VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Also is it intentional that the download link labeled as v2.20 actually is the 3.48 beta?

    It is the 3.48 beta I had these issues with, it also never offered me a free trial.
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I guess I had better chime in here- My coinflip analogy had absolutely nothing to do with VS, which I feel with both the not letting things run with the Network disabled as well as the sandboxing functionality to confirm maliciousness or validity are brilliant ideas.

    My complaint is when a zero-day malware file and something valid but not signed (like VT uploader or Seamonkey browser) are treated in exactly the same way and the only option is for the user to click Yes to run or No to not run. This is a casino-approach to security where a wrong choice will end in tears. It saddens me when a promising product will opt for this approach. Yeah, it will look good in testing when the tester knows in advance what is good and what is bad, but in the real world in my opinion is unacceptably lacking.

    Finally there seems to be a developer that understands and is putting out a product which in my opinion is quite exceptional (I'd say that a video on it is forthcoming, but such amateur riff-raff is not allowed here).
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, I am not sure what link you are referring to... please send it to me and I will check it out.

    It sounds like there is some kind of software on your system that is not allowing VS to communicate with the internet. If you figure out which software it is, please let me know, thank you!
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Oh, I know you were not specifically referring to VS ;)... I simply found your comment intriguing and wanted to possibly discuss it publicly... I think it is important! I certainly respect your experience and opinion, which is why I was curious of what you thought about all of this.

    Please keep in mind a couple of things...

    First, there have been several "filter" products that have been released over the last couple of years (including "next-gen Ai" technologies) that attempted to create a filter that approached 100% efficacy... and in the end they figured out that it was an impossibility, so they ultimately implemented a lock.

    Second, digital signatures should only be used as a guideline... basically one of 400 or so features, when determining the maliciousness of a file. Relying on digital signature alone is dangerous. And file insight is absolutely vital.

    Third, it is no exaggeration to say that even complete novices (hundreds locally, tens of thousands worldwide), simply no longer end up in tears when they lock their computer when it is at risk.

    Think about where malware actually comes from... it essentially pretty much always comes from malicious email attachments or malicious links (yeah, I know USB drives as well, but we can ignore that for now, even though what I am saying applies to USB drives as well). When a user, even a complete novice, clicks on a malicious email attachment or link, if they are unsure of the attachment or link, the hairs on the back of their neck stand up, and when VS blocks the file, it at least gives them a second chance to remain uninfected... as opposed to using a filter, which may or may not allow the file. This is why VS is so effective in the real world.

    I wish an AV test lab would do a six month real world study with 3,000 or so random endpoints... then we would all know how effective the various security solutions are in the real world. I have seen first hand how well VS does in the last 5.5 years, and I am extremely happy with the results.

    I understand that you are not a huge fan of the user prompt... neither am I ;), but it is certainly better than the alternative... relying on a filter that leads to infection. File insight on the user prompt is key.

    My point is this... until someone can create a filter that approaches 99.99% efficacy (which I believe is a mathematical impossibility), the computer needs to be locked when it is at risk. And even if someone does create such a reliable filter, it still does not hurt to lock the computer when it is at risk anyway ;). The thing is... when a new product comes out and is unable to achieve 99.99% efficacy, they end up implementing a lock, which basically gets us nowhere.

    If you are interested... I have a malpack that I can send you that will demonstrate my point. You can use it to test the promising new product(s). My tests confirmed that the computer still needs to be locked when it is at risk.

    All of this would not bother me so bad, except I am really tired of my personal information being stolen because I did business with a place that does not understand the importance of properly protecting their computers when they are at risk. I am also tired of home users not properly protecting their computers... resulting in DDoS attacks that interrupt my Rocket League games ;).

    If we do not get a grip on this soon, things are going to become really bad, really quick.

    BTW, I am certainly not trying to start a war here ;). The problem is that we keep searching for the ever-elusive filter that will solve all of our problems, and in the end, figure out that a filter is not sufficient, and ultimately implement a locking mechanism... so I think it is important that we discuss this publicly, if that is cool with you ;). Thank you!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Kees,

    I see what you are saying, but I just do not believe that the digital signature is that useful in determining the maliciousness of a file… for a lot of reasons.

    First, there are A LOT of unsigned executables… everything from native Microsoft Windows files to a lot of the open source stuff… man, there are a lot of unsigned files. So if the digital signature is a strong indicator of maliciousness, what do you do with the unsigned files?

    The new VoodooAi evaluates 20 features of the digital signature (this is out of the roughly 400 total features)… and even with 20 features, I am still not comfortable with considering the digital signature a greater indicator of maliciousness as we currently do. But that is where Ai comes in… it is smart enough to figure all of that out for us.

    It will be interesting… when I am finished training the machines, we will have stats on 2-3 million malware files, and we will be able to see each of the 20 features, and how they correlate to the study that you found. We will actually have all kinds of interesting data to ponder… for example, we will know the top 500 or so most common imported libraries that malware utilizes.

    All of this stuff is super interesting… we will see in a week or two!

    Thank you Kees!
     
  6. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    The main download link on the VS website.

    http://voodooshield.com/download/

    Also please check the PM from me, thank you.

    I gave VoodooShield access to the internet, although I assume it accesses the internet itself, not using rundll32 or something else, as I block rundll32.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I actually have no issue with this approach, the alternative is for the executable to be run first in some kind of testing mode to observe its behaviour but this is not a good idea as some experienced security bods have pointed out. Not to mention the hit on performance (this is one reason I am ditching EAM). An alternative approach is a cloud trust system which might be acceptable but then that will be behind on zero day stuff anyway.

    With that said tho I think the option to auto approve signed binaries from trusted vendors should be in VS, even if a warning from the dev pops up when it's enabled.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    chrcol

    PM Dan and ask for a free lic. and begin testing the betas :thumb:
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Dan,

    Are we any closer to 3.49 or will you be adding Ai 2 to the next version?

    Thanks.
     
  10. Dan, maybe this is the confusion or misunderstanding. I don't want to use signatures to determine whether it is malicious, on the contrary I want to use it to determine whether it is safe and reduce False Positives by building a signature whitelist of already installed programs during snapshot scan. VoodooShield already allows user space executions of child processes triggered by trusted parent programs, so what is the difference?


    In ALWAYS on and SMART mode any executable in user space would be blocked (like current situation). In AUTO-pilot unsigned executables and signed executables not on the trusted signatures list are evaluated by AI-engine and checked with AV-Blacklist scan (like in current situation). So this is the answer. The same as VS does now.

    Executables with the signature of an already installed program are still checked by blacklist scan (as always), but are handled differently by the AI-engine (in AUTO pilot mode). I am only suggesting to weigh in signatures of already installed programs. We are not talking about static signatures in general but signatures specifically limited to the installed programs. This context-specific exception is not any different from the allow parent process exception (installed parent program versus installed vendor).
     
    Last edited by a moderator: Dec 5, 2016
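
Added example (not part of the thread and not VoodooShield's code): a sketch of the decision flow proposed in post 10 above, in which a valid signature from a vendor already seen in the snapshot scan only shifts the AI threshold in AUTOPILOT and never overrides the blacklist scan. The mode names, the `ai_score` stand-in, the threshold values and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

@dataclass(frozen=True)
class Executable:
    path: str
    signer: Optional[str]   # publisher named in the signature, None if unsigned
    signature_valid: bool   # chain and file hash verified (assumed done elsewhere)
    blacklisted: bool       # result of the AV blacklist scan
    ai_score: float         # hypothetical AI verdict: 0.0 benign .. 1.0 malicious

def build_signer_whitelist(snapshot: Iterable[Executable]) -> Set[str]:
    """Collect publishers of already installed programs during the snapshot scan."""
    return {e.signer for e in snapshot if e.signer and e.signature_valid}

def decide(exe: Executable, mode: str, installed_signers: Set[str],
           base_threshold: float = 0.5, signer_bonus: float = 0.2) -> str:
    # The blacklist scan always runs and always wins, signed or not.
    if exe.blacklisted:
        return "block"
    # ALWAYS ON / SMART: user-space executables stay blocked, as the post states.
    if mode in ("ALWAYS_ON", "SMART"):
        return "block"
    if mode != "AUTOPILOT":
        raise ValueError(f"unknown mode: {mode}")
    # AUTOPILOT: the signature is one weighted input, not an automatic allow.
    # A publisher name without a valid signature earns no bonus.
    known_vendor = exe.signature_valid and exe.signer in installed_signers
    threshold = base_threshold + (signer_bonus if known_vendor else 0.0)
    return "allow" if exe.ai_score < threshold else "block"

# Constructed sample data (vendor name and paths are made up).
SNAPSHOT = [Executable(r"C:\Program Files\ExampleVendor\app.exe",
                       "ExampleVendor Ltd", True, False, 0.1)]
TRUSTED = build_signer_whitelist(SNAPSHOT)
TEMP = r"C:\Users\u\AppData\Local\Temp"
UPDATER = Executable(TEMP + r"\update.exe", "ExampleVendor Ltd", True, False, 0.6)
UNSIGNED = Executable(TEMP + r"\tool.exe", None, False, False, 0.6)
FORGED = Executable(TEMP + r"\fake.exe", "ExampleVendor Ltd", False, False, 0.6)
LISTED = Executable(TEMP + r"\bad.exe", "ExampleVendor Ltd", True, True, 0.1)

if __name__ == "__main__":
    for exe in (UPDATER, UNSIGNED, FORGED, LISTED):
        print(exe.path, decide(exe, "AUTOPILOT", TRUSTED))
```
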
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Does VS play well with Sandboxie? TIA
     
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
    It does for me.
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I did but no reply.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    He's pretty busy but you could try an email. Just include your username for these forums.

    support@voodooshield.com
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Krusty, yeah, things are a little crazy right now, but if things go right, everything should be calm in the next day or two, and I will be able to catch up on the posts and PMs.

    I am not sure if I am going to release 3.49 with or without VoodooAi 2.0... I would like to have that one odd bug fixed (which I am still working on), so if VoodooAi 2.0 is going to take longer than a few days, I will definitely release a 3.49 version before then. It looks like everything is going to go really well from here on out, but only time will tell ;). Thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that, please check your pm's and email me!

    I will catch up on everything asap... we are getting close!!!
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hey Dan, just a request I made earlier - https://www.wilderssecurity.com/threads/voodooshield.313706/page-526#post-2631340 ;)

    Cheers!
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    yep replied :)

    will assist in testing here.
     
  19. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    86
    Location:
    UK
    In my experience the Pro version of Voodooshield works fine within Sandboxie providing you disable "Automatically allow by parent process" in Advanced Settings.

    However, the free version of VS doesn't, as the settings are not adjustable.

    I suppose the next question is... in the real world, is there an actual need to run VS and Sandboxie together?
     
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Thanks Stapp... VS seems to be an important layer to have, I'm still on the fence as I had anti executables in the past but sometimes they were indirectly responsible for Windows quirky behaviour, but VS seems to be the right stuff...
     
  21. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Thanks for the info, the free version is not configurable therefore there might be some conflicts, and I agree SB already works as an AE when properly configured, but I thought those results against all these ransomware families were quite impressive for WS...
     
  22. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    86
    Location:
    UK
    Just to clarify...

    Not so much that there might be some conflicts - the free version of VS simply doesn't function within Sandboxie.

    Sorry, my previous wording wasn't particularly clear - I didn't mean to question the use of both programmes together on the same machine (i.e. either/or), just querying whether there was any serious disadvantage for free version users who are limited to running VS outside of Sandboxie.
     
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    @Gillor Thanks I see what you mean.
     
  24. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    Please share the app's name (assuming you had something in mind other than VS) and when/where we can access the video. A thousand thank you's in advance. ;)
     
    Last edited: Dec 5, 2016
  25. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    "when"/where... what part of "when" do you not understand ya goof. :rolleyes:

    p.s. love your kitty avatar btw..
     