VoodooShield

[ichito]

Niestety wciąż wersja na XP nie jest dopracowana mimo, że jest kolejny build 2.72, który wprowadza wg zapowiedzi poważne zmiany "pod maską" m.in
- nowy tryb "Scan & Allow" który jest czyms na podobieństwo trybu nauki - plik nie zostanie uznany za zaufany/uruchomiony zanim nie zostanie przeskanowany
- nowy filtr do skanowania fałszywych wskazań (FP)
- monitorowanie autostartu z systemem
Całość poniżej

Sorry I have been away, but I have made a lot of progress. This release seems to be super stable on Vista and above, although for some reason I cannot get the multithreading to work on XP like I want it to. I guess there is a chance that XP is just not capable of doing what I want it to do. It seems to be working great with XP, but if anyone who is running XP wants to try it and let me know how it does, I would appreciate it!

There are several new features. Now there is a "Scan & Allow" mode, that basically blocks the file and scans it. If the scan comes back clean, then it is auto allowed. So it is kind of like a training mode that scans. I was not sure what to call it, so for now I just called it Scan and Allow. Once you guys try it and become familiar with it, if you think of a better name to call it, please let me know. I was also thinking about calling it something like "IntelliScan", Safe Training, Training(Scan) or AVMode. Also, we probably do not want the users to run in this mode all of the time, but it would be a great way to safely train VS for the first couple of weeks. I also added a feature that automatically filters false positives, and alerts the user that although a threat was detected, VS believes it to be a false positive, and calculates the odds that it is a false positive or not, and lets the user know. I made the color of this prompts a cross between the Blue and Red, so it is Purple for now

[Aby zobaczyć linki, zarejestruj się tutaj]

. We can make it grey or some other color, or keep it purple, just let me know what you guys think.

I also added Java blacklisting. If Chrome is going to disable Java, we might as well blacklist it, right?

[Aby zobaczyć linki, zarejestruj się tutaj]

. I also added a feature where VS monitors Windows StartUp locations... I just added the main ones for now, but will expand this feature some more very soon.

As soon as I get a chance, I will catch up on the posts!

[Aby zobaczyć linki, zarejestruj się tutaj]

 

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Nowa wersja beta 2.74

I will catch up soon, but here is the latest version with a few small bug fixes. I think this version is ready for public release, but if you guys find anything, please let me know. Thank you!

[Aby zobaczyć linki, zarejestruj się tutaj]

Dan po dyskusjach na Wildersach zapowiada prace nad powiązaniem VS z piaskownicą Cuckoo Sandbox...zapowiada się bardzo interesująco

[Aby zobaczyć linki, zarejestruj się tutaj]

Więcej o tych planach poniżej

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Bez fanfar i zapowiedzi...VS zostało opublikowane w wersji stabilnej 2.75. Póki co żadnych list zmian, a jedyne info to komentarz Dana na Wildersach

Beat me to it

[Aby zobaczyć linki, zarejestruj się tutaj]

. Yeah, I just uploaded 2.75 to the public. I am going to go have a drink, but I will catch up with you guys soon and respond to the posts I missed. BTW, everything is going great with the new features

[Aby zobaczyć linki, zarejestruj się tutaj]

. Have a great weekend, thank you!

[Aby zobaczyć linki, zarejestruj się tutaj]

Na stronie VS jest już wersja stabilna do pobrania

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Dan jak widać starał się mocno i po kilku dniach nieobecności ogłosił kolejną wersję - 2.77. Wprowadza oczekiwaną piaskownicę Cuckoo Sandbox, choć wie, że musi jeszcze nad nią popracować. Ta wersja niestety nie obsługuje Win XP, mam jednak nadzieję, że to przejściowy stan.

I got a little carried away with the new features

[Aby zobaczyć linki, zarejestruj się tutaj]

. The Cuckoo Sandbox is pretty much ready, although we will want to refine and tweak it a little in the next few days. There is still a little more work to do on the KMD, but it is getting there. I might even take a little break for a few days before finishing that up.

