VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! I tried GU, and it seemed to work great for me, but please let me know if you have any other issues!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you Krusty!

    BTW, there is a new RanSim out that tests for even more types of ransomware.

    If you test VS, make sure to disable the Parent Process Feature and the Digital Signature feature ;). And you need to allow the initial Launcher.exe file that VS blocks, otherwise none of the tests will run.

    https://s3.amazonaws.com/ransim/downloads/RanSimSetup.exe

    BTW... it took about 7 minutes to run when testing with VS... but it blocked all 10.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool to know, thank you Paul!
     
  4. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    Sure.

    Running VS 3.49 now. Did some uninstalling of a few old software versions, reinstalled the updated versions. Installed a couple of new software. All sweet...
    (BTW Running VS alongside MBAE and CryptoPrevent)

    Cheers
     
  5. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I do not understand why the VS in the Auto-Pilot Mode gives warning when installing Google Chrome?

    Clipboard01.jpg Clipboard02.jpg Clipboard03.jpg

    If you want to enable easy use for less experienced users, I think that things like this should not occur.
     
    Last edited: Dec 27, 2016
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually for now I've dropped AG. Just too much of a pain on my No. 1 desktop. The testing I am doing in the VM has been in Autopilot, but on the desktop I am using ON. It bothers me seeing it toggle on and off, but I understand and agree with Dan's reasons for the average user.

    Pete
     
  7. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  8. guest

    guest Guest

    v1.10 it will have premium features.
    But it's a long way to 1.10, so there is enough time to decide :)
    You had a similar situation some time ago: #11543 but with an Ai-Score of 0.000
    It seems that a prompt is always displayed if a file is unknown, independently of the Ai-score.
     
  9. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
  10. EvjlsRain

    EvjlsRain Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    31
    I notice that the previously whitelisted applications are now not allowed to run freely anymore. It shows prompts for every single app that I allowed before. I reset the whitelist and started everything again.
     
  11. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is not a problem for me (I will allow it) but if they want easy use for less experienced users, my thinking is, things like this should not show in Auto-Pilot mode for known apps.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, this is a great example of a worst case scenario… let me tell you what I think, and then please tell me what you think, and if we need to make changes, let’s certainly do.

    First, this is an unknown file… so it must be the absolute latest Chrome installer. Your question is “I do not understand why the VS in the Auto-Pilot Mode gives warning when installing Google Chrome?”, which if I am reading into your question correctly, I am assuming that you are suggesting that since this file is a file from Google, you are perplexed as to why this file was blocked. Keep in mind, this is a brand new, unknown file, that is not yet in the blacklist database, so it is completely irrelevant that this file is a common file distributed by a tech giant… the reality is, it is an unknown file, so it should be blocked until it is a known file… which will happen quickly since it is a common file from a tech giant.

    And please keep in mind, in all fairness, I believe the prompt explains correctly what actions the user should take for this particular block, and most likely, a novice would read the prompt to fully understand why the file was blocked. At that point, if they knew that they were trying to install the latest version of Chrome, they would click allow, which is the correct response for that scenario. If they were not trying to install the latest version of Chrome, they would click block, which is also the correct response for that scenario. Then in a day or so, when the file is known to the blacklist, when Chrome tries to update itself again, the user will be presented with a blue prompt that fully recommends that they allow the file.

    Keep in mind… not every single file needs to run on every endpoint. To me, ALL unknown files should ALWAYS be blocked… it is not the end of the world if an unknown file is blocked. ;)

    Sure, we could easily add an option to allow by digital signature for the top 100 or so software distributors, which would alleviate this situation, but I do not believe it is safe to do so.

    This is a very tricky scenario, but I believe that VS handled it correctly, but if you have some ideas on how we can optimize the prompt for the unknown file situation, please let me know! Thank you!
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, thank you mood. In a few months, once VoodooAi 2.0's accuracy is a little more "road tested" and proven, we should be able to auto allow files, if for example, the VoodooAi score is less than 0.2500.

    And actually, now that I think about it... what we might be able to do is if the file is signed by a tech giant AND it has a super low Ai score, then we should be able to allow the file, even if it is unknown. This is what I mean by adding usability features to VS as we go... I think something like this would be great to add. But we need to give VoodooAi 2.0 a little more time... I still need to do a little optimizing since it is so new. For example, I think the thresholds are pretty close, but we might be able to tweak them a little more.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd... what is VS blocking? Can you please give me more details? Thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly... and also if it is signed by 100 or so of the top software distributors, something like that? Thank you!
     
  17. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see what you are saying, and that certainly makes sense to me... we have time to think about it while we refine VoodooAi 2.0 a little more over the next couple of months. Either way, we want to be absolutely safe, and if that means that we are required to block unknown files from time to time, then I am ok with that ;). Thank you!
     
  19. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is a legit download from Google, trying to install Chrome x64.
    It's not such a new version, so it should already be in the database.
    Let's assume VS checks 3 things:
    Signature
    Vir. Total
    Ai

    If 2/3 (66%) are safe then maybe it should be Allowed.
    What use is Ai if its score is Clean but the final recommendation is Block?
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I totally agree, there are a lot of little tweaks we can do over the next couple of months that will be really cool... everyone, please keep the ideas coming!!!
     
  21. EvjlsRain

    EvjlsRain Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    31
    Sorry for my bad explanation. I mean the previously whitelisted apps are not read by VoodooShield after the update from 3.48. The whitelist is there, the app is in the whitelist but VoodooShield still shows a prompt to allow/deny the app that I use every day (1/56 on VT). After I allowed it, it could run without a prompt the next times. I use autopilot mode.

    I decided to empty the whitelist (the whitelist is not read by VS, no point to keep it) and now everything is working fine
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I definitely see what you are saying... maybe we can do something like this... https://www.wilderssecurity.com/threads/voodooshield.313706/page-539#post-2641148

    Keep in mind, even if the file is blocked, Ai is still an extremely useful file insight feature for the end user ;). To me, file insight is absolutely critical... it is best to provide as much information to the end user, so they can make the correct decision, in the event of a block.
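
An added example, not part of the original posts and not VoodooShield's code: the three decision rules discussed in this thread (prompt on every unknown file, Djigi's 2-of-3 vote, and "trusted signer AND low Ai score") run side by side over constructed files. The function names, the treatment of a reputation miss as `None`, and the reuse of the 0.2500 figure as the "low score" cut-off are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

AI_ALLOW_BELOW = 0.25  # assumption: reuses the 0.2500 figure mentioned in the thread

@dataclass
class FileInfo:
    name: str
    trusted_signer: bool          # signed by a vendor on a trusted-publisher list
    vt_detections: Optional[int]  # None = file unknown to the reputation service
    ai_score: float               # 0.0 (looks clean) .. 1.0 (looks malicious)

def default_deny(f):
    """Prompt on anything unknown, whatever the signature or Ai score say."""
    if f.vt_detections is None:
        return "prompt"
    return "allow" if f.vt_detections == 0 else "block"

def two_of_three(f):
    """Majority vote over signature, reputation and Ai score."""
    votes = [f.trusted_signer, f.vt_detections == 0, f.ai_score < AI_ALLOW_BELOW]
    return "allow" if sum(votes) >= 2 else "prompt"

def signed_and_low_ai(f):
    """Default-deny, relaxed only for unknown files that are signed AND low-score."""
    if f.vt_detections is None and f.trusted_signer and f.ai_score < AI_ALLOW_BELOW:
        return "allow"
    return default_deny(f)

POLICIES = (default_deny, two_of_three, signed_and_low_ai)

# Constructed sample files, not real scan results.
SAMPLES = [
    FileInfo("fresh_vendor_installer.exe", True, None, 0.05),
    FileInfo("unsigned_new_tool.exe", False, None, 0.10),
    FileInfo("signed_but_detected.exe", True, 12, 0.10),
    FileInfo("unsigned_high_score.exe", False, 0, 0.90),
]

def compare(samples=SAMPLES):
    """Map each file name to its verdict under the three policies, in order."""
    return {f.name: tuple(p(f) for p in POLICIES) for f in samples}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:28} " + " ".join(f"{v:7}" for v in verdicts))
```

The row to look at is `signed_but_detected.exe`: a plain majority vote lets the signature and Ai score outvote 12 reputation detections, while the AND rule only ever relaxes the unknown-file case.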
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for letting me know... I better test this so that users who upgrade to the newest version do not experience this ;).
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you Kees, these are all great ideas! After 3.50 is released in a few days, we can wait a month or so before adding new features, just to make sure all of the bugs are completely worked out, then I will get to work on my "Kees to do list" ;).
     
  25. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    @VoodooShield
    Hi Dan. This might not be a top priority but towards the end of October there was a discussion about the GUI and the meaning of OFF in the various modes (Training mode OFF = truly off whereas OFF in Smart and Always On = Unlocked).

    You very nicely clarified how VS operates in these various modes but it was left in the air about whether you felt any changes were necessary. It may well be that this is in hand but if it has slipped under the radar I hope you don't mind my "bumping" it up for your attention.
     