VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I agree, VS needs to be as light as possible. If we removed the runtimes and a few other things, it would fit on a floppy disk. I always wanted to have a booth at CES and hand out VS on a floppy disk. Webroot can already do that without any adjustments!
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    Absolutely!
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    OMG, how funny... that is great!!! Except that really is a false argument because he is talking about removing core safety components that protect the user / driver in the event of a crash. What I am suggesting is removing the peripheral safety components that prevent the crash from happening, so that we can see what actually happens when there is a crash. If you know the author, Alejandro, you should pass my analogy off to him and see what his response is ;). That is really cool that you found that!
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Nup, probably someone from the marketing department. I can't recall seeing him around the Norton forums.
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Interesting... yeah, I agree, it is very important to make sure the files are executable first!!! In the article, they say "In order to test the true efficacy of an antivirus product, AV testing companies should actually be installing the malware and executing the viruses in question, in order to see how the antivirus product handles an actual simulation of an end-user infection." and then later they say "The issue here is that none of the malware is actually executed or installed on the testing machine, nor does it constitute any kind of real threat to the system.", which I completely agree with.

    I am a little confused though because they do not make the distinction between blocking the file pre-execution versus installing the malware and analyzing it post-execution... And what I mean by that is, if a security software can analyze and accurately detect the malware pre-execution, is that a valid test? It almost sounds like they are saying that in order to conduct a valid test, you have to actually install the malware, then analyze the sample (basically through behavioral analysis)... so then correctly blocking the malware pre-execution does not count? I think they are suggesting that either one is fine, but I would love to hear everyone's thoughts. BTW, if they are suggesting that every malware sample has to be installed, that might not work too well with some of the latest ransomware ;). Thank you TH!
     
    Last edited: Jun 23, 2016
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Logethica, nice to meet you, thank you for your kind words!

    Yeah, the Wilders users beat me up pretty bad, especially TH, Baldrick, Krusty13... the list goes on and on ;). Just kidding, they are all a lot of fun to talk to.

    BTW, if you do not have a VS Pro license, please email me at support@voodooshield.com and I will set one up for you.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, does anyone have access to be able to download files by SHA1 hash? If so, can you please download the following files and post the VoodooAi scores? There are a few other files, but I am most interested in these. Thank you!


    4563f9e22e2ece489294195c2f5d2335d56718bf.exe

    a11b592b7c15d5749eB6f96d607e7276b3633bf8.exe

    a88f365aff8b34eetbbb3000cf91daf3d4a13b33.exe
     
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Hello!

    Is it correct to say that VS protects from all exploits? AFAIK VS stops an exploit if it drops a payload and starts a new malicious process. Then this new malicious process is simply stopped by VS.

    Please bear with me as I'm not so knowledgeable in this sphere. But don't there exist exploits that hijack an already running process and manipulate it without dropping a payload? I mean the already running process is forced to act maliciously. Then isn't VS (like any other anti-executable, actually) helpless in such a scenario?

    Thank you.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Solarlynx,

    Unless I missed something in the code, I think we are covered either way because in order for this to happen, the exploit would have to spawn the interpreter and run its shell code, but VS will block the interpreter long before it gets a chance to do so. I think we have everything locked down pretty darn tight... but I guess we will find out for sure when we are tested by the various AV testing labs. Thank you!
     
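As an added illustration of the distinction raised in the two posts above (not VoodooShield's code, and not a description of its internals), here is a toy default-deny process-start policy run over a constructed event stream: anything not on the allowlist is blocked, an interpreter launched from an application that handles untrusted content gets a more specific reason, and an event that is not a process start at all is counted as "unseen", which is exactly the gap the question asks about. The interpreter and parent lists, the event shape and the hashes are assumptions and placeholders.

```python
from dataclasses import dataclass

# Assumed lists: script hosts, and applications that receive untrusted content
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXPOSED_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe", "winword.exe"}


@dataclass
class Event:
    kind: str            # "process_start" or any other kind a sensor might emit
    image: str = ""      # executable being launched
    parent: str = ""     # image name of the creating process
    sha1: str = ""       # constructed placeholder values, not real sample hashes


def decide(ev, allowlist):
    """Anti-executable rule for one process_start event: allowlist or block."""
    if ev.sha1 in allowlist:
        return "ALLOW", "hash on allowlist"
    if ev.image in INTERPRETERS and ev.parent in EXPOSED_PARENTS:
        return "BLOCK", f"{ev.image} launched by exposed app {ev.parent}"
    return "BLOCK", "not on allowlist"


def evaluate(events, allowlist):
    """Return (decisions, unseen): one decision per process start, plus the
    number of events the policy has no rule for, e.g. activity that stays
    inside an already-running process and never creates a new one."""
    decisions, unseen = [], 0
    for ev in events:
        if ev.kind == "process_start":
            decisions.append((ev.image, *decide(ev, allowlist)))
        else:
            unseen += 1
    return decisions, unseen


# Constructed sample stream (hashes are placeholders)
ALLOWLIST = {"sha1-of-notepad-PLACEHOLDER"}
SAMPLE = [
    Event("process_start", "notepad.exe", "explorer.exe", "sha1-of-notepad-PLACEHOLDER"),
    Event("process_start", "powershell.exe", "winword.exe", "sha1-unknown-1"),
    Event("process_start", "dropper.exe", "chrome.exe", "sha1-unknown-2"),
    Event("memory_write", parent="chrome.exe"),  # no new process: the policy is blind here
]

if __name__ == "__main__":
    decisions, unseen = evaluate(SAMPLE, ALLOWLIST)
    for row in decisions:
        print(row)
    print("events with no process start to judge:", unseen)
```

The last event is the point of the question above: a policy keyed on process creation only has something to decide when a new process is created, so behaviour confined to an existing process needs a different layer (memory or behaviour monitoring) to be caught.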
  12. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    VoodooShield,

    https://www.youtube.com/watch?v=PvfrS6_nyyM&t=0s

    Just downloaded & watching the test. Looks good.

    I guess this is the first comprehensive test video by you with VS & also other products, right?

    I have posted the test on malwaretips. Hope no prob.
     
    Last edited: Jun 24, 2016
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, I test stuff all of the time; it is kind of what I do for fun. But that was the first truly random, comprehensive and documented test that I have done so far. Once the freeze bug is fixed, I am going to do some more.

    It will be fine on malwaretips... thank you!
     
  14. jeffsilve

    jeffsilve Registered Member

    Joined:
    Jun 24, 2016
    Posts:
    3
    Location:
    BRAZIL
    Hello, Dan!

    I'm from Brazil and I recently updated to Windows 10. I previously used Comodo Internet Security, but for now I've decided to keep Windows Firewall and Defender, plus Malwarebytes and other similar software just for on-demand scans.

    I'm trying to keep my system as light as possible.

    But I've been reading wilderssecurity's posts, I also watched your video on YouTube, and I started thinking about adding VoodooShield to my real-time arsenal. From what I have read so far, it would run on my computer on a low-resources basis, is that right?

    By the way, congratulations for your good work and attention with all users!
     
  15. Well, that Sophos movie is impressive; congratulations to the guys from Sophos.

    Talk to you when you have time, good luck tracking down the freeze bug.

    Regards Kees
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Without getting into it too much in a thread which is and should be about VoodooShield, it has to be noted Webroot have always said their SecureAnywhere product does things differently to other traditional AVs and consequently have not taken part in AV-C testing for some time. The best thing I can do is to suggest you read this blog post they published after AV-C's June 2012 Real World Protection Test.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Nice to meet you jeffsilve, and thank you for the compliment! Sure, VS is super light on resources, so it should make a great addition to your arsenal.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it is a great video, and both Sophos and Cylance are great products... It will be interesting to see Cylance's response. I would also be curious to learn what features Cylance quietly turned off in their competitors' products (@ 1:33 in the video)... especially since Mr. Schiappa suggested this during the "Executable Malware" portion of the test, which is a recreation of the tests that Cylance performs during their "Unbelievable Tour". Obviously, all of the security products should be tested with their default settings, and disabling, for example, a URL filter would not change the outcome of this portion of the test... so I would be curious what was disabled.

    Speaking of URL filters, I believe most enterprise-level firewalls have some of the best URL filters (I have no evidence to support this), but this is possibly why Cylance is not concerned with filtering URLs in their endpoint product. Because in all fairness, Mr. Schiappa did suggest @ 2:51 in the video that "And we know that the earlier that you detect and block threats, the better off you are." If this is the case, detecting and blocking malicious URLs at the perimeter is earlier than detecting these threats on the endpoint. So in my view, that is similar to blaming security products for not blocking malicious phishing emails, or even spam. No doubt we need multiple layers of protection, but for me, I simply want to know how effectively the security products deal with malware once it appears on the endpoint. And honestly, either way it probably makes the most sense to filter malicious URLs at the perimeter. Thank you Kees, talk to you soon!
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    Same as WSA: as there are so many exploits, WSA doesn't concern itself with them but with the payload they try to download and execute! WSA and VS are the perfect combo IMO, very light, no bloat and minimal resources.

    Daniel :)
     
  20. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    I'm glad everyone has their own opinions, as I don't care for Cylance until it supports full control for consumers.

    Daniel
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Tony... very interesting. Especially this part "The first piece focuses on ensuring WSA is able to reverse all system changes made by a new unknown file and to prevent any irreversible changes from taking place. For example, if a newly discovered program makes file system, disk, registry, or memory changes, these are recorded and analyzed in real time. WSA then checks frequently with the cloud while the program runs to see if an updated classification is available for the unknown files on a system. During this period, the program is able to change the system, but it is under a transparent sandbox where all of the changes taking place are not only being analyzed for behavior correlation, but are also being recorded to see the before-and-after view of every modification to the system. If at any point the cloud comes back and indicates a file is malicious, WSA will automatically remove the infection and restore the system perfectly to a pre-infection state."

    I guess TH and Baldrick were right after all... WSA and VS are a phenomenal combo... sounds almost bulletproof to me!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That's funny, I was posting something quite similar at the same time... it really is a great combo.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I can see where that would be an issue for consumers and SMB, but apparently they are going to be offering a GUI very soon... so we will see how much control the user is given.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Is it just me, or did the Sophos video just go private?
     
  25. guest

    guest Guest

    It's private now
     