VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I think Dev is correct here, i.e. he meant modifying the defaults in use with other security software, i.e. Comodo. So, it's the tester's responsibility to mention the modified VS defaults in use with Comodo here.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And thank you for recommending VS ;).
     
  3. guest

    guest Guest

    @Yash Khan I know, I agree with Dan, the test wasn't totally transparent. That is why I watched Cruelsister's one right after, and I know how she works, so when I saw no flaw, I was "intrigued" by the first test...

    It would be a better choice in terms of security, but for the average user it will mean more prompts to answer, so maybe not the best for them... I think you can make VS automatically disable it when in "Always ON" mode (since it is a mode made for better security), and when the user is in "Smart" or "Autopilot", VS automatically enables the feature. What do you think?

    You are welcome. When a product deserves it, it should be recommended. :)
     
  4. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Got it guest.

    Yes, something like this, or maybe different settings for VS modes.
     
  5. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @VoodooShield, I'd like to be able to modify the icons first and the verbiage second; I figured the icons may have been easier. I've found it is a bit easier when there are distinct pictograms that let the user quickly recognize the program state; right now it seems to be a bit fuzzy. Thanks.
     
  6. guest

    guest Guest

    Can you give a detailed example of what may confuse you? Actually, we are discussing it with the devs, so as you are a new user your feedback will be taken very seriously.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for your input... can you please give us even more details? :)
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I really like that idea a lot... it makes a lot of sense, thank you for the suggestion. We just have to be cognizant of the fact that for example, especially with installers, A LOT of the dependencies are not signed / are not as well developed and refined as the main gui or installer, so there will be a few false positives, both from the blacklist and Ai. But sure, we can certainly think about that. We could always have a check box (or Allow All button) on the initial user prompt, that would allow all child processes, and basically just remove that feature completely. There are a lot of options, and whatever everyone thinks is best, we will do.

    BTW, I fully admit that VoodooAi incorrectly identified the file as safe... missing it by 0.0225, so it was close! Over time, you will see the composite VoodooAi score increase, as new blacklist engines realize the file is not safe... the raw VoodooAi scores will remain the same though. I was certainly relieved when the "Big 3" Ai vendors called the file safe as well.

    Looking at the Cuckoo Sandbox analysis and the VoodooAi raw metadata, it does not look THAT bad... I mean it looks like it is a little bad, but nothing major... kind of like a joke app or something. Like, if I had to guess, I think a VoodooAi score of 0.4775 is about right. The overall score for Cuckoo Sandbox was 10 (malicious), but I think this was largely due to the 7 VT hits. It was identified as Foom... a quick Google search yielded nothing. Is anyone familiar with Foom?

    I should be able to decompile it and figure out what it really does, I will do that right now.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, if the file does not turn out to be all that malicious... I think we have all learned something very, very important here.

    If you are going to test malware and are interested in performing a valid test, make sure it is unquestionably malware... especially if the file is 8 days old and 87.5% of the blacklist engines believe the file to be safe.
     
  10. guest

    guest Guest

    You are welcome ;)

    The "Allow All" button would be good. for both average Joe and advanced users.

    Allow All: the Parent & Children will be allowed (good for popup haters ^^ )
    Allow: only the current process is allowed, if the current process spawn another process the prompt popup for it again. (good for me, i like full control ^^ )

    Btw, i dont know if you can implement a "explanation" of the button function when hovering on it? (like when you hover on "allow all" , a small warning appears saying "by clicking this button you will allow all dependent processes" or something like that.)

    Seems trivial, but remember Average Joe never read help files.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, everyone please think about this for the next week or 2 while I finish up VoodooAi 2.0. I think it is going to be pretty cool, but we will not know until we see the results / curves ;). VoodooAi was based on 40 or so features, and I am already up to 400 for this version.

    Sure, we can do some kind of hover thingy, that would be cool. You guys figure it out and let me know!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, here is the source code to the file, you can open it in Visual Studio or Notepad++.

    www.voodooshield.com/artwork/ThingThingSource.zip

    I have to step away from the computer for now, but just looking at it briefly, I would guess it is a joke app, as suspected. However, still be careful because there might be something malicious in it... I will not know until I review it some more. The password is infected (just in case).

    If there are any malware researchers out there who would like to look at the source and let us know what you think, please do so.

    Here is the Cuckoo analysis... it includes the dropped files: http://voodooshield.asuscomm.com:8080/analysis/2441/

    If it turns out to be a joke app, there are 2 things that are for certain.

    1. At least 2 people owe me a massive apology.
    2. If it is a joke app... then VoodooAi NAILED IT!!!!!!!!! (Half good and half bad)
     
  13. guest

    guest Guest

    I think the file is a joke file, but the concept could be used in a more malicious way.
     
  14. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    I'm going to purchase some Pro licenses of VS later today so I can run through the application and start to formulate a set of pictograms. I am not a developer by trade but have experience in UX; from reading the manual I am a little confused about the details of the different modes. I'm confident this could be made more clear and usable, but I won't know for sure until I kick the tires and start to solicit feedback from the other users. Even if nothing comes of it, my primary motivation is proper operation; intuitive UX is only icing on the cake. Thanks.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    But the thing is... in order to utilize the code in a malicious way, the source code would have had to contain imports, symbols, etc, that gave it the potential to be malicious. Once it does that, THEN it is malware, and will be detected as such by blacklist and Ai.

    I reviewed the code some more... it is a joke app, so the VoodooAi score of 0.4775 is correct.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you, I would appreciate that. If you need a license, email me at support at voodooshield.com and I will set you up a license. I am going to bed soon, so I may not be able to get to it until the morning.
     
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Hi VS! Long Time!!! I wish I saw this thread first as I had initially thought that David had the Comodo settings wrong, but as I read in your previous posts proper settings of VS must be employed if one wants to use CF and VS on the same system (and God alone knows why one would want that!).

    But as so many people assume that a "layered approach" means adding a bunch of security products on the same system hoping that they will be both additive in protection and minimal in conflict this video was instructive. Unless you REALLY know what you are doing such assumptions will frequently end in tears.
     
  18. guest

    guest Guest

    Autopilot: VS does everything for you (based on its rules, scans, etc.).

    Training Mode: (shield is red and says OFF), everything launched is allowed, no scan, no prompts. Basically the install mode.

    Smart Mode:
    - If a web-facing app is launched (based on a list), VS automatically "locks" the system (shield is blue and says ON). From then on, non-whitelisted files are blocked while a cloud scan is executed, a result is given, and a prompt is generated to ask the user for a decision.
    - If no web-facing apps are launched, the system is "unlocked" (shield is red and says OFF). Launched files are scanned, and if clean are allowed.

    Always ON:
    - The user decides when to lock/unlock the system (same icon display as Smart Mode). Executed files are still scanned as in Smart Mode.
     
  19. guest

    guest Guest

    Yes you must disable allowance in the parent process feature; however only registered users can disable it.

    Exactly, it is why when I made my "guide to a layered protection", I mentioned that people must know how their softs behave... it is not just stockpiling softs without thinking.
     
  20. OSTexo

    OSTexo Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    27
    Location:
    United States
    Hello,

    @VoodooShield, thank you very much for the offer, but I would prefer to pay my way on this. If I don't support the small developer, how can I expect there to be a v4, v5, etc.? It's a great value in my opinion for a multi-seat multi-year license.

    I've gone over your privacy statement and I do have a question about the snapshot and log file uploads. Do the snapshot and log information contain information that can be traced back to a particular endpoint? Is this information stored in the clear? My concern with this is that if the remote snapshots and logs are compromised server side, that information could be used to break through to the client endpoints, using the process and logfile data to help them exploit weaknesses in applications installed on the client. Thanks.
     
  21. guest

    guest Guest

    VS uploads settings and whitelist (if you let it), but the function (in my case) doesn't work very well :p. So in case a hacker manages to get those files, they will just know the name of your machine and what applications you are using; however, as to whether VS logs the IP address of the machine uploading those files, I have no idea.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey CS, how are you? Well, VS has an option to automatically allow a file based on the Parent Process. So if the parent process is a Sandboxie or Comodo sandboxed process, VS will auto allow it by default, because VS assumes that the sandbox process is already being properly handled. We can disable this feature by default (it is currently enabled by default), but it probably is not necessary.

    After reading the MT thread, I am curious if there is some kind of conflict between Comodo and VS... I do not think there is, I think there were simply errors in the test. I would test this scenario myself, but I am not familiar enough with Comodo to properly perform the test, so it looks like we will have to wait for you to perform the test (if that is ok with you) ;).

    BTW, I would be curious if the sample that remained suspended in the VS video you created, still remains suspended with the current version of VS. If you get a chance and still have the sample, and do not mind checking it out, I would be curious of the result. Thank you for all of your help!
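    To make the behaviour discussed in this thread concrete, the following is an added toy model (not VoodooShield's code, and not from the developer) of the decision flow described in three posts above: the mode descriptions (Autopilot, Training, Smart, Always ON), the "Allow" versus "Allow All" distinction for child processes, and the parent-process allowance that auto-allows children of a sandboxed parent. All class, field and process names (Mode, Decision, Launch, Policy, Engine, sandbox_host.exe, browser.exe and so on) are hypothetical, and cloud_scan is a constructed stand-in for the cloud/AI verdict. The demo walks through a Smart Mode session and shows that a flagged file spawned by a sandboxed parent is allowed while the parent-process allowance is on, and is held for a prompt once it is turned off.

```python
"""Toy model of the application-control decisions discussed in the thread.

Constructed example, not VoodooShield's code: every name below (Mode,
Decision, Launch, Policy, Engine, the process names in demo) is hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    TRAINING = "training"      # shield OFF: everything runs, no scan, no prompt
    AUTOPILOT = "autopilot"    # engine decides from the scan, never prompts
    SMART = "smart"            # locks only while a web-facing app is running
    ALWAYS_ON = "always_on"    # the user decides when the system is locked


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"          # held until the user answers


@dataclass(frozen=True)
class Launch:
    path: str       # executable being launched
    parent: str     # executable that spawned it


@dataclass
class Policy:
    mode: Mode
    whitelist: set
    web_facing_apps: set              # apps that trigger the lock in SMART mode
    sandbox_parents: set              # parents whose children are auto-allowed
    auto_allow_sandboxed: bool = True # the default the thread discusses
    user_locked: bool = False         # lock state chosen by the user in ALWAYS_ON


def cloud_scan(path: str) -> bool:
    """Constructed stand-in for the cloud / AI verdict: True means clean."""
    return "malicious" not in path


class Engine:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.running = set()          # executables currently running
        self.allow_all_roots = set()  # processes the user answered "Allow All" on

    def locked(self) -> bool:
        p = self.policy
        if p.mode is Mode.TRAINING:
            return False
        if p.mode is Mode.AUTOPILOT:
            return True
        if p.mode is Mode.SMART:
            return bool(self.running & p.web_facing_apps)
        return p.user_locked          # ALWAYS_ON

    def decide(self, launch: Launch) -> Decision:
        p = self.policy
        if p.mode is Mode.TRAINING or launch.path in p.whitelist:
            return Decision.ALLOW
        # Parent-process allowance: a child of a sandboxed process is trusted
        # without a scan. This is the gap the Comodo test ran into, so the
        # option is modelled explicitly and can be switched off.
        if p.auto_allow_sandboxed and launch.parent in p.sandbox_parents:
            return Decision.ALLOW
        # "Allow All" on an earlier prompt covers that process's children.
        if launch.parent in self.allow_all_roots:
            return Decision.ALLOW
        clean = cloud_scan(launch.path)
        if not self.locked() or p.mode is Mode.AUTOPILOT:
            return Decision.ALLOW if clean else Decision.BLOCK
        return Decision.PROMPT        # locked: scan result shown, user decides

    def launch(self, launch: Launch) -> Decision:
        d = self.decide(launch)
        if d is Decision.ALLOW:
            self.running.add(launch.path)
        return d

    def answer_prompt(self, launch: Launch, allow: bool, allow_all: bool = False):
        """Apply the user's answer to a PROMPT decision."""
        if allow:
            self.running.add(launch.path)
            if allow_all:
                self.allow_all_roots.add(launch.path)


def demo(auto_allow_sandboxed: bool = True) -> dict:
    """Walk through a Smart Mode session; returns the decision at each step."""
    policy = Policy(mode=Mode.SMART,
                    whitelist={"explorer.exe", "browser.exe"},
                    web_facing_apps={"browser.exe"},
                    sandbox_parents={"sandbox_host.exe"},   # constructed name
                    auto_allow_sandboxed=auto_allow_sandboxed)
    eng = Engine(policy)
    out = {}
    # Unlocked (no web-facing app running): a clean unknown file runs after a scan.
    out["unlocked_clean"] = eng.launch(Launch("tool.exe", "explorer.exe"))
    # A web-facing app starts, so SMART mode locks the system.
    eng.launch(Launch("browser.exe", "explorer.exe"))
    out["locked"] = eng.locked()
    # Locked: an unknown download is held and the user is prompted.
    dl = Launch("setup.exe", "browser.exe")
    out["locked_unknown"] = eng.launch(dl)
    # A flagged child of a sandboxed parent: allowed by parent-process
    # allowance unless the option is off, in which case it is held for a prompt.
    out["sandbox_child"] = eng.launch(Launch("malicious_payload.exe", "sandbox_host.exe"))
    # Plain "Allow" on setup.exe: its child still prompts.
    eng.answer_prompt(dl, allow=True)
    out["child_after_allow"] = eng.launch(Launch("setup_dep.exe", "setup.exe"))
    # "Allow All" instead: children of setup.exe run without a prompt.
    eng.answer_prompt(dl, allow=True, allow_all=True)
    out["child_after_allow_all"] = eng.launch(Launch("setup_dep.exe", "setup.exe"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Running demo() with the default shows the sandboxed child allowed despite the flagged scan; demo(False) turns the parent-process allowance off and the same launch comes back as a prompt, which is the setting change the Comodo test needed.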
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you, I appreciate that! No, there is no private / trackable data in the database that can be tracked to a particular endpoint... I have no interest in collecting data of any kind. It has been 4 or so years since I have looked at the current database design, but it is very generic, and it is soon going to be replaced with the VoodooAi database.
     
  24. guest

    guest Guest

    Exactly, it's why I proposed a possible solution above.
     
  25. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Can I have it...tnx
     
    Last edited: Oct 31, 2016