VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. kram7750

    kram7750 Guest

    What on earth? Ok sure whatever you say

    Let me help you.. https://www.virustotal.com/en/about/best-practices/

    #2 - handpicking engines could be harmful to the AV/URL scanning industry and it is pretty clear as to why...
     
    Last edited by a moderator: Aug 7, 2017
  2. guest

    guest Guest

    lol
    I guess you made up the point 2, learn to read, but first give us a non stupid reason on why this is harmful for the AV industry. Why choosing what AV engines I want to see in VS result is harmful?

    In secureaplus you can handpick engines they use metadefender or something similar and no one is dead for it.
     
  3. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Is there an option to hand pick engines in VS? I did not see one.
    Might be something to consider.
     
  4. guest

    guest Guest

  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
  6. kram7750

    kram7750 Guest

    Well, I can definitely think of a non-stupid reason but you could have done it yourself if you thought for yourself instead of asking to be spoon fed. :D

    Obviously, if you can hand pick Avast, Avira, Kaspersky, ESET, and Qihoo then this may not be fair on those vendors. Because then someone else would be making money for intelligence being provided by other vendors... And do you want to know what those vendors use to generate that intelligence? Money.

    I do not know how the deals with VT and other vendors work. Maybe vendors do make money from VT. But it really does not take a genius to work out why it can be seen as unfair... So if other vendors do not get any profit for someone using their data for commercial purposes, then IMO this would be unfair.

    I just pointed out it could be unfair and pointed out potential VT usage violations. Dan can check them or even ask VT but if it's ok then sure add it

    But ok kl if you disagree with that being unfair then sure. I just suggested it could be unfair, never said it was guaranteed to be disallowed. Dan can add it if he wants if it doesn't break any rules ofc
     
    Last edited by a moderator: Aug 7, 2017
  7. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,072
    I've read that a number of times, in an attempt to try and understand what you are saying. But, it still makes no sense to me. Perhaps, you can explain it again more clearly.
     
  8. kram7750

    kram7750 Guest

    As an example, you now own a security vendor of your own called mRoger and you provide an Anti-Virus solution which is paid (mRoger Anti-Virus). You have your engine on VirusTotal to help general people using the service online, or using a free desktop tool to scan with VT.

    Now a product comes along which is commercial and paid (not just free), and they are relying on VT for malware scanning (no real database of their own for hash checksums or generic signatures). The product owners decide to add "Enable mRoger engine" but you had no say in whether you wanted your engine used in the product or not.

    Now, of course you also comply with the VT rules when you have your engine added. But if you do not make money for the usage of your engine when someone else is using it and making money, and neither have a say in it at all, is this fair? It could also give people the impression that you actually gave consent and have some sort of "partnership".

    It makes perfect sense IMO but Dan can do what he wants if he is allowed. If you do not understand this one then don't worry about it
     
  9. guest

    guest Guest

    I think I don't understand you either.

    What you are saying that is unfair and is destroying the AV industry is being used by many vendors and it's a well known practice and allowed by VT. Don't you think all the vendors use VT data to create definitions? They use detections of other engines to prioritize the analysis and creation of their own definitions. And this makes the AV industry stronger.
    The only difference here is that VS (that not only relies on VT) shows you the information and lets you choose without going to the web browser to see VT website.
    Thanks to this VT gets more files to feed their 5X or 6X engines, it's a win win situation.
     
  10. kram7750

    kram7750 Guest

    You are saying that it would be fair for a commercial paid product to use data being provided by other vendors (because they get more files to analyse). I am saying that unless the product is entirely free, this is unfair unless the vendors providing the data are also paid. I am also saying that unless the vendor agrees, their name should not be mentioned on the product because people might think that the vendor actually approves of the product/partnership. That is my opinion.

    For the record, I never said that VS uses only VT.

    It's a personal opinion situation on whether it is fair or not. Like I said, if it is allowed and Dan wants to add it then sure

    Edit:
    Look, it doesn't matter, you and someone else don't understand me so don't worry
     
  11. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,370
    SecureaPlus had to remove Virustotal as second opinion scanner due to the new policy. They have to provide their own engine (which they don't have) to Virustotal in order to use the service as an antivirus scanner.

    Dan doesn't need to have his own engine. Cause VoodooShield doesn't use virustotal to scan the whole computer like SecureAPlus does, rather it's more similar to how Process Explorer uses Virustotal. Though it would be good if they accepted VoodooAI into the mix.

    Now the actual issue here is the selection of engines.