Here is the latest version with the Cuckoo Sandbox integration. So far I have not been able to get it to work with XP (and it may not ever), but it seems to work great with everything else. So if you are running XP, there is no reason to upgrade to this version.

This version is all about the Cuckoo Sandbox / Remote Sandbox. So either drag and drop a file, or have VS block a file, then choose “Sandbox”, then “Cuckoo”.

If you want to watch the analysis in real-time, in a remote desktop session, just make sure you check the option “Watch Cuckoo Sandbox analysis in a Remote Desktop session in real-time”, before you click the “Cuckoo” button. I was going to have it enabled by default, but I did not want to scare one of our other users that have no idea about the RDP features

[Aby zobaczyć linki, zarejestruj się tutaj]

. Besides, the more bandwidth (among other things) we can conserve, the better.

[Aby zobaczyć linki, zarejestruj się tutaj]

I have not tested the Cuckoo server other than just running internal tests, but I think it will do quite well. It estimates that it can perform 13,000+ analysis per day (or 525+ per hour), but I guess we will see

[Aby zobaczyć linki, zarejestruj się tutaj]

. For now I limited the RDP sessions to 1 every 5 minutes, just to make sure I did not overlook something... and we end up crashing the server

[Aby zobaczyć linki, zarejestruj się tutaj]

. There are a lot of "moving parts" between VS and the Cuckoo Sandbox, and a lot of things that could potentially go wrong, but I think everything is pretty darn stable at this point. Hopefully there will not be any firewall issues, but I think since it is just a standard RDP, it should be fine.

Hopefully I will be able to catch up on the posts I have missed this weekend... then after these last few features are finished, hopefully things will go back to normal. Thank you, talk to you soon!

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Poprawka głównie pod Win10 ale zalecana właściwie wszystkim użytkownikom VS

Even if you are not running Windows 10, I highly recommend upgrading anyway... there was a bug that could cause stability problems / crashing with VS, but it is fixed now.

[Aby zobaczyć linki, zarejestruj się tutaj]

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Wersja 2.82 jest od kilku dni dostępna...poprawiona i rozbudowana funkcja ochrony wybranych folderów (Custom Folders). Zamiast pojedynczych pól do oznaczenia jako blokowane wprowadzono drzewo folderów, co widać na obrazku poniżej.

[Aby zobaczyć linki, zarejestruj się tutaj]

Funkcja jest domyślnie wyłączona,a uruchamia się poleceniem "Enable/Disable Custom Folders" i współpracuje z opcją (w ustawieniach) automatycznego zezwalania - domyślnie "Program Files" i ewentualnie własne lokalizacje...te lokalizacje będą nieoznaczone (puste) w drzewie folderów.

Źródło

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Wersja 3 przybliża się i mamy kolejną próbną (wg zapowiedzi ostatnią)

Here is the last VS 2.0 beta release. We may never release it as a full release because I am thinking VS 3.0 will be ready before then. This version does not include the 4 new web apps that you guys recommended, but I already added them to VS 3.0 (PDFXChange, Cyerfox, Waterfox and Yandex).

[Aby zobaczyć linki, zarejestruj się tutaj]

BTW, I finished up my part of VS 3.0 and Vlad is working hard on his part... he is doing truly amazing work! Hopefully we will have a beta for you guys within a week!

[Aby zobaczyć linki, zarejestruj się tutaj]

[F4z]

VoodooShield 3.00 Beta

Hello, I'm glad to announce that the first 3.00 Beta version of VoodooShield is ready and available for downloading and trying.
You can download it from 

[Aby zobaczyć linki, zarejestruj się tutaj]

 
It's recommended to turn off or uninstall any old versions of VoodooShield prior to installing the new version.

System requirements:

• Windows Vista sp1 and above (XP wasn't tested!)
  
