VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you. One of the big things I am doing is fixing the prompts so they make a lot more sense. And hopefully VoodooAi will be working great in Croatia soon... I think Vlad already fixed that, but that is on my list to check out.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Kees! I am not sure what USP means, but it sounds like a compliment, so thank you! I hope our "blacklist scan" provider decides to utilize our VoodooAi API... we could do some amazing things with all of the Ai "training files" and data they have. That is, we could retrain our machine learning models from their data set, and the results would be amazing. See, I could only collect so many clean and malware files for our training data sets on my own, but they have like 1000 times more than VoodooAi will ever have, and they would be truly random samples, which would only improve the results.

    Either way, the infrastructure is in place now, and worst case scenario, the new VoodooAi cloud will be gathering tons of random meta data, so in a couple of months I will be able to retrain the Ai models for even more accurate and precise results.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you mood! Yeah, at this point I do not think it is safe to auto allow by publisher in general, after seeing all of the signed malware when building VoodooAi. Besides, with the VoodooAi cloud, we will not need to do this anyway... it is hard to explain how it works, but hopefully one day I will be able to explain it better ;). So for now, VS temporarily allows by publisher... that is, if the user clicks allow, and that file is signed, then subsequent "blocks" that have matching digital signatures are temporarily allowed.
     
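The "temporarily allow by publisher" behaviour described in the post, modelled as an added example (not VoodooShield's code). It assumes each file arrives with an already-validated signer name, or None when unsigned, and a fixed time window; the class names and the default window length are assumptions.

```python
"""Model of 'temporarily allow by publisher': an Allow click on a signed file
opens a short window in which later blocks with a matching signer pass.
Added illustration, not VoodooShield's code; names and the default TTL are
assumptions, and the signer is assumed to be validated before it gets here."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class FileEvent:
    path: str
    signer: Optional[str]  # validated certificate subject; None if unsigned/invalid

@dataclass
class PublisherAllowPolicy:
    ttl_seconds: float = 300.0
    _expiry_by_signer: dict = field(default_factory=dict)  # signer -> expiry time

    def user_allowed(self, ev: FileEvent, now: float) -> None:
        """User clicked Allow; remember the signer for a limited window only."""
        if ev.signer is not None:
            self._expiry_by_signer[ev.signer] = now + self.ttl_seconds

    def decide(self, ev: FileEvent, now: float) -> str:
        """'allow' when a matching signer is still inside its window, else 'prompt'."""
        if ev.signer is None:
            return "prompt"  # unsigned files never inherit trust
        expiry = self._expiry_by_signer.get(ev.signer)
        if expiry is None:
            return "prompt"
        if now >= expiry:
            del self._expiry_by_signer[ev.signer]  # window closed; ask again
            return "prompt"
        return "allow"

def walkthrough():
    """Constructed sequence: a second file from the same signer is auto-allowed
    inside the window (this is why the allow is temporary, not permanent),
    unsigned files always prompt, and the window expires."""
    policy = PublisherAllowPolicy(ttl_seconds=60)
    installer = FileEvent(r"C:\Users\me\Downloads\setup.exe", "Example Publisher Ltd")
    helper = FileEvent(r"C:\Users\me\Downloads\helper.exe", "Example Publisher Ltd")
    unsigned = FileEvent(r"C:\Users\me\Downloads\tool.exe", None)
    decisions = [policy.decide(installer, now=0)]      # first run: prompt
    policy.user_allowed(installer, now=0)
    decisions.append(policy.decide(helper, now=10))    # same signer, in window: allow
    decisions.append(policy.decide(unsigned, now=10))  # unsigned: prompt
    decisions.append(policy.decide(helper, now=61))    # window expired: prompt
    return decisions
```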
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I am confused on this discussion, I have no idea what you guys are talking about ;). Please let me know what you guys mean and I will try to help!
     
  5. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I'd imagine it is unique selling point.
     
  6. @Elwe Singollo (correct :thumb:) and @VoodooShield sorry for the buzzword, I help startups (private/venture capitalist funding) and 'second phase jumps' (preparing for Initial Public Offering) with marketing & sales
     
    Last edited by a moderator: Apr 9, 2016
  7. andi_cro

    andi_cro Registered Member

    Joined:
    Dec 24, 2013
    Posts:
    49
    Location:
    Croatia
    I reply to what Djigi said:

    "Try to install Cyberghost VPN.
    VoodooShield pop-up, threat not detected, AI said it is Safe, file is digitally signed, everything is clean - so why pop-up"
     
  8. hjlbx

    hjlbx Guest

    Now I know why you are always crabby... :D
     
  9. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Has anyone seen this video
    http://v.youku.com/v_show/id_XMTUyMDA2NDAyNA==.html
     
  10. @Tomin2009

    No, looked at it but could not figure out which security software was tested. So tell us what it shows.


    @hjlbx,

    Thank you for your valuable feedback. I always read your posts with interest and value your opinion. If more people were as committed to true and open candour as @hjlbx, the world would be a more enjoyable place to live in.
     
  11. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Spyshelter, VoodooShield, Comodo, ESET…

    In a word, they can block *.exe, but can not stop dll injection.
     
  12. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    But something has to inject the DLL :argh:
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That video cracks me up... why would anyone post a video that clearly shows the payload being blocked at 6:55 in the video? If they showed the payload execute along with ransom demand, I would be concerned. BTW, please note the SUPER HIGH VoodooAi results ;).

    Even though it is not necessary, the new VS that I am working on now will actually block the child processes of the exploited web app (conhost.exe, etc.), so it should block all shell code as well. The main reason I am doing this is because AV test labs used to only evaluate based on if the payload is allowed to execute, but now some are also evaluating on whether shell code is allowed to run or not. And since it will only make VS safer, there is no reason to not implement this new feature. Think of it this way... here is a quick and dirty test... open Internet Explorer, then go to File / Open, and try to open powershell or a command prompt. Even though the payloads from these interpreters would be blocked, it is probably better to just block the interpreters.

    The new mini filter kernel mode driver that VS 3.0 uses actually can monitor DLLs... we just have not implemented this yet since it is not a high priority, because as Baldrick said, something has to inject the DLL.
     
    Last edited: Apr 9, 2016
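A detection-side view of the "block the child processes of the exploited web app" idea in the post above, as an added example that is not VoodooShield's code: it walks constructed process-creation records (Sysmon event 1 style fields) and flags interpreters whose ancestry includes a browser, so the conhost-spawned-by-cmd-spawned-by-IE case is caught as well as the direct one. The BROWSERS and INTERPRETERS sets and the sample records are assumptions.

```python
"""Flag interpreters (cmd, powershell, conhost, ...) descended from a browser.
Added example, not VoodooShield's code; the name sets are assumptions and the
records below are constructed, not real telemetry."""
import ntpath
from dataclasses import dataclass

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "conhost.exe"}

@dataclass(frozen=True)
class ProcCreate:
    pid: int
    image: str
    parent_pid: int
    parent_image: str

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def browser_ancestor(ev, by_pid, max_depth=8):
    """Nearest browser in the parent chain (direct parent first), else None."""
    parent = basename(ev.parent_image)
    if parent in BROWSERS:
        return parent
    anc, depth = by_pid.get(ev.parent_pid), 0
    while anc is not None and depth < max_depth:  # bounded walk; pids get reused
        if basename(anc.image) in BROWSERS:
            return basename(anc.image)
        anc, depth = by_pid.get(anc.parent_pid), depth + 1
    return None

def find_browser_spawned_interpreters(events):
    """(pid, image, browser) for every interpreter descended from a browser."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) in INTERPRETERS:
            b = browser_ancestor(e, by_pid)
            if b is not None:
                hits.append((e.pid, basename(e.image), b))
    return hits

# Constructed: cmd from IE, conhost from that cmd, PowerShell from Explorer.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    ProcCreate(100, IE, 50, r"C:\Windows\explorer.exe"),
    ProcCreate(200, r"C:\Windows\System32\cmd.exe", 100, IE),
    ProcCreate(300, r"C:\Windows\System32\conhost.exe", 200, r"C:\Windows\System32\cmd.exe"),
    ProcCreate(400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 50, r"C:\Windows\explorer.exe"),
]
```

The PowerShell started from Explorer is deliberately not flagged: the rule is about browser lineage, not interpreters in general.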
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool! If VS happens to grow on you, please let me know and maybe we can talk ;).
     
  15. hjlbx

    hjlbx Guest

    At one end of the spectrum there are those that find Windows Defender acceptable security, while at the other end there are those that obsess about sophisticated attacks - especially memory attacks - and want to monitor/control *.dlls.

    Faronics Anti-Executable has *.dll monitoring. If you enable it, then you will see a definite system resource and speed impact.

    The problem with monitoring and controlling *.dlls is that even intermediate and a lot of advanced users will not know enough about *.dlls. Of course, they can learn if they are so inclined to do so. And therein lies the problem: how many users are security soft enthusiasts and sec-geeks?

    An implementation that involves user-defined *.dll rules is a tough one; it takes a lot of time and effort. At the same time, for the developer it requires the same horrendous amount of time and effort so *.dll monitoring and rules creation isn't an easy implementation in that regard.

    It's one thing to talk about the most sophisticated malware attacks - it's all interesting stuff - but from a practical day-to-day perspective, what is the likelihood that a user will actually encounter one?

    I know there is the school of paranoia that wants absolute security = if something can pwn a system, then it needs to be defended against. I get that and on most points I don't disagree. However, at some development and usability point, it just gets to be too much for most everyone involved.

    Perhaps there is a way to implement *.dll monitoring for only the most exploitable programs - browsers being at the top of the list. Even if that is implemented, there are other memory attack vectors and vulnerabilities.

    I'm just mentioning all this for thoroughness. A lot of people won't use Faronics and the old Malware Defender (32 bit only super-HIPS) with *.dll monitoring enabled because it noticeably slows things down.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well said, I could not agree more! Yeah, those are all great reasons to not implement DLL monitoring anytime soon. I think VS’s new way of handling this is every bit as effective, without all of the headaches of the alternative. As they say... there is more than one way to skin a cat ;).

    Yeah, some people like to lock their computer down as tight as possible, and others do not want it to be locked down at all… it is a personal choice. About half of the people say VS locks the computer too tight, and the other half say it does not lock it tight enough, so I think we are pretty close to a happy medium ;).

    And yeah, it is a personal choice for user’s own computers, but when it comes to business and government computers that hold our personal information, I think the computer should be locked down pretty tight. If it bothers the user a little that they have to click on a prompt from time to time, so be it, as long as our personal information is safe.
     
  17. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Any chance to have some kind of slider in the program for auto-settings (something like: Light-Medium-Hard) for n00b users?
    ...or is it a stupid idea?
     
  18. guest

    guest Guest

    Yes, monitoring DLLs can be "too much".
    If only a few programs are started within seconds, VS has to check maybe hundreds(?) of DLLs within this time.
    I had DLL monitoring enabled with AppLocker, but it slowed down my system. So I decided to turn it off.
    But if I have a faster computer, I'll turn it on again.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not exactly sure what you mean, but it sounds intriguing... please explain more!

    Right now I am working on the prompts, and I added a "Recommended" label to help novices quite a bit. That has always been one of the big criticisms of VS (and rightfully so), that it did not let the user know how they should respond to a prompt. Scan & Allow will basically do the same thing, but it will just automatically decide for the user.

    Here is a sample... once we release this version, please let me know if I messed up on any recommendations ;). I am going to try to get them all correct on the first time, but there are so many combinations, there might be a recommendation or two that does not make sense, and we will need to fix it.

    voodooshield.com/artwork/prompt.PNG
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great to know, thank you!
     
  21. hjlbx

    hjlbx Guest

    I think VS has a very good balance between system lock-down and usability - even at maximum settings with all security features and settings enabled.

    Plus, the user can customize VS - from reasonably loose to lock-down for all users - so there shouldn't be any complaints.

    The protection to usability ratio is as close to (1) as anyone is going to get in a product; high protection:high usability.

    VS is one of the best all-around options to lock down a system. I don't understand the complaints. All of us that actively participate have put a lot of work into making suggestions to improve VS security, and Dan and Vlad have implemented virtually all of them.

    So, as a finished product, it is very usable with high security for typical use.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    The user clicked on allow for all of Eset's prompts. How is that testing Eset? I will go back, and watch the video again to see if I missed something.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I watched the video again. The user clicked on allow to all of Eset's prompts, so they did not test Eset. I wonder if that site is still infected. I really wish I had a test machine available.
     
  24. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    ESET passed!
     
    Last edited: Apr 9, 2016
  25. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    ESET passed the test! I just want to figure out how ESET can detect injection into C:\Windows\explorer.exe, but others can't.
     

    Attached Files: 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg
    Last edited: Apr 9, 2016