VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. guest

    guest Guest

    yep , my first idea was to let VS automatically decide when enable/disable the Parent Process feature based on the mode.

    Then Dan had another idea , which is removing the feature from the settings and replacing it by an "Allow All" button in the initial prompt , then i gave some input on it.
     
    Last edited by a moderator: Oct 31, 2016
  2. Our views really don't differ that much. Whitelisted parent process feature already allows non-whitelisted child processes to execute (and custom folders allows execution) in user folders, so your smart lock is not a dead lock but a whitelist ;)

    I suggested to put less emphasis on Anti-Executable lock (because AE is a small and mature market) and more emphasis on whitelist and Artificial Intelligence (because Next Gen is an evolving and attractive market) and make SMART mode a little smarter.

    By building a signed programs whitelist at System Snapshot Scan, the vendor signature whitelist is tailored to the user's PC. The smaller the trusted vendors list, the lower the chance you might stumble upon a signature obtained by malware writers.

    All mainstream software is signed, and the 'whitelisted parent process' feature should prevent 99% of the sloppy installers (signed installers having unsigned components) from being blocked (which increases usability and user friendliness).

    Slightly different SMART MODE (changes in red) to sell VS as Next Gen Hybrid solution offering best of both worlds (white and blacklist) using proven and next generation technology (AV and AI double check).
    1. Always ON
      This is the current Always ON mode
    2. SMART mode
      In SMART mode ONLY signed programs of the trusted vendors list are allowed to run in user folders with the additional double cross check that BOTH AV-blacklist and AI-engine rate the new signed program as SAFE.
    3. AUTO(pilot) mode
      Is current auto pilot mode.
    4. OFF mode
      Is current OFF mode
    Paid versus free
    Paid unlocks features in the GUI; free only has two modes (SMART and OFF). Cuckoo Sandbox is also disabled in free (only a few experts use it). I also suggest keeping the gazillion advanced options of VS on default and simplifying and cleaning up the user interface.

    Simplify user interface:
    1. Basic settings (related to core functionality)
      - Register
      - Notification: silent, notification, mini-prompt, full-prompt
      - Enable or disable log
      - Set AI sensitivity level
      - Enable or disable whitelisted parent-process allow
      - Enable or disable anti-exploit child process block
      - Enable or disable AV blacklist scan
      - Enable or disable AI engine
      - Enable or disable Command line block
      - Enable or disable Cuckoo sandbox
      - (New) Enable or disable Build trusted vendors list at system snapshot
      (disabling this new feature would bring back 'old' smart mode block all behavior)

    2. Separate tabs for major features
      - Quarantine (list of blocked programs) = existing feature
      - Internet Apps (option to add vulnerable programs) = existing feature
      - Custom folders (option to add excluded folders) = existing feature
      - Commands lines (option to add blocked command lines) = existing feature
      - Trusted vendors list (option to add or remove trusted vendors from trusted signed programs) = new feature
      - Trusted antivirus engines list (option to select or exclude certain AV-engines) = new feature

    This limitation to ONE free protection mode (SMART) has the advantage that youtube-testers can only test VS properly (how it should be used by average user). You simply don't have the means and manpower to deal with the noise and possible bad publicity generated by those well intended but often incorrectly executed tests of youtube-testers.


    Regards Kees
     
    Last edited by a moderator: Oct 31, 2016
  3. guest

    guest Guest

    Yes, it is. Look at it with a hex-editor and you can see some notes from the author. I copy&pasted some of it:
     
  4. This is the problem with adding more to an already well working application. Placing an "Allow All" button next to an "Allow" button will only confuse average users. There is already an option in advanced settings "this is for Advanced users" and placed exactly where it should be, in a place average users will think twice of messing with.

    I'm not for a change like this; it is not necessary, and came about from a supposed bypass that does not exist.

    @VoodooShield your product is golden the way it is out of the box; I would not implement anything more into the prompts than what you already have. Just my two cents from a user that works with average users a lot around my area.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you mood, I was looking for some notes from the author, but was unable to find them in the source code... "It was intended for submission to the User-Made Malware Youtube series"... it all makes sense now.

    I am going to get back to work on VS ;).
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I appreciate that! Yeah, any change we make will be a subtle change, and we will discuss it on here first.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I agree Kees! I just think that VS's application whitelisting component and Ai are a great combo and complement each other very, very nicely.

    Thank you for all of the suggestions!
     
