VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And one that blocks an item when you are not at risk ;).
     
  2. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Thanks Dan - that is a very clear explanation of the process.

    I have an AV (WSA) that automatically updates its versions and has done so twice in recent days and uses a unique exe file each time so that the process cannot be whitelisted. I use Always On mode. On the first occasion, I was not at my computer and the lock was off with the GUI turned red and showing OFF. When I checked the VS user log, I saw that VS has scanned and allowed the update process. Yesterday I was working at my computer when WSA updated a second time. On this occasion I had a prompt that I allowed manually (I have unchecked the "Deny by Default" setting).
    This ties in with how VS is expected to work as I see it.

    The point that a few of us were making recently is that we are not in agreement with the GUI turning red when it shows that the lock is OFF because VS still scans any new items and blocks/allows as appropriate. Red when in Training mode IS appropriate because we are at risk and not protected by VS in Training mode. This is what I called truly OFF in one of my posts.

    So I think there is confusion about what OFF means. In some modes (Training) you see a red OFF GUI and VS is not protecting the computer. When in Always On mode for example, as long as the user has left the "Automatically deactivate after x minutes of system Idle" checked, then when VS toggles off you also see a red OFF GUI - but here the computer is still protected. The two OFFs mean different things.
     
  3. I think a few of you are overcomplicating this. I have a 70 year old retired farmer using this application with no issues now, it can't be that confusing ;)

    Just blocking with no prompts is not a good idea at all. Why not use policy restriction if you want to go that route? The prompts and information for average users is what sets this apart from other anti-executables.

    The color scheme is also fine right now. As I stated, in one 20 minute session, I set up and taught an elderly man how to use this, and it has been almost a week, no issues, he loves it.

    Dan, I hope you keep in mind, these are less than a handful of users here, and that average users are not going to use this product if it gets overcomplicated, to which I see this conversation turning. The product is fine the way it is other than the few bugs you mentioned need ironed out. Please do not let these users pick it apart until you no longer recognize the awesome product you have right now.

    I cannot suggest users around my area to use AppGuard, as the GUI is too complicated for them; I do not want to see this product end up in that list.
     
    Last edited by a moderator: Oct 28, 2016
  4. plat1098

    plat1098 Guest

    This solidified the issue for me, just have to accept the color and its meaning in this context. Now I'm over here:

    I think I'm cool now. :cool:
     
  5. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
    I haven't been having any issues with the latest Beta Voodooshields. No freezing or dismhosts alerts. I do get Voodooshields trying to block Webroot when Webroot tries to update and I just hit a low false positive. Otherwise running smoothly! :)
     
  6. guest

    guest Guest

    Yes, it is what I meant, same "display" for 2 different things effects; which may be confusing for some.
    In my case, I don't mind much, I can live with it, since I know the exact details. But I like to have things differentiated very clearly. ;)
     
  7. guest

    guest Guest

    You got me :p Indeed, I like an app to also have a full "Lockdown" mode, block everything unless I personally whitelisted it. One reason I like VS is the possibility to use it in a kind of "Paranoid" mode.

    I am a big fan of AppGuard and ERP because of this "total Lockdown", but if this is not an option in VS, I won't mind ;)
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I totally understand... and I want to make sure that it is not confusing to anyone, so it is great that everyone is discussing this... thank you guys for your help!
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, you are funny ;). You said "So based on your explanation; shouldn't ON block automatically the process without asking a prompt?" You actually can put VS in Always ON mode and change the settings so that VS does not prompt, and also change the setting so that VS does not deactivate when the computer is idle.

    The really funny thing is this... before we added the blacklist scan and Ai, no one EVER discussed false positives in VS. But as soon as we added these file insight tools, all of a sudden, false positives are supposedly an issue ;). It is ironic because the blacklist scan and Ai actually reduce false positives... that is, in Smart and Always ON mode, anything that is determined to be "squeaky clean" is automatically allowed, assuming that a web app is not running (Smart Mode).
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, VoodooAi 2.0 will add these files to the training data set automatically, after the blacklist scan verifies that the file is clean. Then when the models are retrained, since these files are included in the training data set, the accuracy and precision will continue to improve even more. That is a big part of what I am doing with VoodooAi 2.0... it is taking a while to do all of this, but the goal is to be able to quickly and easily retrain the models once a month or so. Thank you!
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool... yeah, once everyone is finished discussing the whole gui thing, we might tweak VS a little, so that it makes sense to everyone.

    This is the way VS is currently:

    When the desktop shield gadget says ON: VS's lock is ON. All new, non-whitelisted executable code is blocked. The file is scanned with the blacklist and Ai to provide file insight to the user.

    When the desktop shield gadget says OFF: VS's lock is OFF. The file is scanned with the blacklist and Ai, and if it is squeaky clean, it is auto allowed.

    Neither of these apply to Training Mode... so should we make the desktop shield gadget say "Training" when it is in Training mode?

    Whatever makes the most sense, I am all for... it will be super easy to change. Thank you!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I totally agree... we need to keep VS as simple as possible. I know what you mean about the 70 year old farmer... I have TONS of VS users who completely understand VS in about 2-3 minutes. There are some small usability tweaks that we can continue to implement, but yeah, we need to keep it as simple as possible. Thank you!
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have to go for now, but I will catch up on the other posts soon, thank you guys!
     