    It's a similar situation as to why Zemana had to disable the ability to select engines.
    https://www.wilderssecurity.com/threads/zemana-antimalware-2-beta.372569/page-39#post-2515729
    1- Protecting Partners intellectual properties and treat everybody equally according to legal frameworks of our partnerships
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @VoodooShield
    https://www.wilderssecurity.com/threads/voodooshield.313706/page-684#post-2692354

    I know I should probably wait for version 3.60, but I'd really like to know about when VoodooShield blocks without prompting or writing to User Log.
    For example, ADB always fails when I have VoodooShield enabled. I just get an "Access is denied" without any prompts or new log entries. I didn't even know it was VoodooShield for a while.
    This can be even worse for programs that run in the background and don't display errors when failed, such as updaters. I usually have VoodooShield on AutoPilot.

    I'd also like to know how to block apps from opening the browser, such as MyPlayCity games. Not as much of a priority, but annoying nonetheless.
    Not sure if this applies, but how can I prevent standard users from messing with VoodooShield settings? I tried setting a password, but it's cumbersome prompting every time I disable it to install/update.

    And lastly, I hope to see the UI improved so that the shield gadget can remain on another monitor after reboot, and right click menu appears next to the cursor instead of bottom right of primary monitor.
    Would like to be able to open the settings or enable/disable VoodooShield by double-clicking the shield gadget or tray icon. Don't know how to unhide the gadget though...

    Sorry if the above items have already been addressed in 3.60, but I don't really have time to test it right now. Hope to have some input from you Dan, wish you the best.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,285
    Location:
    Among the gum trees
    But Dan does have his own engine - VoodooAi.
     
  14. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,370
    I know. I did mention it in my post. What I meant was that since VoodooShield doesn't scan the entire system using VirusTotal like SecureAPlus did, Dan shouldn't need to submit his engine to them. Though I think it would be good if he did.

    https://www.virustotal.com/en/faq/
    I want to scan my entire system, where can I download VirusTotal?
    VirusTotal just provides a second opinion on a given file or URL. It is by no means a full-fledged antivirus and we do not want it to be, therefore, VirusTotal is not available for download, it is just a web application.
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,072
    They were using multiple engines, but only actually listing some of them. This is a different scenario to using VT and only using the results from some engines.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, okay, I am getting very, very close… I had a couple of very funny setbacks, and I will be sure to tell you guys in Vegas.

    I am not sure if the new Rules Wizard will be up and running 100%.... but you will at least be able to see what it is about and maybe even write some rules. It kind of depends… there is a chance that the Rules Wizard might be 100% complete in a couple of days, so if so, that is cool. But I have not yet started working on the logic code for it… and if it was anything like the database code… man, I am in for a lot of fun. I completely forgot how much work it takes to create a database from scratch and connect everything… so that kind of delayed progress a little, but looking back the last few days, it was not too bad, and it will be worth it.

    So anyway… about the Rules Wizard logic… I think I have a plan, and while the logic / code is going to be quite complex, I do not think it will be too bad. So the plan is… I am going to release this version to you guys asap… 1-3 days, and while you guys are checking it out, I will be finishing up the rules wizard code.

    Then again, I might sit down and code the whole Rules Wizard logic in an hour… it all kind of depends.

    The only thing that I am worried about at this point is that the registration is not working quite right… and I have emailed Alex, but he is quite busy. So I am hoping that we can get that fixed in the next day or so… I am really, really bad with web / api stuff, and I do not like working on it. But if Alex is not available, I know several other devs that can help… I would just prefer Alex fix the issue since he wrote the code for the website / api. If worse comes to worse, I can figure it out, but it might take a while… I mean, it WILL take a while.

    Anyway, one last thing… I was thinking about the blacklist scan date and if it is file insight that is relevant for the Rules wizard, so I wanted your guys' opinion… I cannot quite get my head around this yet and I think I am missing something. Basically, file insight really should be absolute… and when the blacklist scan date changes, or is updated, that kind of throws things for a loop. For example, if you have a file that was scanned a year ago, and all engines detect the file as “threat not detected”… and no one happens to ever (re)scan that file again, the file could still be malware. Or, if you have a file that is one day old, and all of the scan engines detect the file as “threat not detected”… isn’t that pretty much the same as the file that was scanned a year ago?

    My question is… is the scan date at all relevant or useful as file insight for VS (or the new VS Rules Wizard)? I mean, it is interesting to know the file date when you are looking at a file… but a lot of times it simply does not matter. Hopefully I explained this correctly… anyway, please let me know your thoughts.

    So anyway, we are getting close… thank you guys, talk to you soon!