  8. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    I think this is a really excellent idea @guest :thumb:
     
  9. guest

    guest Guest

    Thanks @askmark, this is the least intrusive option, since the basic user has nothing to do.
     
  10. guest

    guest Guest

    It is why I proposed to let VS automatically disable the "parent process" thingy when the user decides to go "Always On" and re-enable it when back on Smart Mode.

    The best example I can see is when the user downloads/tests an unknown executable: moving to Always On will disable "parent processing", making the system safer; then, once done with the executable, the user will move back to Smart Mode (and Parent Processing will be automatically re-enabled). Easy to implement and use, non-intrusive/non-confusing, transparent, and safe.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Is there a way to hard-wire this pop-up from Troy Smith? It keeps popping up and freezes Cyberfox until it is allowed.
     


  12. guest

    guest Guest

    Can't it be whitelisted manually?
    VS Free or Paid?
    Which mode are you using?
     
  13. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Paid & Smart Mode
     
  14. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    That file is auto whitelisted for me.

    [Attached screenshots: Whitelist.jpg, VoodooShield Settings.jpg]
     
  15. guest

    guest Guest

    Is G: your system partition, where VS is installed too? (Just asking to be sure.)
     
  16. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    I purchased some licenses of the Pro version of VS about half an hour ago. Should I be waiting for product keys, or is the email / password method of activation just the same? If I retire old hardware and want to move the Pro licenses to new hardware, is it as easy as removing the computer from the VS online account (assuming it is identified by machine ID?), uninstalling from the old hardware and registering on the new hardware? I purchased multiyear, so it would be helpful if I could move the license when needed. Looking forward to using VS. Thanks.
     
  17. Same user tested VS again; this time he left the internet connection on and the sample is not sandboxed, and he finds it suspicious that he has different results. :rolleyes:

    He stated and quote
    This user has no business testing, as he does not comprehend evidently how to do so. It also has wasted the time of the developer. Maybe someone left over at the "other site" can explain to the Admin why allowing videos done by these users is not wise and wastes many peoples time with misinformation.

    new test: Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)
     
  18. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    The ability for a user to "test" an application in a compromised state is more often than not indication of a shortcoming in the UX of the program and less about actual feature capability. As the UX in VS stands now it seems to be quite easy to make somewhat deceptive videos because VS is not really giving the right feedback in the right place. You won't change the cutthroat nature of the security market, but you can certainly change your UX in all areas to make it nearly impossible to not know the state of the application.

    In a way the "tester" has done you a service. If he is able to make a video that seems to indicate a poor result by settings only there is a possibility that the average user could work himself into that sort of situation as well. The lack of clarity and state awareness is very risky when it comes to security.
     
  19. This tester did nothing but waste time. Sure, a user could actually click "Allow" instead of block or quarantine; they could even mess with the settings just enough to disable important aspects of protection by the product and find themselves in the same kind of situation. This can be done with any product. The developers of the products are not responsible for how a user chooses to use their product, and if done incorrectly, it is on the user. No security in the world can protect a user from themselves.

    It is very obvious he does not know either product, or what each does and how, and he combined them to make a video :rolleyes: Had he learned this application first, then tested it properly by itself, he would not have come to the conclusion he did, and there would not be several pages already started here in this thread on it, let alone the one still rolling over at the other site.
     
  20. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    I happen to have a different perspective on the matter @LucentWarrior. The issue for me in this case with the VS UX is that it is not apparent that the "tester" has compromised the application by using it in a fashion that it was not intended for.

    The responsibility to do this falls on the developer for the sake of having his product represented in the correct fashion at the very least.

    Whether this "test" (I'm using the term lightly in this case) was done in an uninformed or malicious fashion isn't material, the fact that they were able to make it appear that the security was enabled when it in fact was compromised is a big problem for any security product.

    Thinking of this from a social aspect, what if someone called a VS user up and was able to convince him to change settings within the product to compromise security? Without appropriate feedback and program state the unscrupulous individual could use that failing of the UX to his benefit. See your shield is still blue, you can trust me, right?

    Something to remember is that you have to craft user experience for everyone, even the person who has trouble tying his shoes. It's expecting too much to think someone will learn an application, read a manual, and interact with the developer of a product before testing. Over 100 people viewed that video and it hasn't been downranked into oblivion, so when someone comes across that video what is their impression of VS going to be? Chances are that they won't give VS a second thought, because they saw it being "compromised" on Youtube. Is it fair? Not at all, but that is the current state of how the average prospect evaluates product today.