  14. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,189
    Location:
    The Netherlands
    Okay, success, training mode works :thumb:
    I did a clean install of version 3.45 and put it in training mode.
    Printed a file on my Epson printer.
    Then I put VoodooShield in smart mode and printed another file without getting a prompt.
    Couldn't get that to work without training mode, I always got a prompt when printing.
    So Dan please keep the training mode.
     
  15. You don't want to hear this, but . . .

    Typical AE/whitelist adepts are happy with an AE which blocks all programs spawned by vulnerable programs and suspicious command invocations. They would be happy campers with VS2.

    CNET review states that VS3 is a sort of cross over of AE and (next gen) AV. So this attracts new users which have different expectations on False Positives.

    So looking at it from a developer's point of view, it seems that adding extra features that actually reduce false positives triggers an increased level of criticism in regard to false positives.

    So you are standing at a crossroad: develop VS as the user friendliest whitelist solution and remain a niche market product or cross over to the next gen AV market.

    Will VS4 be the better consumer version of Faronics Anti Executable or better consumer version of Cylance Protect?
     
  16. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    In Training Mode OFF means OFF and, on reflection, I think the gadget shield should remain as it is, Red and reading OFF.

    However when VS is in Smart or Always On Mode, we could change from the current ON/OFF labels to read "LOCKED" or "UNLOCKED". This would I believe be a lot clearer as to what is going on under the hood and avoid any confusion as there will then only be one OFF. When VS toggles to UNLOCKED, perhaps we could have another colour, maybe yellow, just to easily see that VS has changed but we are not in danger.
     
    Last edited: Oct 28, 2016
  17. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Didn't it used to be this way?
     
  18. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi Dan,

    The toggling of Locked mode on the basis of Web Apps is not good enough. Windows 10 has a few executables that access the internet in the background. Any of those can be attacked, even though I know that their execution times cannot be pre-determined. Here are the programs that I have found:

    wermgr ( in system32 and syswow64 )
    taskhostw ( only in system32 )
    backgroundtaskhost ( in system32 and syswow64 )
    backgroundtransferhost ( in system32 and syswow64 )

    I don't know exactly what these programs do, but I block them anyway, seeing that I primarily want nothing to access the internet without my explicit permission. The only observable outcome of my blocks seems to be that Windows Spotlight (the lock screen background pictures) does not get updated.

    What do you think?
     
    Last edited: Oct 28, 2016
  19. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    I've come across VoodooShield in a search for a good HIPS component to layer into my system. The more I read up on SSL inspection the more it worries me to run what amounts to a MITM to inspect the traffic flowing to mail clients.

    If malicious code makes it through the mail server and I decide not to inspect that traffic will VS be able to prevent that code sent to the endpoint mail client from executing and delete/quarantine the offending code?

    Additionally, are there any known issues using VS alongside a sandboxing application like Sandboxie?

    My interest is in the Pro version of VS, not the Free version. Thank you in advance for any insight you can provide.
     
  20. guest

    guest Guest

    Yes, exactly what I did from the start ;) but in my posts earlier, I was impersonating an Average Joe. (my way of beta testing ^^ )

    Btw, I attached my settings; are there some more things I should do to increase the lockdown?

    I'm satisfied with your BL scan and Ai, give me some info when I come across not so well known apps/processes
     

    Attached Files: VS1.jpg (120.6 KB), VS2.jpg (133.5 KB)
  21. guest

    guest Guest

    Not sure I understand your question clearly, but VS should react if the malicious code would execute a process (on your system) that is not whitelisted. VS doesn't monitor network traffic.

    I didn't get any at the time I used both together.
     
  22. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    Thank you for the information, guest. It sounds like VS is what I'm looking for if it prevents malicious code execution at the endpoint. I have used the old Sana PR in a commercial setting before they were snapped up by AVG and was very happy with that solution. Cracking open SSL to inspect traffic before it reaches its intended recipient seems to cause as many problems as it solves, and I'd prefer to keep that link intact and stop any code from getting a foothold on client PCs that makes it past scrubbing from mail servers.

    Also good to know that you haven't seen any compatibility issues using VS with Sandboxie.
     
  23. guest

    guest Guest

    So VS will be useful to you. With the pro settings (I put screens of my own settings in my posts above, you can look at them), you will tailor VS to block unwanted executables from being launched while getting some info from the cloud and AI in case you are not sure what to do when the prompt asks you to take a decision.

    Sandboxie isolates while VS blocks, so theoretically no incompatibilities should occur. If SBie is installed first, then during VS installation, SBie's processes will be whitelisted automatically (and you can even whitelist all running processes on the fly)
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Will VS have the same problem as SecureAPlus, being banned from VirusTotal?
     
  25. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Personally,
    I am still using V3.44 (Auto mode) + Windows Defender on a Windows 10 64-bit system. Never had any issue for 1 month or more!!!!

    I can deal with any message from VS.
    I tested many, many malware from everywhere & I confirm that VS provided me excellent protection with WD, for both scanning and running malware.

    I enhance my protection by using:

    Comodo Firewall (Automatic sandbox enabled)
    +
    Zemana Anti-logger(real time) + Adguard (protect bad URL and ads) + MBA exploit (protect zero day browser exploit)

    Thanks,
     