    PS.. someone was asking here or on MT if people are still infected with malware... the answer is yes. I have this small client who has 3 computers... 2 of them run VS and one guy who decided to uninstall VS after literally 3 blocks (from his logs). Anyway, he lost everything... and I mean everything... and actually, I have never, ever seen a ransom demand like this. I would post it, but I would not do that to my client, so I never took a picture of it. Anyway, this happened like 8 or so days ago. So yeah... malware is all about supply and demand. When VS started 6 years ago, there were 15,000 new malware a day... now there are 300,000. People do not waste their time unless they will gain from it. So yeah, it is an issue.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I would wait for the next version... this issue should be fixed. If not, please let me know, thank you!
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I actually offered VoodooAi to VT to list with their other engines SEVERAL months before the other "Next Gen" providers did so... and I was actually VERY reluctant to do so... but then I was like, "You know what, it is only fair since they are helping me... and besides, it will get our name out there a little more". Sounds silly, but that is exactly what happened.... I think I was optimistically drunk when I sent the email ;).

    Everyone should revisit what happened during the whole VT event almost a year and a half ago... http://blog.eckelberry.com/a-bomb-just-dropped-in-endpoint-security-and-im-not-sure-anyone-noticed/

    Here is the thing about VoodooAi... would false positive efficacy benefit from adjusting VoodooAi based on the other 63 or so engines? Of course it would... a lot of the players in the industry improve their efficacy by relying on VT. Look at Cylance... when the whole VT event happened over a year ago, Stewie said :

    Stuart McClure
    May 7, 2016 at 9:37 pm

    Hey guys,

    Hate to break up the fun Cylance bashing folks but we need to set the record straight. This announcement does *not* impact Cylance one iota. We have a completely independent conviction engine using math and algorithms, learning from the past to predict the future. We would be happy to educate anyone who is interested.

    Alex, we would not be against a retraction of your claims to the contrary. Completely up to you.

    Now, back to my weekend.

    Thanks
    Stu


    Fast forward to today and now Cylance has joined VT, which is actually a great thing since Cylance is actually a great product. My ONLY issue with Cylance is their marketing... their product is actually pretty darn great overall.

    So anyway, my point is... the other "Next Gen Ai" products offer you scores based on their score which is adjusted by the 62 other scores. The problem is, especially on "zero day" / unknown malware, A LOT of times, they are ALL WRONG!!! Experienced attackers verify that their malware is undetectable before they deploy it.

    The end user needs to see the RAW Ai scores, like VoodooAi shows... not the incorrect result of the masses. This is why I do not mind being different, and I do not mind a few more false positives... especially when the end result is a sky rocketing malware detection efficacy that is truly unmatched.

    Ai performs best when it is implemented into a deny by default solution and the Ai is offered as file insight, rather than a full fledged scan engine. Like this... block unless you are ABSOLUTELY SURE this file is good. The funny thing is... our competitors do this based ONLY on digital signature (which is dangerous), but when VoodooAi does this with checks 100+ times more accurate, it is a false positive if the answer is incorrect. It is freaking absurd. Do the hard work to give your customers necessary file insight.

    Is VoodooAi perfect? Absolutely not... some guys from MT have sent me some samples that VoodooAi missed, so I can include them in the next training data set. So that will work for now, but it will need to be constantly updated, which is fine... it is not like we need to add 300,000 new files to a blacklist each day.

    So I totally agree... Ai is not perfect, and it never will be... which is a good thing, because if that were the case, then I would have been wrong about the computer needing to be locked when it is at risk ;).

    The point is... NO ONE should EVER allow a file that is not proven to be safe, while a web app is running. It really is that simple. If you can safely allow known good files then cool. The alternative is to block every single item... which this method has been fiercely rejected by the security community for a very long time now... it will never happen.
     
    Last edited: Aug 9, 2017
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have missed A LOT of posts, but I happened to see this one.

    Anyway... yep, I added an automatic cleanup in VS 4.0.

    Here is the thing... our sales have been picking up dramatically and I am ready to go full time with VS. So I have been killing myself the last couple of months to make sure EVERYTHING is just right, so I can relax and answer people's questions ;).

    That is the short story ;). Anyway, I am getting very, very close ;).
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,285
    Location:
    Among the gum trees
    o_O Hmmm. ;)
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    I thought I recognized the name, since I used to beta test Sunbelt Software releases, i.e. CounterSpy, then Vipre when Alex Eckelberry was CEO of that company. - "Previously, I was the president of the security business unit for GFI Software, subsequent to the acquisition of Sunbelt Software in 2010, where I was its CEO for eight years.
    Sunbelt Software was a leading provider of security software for the Windows market, best known for its VIPRE Antivirus product." - http://www.eckelberry.com/aboutme.htm
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, that was not my initial intention... but things just kinda got out of hand ;).

    Prepare to be amazed. ;).
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am totally confused ;). Please let me know what you mean ;).
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,285
    Location:
    Among the gum trees
    Hmm some more. Sounds exciting!
     