VoodooShield/Cyberlock

Sure... command lines are sometimes used by programs to perform certain tasks, but they are also used by malware to start their payloads, so they have to be protected since they can be dangerous. For example, a program might need to kill a task for some reason, so they would use a taskkill command line... something like this: taskkill /f /im notepad.exe

I hope that brief description gives you enough info, if not, please let me know.

On the logs... mine seems to be working great, but I will keep a close eye on them. I will check to see about updating the allowed time... that makes sense, and is something we should fix. Thank you!

 

Now I am totally confused . Can you please help me understand what you mean?

 

Yeah, the more I think about it... it should have one entry for the blocked time and one for the allowed time. Does that sound right to you guys? I will check it out and see... I have not played with the logs in over a year.

 

Hmmm, thank you for letting me know... is this whether the "Hide the desktop shield gadget when another program is full screen" is checked or not?

 

Cool, thank you for your input! Yeah, please keep in mind that VoodooAi and AutoPilot is very, very new, and there are a few things we need to do to make them a little more user-friendly. I am not sure what all suggestions you are recommending, so can you please make a list and I will see what I can do?

I think you would be surprised how well complete novices can easily use VS. I have VS installed on 300-400 machines (my local clients), and they hardly ever have an issue with VS, even the complete novices. But that being said, I agree, we need to make it as user-friendly as possible, so I would appreciate any suggestions that anyone has.

 

Any program you run & get alert...there are 2 entries for that program in the logs...1 as blocked & 1 as allowed, is this by design?

 

I meant in previous versions Scan & Allow Mode was blacklist scan & VoodooAi only. I never got cmd, scripts, etc... alerts on Scan & Allow Mode. So I liked Scan & Allow Mode & think roger too for the same reason.

 

I have mentioned the options in few of my posts here on the thread.
1. Detection level for blacklist scan i.e ex- set to "3" VS will alert on detection by 3 or more AVs.
2. VoodooAi alert option i.e show alerts for Unsafe only.
3. Scan & Allow Mode - should be Blacklist scan & VoodooAi only. No cmd, scripts, etc... alerts should be there in S&A Mode.

 

Yeah, that way you can tell that the file was initially blocked, and later allowed. I see what you are saying though... if the user allows the file on the initial block, we probably do not need to log the block.

 

It must have been a bug... if the item is not whitelisted, it should be blocked, even if you try to run it from a command prompt, right? But once the item is whitelisted, then it is no longer blocked, whether you double click on the file or run it from a command line, right?

 

Cool, thank you for the suggestions... I will put these on my to do list and look at each one closely.

 

That would be good, right? If allowed on alert then logs should show allowed & if blocked on alert then logs should show blocked.

 

If it was a bug I loved it.

VS has Default Smart Mode & Always ON Mode for strong & maximum protection.

Why not keep Scan & Allow Mode kinda AV Mode of VS i.e Only Blacklist scan & VoodooAi protection?

 

Yeah... I see what you mean. The block event is being logged because technically the file is blocked before it is allowed. So we might be able to make it so the blocked event is not logged if the user allows the file.

 

Hehehe, how funny.

Are you saying that you want to be able to launch anything from a command prompt, even if it is not whitelisted? I do not think there is a safe way to do that.

 

I am not talking about safe way to do that, etc...

I am simply saying VS already have anti-exe mode, Smart Mode & Always ON Mode...These Modes protects everything & are anti-exe mode.

So why dont have an AV Mode too in VS that protects with blacklist scan & VoodooAi only? And Scan & Allow Mode can be that AV mode in VS.

 

Hehehe, good point... give the little guy some credit, huh? .

I think what yesnoo is saying is that if the user allows the item, then the blocked entry should not be in the log. I think for now we can keep it the way it is and we can figure it out at some point. Thank you!

 

That is pretty much what AutoPilot is... we probably just need to refine it a little more.

In the AV Mode, would non-whitelisted items launched from a command line be automatically allowed?

 

S&A Mode should work with blacklist scan & VoodooAi only. So that would be AV mode in VS.
i.e if blacklist scan & VoodooAi not detect malware then allow & if detect malware then block. Programs allowed/blocked only on the basis of blacklist scan & VoodooAi. No other monitoring.

 

Hmmm, it seems to be working for me in VS 3.16. I put VS on AutoPilot, then launched a non-whitelisted app from a command line, and it was a clean file so it was automatically allowed. Then I tried to launch a file from the command line that has 8 blacklist hits, and it was blocked. Is this what you mean?

 

Yes, that option is selected, as it works as intended.

I apologize, I wasn't very descriptive in my last post, But, what I actually meant to say was, shouldn't the VS gadget re-appear once I exit full screen? Because in version 3.16, it stays hidden after exiting.

 

I guess I am not able to explain it well. Let me try again -

Auto/Scan & Allow Mode - I mean a program execution allowed should be completely allowed & no further alerts should be there whether the program further runs cmd, scripts or whatever.

 

@VoodooShield

Dan, VS has froze on me once again. I have two .DMP files for you but they are pretty big. I'll send you a PM with a link to download them.

 

I'm sorry, but in its current state VS is not usable for me. Every time I get a prompt VS freezes not long after, regardless of if I allow or block the program or command line. What is the point of a security program that needs to be killed in Task manager to become functional again?