  
• .NET 2.0/3.5 and above
  

What's new in VoodooShield 3.00 Beta:

• AppCertDlls mechanism was replaced by Kernel mini-filter driver + service
  
  
• Improved logic of the new process handling. Fixed many bugs there, especially in handling command lines and approving by parent process
  
  
• Version update flow was changed
  
  
• Installer improvement - no more internet connection is needed for downloading VC++ runtime and .NET.
  
  
• No any additional .NET installation is required
  
  
• Bugs were fixed
  

There are still some features missing in the first beta, but they will be implemented in future versions. 
I will be available for the next 3-4 days for your questions or comments regarding 3.00 Beta functionality/issues/bugs and will be happy to get some feedback. 

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Najnowsza wersja wprowadza nowości, ale nie ustrzegła się niedoróbek...poniżej info o kolejnych wersjach

VoodooShield 3.01 Beta Release
Accidentally the 3.00 version didn't contain some last minute fixes. They were added to this one. As well some of the bugs that were reported also fixed in this version
You can download it from

[Aby zobaczyć linki, zarejestruj się tutaj]

It's recommended to turn off or uninstall any old versions of VoodooShield prior to installing the new version.
Due to auto-update bug, version 3.00 could not be autoupdated to higher version! So it is recommended to update manually to version 3.01. The next releases will be updated automatically

System requirements:

• Windows Vista sp1 and above (XP wasn't tested!)
  
• .NET 2.0/3.5 and above
  

What's new in VoodooShield 3.01 Beta:

• Fixes that were missed in 3.00 - Sandboxie fix, disable Custom Folders
  
• nircmd.exe fix
  
• chrome update bug fix
  
• probably registration fields fix (I'm not sure, because never was able to reproduce it)
  
• Autoupdate version fix
  

There are still some features missing in the first beta, but they will be implemented in future versions.

Release notes:

- Updated link

- Fixed reported bypasses

[Aby zobaczyć linki, zarejestruj się tutaj]

- Fixed auto-quarantine issue

- Fixed sending script/registry/command line files to blacklist scan (wrong hash was sent before)

- Added wildcard ability to command line (* - any chars, ? – any single char). User is responsible to edit wildcard manually. There are still some questions on wildcard feature (i.e. the order of wildcard checks and so on), so need to get a feedback from the users.

- Rewritten command line handler, behavior now:

o If command is like cmd.exe /c script.bat , then it handled as process script.bat

o If command is like cmd.exe /c ping … (any cmd), then it handled as command line.

o Only command line part is added to command line list (without cmd.exe or something like that)

- Improtant! Due to command line fixes it is recommended to delete all previous command lines from the Command Line tab!

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Ostatnie wieści...wciąż trwają prace nad poprawkami w wersji 3 beta...ale to nie wszystko. Dziś Dan ogłosił, że w VS zapowiada się spora zmiana związana z  zaimplementowaniem całkiem nowej technologii...jest nowa nie tylko dla samego programu, ale nowa jest jako samodzielna dziedzina nauki związana ze sztuczną inteligencją - to tzw. "systemy uczące się" lub inaczej "uczenie maszynowe".
Nieco więcej o tej dziedzinie np tu

[Aby zobaczyć linki, zarejestruj się tutaj]

A wracając do programu...fragment opisu zamieszczonego na Wildersach

VS is going to have a new feature soon, and there will probably be a few questions, so I figured that I would tell you as much about it now so that you will know what it is all about. The new feature is called “Voodoo Ai” for now, and if anyone has a better, less pretentious name, please let us know and we will change it

[Aby zobaczyć linki, zarejestruj się tutaj]