    So I stick with my assertion that this "tester" did VS a service, because he revealed a weakness in the product that can be easily exploited. I have no doubt that this exploit can be fixed so that it doesn't happen again, it will just take some thought on how to properly address these sort of situations from a UX perspective.
     
  21. I think you do not understand as well. VS takes a snapshot of the system when first installed; everything on it is whitelisted. From that point forward he would have to have the sample introduced to the system, meaning more than likely the internet connection would be on, meaning VoodooAi and the blacklist would also be used. Secondly, VS also allowed the file because it was sandboxed by another product that happened to allow it also, because it marked it as trusted.

    Nowhere did I see a VS bypass in that video; the product responded as it should have. Had the firewall also included in the video not trusted the sample ("I'm not going to give you a history lesson on the Vendors in the trusted list"), the sample would have been contained. Had the user tested just VS, it would have been contained. There is not an exploit in this scenario, and it is not up to the Developer to try and stop the many YouTube testers who have no clue what they are doing from making videos that represent that. It is up to the audience and the Admins of forums to stop videos with misinformation from existing. As for users going to YouTube and watching, it is up to them to use common sense and take videos with a grain of salt, especially when they see the user clearly does not understand the products he is attempting to make a test with.

    Now, can I claim this product is 100% bulletproof? No, I cannot. But can I claim that I have tested this product against many scenarios and more malware in each test than an average user will see in a lifetime? Well, yes I can, and still to this date I have not bypassed this product; that speaks for itself.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    That goes for many things, not just program tests. ;)
     
  23. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @LucentWarrior, it doesn't take a rocket scientist to understand that this is not a legitimate "test", but it does take someone with a certain mindset to see the video for what it is.

    You not seeing a VS bypass is coming from the perspective of an experienced user, again how many people do research and read documentation nowadays? How many people are truly interested in educating themselves on the products they use?

    I'm not doubting the effectiveness of the feature set of VS at this point, I wouldn't have put down money for it if I had. I don't think it's reasonable to expect users, forum admins or anyone else to police content, that doesn't work and is sure to quickly destroy any confidence in your product. I do think that developers have the power to improve their product from a feature and usability standpoint so videos like this can be seen for what they may truly be by a larger percentage of prospective users.

    It's easy to go with the "blame the user" line of thought, but that doesn't contribute anything to bottom line revenue for a business. It is possible to respond to those sort of videos by improving the clarity, usability and state awareness of your product so viewers will dismiss the video instead of your product.

    This type of protection is elegant and effective in its simplicity. I wouldn't get wound up at all over these sorts of videos; they can always be viewed as an opportunity to improve the product.
     
  24. janocheats

    janocheats Registered Member

    Joined:
    Nov 8, 2015
    Posts:
    7
    Location:
    Czech Republic (Jirkov)
  25. So if these users will not take the time to do so, then them seeing the video is of no concern, correct?

    I do believe the Developer already did so when the first video was posted, hence the "Here we go again" post of his, yet that conversation is still ongoing and many are still viewing it as a bypass over there. As for videos on VS, if a user cannot enable themselves to read the guide or look through some research results in a Google search, there are a few of those out there as well. If there were 50 users testing and having this issue, I could understand your thought process, but it is one user, who incorrectly tested a sample with two products, so yes, blaming that user for not knowing the product before testing it is how it should be handled. No tester should ever test without first learning the product being tested, nor should they do so if they are not experienced at handling malware and containing it properly, as you can clearly see he did this on a live machine and not in a VM. Now, to add insult to injury over where this is taking place, a few YouTube testers are there that test incorrectly, and everyone there encourages it, even some Vendors, because the tests ultimately make their product shine; even though incorrect, it adds up to revenue. There is a reason this website does not allow those kinds of tests here, and why many on this site look down on YouTube tests: a handful of users doing so have no clue what they are doing, and are making the rest of them look bad, as well as the sites allowing them. So no matter what this Dev does here ("which is a lot, guy is a machine I think"), there will always be another tester who comes along, half-asses a test and calls it legit, and he/she will need to be proven wrong, as is the case here, but this knowledge is not making it over there, with the exception of the few of you that are over here as well.

    Now, if the Dev has to keep stopping to contain these "so called bypasses" then this means he is not spending that time fine tuning the product that is not released to stable yet, and with this, we all lose. So picking up some slack and helping the Dev deal with this and set things straight actually helps us all move on.
     