VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Kees, I would really like to be able to auto allow signed files, but I do not believe it is secure enough to take a chance. As far as VS goes, I am not willing to even take a calculated risk, and to me, auto allowing by signed files is a little more than a calculated risk. There are actually several more usability features that I will be adding (the new command line usability feature is super cool btw), but I am only going to add them if they are safe to do so. BTW, none of these usability features are significant on their own, but when you add them all up, it makes our lock user-friendly.

    That is what VS is all about... we started with a lock, and over time have found safe ways to auto allow items, in order to make it user-friendly enough for everyone to use. And actually, I view VoodooAi as a usability feature rather than a security feature. I have seen the math, and the notion that one can use Ai alone to properly protect a computer is silly... and scary ;). That being said, when we combine Ai with the blacklist scan, I agree, the possibility of something slipping through is extremely small. Whereas, if VS were to only use Ai, approximately 7 out of 3000 will slip through, which is almost good enough, but I still believe that the computer should be locked when it is at risk ;).

    Traditional application whitelisting on its own is extremely secure, but it is not user-friendly, and IT admins are extremely reluctant to deploy this technology on their networks. Machine learning and Ai on its own can be quite accurate and precise, but it will always be far from perfect. But when you combine user-friendly application whitelisting with Ai, they are such an amazing combination that now you have the best of both worlds. Thank you Kees!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Cache... yeah, the test was performed with 3.45, and I am still working on VoodooAi 2.0, it is a lot more work than I thought it was initially going to be, but I am almost finished. So no, the test did not include any of the new features, including VoodooAi 2.0. And actually, VoodooAi 2.0 still is not ready, so the next release of VS will not include this, but hopefully it will be finished in 2-3 weeks.

    I am pretty sure that AVLab left the blacklist scan enabled during the test... here is the email where I suggested that they might consider disabling the blacklist scan.

    Hi AVLab,

    Very cool, sounds great. Yeah, it all depends on how you want to test VS… for example, in the following video, I disabled the blacklist scanner and the application whitelisting lock (by using AutoPilot), and relied solely on our Machine Learning / Ai component (VoodooAi).

    https://www.youtube.com/watch?v=bOXnpUHYD4Q

    So however you think is best to test is great with me.

    Thank you,

    Dan

    I would also have liked to have seen the results when the blacklist scan was disabled, but that is a lot to ask of AVLab, so I simply mentioned it to them. I have tested 3-4 million samples with the blacklist disabled, and the results are always around 7 out of 3000 slip through, when the blacklist is disabled. So only testing 28 samples, odds are VoodooAi would have blocked all of them, but you never know ;). This is why I posted one of the 3,000 sample set test videos. A lot of security software will maintain a 100% efficacy when the sample set is small, and therefore not representative. What I would like to see is a large scale test where 3,000+ samples are tested (so that all of the tested AV software is bypassed)... only then will we see the efficacy drop below 100%, and we will see the true efficacy of each tested software. Basically, the sample set size needs to be large enough so that all of the security products are bypassed, then we will see how they actually perform in the real world. The video above gives us an idea of the actual efficacy of the 3 tested security software products, since the sample set was large enough to break all three. (Keep in mind the blacklist scan was disabled for VS :)).

    The problem is, it would be extremely daunting for AV test labs to perform tests with such a large sample size... especially when testing ransomware. That is... once the computer that is being tested is severely infected, they would have to stop the test and start all over again, so that would be extremely difficult to do.

    I have tested VS with 3-4 million samples with the blacklist scan and VoodooAi enabled, and so far I have not seen anything slip through, but I promise you, if I keep testing, something will slip through. I will catch up on the other posts asap, thank you!
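
Added example, not part of the original post or of VoodooShield: a short calculation of why a 28-sample test rarely separates products, using the "7 out of 3000" miss rate quoted above. It assumes samples are independent and the miss rate is constant, which a real malware set only approximates.

```python
import math

# Per-sample miss rate quoted in the post (blacklist scan disabled).
MISS_RATE = 7 / 3000


def p_no_miss(n, miss_rate=MISS_RATE):
    """Probability that a product with this miss rate blocks all n samples.

    Assumption: samples are independent and share the same miss rate.
    """
    return (1.0 - miss_rate) ** n


def samples_for_a_miss(confidence, miss_rate=MISS_RATE):
    """Smallest n giving at least `confidence` chance of one or more misses."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - miss_rate))


def miss_rate_upper_bound(n, confidence=0.95):
    """Largest miss rate still consistent with zero misses in n samples.

    Solves (1 - p)^n = 1 - confidence for p (exact form of the 'rule of three').
    """
    return 1.0 - (1.0 - confidence) ** (1.0 / n)


def summarize(sizes=(28, 300, 3000)):
    """One row per test size: (n, P(perfect score), bound after a clean run)."""
    return [(n, p_no_miss(n), miss_rate_upper_bound(n)) for n in sizes]


if __name__ == "__main__":
    for n, clean, bound in summarize():
        print(f"n={n:>5}  P(100% score)={clean:.4f}  "
              f"95% upper bound on miss rate after a clean run={bound:.4%}")
    print("samples needed for a 95% chance of at least one miss:",
          samples_for_a_miss(0.95))
```

Under these assumptions a clean 28-sample run is the expected outcome for a product at this miss rate, and it only bounds the true miss rate to roughly one in ten.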
     
  3. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    460
    Location:
    Mercia
    The only difference I have seen is that SMART mode uses more CPU resources than ALWAYS ON, I imagine because it has to keep deciding whether it needs to turn itself to off. For this reason, I use ALWAYS ON.

    When the icon goes red and shows OFF in either mode, as I understand it the computer is unlocked (Lock is OFF) but you are still protected by the VT blacklist scanners and the Ai. Essentially, when the lock is OFF, you are in AutoPilot mode.

    Earlier in this thread, there was a discussion about the colours of, and the notations on, the icon. If you read that, you will see that I favour using LOCKED and UNLOCKED, rather than ON or OFF as I believe it would be more explanatory. Perhaps Dan will comment on this when he has time.
     
  4. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    460
    Location:
    Mercia
    I think you misread what I said Dan. I was aware that the test used 3.45 Beta - I was just trying a little humour regarding the improvements that are yet to come, hence the smiley!

    Also, AVLab stated that they tested with default settings for all the softs, so the blacklist scanners and Ai would have remained enabled.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Here is 3.46… I made some pretty serious changes under the hood, so I tested this version for 2-3 days… I hope I did not miss anything ;). For now, I am not going to release this to the public on our website, until you guys have tested this version for a few days.

    The following should be fixed in this version (along with several other small bug fixes).

    1. The “file that is inaccessible, or no longer exists” issue should be resolved… sorry that took so long, I wanted to make sure I did it right.

    2. PowerShell scripts should work well now.

    3. The majority of command lines are now auto allowed… but only when safe to do so.

    Here are the items that I have not had a chance to look at yet:

    1. “I noticed that when you sign in to one account, and VS turns on and shows the icon. When you switch users to another account, VS icon does not show in the second account that you signed into. Difficult to know if VS is still active.”

    2. I'm having problems with VS switching to ON when a Truecrypt container is mounted.

    And the last item is this…

    1. Could you add an option/button in the popups to start the installer or training mode and a timer in the options to go back to previous settings in x min.?

    VS already does something similar to this… I just need to read through all of the posts where people made recommendations on how to handle this, and we will come up with something simple and cool!

    VoodooAi 2.0 is not included in this version… I still have 2-3 more weeks of work to do on it!

    https://voodooshield.com/Download/beta3/InstallVoodooShield346.exe

    Thank you guys, have a great weekend!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is exactly what is up... Smart Mode / OFF is busy detecting web apps and stuff, so the CPU utilization is a little higher. The timer for this part of the code is currently set to 250ms... we could change it to 500ms or something, and that would reduce the CPU utilization even more, but then VS would not activate quite as quickly when it detected a web app. Maybe I will set it to 500ms on the next beta version, just to see what you guys think.

    Yeah, I understood what you were saying, and I certainly smiled when I read that ;). Thank you!
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    Dan @VoodooShield awesome job on the testing! :D Keep up the great work!

    Daniel :thumb:
     
  8. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    Best+++ superior :thumb::thumb::thumb:
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Dan, every time I open Chrome I am getting prompted for this:

    Chrome.PNG

    But it is the Norton Toolbar as I mentioned last time I used VS. If I put VS in Training Mode Chrome and the Norton Toolbar open fine. If I put it in Smart Mode and open Chrome I get prompted again.

    Thanks.
     
  10. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Hello,

    I got the same prompt, but for the "Kaspersky Protection" and "Kaspersky Password Manager" add-ons.

    1- I allowed the operation.
    2- Did not close your browser.
    3- Reset the VS "White list"; VS will "train" on all your running processes and whitelist them all, and never ask you again. This worked for me.
     
  11. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @Cache, thanks for the info. I'm noticing some odd behavior with VS when I'm in Smart Mode. I specifically delete portable network apps to test (e.g. Skype). For some reason they are allowed to run while in Smart Mode despite being deleted from the whitelist.

    This seems to be nonstandard behavior to me given I've explicitly removed the program from being whitelisted. Thoughts? Thanks.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I just noticed that the Secunia PSI 2 tray icon never showed up on three machines after installing VS and restarting.

    Sorry Dan, but it looks like VS still isn't quite ready.
    Hi,

    That may have worked, but I've had to remove VS for now and will wait for a newer version. That said, we shouldn't have to reset the whitelist for these issues.
     
  13. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Hi Dan

    Hope that you are well? Have just picked up on the .46 release. Have installed it and as far as I can tell it is working fine at the moment. Will post back if I come across anything untoward.

    Have a great weekend.

    Regards, Baldrick
     
  14. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    460
    Location:
    Mercia
    Not sure why you consider this nonstandard behaviour. If a program is not whitelisted, then VS will scan with the blacklist scanners and VSAi. If all is well it will be allowed to run. I would expect that in Smart Mode, it would also get whitelisted again.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, there might be a couple of issues that we need to fix, but they should be pretty quick and easy.

    Can you please post a link to the Norton toolbar and also to Secunia? I just installed Secunia PSI, and it seems to be working great for me, so I want to make sure we are testing with the same software. Thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    There are a couple of things that could cause this... first, was VS in Smart Mode / OFF, or was it ON? If VS was in Smart Mode / OFF, the file will be scanned with the blacklist and VoodooAi, and if it is determined to be super clean, it will be automatically allowed. When VS is in Smart Mode / ON, the file should be blocked either way, and you should see a prompt.

    Also, a lot of the portable apps, especially skype, will continue to run in the background, so if you are going to remove it from the whitelist to test, you might also want to make sure skype is not running in the task manager.

    I just tested skype portable, and it seemed to work as expected, but what other portable apps are you having problems with? Can you please post some links and I will test them? Thank you!
     
  17. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    The only reason I'd consider it so is because I explicitly deleted it. I was figuring that VS would have that sort of intelligence that would prioritize those actions above machine Ai.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Dan, to ensure you've got the same version of the Norton toolbar you'll need to install the latest Norton Security.

    www .norton.com/latestns Install Norton, run Live Update, restart if required, until no more updates are available. Now open Chrome (x64). You will be prompted to install both the Norton Toolbar and Identity Safe. You may also be prompted to install a couple of others but you don't need them for this exercise.

    PSI 2 can be downloaded here - http ://secunia.com/PSI2Setup.exe

    I had PSI set to delayed start in Norton's Startup Manager found under the Performance tab if it matters.

    Thanks.
     
  19. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @VoodooShield, Smart Mode was ON. I made sure the background processes were killed. I can consistently recreate this using something like Skype portable keeping Smart Mode ON, deleting the processes from the whitelist and simply booting into Skype with no blocking. Now when I turn the Mode in VS to Always ON and delete the processes from the whitelist I get the expected blocking behavior.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I see what you are saying, and that does make sense. But also please keep in mind that if, for example, skype was the last allowed process, and nothing had been blocked since then, the temporary allowed digital signature is the one from skype... so it will be auto allowed, even if you remove it from the whitelist. You can disable this option in Settings / Basic "Temporarily allow by Publisher / Digital Signature until reactivation" if you want to test this to see if it is the reason it is being allowed. And we can always change any of this if we need to. Thank you!
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I am downloading them now, and I will let you know!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I will test it some more and see!
     
  23. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @VoodooShield, I'll try the suggestion and report back, thanks.
     
  24. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @VoodooShield, your setting suggestion seems to have done the trick. Forgive me if this method is a bit new to me, I am used to software locking down the platform and then opening bit by bit only what is necessary. To me having machine Ai overriding an explicit command performed by a human isn't usually the best option in my opinion, at the very least if that was to happen there should be an appropriate dialog indicating the change the machine Ai made so the user wouldn't be lulled into a false sense of security.

    That said I am glad that there is an option to correct this action. Thanks.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you... actually, while looking into this issue, I found a little bug that needs to be fixed. It does not put anyone at risk, but basically, when you remove an item from the whitelist, it is not doing everything properly, so I will have that fixed soon... thank you for pointing this out!
     