. Voodoo Ai utilizes 3-4 machine learning / artificial intelligence algorithms along with other “features” of the portable executable (PE) binary (exe’s and dll’s) to assist users in making the correct decision (block or allow) when VS prompts them. Machine learning / artificial intelligence is kind of the latest “craze” in security software, and it differs from behavior blocking / heuristics in that the analysis all occurs pre-execution. VS is not the first to offer this (there is at least one other company specializing in this), and in the last 4-5 years there have been a lot of academic studies that have accessed the viability of machine learning and artificial intelligence in detecting malware, and as it turns out, while it will never be 100% perfect, it is quite accurate.
(...)
This new feature is not quite as complex or impressive as it might sound, but so far it does seem to be quite accurate. For example, when I analyzed all of the executables in several of the Windows and Program Files directories that were known to be safe, it was 100% accurate, with the exception of 6 files from an ATI display driver. I looked at these 6 files a lot closer, and let’s just put it this way… if it was not obvious that they were from the ATI display driver, I would think they were malicious as well… one example is that they were not digitally signed. Not that I am picking on ATI, but really, these should be signed, along with the other “features” that should have been handled properly.

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Pokazała się kolejna wersja próbna w linii "oficjalnej" bety - 3.04 i jeśli dawniej nie bylo pewne, czy XP jest wspierane (używano określenia "nietestowane"), to teraz już wiadomo, że XP już nie będzie obsługiwane w kolejnych wydaniach

System requirements:

    Windows Vista sp1 and above (XP is not supported!)
    .NET 2.0/3.5 and above

What's new in VoodooShield 3.03 Beta:

    Fix closing notification without prompt
    Fix synproc issue
    Fix exception on exit
    Cleanups improvement on application exit

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Kolejna wersja 3.06...i wciąż beta

System requirements:

• Windows Vista sp1 and above (XP is not supported!)
  
• .NET 2.0/3.5 and above
  

What's new in VoodooShield 3.06 Beta:

This release contains the fixes for the following bugs

• Starting application from some browsers download window is allowed
  
• Showing propmt for applications started from the Start menu freezes on the shield flashing (win

  [Aby zobaczyć linki, zarejestruj się tutaj]

• After ~30 days of working the auto-deactivation feature becomes unavailable
  
• Starting cmd.exe only shows prompt for command line, rather than for blacked list item
  

Known issues

• Windows 7 - VoodooShieldService.exe crashes on Windows restart. Impact - fills event log with crash events + crash dumps. Still under investigation
  

Have a good day,

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Pokazała sie wersja próbna VoodooAI

Here is a quick portable beta version of VoodooAi. There is still a little more tweaking that needs to be done, but this will give you an idea of how well VoodooAi is going to do.

THIS BETA PORTABLE VERSION REQUIRES .NET 4.5!!!

Vlad is integrating VoodooAi into VS, and will convert it to 3.5 during this process so this will not be a requirement soon. Originally, VoodooAi was going to be a web app, not unlike VirusTotal, so that is why I started it in .net 4.5. Then I thought it would be cool to have a standalone app, and obviously to integrate it into VS.

A little more about VoodooAi… it has an amazing ability to detect files that contain code that could be used maliciously, but it does not try to figure out the intent of the code… like did the author intend for the code to be malicious. As a result, a lot of system utilities and virus removal tools will be classified as Unsafe. Then again, maybe that is a better approach anyway… Instead of trying to guess whether the author intended to harm your computer, maybe it is better to just let the user know that the file they are about to allow contains code that has the potential to be malicious. Maybe that is where the AV industry went wrong… they were trying to guess the intention of authors, when really they should have just been examining the code to see if it has the potential to do something malicious? Just a thought.

Pobieranie

[Aby zobaczyć linki, zarejestruj się tutaj]

Źródło

[Aby zobaczyć linki, zarejestruj się tutaj]

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Nowa wersja 3.07

VoodooShield 3.07 Beta Release
You can download it from

[Aby zobaczyć linki, zarejestruj się tutaj]

System requirements:

• Windows Vista sp1 and above (XP is not supported!)
  
• .NET 2.0/3.5 and above
  

What's new in VoodooShield 3.06 Beta:

This release contains the fixes for the following bugs

• Windows 7 - VoodooShieldService.exe crashes on Windows restart. Impact - fills event log with crash events + crash dumps.
  
