VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Dan,

    You mean, if a similar POC is created for, for example, Kaspersky, and I disable Realtime Shields or allow the POC, Kaspersky will be uninstalled, am I right?
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, either way it will be optional... I might even skip the self-protection for now... I am really tired of dealing with it. Besides, implementing self-protection properly, and making sure that everything is patched correctly will most likely require someone who has a lot of experience in this area. I like to work on the GUI and AI stuff... the other stuff bores me.

    Besides, there is only one macro that presents a problem for VS at all anyway... otherwise, VS does a great job protecting itself with everything else.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, or quite simply, the Kaspersky uninstaller.

    Let me ask you this... which is the more valid test?

    Creating an executable that disables the driver or uninstalls VS, which the user has to click Allow... so it has been whitelisted.

    OR

    Test against a real world "bypass" like the macro? The macro test proves that the self-protection mechanism is working.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Pete, if the malware is the AV's uninstaller, and you allow it, the AV will be uninstalled. Show me one security product that monitors the behavior of its uninstaller, and I will buy you a beer in Vegas ;).
     
  5. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    You made it clear all along that it was only a notion you were experimenting with Dan...VS is a fantastic product and the VAST majority of its users will continue to support you through its evolving versions, more heed to generous developers like you who are few and far between.
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    VS is a Computer Lock. Period.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you clubhouse1, TH, and everyone else who understands my point.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep, but I want control of the key. It also has other uses. I could automatically allow everything and VS still would be useful. How? You guess.
     
    Last edited: Mar 23, 2017
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ah, that is the point of layers. If an uninstaller should run on my system, even if I allow it, the uninstall will fail. I have to intend to uninstall.
     
  10. plat1098

    plat1098 Guest

    Thank you, thank you so much. This is now a tautology, a moot point.

    Edit: This isn't the finished product, is it? Besides, maybe you can exercise good judgement and control under duress, but more inexperienced users may want the software to make the decision. And if it's opt in or out, every user needs to clearly understand what that means and what the ramifications are. That's not going to happen. This is a tough subject, no wonder the developer is sick of it. lol!
     
    Last edited by a moderator: Mar 23, 2017
  11. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    :thumb:
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is not about layers.

    What happens when you intend to uninstall, so you click Allow? Do you expect the driver to disconnect, the service to stop and the software to be uninstalled? Or do you expect the software to magically continue behavior monitoring, even though it is being uninstalled?
     
  13. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Noob question. I know that if I don't put VS in install mode I will get pop-ups asking my permission to proceed. Can I just check that it's OK to install programmes without using install mode? It just stops/starts the install process awaiting my input and doesn't corrupt the install. That is, it's not mandatory to use install mode, as it is concerned with ease of use?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It is Dan. You are treating the system as if it's about VS and nothing else, but VS doesn't run in a vacuum. I may think I am uninstalling and yes click allow, but if other layers block it the uninstall will fail, and yes the program will go on working.
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Wow !!!!!!!!!!!!!!!!!!!

    What has this thread turned into anyway? I was not going to reply but this is getting ridiculous, as many posters are now emphasizing.

    Other companies use the same approach to self-protection. They lock the system down so that you have to do a hard shutdown. The reason for this is so that anything left in RAM will be gone on reboot, as a precaution. This thread is going to drive me to drinking.

    Voodoo is one of the best security solutions I have seen since process Guard and the like.
    I am pretty sure not many here were using programs like Norton for DOS as I did. I know some have. I can tell you I was a beta tester for Norton after they scarfed up Cleansweep.
    Google that and it will tell how long I have been beta testing.

    https://en.wikipedia.org/wiki/Quarterdeck_Office_Systems

    I know this really dates me :eek:
     
    Last edited: Mar 23, 2017
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Technically, I believe most AV vendors will recommend that you disable all of your security software when installing new software. This used to be commonly recommended, but somehow, we have all gotten away from this. Here is an older article that goes into more detail.

    http://ask-leo.com/why_do_some_prog...ling_and_should_i_turn_it_on_again_after.html

    Having said that... it is perfectly fine to have VS block items during an install, and simply allowing them manually... you should not have to worry about corruption.

    Typically, for small installs, I leave VS on, and just click Allow. But for larger installs I either put VS in disabled mode, or if I am installing a lot of software, I just exit VS altogether. Thank you!
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am saying this issue we are discussing has nothing to do with layers.

    Layers are a great thing... especially if you run a great behavior blocker alongside VS... you could not ask for much more than that.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that. A drink actually does sound good about now.
     
  19. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Thank you, Dan. BTW, according to Geek VS is taking up 10.7MB, with my other soft, CFW, using 149MB. When I had Avast installed that was about 860MB. I'm still amazed that your little programme is so powerful and, even better, it was developed by one guy and a few contractors.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that! Alex has also been working on optimizing the GUI even more, so it will soon be even quicker to start and use even less memory... it will be pretty cool.
     
  21. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    @VoodooShield
    Dan
    Almost there with the testing. Going out now.
     
  22. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I hate this "side topic" type of banter, but Dan is correct: the very first thing that happens, that messages the user of the option to allow or block, is what? Stay with me: "it was blocked". Yes, before the user is prompted for a decision, VS has blocked the process in question. So first out of the gate, VS 1 Attack 0. Regardless of your so-called bypass being 100% user dependent, the very first step requires it be blocked by VS or no user prompt, right? You have to admit that's weak as water, Wave ;)
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you for letting me know! BTW, remember there was one last item that we need to exclude, but hopefully it will be running fine without it. It will be included in the next build.

    BTW, there have not been any reports posted in the last day or two about the latest beta... does that mean it is working well for everyone?

    You know, I always thought it would be handy to have a lock down feature anyway... I think there might be some really great uses for it in the future (besides self-defense)... especially in the enterprise. So now we are close to having a lock down feature... whether we implement it in the stable release or not is up in the air, and even if we do, it will be optional. Thank you guys!
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That's a great way of looking at it, thank you _CyberGhosT_!

    BTW... I wonder if his "bypass" counts as a bypass if VS is in Disabled or Training Mode while testing... isn't that ultimately the EXACT same thing as clicking Allow? Just curious.
     
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I don't know and I refuse to give this that much thought and time.
    I had a ton of respect for Wave at one point and that looks misplaced.
    But that is "Off Topic" so I will police myself.
    I refuse to comment further on anything counterproductive to VS, or that is not directly aimed at improving or solving issues.
    Dan, you should take that stance as well :thumb:
     