VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    It sounds like your red and blue are reversed. It is supposed to turn red after a period of inactivity...
     
  2. guest

    guest Guest

    Yes, it's an easy way to add executables to the whitelist instead of answering the prompts. But before installing "unknown/new" software I turn it ON. I don't want VS to automatically whitelist malware... you never know ;)
    And I've seen that too, a lot of tools from NirSoft are declared as malware.
    Edit: small correction
     
    Last edited by a moderator: Oct 30, 2016
  3. There is no black and white when it comes to tools that can be used for good or bad, that area is all grey, and since many of those tools that can be used this way are often used by the cybercriminals, they get flagged, this does not mean it is a false positive if you intend to use them for legit reasons. Personally I would prefer them to be flagged and allowed upon that user's consent.
     
  4. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Very interesting,
    https://www.youtube.com/watch?v=oie6nzCK6KU
     
  5. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    You are correct of course. I suppose that I should have explained that I only use the "Training Mode" to whitelist files if they were previously flagged up by a VS Scan when installing. After investigation if I determine that the file is actually safe then I use "Training Mode" to whitelist it. VS is not perfect yet but I'd much rather get a few false positive detections along with the real detections than none at all.

    RE: Nirsoft products. You would not want some of them installed unknowingly by other users but if I want to install or run them for my own purposes I don't see any problem.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And here we go again ;) https://malwaretips.com/threads/com...hips-off-on-and-voodooshield-autopilot.64977/

    I tested the same file from the video that hamo posted, and guess what? All 3 of the "big name" Ai products determined this file to be clean as well. VoodooAi scored the file 0.4775, which is just under the 0.500 threshold for VS to block the file in AutoPilot mode. The new VoodooAi 2.0 will probably do better, but either way, Ai will never be perfect, and I still stand behind my initial conclusion from 5+ years ago... if the computer is at risk, it needs to be locked.

    Also, keep in mind, VS will auto allow sandboxed processes from other security apps (Comodo in this case), unless the Parent Process feature setting is disabled in VS... so if you are going to test VS, please do it properly. Of course, when tested with Comodo not installed, VS blocked the file perfectly.

    When I tested the file in AutoPilot Mode, VS blocked it because the blacklist scanner detected 7 threats. If there are any threats detected, or if the file is unknown, VS will automatically block the file in AutoPilot mode.

    Having said that... YES, IT IS POSSIBLE TO BYPASS VS IN AUTOPILOT MODE... here are 7 bypasses that I posted a couple of months ago: https://www.youtube.com/watch?v=bOXnpUHYD4Q
    The bypasses were also a result of me disabling the blacklist scanner and only relying on VoodooAi... Ai is not perfect, and never will be.

    But yeah, if you can find a file that has 0 / 57 blacklist detections and not unknown, and a VoodooAi score is less than 0.5000, then VS will allow the file in AutoPilot mode. I do not think this is what happened in this case... I think the issue was that VS auto allowed the Comodo sandboxed process, since this option is enabled by default. We can disable this option by default if it is an issue.

    One last thing... if anyone is going to test VS while lowering its protection levels (AutoPilot Mode), then test other security products and raise its security levels... well, I guess I should take that as a compliment and say thank you!

    @hjlbx... now that you know the whole story, is the evidence still irrefutable? ;). BTW, you are completely wrong about suspended processes.

    @Kees... are you still suggesting that the computer should not be locked when it is at risk? ;).

    Thank you hamo!
     
    Last edited: Oct 30, 2016
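
The AutoPilot decision rules described in the post above, written out as a small model to show why a test run with another product's sandbox as the parent says nothing about VS's own verdict. This is an added example, not VoodooShield code and not part of the original post; the class and function names and the order in which the checks are evaluated are assumptions drawn from the post's description.

```python
from dataclasses import dataclass

AI_BLOCK_THRESHOLD = 0.5  # per the post: a VoodooAi score under 0.500 is not blocked

@dataclass(frozen=True)
class Sample:
    detections: int   # blacklist engines flagging the file (out of 57)
    unknown: bool     # file is unknown to the blacklist scanner
    ai_score: float   # VoodooAi score

@dataclass(frozen=True)
class Setup:
    parent_sandboxed_by_other_app: bool   # e.g. launched from Comodo's sandbox
    parent_process_feature: bool = True   # enabled by default, per the post

def autopilot_verdict(sample, setup):
    """Return (verdict, reason). Assumed precedence: exemption first."""
    if setup.parent_process_feature and setup.parent_sandboxed_by_other_app:
        return ("allow", "parent-process auto-allow")
    if sample.detections > 0:
        return ("block", "blacklist detection")
    if sample.unknown:
        return ("block", "unknown file")
    if sample.ai_score >= AI_BLOCK_THRESHOLD:
        return ("block", "VoodooAi score")
    return ("allow", "clean on all checks")

def is_confounded(sample, setup):
    """True when the verdict differs from VS running without the other app."""
    alone = Setup(False, setup.parent_process_feature)
    return autopilot_verdict(sample, setup)[0] != autopilot_verdict(sample, alone)[0]

# Constructed from the figures in the post: 7 detections, VoodooAi score 0.4775.
VIDEO_SAMPLE = Sample(detections=7, unknown=False, ai_score=0.4775)

def report(sample=VIDEO_SAMPLE):
    """One row per test setup: (sandboxed, feature, verdict, reason, confounded)."""
    rows = []
    for sandboxed in (False, True):
        for feature in (True, False):
            setup = Setup(sandboxed, feature)
            rows.append((sandboxed, feature, *autopilot_verdict(sample, setup),
                         is_confounded(sample, setup)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Only the row with the sandboxed parent and the Parent Process feature left enabled comes back as allowed and confounded; the other three setups block on the blacklist detections.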
  7. janocheats

    janocheats Registered Member

    Joined:
    Nov 8, 2015
    Posts:
    7
    Location:
    Czech republik (Jirkov)
    Here, I have switched to Comodo HIPS, sandbox, etc. voodooshield and locked into lock down mode and the same succumbed .-)
    In the case six minutes.
    https://youtu.be/oie6nzCK6KU?t=412
     
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    @VoodooShield Will VS ever be able to block bad extensions from installing like mentioned here? https://www.youtube.com/watch?v=V8oh5Wf89_k @12:52 in video BTW
     
  9. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    I got it. :thumb:

    But if I disable the Parent Process feature setting, I will get many alerts. Am I right?

    Thanks Dan.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Probably not... for A LOT of reasons.

    1. Each browser handles extensions differently, so it is not as easy as it sounds.

    2. Most or all modern browsers actually block these extensions (it is their job to do so)... and actually, this extension was blocked with an affirmative prompt twice in the video 12:51 and 12:57, and it probably is not advantageous to block it a third time.

    3. Modern browsers handle extensions MUCH better than they did a few years ago... back in the day when BHO made everything a total mess. So now they are quite easy to remove.

    4. All of this would add a lot of unnecessary complexity and bloat to VS, which we obviously do not want... we want it to be lean and mean.

    Having said that... I was actually trying to think of the best, or actually any software that does block this kind of stuff. I googled for a while and came up with nothing, but I am certain there is something on the market that does block this kind of stuff... if there is, please let me know, I would love to try it out and combine it with Webroot and VS for my local clients. I think a lot of standard security software blocks some of this stuff, but they are extremely careful what they block when it comes to PUPs because they are afraid of being sued by the PUP / toolbar crooks... and it happens a lot. Anyway, if you guys can recommend something, that would be cool.

    I always wondered why adwcleaner did not come out with something to block this kind of stuff... it is an amazing product that is extremely effective in removing this kind of stuff, so I would think that they would be rather adept at developing something that would block this stuff in the first place. Who knows, now that Malwarebytes bought them, maybe they will create something really cool soon.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This option does reduce the amount of alerts quite a bit, but mainly when you are installing new software. I am not sure, you should try it for a while and then tell us what you think!

    I will catch up on the other posts soon, thank you guys!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, if anyone would like the sample from the video, please let me know. It would be nice to see other people test as well, instead of just watching videos and drawing the incorrect conclusion ;). Time after time. After time.
     
  13. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Yes, send me a link for that sample.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The funny thing is that David (the tester) and I have emailed each other, and he is FULLY AWARE that VS's parent process feature has to be disabled if you are going to test Comodo with VS, but yet he fails to mention it on MT.

    BTW, fun fact... when testing AV software, it is probably not a good idea to test two security apps together.

    Is anyone NOT AWARE that security software has a tendency to conflict with each other?
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, check your PMs. Please share with whoever. The password is infected.
     
  16. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    I love it when the gauntlet is thrown down.
     
  17. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    http://cloud.screenpresso.com/7c3G/2016-10-31_02h13_00.png
    http://cloud.screenpresso.com/0GoQf/2016-10-31_02h14_50.png
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @hjlbx... I hear you are now formally an employee of one of VS's competitors.

    If this is true, you might consider making absolutely certain that your comments are true, otherwise there will be very serious consequences.

    In the future, you might consider taking the time to run a 10 minute test for yourself, instead of simply watching videos and drawing the wrong conclusion.

    I ran the test, it took all of 10 minutes. Have Barb ask one of the developers to run the same test in the morning. They will experience the same result that I did. If you need the file, please let me know.
     
  19. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @guest, thank you for taking the time to show me to answer my questions. I have a higher degree of confidence that VS is going to allow me to have greater control of that traffic that exits through encrypted connections, saving me from breaking security with a questionable benefit.

    On a side note is it possible to customize the notification icons? Personally I don't think the terminology is exactly clear and would like to modify if possible. Thanks.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @hjlbx

    You know you are wrong, once again, and your only defense is free speech?

    Free speech does not give you the right to trample on other people’s rights or property. You are free to speak your mind, and if what you are saying is true, then you have nothing to worry about. If what you are saying is not true, then you do have something to worry about. For the same reason, you are not allowed to yell “fire” in a crowded theater.

    These childish episodes that you engage in are extremely annoying… you even stated “It's very fun to watch and even more easy to goad people into it.” Really? How old are you, 11? I am genuinely sad for you that one of your great enjoyments in life is to pull pranks on security forums.

    Most people are on MT and Wilders to discuss and learn about malware… not to be tricked or duped by your childish antics. Keep it up and no one is going to take you seriously.

    Since you did not want to bother running a valid test, I ran one for you.

    www.voodooshield.com/artwork/hjlbxfail.mp4
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hi OSTexo, nice to meet you! Are you talking about changing the actual verbiage on the prompts? Please give us some more details and we will let you know, thank you!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have a better idea Davidov and guest, why not test VS Free properly, without Comodo? Is that not a better solution ;).
     
  23. guest

    guest Guest

    Really? Come on... testing an app and modifying its default setting without notifying the watchers is ridiculous... I usually dislike devs who "deny" a flaw/bug even when proof is in front of their eyes; I likewise feel the same about "testers" that "forget" to mention things in their tests.

    You are welcome ;)
     
  24. guest

    guest Guest

    At the moment, I won't even recommend Comodo because of their "rules disappearance" bug that has existed for years and is still not fixed.

    I like only anti-exe (and strong HIPS, like Comodo), so actually there are only 2 (stable and regularly developed) apps that meet my criteria and that I can recommend: AppGuard and VS. I recommend AG for advanced users and VS for the Average Joe.
     
    Last edited by a moderator: Oct 30, 2016
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, you are forgetting one VERY important thing... CS tested the sample PROPERLY with Comodo, and Comodo handled the file correctly, there was no infection.

    What do you suppose would have happened if she would have also been running VS Free on AutoPilot? ;)

    If it is an issue, we can always disable the Parent Process feature by default.
     