• Small GUI bugs
  

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Niestety mam na Viście błąd, który objawia się dwoma rzeczami, które udało mi się zaobserwować
- znane i uruchamiane programy, które były na listach w chmurze, z którą VS się łączy i synchronizuje ustawienia, były "odpytywane i blokowane, ponieważ
- komunikat, który dla nich dostawałem był kompletnie pusty - tylko szare tło okna bez żadnej grafiki...ponieważ domyślną akcją jest blokowanie po zaskoczeniu czasu oczekiwaniu na decyzję, to i programy nie mogły się uruchamiać
Nie chciało mi się bawić w ręczną edycję reguł, więc VS niestety musiał zostać usunięty.
Błąd jest zgłoszony i zobaczymy, czy do naprawienia.

[ichito]

Ukazała się oficjalny przewodnik po programie - datowany na marzec 2016 do wersji 3...nareszcie, bo ewidentnie brakowało tego typu informacji zebranych w jednym miejscu.

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Kolejna wersja - wprowadziła do programu na stałe moduł AI

VoodooShield 3.10 Beta Release

System requirements:

    Windows Vista sp1 and above (XP is not supported!)
    .NET 2.0/3.5 and above

What's new in VoodooShield 3.10 Beta:

This release contains:

    New! VoodooAi integrated
    Fix! User log and Whitelist crashes fixes
    Fix! Gray prompt fixed
    Fix! dismhost bug fixed
    Added time to whitelist grid
    Edit command line dialog improvement - dialog size, handle Enter/Esc
    Added support for SHA256 installer signature - in the next release the installer will have SHA256 signature as well to support Win10


Known issues

    User log entries require improvement:
        some entries are not added
        for cmd entries only "Blocked" added
        for cmd entries only cmd.exe process added, without command line itself

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

Minął miesiąc i kolejna wersja 3.11...instalator mówi o wersji 3.10, ale tak ma być (na razie )
Sporo zmian opisanych przez dewelopera w cytacie poniżej

Here is the latest version, hopefully I did not forget anything, if so, please let me know

[Aby zobaczyć linki, zarejestruj się tutaj]

. If you have any problems, please delete the files in your C:\ProgramData\VoodooShield directory… but please do not do this first… please test it as it is to see if other users might experience issues.

I think just about everything is fixed and the user prompt and mini prompts are in great shape.

The only outstanding bugs that I know of are:

1. Windows 10 Remote Sandbox not working (should be an easy fix)

2. We need to double check that the Custom Folders is working the way everyone would like them to. Vlad made some really cool changes to this feature, and I just want to make sure they work as everyone expects.

Most or all of the vulnerable processes are hardwired in, but there is a space in Settings / Advance where I am going to add a feature to customize these. I just have not figured out exactly the best way to do it yet

[Aby zobaczyć linki, zarejestruj się tutaj]

. I will work on that while you guys check out this version.

The user prompt has a lot of new features. Please check out the folder icon next to the Process Path at the top, and the details button.

You will at times see a progress circle and it will say “Calculating VoodooAi”. If that file has already been analyzed by VoodooAi, it is stored in the database, so the progress circle is skipped when this file is analyzed again, since retrieving data from the database is a lot faster than uploading the file for analysis. The question is… do we show the “Calculating VoodooAi” graphic when the file is already in the database, just so users will not wonder why the graphic is not being displayed? Please let me know what you think! Also… I am just using a simple animation for this screen for now… I would love to what really cool ideas you guys might have to replace this animation. I was thinking kind of like a heartbeat monitor type graph, going across the screen, and drawing the peaks for each of the algorithms. Anyway, I just used a simple plain one for now, we can easily add a really cool one soon.

