense, huh?
In all fairness, if AutoPilot is good enough for full time use, why not use Smart Mode and automatically lock the computer when it is at risk?
The main reason why all cybersecurity products should implement dynamic levels of protection is simple. All products besides VS have one single static security posture (unless the user manually adjusts the security posture). The reason this is problematic is because at any given moment, the security posture is either too relaxed or too aggressive. If however, any given cybersecurity product automatically adjusted its security posture based on the user’s activities at the time, then the security posture would much more closely match what it ideally should be at that moment.
For example, UAC blocks regedit.exe full time… even when the computer is not connected to the internet!!! There is a smart way and a dumb / lazy way to lock down a computer. The dumb / lazy way is to lock it down full time, with zero regard for usability, just call it a day and simply let the user suffer. The smart way is to dynamically adjust the security posture on the fly, which increases efficacy, decreases false positives, and makes the lock more robust and easier for the end user to use properly. Having one single static security posture means that at any given time, it will either be too relaxed or too aggressive, resulting in increased infections. It really is that simple.