VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, thank you for pointing that out, I think that will work really well. It will be at least a couple of weeks before I work on that, so that will give me time to see if there is an even better option.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you TH, that is seriously cool! I probably should not be saying this publicly, but oh well, you know me ;)... I have thought for a long time that whitelisting is the future, but it has one very serious problem... how do you safely build the whitelist, and how do you make the whitelist as small and customized as possible? Obviously, that is what VS is all about. But the funny thing is... I just know that there has to be an even better way of building the whitelist and keeping it as small as possible.

    Of course, blacklisting is important as well, especially if it some form of cloud based ERP blacklisting, since there are now way too many threats for one company to keep track of. I remember when cnet advertised that none of their downloads contained malware. Now all of them do, unless the developer jumps through a lot of hoops to not include the "CNET SECURE DOWNLOAD". I mean seriously, wtf?

    Anyway, these are just my thoughts, I might be completely wrong. But if I am right about this... Developers, please find the best way to build a tiny, customized whitelist, and then block everything else.
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
If I may chip in, as a new user discovering the delights of VS? Yes, most definitively, IMHO it would be safer to 'localise' the allow everything activity to the 'Allow' that the user took, than to just keep VS off generally for the default or user set period. :D
     
  4. guest

    guest Guest

Why does the protection have to be disabled? What if a different exe is executed in the meantime?
    For me the solution would be the approach used by spyshelter, comodo...
    http://www.fileflash.com/graphics/screens/SpyShelter_Firewall-244277.png
    A checkbox with the installer mode.
So if it's a normal exe you only get 1 popup; if it is an installer and you choose this option (don't use auto detection since there is malware hidden in installers), all the exes coming out of the installer will be allowed.

    Anyway we shouldn't make VS weaker to be more user friendly, or at least should be optional. In any case VS protection should never be totally disabled.
    Since the path of the initial exe could be the desktop I don't think your solution is really good.
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
I think that guest makes a good point but I suspect that there has to be some consideration as to how to avoid presenting the user with a flurry of popups and, as a result that we see all too often, the average user gets to the stage that they constantly click 'Allow' either through lack of understanding or sheer annoyance at being interrupted (whether it is for their protection or not).

So perhaps the answer is to have both options; the simpler/more automatic one (VS off for the default time re. anything executing along the originally 'Allow' path) AND the more traditional (as per LR's post above), with the one to use being user selectable?

Not sure if that would be possible, but just a thought. :D
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Thank you Baldrick and guest for your help and thoughts, I really appreciate it. I see what you guys are saying, so how about something like this...

    If VS blocks something, the user can click on the balloon or shield, and this will automatically upload the hash or file to VT. If VT determines that the file is clean, there will be a prompt with the following buttons:

    1. Allow One - VS stays ON and allows only the one process.
    2. Allow All - VS will turn OFF until one of the following occurs:
    a. A web app gains focus
    b. The auto reactivate time has been reached
    c. The user left clicks on VS to turn it back ON

    And of course, if VT determines that the file is not clean, VS will just block it and tell the user that it is infected, and if they want to run it, they have to disable VS first.

    VirusTotal seems to detect the hidden malware in the installers quite nicely, so these files will be blocked automatically. Because of the way that they wrap the installers in malware, I do not think we can separate the items in the installers to allow only the good stuff, I think it just needs to be blocked.

    Does this sound like what you guys are talking about? Thanks again for your help!

    BTW, recently a client of mine wanted me to find some free PDF combiner software, so I looked all over the web and could not find one that did not have hidden malware, mainly toolbars. So I downloaded the best one I could find, and carefully opted out of the additional software, and it STILL infected the computer. I guess what I am saying is that the whole malware situation seems to get worse every day, and I just want someone to put an end to it. Just imagine what it will be like a year or two from now if nothing is done... computers will be unusable. I even have malware on my android tablet now, it is getting ridiculous.
     
  7. guest

    guest Guest

    @VoodooShield IMO checking a file on VT should be done automatically without user interaction.

    If you get a popup from an installer or any exe you have 3 options in the popup

    1) Block, the installer is blocked and nothing happens
    2) Allow, only the exe/installer is allowed
    3) Installer/learn/game mode: VS should allow all the exe's until the installer executable is closed (this is easy to monitor), in addition there could be other restrictions like time...

    I think this approach is safer, easy to understand, and easy to implement

In addition there should be a way to define a "hot folder", which could be the desktop for example, where all your internet downloads appear; the files in this folder should be scanned in advance in VirusTotal (when they appear, without waiting to be executed). All the exe's in the hot folder should get a popup (if not whitelisted already by the whitelist or VT) no matter if you are in the installer/learn mode, since the installers are not going to place and execute any exe in this folder.
     
    Last edited by a moderator: Dec 29, 2013
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think we are on the same page, except does there need to be a Block button since the user has already told VS to run it, assuming that VT determines that it is clean?

    If VT determines that the file is not clean, then VS should just block the file, and notify the user that they have to disable VS if they really wanted to run the file, so there would not be a block button here either, right? Thanks for your help!

    Edit: I really like your hot folder idea, but unfortunately we cannot implement this at this time. Possibly in the future though!
     
    Last edited: Dec 29, 2013
  9. guest

    guest Guest

mmm, I think we aren't on the same page then :D
I'm not sure what the problem is with the "block" button and why it can't appear in the popups together with "allow" and the "installer/learn/game mode", for the files that haven't been defined as trusted or untrusted by VT.

    What happens with the delay between the execution and the response from VT?
    What happens if only 1 of 60 AV's detect the file as dangerous?
    5 of 60?...
When a file starts to be blocked, when it is considered trusted, and when it is considered suspicious... all this needs to be defined.

So in the case the file is suspicious or VT doesn't have an instant answer (this issue could be partially avoided with the hot folder idea) for the file executed, a popup should appear giving the user 4 options.

    Wait, force, Virus Total
    Block
    Allow
    Install/learn Mode
     
    Last edited by a moderator: Dec 29, 2013
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Hi VS/Hi LR

    Interesting debate...but VS, I think that I am with LR re. the need for a Block button. Point taken about "...the user has already told VS to run it, assuming that VT determines that it is clean", it is possible that VT is incorrect or not clear as to 'how good' the .exe involved is, i.e., the point that VT made re. 1 of 60, 5 of 60, etc., so it is good to give the user a choice. But also one does not want to necessarily give a non knowledgeable user too many options....

    So, what about this re. configuration options (picking up also the point made by LR re. "...checking a file on VT should be done automatically without user interaction":

    One configuration option that indicates to VS whether checking a file on VT should be done automatically without user interaction OR if the popup is displayed first with an option to send to VT if the user wants to.

    Another configuration option that indicates whether the post scan popup is shown only if the scan comes back as negative OR if it is shown regardless of scan result, so giving the user the final decision based on the scan result details, experience, whatever, etc.

    Therefore (i) Auto VT check or Manual submission to VT and (ii) Auto continue on clear scan or Not.

    I think that the possible combinations of both options will give you either a completely automatic process if the .exe is clean or one that allows the user complete control, and flexibility between those extremes depending on how you set the options...hopefully you get my drift...(and that I am correct/my logic is not flawed, hopefully?).

    Just a thought to add to the 'pot'. :D

    Regards


    Baldrick
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
I was initially thinking that there would basically be 2 different prompts, depending on if VirusTotal detects a threat, so please tell me what you guys think:

    Prompt if VirusTotal returns 0/48
    Allow (One Process)
    Training
    (We can add a block button, but the user has already told VS that they want to run the file)

    Prompt if VirusTotal returns 1+/48
    Block

    During the delay of the upload of the hash or file, the file will not run until VirusTotal says it is clean.

I was thinking about putting a threshold on the number of detections from VirusTotal, but what if it is a really bad zero day, and only one of the scanners is aware of the virus? So I was thinking it would be best to not have a threshold, and if any threats are detected, the file would be blocked.

    Although, we could have a threshold in the settings with a different prompt:

    Prompt if VirusTotal returns < Threshold/48
    Allow (One Process)
    Training
    Block

    I really think we are talking about the same thing, but we need to take into account that there are 2 (possibly 3) different prompts, and just need to figure out what buttons go on each prompt, and this will be easy to change later if we need to. But here are the scenarios, what buttons do you think should go in each one?

    Prompt if VirusTotal returns 0/48
    Prompt if VirusTotal returns 1+/48
    Prompt if VirusTotal returns < Threshold/48

    Also, I am not sure what you mean by "Wait, force, Virus Total". Thanks again for your help!
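The prompt logic debated in guest's post above (the four options when VT has no answer yet, installer mode, hot folder) and in this post (0/48, 1+/48 and below-threshold prompts) can be written down as one decision function. This is an added example, not VoodooShield's code; the VtResult shape, the threshold setting, the installer-mode flag and the hot folder path are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VtResult:
    detections: int   # engines that flagged the file
    total: int        # engines that scanned it (48 or 60 in the thread)


@dataclass(frozen=True)
class Settings:
    # None means "no threshold": any single detection blocks (the zero-day argument)
    threshold: Optional[int] = None
    # user chose installer/learn mode and the parent installer is still running
    installer_mode_active: bool = False
    # constructed hot-folder path (assumption): downloads land here
    hot_folder: str = r"C:\Users\demo\Desktop"


def in_hot_folder(path: str, s: Settings) -> bool:
    return path.lower().startswith(s.hot_folder.lower() + "\\")


def decide(path: str, vt: Optional[VtResult], s: Settings) -> Tuple[str, List[str]]:
    """Return (state, buttons); state is 'block', 'allow', 'hold' or 'prompt'."""
    limit = 1 if s.threshold is None else s.threshold
    # VT says infected: hard block, the only route to run it is to disable VS.
    if vt is not None and vt.detections >= limit:
        return "block", ["Block"]
    # Installer mode: children of the running installer run without a prompt,
    # except anything appearing in the hot folder, which always gets one.
    if s.installer_mode_active and not in_hot_folder(path, s):
        return "allow", []
    # No VT answer yet: the file must not run until the user decides.
    if vt is None:
        return "hold", ["Wait for VirusTotal", "Block", "Allow", "Installer mode"]
    # Clean: the user already asked to run it, so no Block button here.
    if vt.detections == 0:
        return "prompt", ["Allow (One Process)", "Training"]
    # Some detections but below the user-set threshold: let the user choose.
    return "prompt", ["Allow (One Process)", "Training", "Block"]
```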
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yes, there is an option in the settings (at the bottom of the attached pic), and if I am understanding everything correctly, that is what it does. I think everything will be a lot more clear once we get 2.0 up and running and you guys are test driving it. We can always make adjustments as necessary. Thank you for your help!
     

  13. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Hi VS

    Excellent...looks like lesser minds (i.e., mine) think like greater minds (i.e., yours)...;)

Agreed, let's get to the v2.0 beta, give it a run and feedback on that as otherwise you may well end up chasing your tail...if I may be so bold as to suggest.

    Regards


    Baldrick
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
That's funny ;). Yes, I think it will be easier to figure out the Auto VT Scan and the prompt buttons once you guys try 2.0. I really think we are all saying the same thing, or we are at least very close to saying the same thing. So I will do everything I can to get you guys a beta version asap. Thanks again for your input and help!
     
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,692
    Location:
    South Wales, UK
    Hi VS

    Am late to the VoodooShield party but am very much loving it...will be a pleasure to beta test for you.

    Wishing you pre-emptively, a Peaceful & Prosperous New Year. :D

    Baldrick
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, same to you! Happy New Years everyone!
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
    Happy New Years Dan here's to VS and prosperous 2014! ;)

    Cheers,

    Daniel :)
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Daniel, same to you!!!
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Happy New Years Dan :thumb: :thumb:
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you jmonge! Same to you!!!
     
  21. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Is ver 2 coming out or is there a beta first?
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Oh, there will definitely be a beta since there are major, major changes. Most of the beta testers will be the people on wilders and a few local clients of mine. There are a lot more things that could potentially go wrong with this version, at least initially, since it is running as a service. It would not do any permanent damage to the computer, but it could be a real pain for someone if things went wrong. So yeah, we will be testing it thoroughly! Thank you!
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, the other day I saw "Bot Revolt" on wilders and was not sure what it was. So I checked it out a little, but have not had time to test drive it much. I guess they track the bad hackers and basically blacklist their IP (or whatever it is that they blacklist). Has anyone tried it yet, and if so, what do you think so far? Anyway, I thought it was a really cool and innovative concept, so we wish them the best!
     
  24. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Sign me up for the beta. Can't wait to get my hands on it.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Sounds good, will do! I guess BR is a reincarnation of PB, which I was never familiar with, but it is a great concept. BTW, I am realizing that I need to read up on all of the new products that have come out in the last 3 years ;). I am so focused on VS that I never get a chance to see what new really cool products are out there. What are some of the coolest / most innovative new products that I have missed in the last 3 years?
     