Also, on the Details panel, there are 3 graphs that show the raw VoodooAi probabilities for each algorithm… this serves several purposes. First, the composite VoodooAi score includes several other factors that are not included in the VoodooAi raw data. For example, if the blacklist scan detects 45 hits, the VoodooAi composite graph will be adjusted… but only to a certain extent. That is… if the VoodooAi score is super low, it will not affect the composite score nearly as much. See, we want to protect the user, but we do not want to automatically peg the composite VoodooAi score whenever there are 7 or more hits. That would be cheating, and it messes up the results, so that is why I chose to display the raw VoodooAi scores. The raw VoodooAi scores will also be helpful because you guys will be able to tell me which algorithms are doing well, and which ones are not. There are a lot of algorithms we can choose from, (neural network, decision forest, decision jungle, support vector machine, etc), but showing the 3 algorithm results will really help us fine tune VoodooAi.

The auto decision worked out really well, although I need to dial it back a little… it is a little too over protective. But this is easy and I can work on this while you guys are checking out this version.

For a while there has been an issue with VS freezing from time to time on certain systems. I think I know what is causing it, and I think it is fixed in this version. If not, at this point I at least have a very good idea what is up with this issue, and it should be an easy fix. Just please let me know if you experience this issue… most users do not.

In the interest of simplifying VS, there are a few silly old options in settings that I removed. If there is something that I removed that you guys really, really want me to put back, please let me know.

There were a few really cool recommendations or bugs that were post on wilders the last couple of weeks, but I have not had a chance to respond to them yet. Anyway, those are added or fixed, and I will respond to the post soon to let them know that it was been fixed or added.

Please install over the top of your current VS and see how it goes! If you run into issues, please uninstall this version and reinstall it. If that still does not work, just uninstall it and install the old version

[Aby zobaczyć linki, zarejestruj się tutaj]

.

BTW, the version number is still 3.10… long story, I will fix it

[Aby zobaczyć linki, zarejestruj się tutaj]

.

[Aby zobaczyć linki, zarejestruj się tutaj]

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

I poprawki małe czyli wersja 3.12

[Aby zobaczyć linki, zarejestruj się tutaj]

[ichito]

U nas dłuuugi weekend, a tymczasem VS ma nową wersję 3.16 beta

Here is VS 3.16... This should fix most of the Windows 10 issues. I have not heard back from Vlad yet (he has a lot going on at the moment), but I think this is the way he would have fixed it, but I guess we will see for sure soon

[Aby zobaczyć linki, zarejestruj się tutaj]

.

[Aby zobaczyć linki, zarejestruj się tutaj]

BTW, I added some new file details to the user prompt... some of them may not be correct yet (long story), but that is on my list to fix. It is a very easy fix, but it is going to take a little time. I also have not fixed the Threats Blocked count so that it does not include clean files, and a few other things. But I wanted to get the Windows 10 fix out asap... I am not sure if the Windows 10 Egdehtml issue is fixed or not, so if it is not, please let me know.

[Aby zobaczyć linki, zarejestruj się tutaj]

Kilka nowości w "ujęciu graficznym"...znaczy się screeny
- proces instalacji kończy się "kreatorem", w którym nowością jest wybór poziomu ochrony
"AutoPillot Mode" - czyli bazujący na automatycznych predefiniowanych ustawieniach, optymalnych dla ochrony i nie wymagających zbytniej ingerencji użytkownika
"Aplication Whitelisting Mode" - tryb bardziej restrykcyjny, bazujący na ustawieniach użytkownika i dający więcej interakcji użytkownika z programem

[Aby zobaczyć linki, zarejestruj się tutaj]

- a ewentualnej zmiany tych trybów można dokonać z menu programu z zasobnika systemowego, które teraz wygląda tak

[Aby zobaczyć linki, zarejestruj się tutaj]

- ponadto nowa opcja związana z wprowadzoną sztuczną inteligencją (VoodooAi) - po jej włączeniu możemy określić wrażliwość tego modułu czyli w jakim stopniu będziemy polegać na decyzjach AI odnośnie zaufania i blokowania

[Aby zobaczyć linki, zarejestruj się tutaj]