Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
Yeah, I cannot wait for you guys to see it. I am doing all I can to get it to you guys.
@VoodooShield Haha, I'm here! I will explain one of the most important problems of the product, in my opinion.
We will consider VoodooShield free running in Autopilot mode.
Everything is OK when we run malware that is not an executable, because VoodooAI will not be able to scan it, and it will be blocked.
The problem comes with really new executable malware... Everything is OK as long as nobody has scanned it with VirusTotal, because it will be blocked.
But trouble comes if the file is scanned too early with VirusTotal, when the file is only about one hour old... None of the signature-based engines there will have a signature for it, and we have to rely on AI products to detect the malware (CrowdStrike Falcon (ML), Cylance, Endgame, Sophos ML, SentinelOne (Static ML), Qihoo-360, Tencent: tell me if I missed some products). There are quite a lot of these AI engines on VirusTotal now, but let's say that none of them is able to detect the sample... VoodooAI is the product's last chance and, if it doesn't flag the file as malicious, the file will be able to run. The VirusTotal process is automated and you have no control over it.
I was thinking of a function to block all unsigned executable files by default... That would basically resolve this issue, but you'll also need to whitelist some of the most used unsigned programs, otherwise we will have too many false positives. I think the product needs some kind of manual whitelist.
VirusTotal is not always that good... Some engines always block legitimate installers, and this way VoodooShield will block them too...
Another problem: VoodooShield is quite slow to load on a system after the desktop appears (I'm talking about the icon and the widget). Can you speed up this process?
Then there is another thing about PUPs and bundled programs, but you can't solve this because of the way your product works. I tested this one with uTorrent (I have never used this kind of software, but I know that it is bundled with other programs). In my country (Italy), uTorrent no longer has the OpenCandy thing, but is now bundled with ByteFence Anti-Malware and Avast Free Antivirus. Even if these two are not malicious (ByteFence is detected as a PUP by Malwarebytes though), no user, especially a beginner, will want them on their PC bundled with uTorrent. So I ran a test... Your product blocked the uTorrent installer on execution because some engines were detecting it on VirusTotal.
Then I tested COMODO Firewall with my settings (I don't know if I can share my config link here), and, to my surprise, the HIPS was able to block both of the bundled programs, without user interaction, and no window was shown in uTorrent to install them. In the end, the user would have his software installed without the other programs. But, again, this one about PUPs can't be solved in your product.
I'll send you some other samples, if I have time.
Don't worry, as you said it is your opinion, and it goes against what VT and the AV vendors on VT think.
If you don't understand the benefit for everyone behind it, that is your problem.
Thanks, now we need the feature to pick which AV engines VS takes into account.
Are you thinking of selling lifetime licenses at a discount for Wilders members?
Just wanted to let you know, guys... I've just run two tests of VoodooAI. I ran only unsafe executables.
In the first one I found one suspicious sample; the others were all marked as unsafe. Unfortunately, I didn't check how many files I scanned.
In the second one I found 2/50 suspicious files. Scanning each file manually is hard work; I don't know if @VoodooShield uses any other tool.
@VoodooShield I sent you those suspicious samples
Hi Dan - I recently dumped Avast for ZAM Free. Since the change, I have not seen "VoodooShield failed to load". With Avast, it was several times a week. I normally power down if I'm going to leave the house or whatever, so on any day there would be at least two cold boots, sometimes 3 or 4. At least once a week there would be several consecutive load failure notices; once there were six I had to click through.
But not yet once with ZAM Free. So it would seem that any sharpish AV would impede VS loading to some extent.
FWIW, VS is one of the first 3 icons loaded in the Tray at every boot now. I don't use the gadget, but I do see the flash when it loads and is instantly hidden. That also happens early in the logon process.
I'm not unduly worried about VS being--or not--first to liven up. At logon there are no browsers active, and while several apps are indeed phoning home--thank you GlassWire!--I can't yet visualise any malware that isn't already trusted. To put it simply, if I have a root-kit, my system is toasted black, VS or no. That's the only threat I can imagine at boot/login.
Dan explained this the other day. He used to use the GUI to load VS. Now it is the other way around.
The malware had better be signed, or VS will throw a pop-up stating it is not a signed file. You then get a choice of allowing or blocking. True, it could still be allowed, but at least you get a warning. But I am not sure what the free version would do, since I have never used the free version.
I totally get your points, and most or all of these are fixed in VS 4.0.
Keep in mind... I do not recommend AutoPilot unless VS is combined with a quality AV. The computer needs to be locked when it is at risk. I simply added AutoPilot as kind of a "Safe Training" mode... it is not intended to be used on a daily basis unless VS is combined with a quality AV. But yeah, I totally agree that there will be bypasses (especially for "zero day" malware) when VS is on AutoPilot... but that just further demonstrates my point that the computer should be locked when it is at risk. But keep in mind, VoodooAi's algos are more aggressive than other "Next Gen" Ai products, and this is by design. The whole point of this is to auto allow (when VS is on AutoPilot) as many safe items as possible, while still blocking most of the malware. Hopefully you know what I mean, but if not, please let me know.
As far as bundled PUPs are concerned... they should only be allowed (when VS is on AutoPilot) if the digital signature matches the parent. This should be how VS 3.59 already is, but if not, please let me know. I am adding a new feature in VS 4.0 that will auto scan the child processes, even when the signature matches the parent.
So yeah, you bring up some really great points, and these will all be fixed in VS 4.0. Please test VS 4.0 when I release it and let me know what adjustments I need to make... thank you!
Oops... I was going to try to reply to some of the other posts, but something just came up, so I will be back asap.
BTW, there are a few "bugs" in VS 3.59... and most or all of these are fixed in VS 4.0. So when VS 4.0 is ready in a couple of days, please retest and let me know what changes I need to make.
I have made MASSIVE changes to VS 4.0 (unlike anything ever before), so there will be some small bugs, but they will be easy to fix. I am going to do my best to make certain that VS 4.0 is as bug free as possible... but there is not a chance that the initial release will be perfect. But overall, VS 4.0 is running amazingly, and the bugs will be easy to fix. Thank you guys, talk to you soon!
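The VirusTotal timing problem raised a few posts up (a file scanned while only an hour old shows zero signature detections, and that verdict then lets it run), the "block unsigned by default plus a manual whitelist" idea, and the parent/child signer rule in the reply above all come down to one decision function. The following is an added example written for this thread in Python; it is not VoodooShield's or VoodooAI's code. The thresholds (MIN_ENGINES, MIN_AGE_AT_SCAN, BLOCK_RATIO), the outcome names, the hashes, signers and paths are all constructed assumptions.

```python
"""Illustrative auto-allow policy for a VoodooShield-style whitelist.

Added example, NOT VoodooShield's or VoodooAI's real logic. Thresholds,
outcome names and the sample data are assumptions made for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class VtReport:
    """The few VirusTotal report fields the decision depends on."""
    first_submission: datetime   # when VT first saw this hash
    last_analysis: datetime      # when the engines last scanned it
    engines_total: int
    engines_malicious: int


@dataclass
class Executable:
    path: str
    sha256: str
    signer: Optional[str]                # Authenticode subject; None = unsigned
    parent_signer: Optional[str] = None  # signer of the process that spawned it
    vt: Optional[VtReport] = None        # None = never submitted to VT


# Tunables (assumed values, not the product's):
MIN_ENGINES = 40                        # fewer engines -> verdict inconclusive
MIN_AGE_AT_SCAN = timedelta(hours=24)   # scanned younger than this -> no signatures yet
BLOCK_RATIO = 0.10                      # >= 10% of engines flagging it -> block
MANUAL_ALLOWLIST = {"7d1f0c2a" * 8}     # user-vetted hashes (constructed value)


def vt_verdict(vt: Optional[VtReport]) -> str:
    """Reduce a VT report to 'malicious', 'clean', 'too_young' or 'inconclusive'.

    Zero detections only count as 'clean' if enough engines ran AND the sample
    was already old enough at scan time for signature engines to have had a
    chance. A file scanned one hour after it first appeared shows 0/N whether
    it is malware or not, so that result must not be cached as clean.
    """
    if vt is None or vt.engines_total < MIN_ENGINES:
        return "inconclusive"
    if vt.engines_malicious / vt.engines_total >= BLOCK_RATIO:
        return "malicious"
    if vt.engines_malicious > 0:
        # A few engines flag many legitimate installers: neither block nor auto-allow.
        return "inconclusive"
    if vt.last_analysis - vt.first_submission < MIN_AGE_AT_SCAN:
        return "too_young"
    return "clean"


def decide(exe: Executable, now: datetime) -> Tuple[str, str]:
    """Return (action, reason); action is allow, block, prompt or rescan."""
    if exe.sha256 in MANUAL_ALLOWLIST:
        return "allow", "hash on the manual allowlist"
    verdict = vt_verdict(exe.vt)
    if verdict == "malicious":
        return "block", f"{exe.vt.engines_malicious}/{exe.vt.engines_total} VT engines flag it"
    if verdict == "clean":
        return "allow", "mature VT verdict with no detections"
    # VT could not settle it: fall back to signature-based rules.
    if exe.parent_signer is not None:
        # Bundled child spawned by an installer: auto-allow only if the same publisher signed both.
        if exe.signer is not None and exe.signer == exe.parent_signer:
            return "allow", "child signed by the same publisher as its parent"
        return "prompt", "bundled child is unsigned or signed by a different publisher"
    if exe.signer is None:
        return "block", "unsigned, not settled by VT, not on the manual allowlist"
    if verdict == "too_young" and now - exe.vt.first_submission >= MIN_AGE_AT_SCAN:
        return "rescan", "VT scanned it before signatures could exist; it is old enough now"
    return "prompt", "signed but not settled by VT; ask the user"


NOW = datetime(2017, 5, 1, tzinfo=timezone.utc)


def build_samples(now: datetime = NOW) -> Dict[str, Executable]:
    """Constructed scenarios (fake hashes, fake signers, fake paths)."""
    born = now - timedelta(days=3)
    early = VtReport(born, born + timedelta(hours=1), 70, 0)   # scanned at 1h old
    mature = VtReport(now - timedelta(days=30), now - timedelta(days=2), 70, 0)
    flagged = VtReport(now - timedelta(days=400), now - timedelta(days=1), 70, 5)
    hot = VtReport(born, now - timedelta(hours=2), 70, 30)
    return {
        "fresh_unsigned": Executable("C:/Users/u/dl/a.exe", "a" * 64, None, vt=early),
        "fresh_signed": Executable("C:/Users/u/dl/b.exe", "b" * 64, "Vendor A", vt=early),
        "mature_clean": Executable("C:/Tools/editor.exe", "c" * 64, "Vendor B", vt=mature),
        "noisy_installer": Executable("C:/dl/setup.exe", "d" * 64, "Bundler Co", vt=flagged),
        "detected": Executable("C:/dl/x.exe", "e" * 64, None, vt=hot),
        "bundled_other_signer": Executable("C:/Temp/bf.exe", "f" * 64, "Other Co", "Bundler Co"),
        "bundled_same_signer": Executable("C:/Temp/helper.exe", "0" * 64, "Bundler Co", "Bundler Co"),
        "vetted": Executable("C:/Tools/old.exe", "7d1f0c2a" * 8, None),
    }


if __name__ == "__main__":
    for name, exe in build_samples().items():
        action, reason = decide(exe, NOW)
        print(f"{name:22} {action:7} {reason}")
```

The point of the "too_young" branch is that a cached 0/70 verdict taken an hour after a sample was first submitted is not evidence of anything; the policy asks for a rescan once the sample is old enough instead of auto-allowing on it, and an unsigned file in that state is blocked outright. A lone detection from one or two engines (the installer case) is treated as "ask the user", not as a block.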
Is there any way you could make VS a behavior blocker as well?
Looking forward to checking out 4.0
Fantastic, I can ditch another piece of software then. I'm psyched about the new version, but because of the major changes, will we still be able to install 4.0 over the top, or will it be necessary to cleanly install it?
What about the loading time at startup? Can you speed it up a little bit?
I forgot to mention the command line problem (AutoPilot)... Now this is nearly solved and there are far fewer command line alerts when installing legitimate software in AutoPilot. Yesterday I tried installing CyberGhost VPN and I got one command line alert before installing the network driver.
Do you have any tool to pass me to scan multiple files with the latest version of VoodooAI?
Thank you for the update Dan! I'm looking forward to giving her a try.
Anyone have trouble with Dropbox Desktop updating?
About a week ago, I got an update while VS was running, and the VS logs say regsvr was blocked. No command line showed as blocked -- just an entry about blocked regsvr in the log, and no prompt from VS when it happened.
Funny thing is, I did not notice any problem with Dropbox afterwards. It continued to start up at user account log-in, like before.
I had a problem this week with my Avira product updater trying to download and install a new product update. This happens every couple of months when a new product version is pushed out. Normally the updater just pulls new AV signature files down every 2 hours without issue. If a new version is available, it will automatically install that. But I noticed a couple of update failures in the Avira logfiles, that when reviewed, indicated a new product version was attempting to install.
But no alerts were received from VoodooShield, running in 'SMART(default)' mode. I then set VoodooShield to 'Disable / Install Mode', but Avira updater still failed. Only when I completely exited the VoodooShield app, was the Avira update able to complete successfully.
I also noticed that "disable/install mode" still blocks things, sometimes.
Even training mode sometimes blocks things.
Today I needed to exit VS, start up a certain app (Toggl desktop), and then take a snapshot. Only that way did it whitelist my app.
@TheMalwareMaster Did you try the "slow" loading problem on different PCs? On my P6200 laptop VS loads slowly, like all the other programs that are installed. On an old Intel 2500K with an SSD I couldn't say anything loads slowly, and the CPU is not really new.
@VoodooShield How about an "Allow for 5 mins" button? When I start a game like GW2 it often patches stuff and I have to allow a .tmp, which then seems to appear in my whitelist and clutters it. I'm running VS in "always on" and I'm too lazy to switch to another mode just for starting a game.
How is the development going? I hope you can release the new version soon; we are all eager to test it.
On my Acer laptop (it is 5 years old and came with Windows 8; now it's running Windows 10. It's generally fast), VoodooShield is only slow to load on startup. Everything else is OK.
On my new desktop the same. Maybe VoodooShield is slower to load than other programs because of the way it's programmed
Probably the delay is just the GUI; the service starts much earlier. Depending on how VoodooShield is designed, protection may start at service start rather than at GUI start.
Dan already explained how VS starts now. I also mentioned it above. He used to start the service with the GUI; now it is the other way around.
What is the most stable, bug free build of VS right now? I was thinking build 359b.
I agree as I've had no issues with this version.