App Review AppGuard vs CyberLock

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

ebocious

Level 6
Verified
Well-known
Oct 25, 2018
252
100% of the scripts and files were blocked, and only executed once the Allow button was clicked. Slow the video down to 0.25 and you will see.

WhitelistCloud and VoodooAi are not capable of analyzing every single file type. This is true with all scanners, they all have limitations on what file types they are able to analyze.

So in the test, whenever there was a file type that CyberLock was not able to analyze, Shadowra clicked Allow, but the recommendation in the user prompt was to Block for all of the files and scripts. Shadowra was just seeing what would happen if the user clicked Allow. Whenever I perform efficacy tests, I always click the button that is recommended.

Having said that, it would be a good idea to make the user recommendation even more obvious than it currently is. That is one of the things I have been working on, mainly in the new simple user prompt.
Not 100%, but I believe he clicked block when CL said unsafe, and allow when it said unknown. That said, I assume the system would have been protected otherwise.

It's been some time since I tried VS (CL). If I recall, it has the option to automatically err on the side of caution, and block anything that is not known to be safe. Is this correct?
 

n8chavez

Level 20
Well-known
Feb 26, 2021
972
I just don't understand why you'd purposefully select the "Allow" knowing that the malicious script would be allowed and thus CL would fail? Why? Are we all expecting CL to do all the work, or do you think CL users are dumb enough to just not know to block something they didn't execute. This seems like a very flawed test. Anyone with two brain cells, or from Missouri who has a cousin/wife, would know to block what you don't intend to run.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,697
@Shadowra Great video, as always. I have one request: please slow down the frame rate of your videos just a bit, because the way it is now, it's very difficult to follow what's happening. I don't know if I'm the only one who has trouble with this or not, but it seems adding a minute or two to your videos would help viewers. 🤔
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Not 100%, but I believe he clicked block when CL said unsafe, and allow when it said unknown. That said, I assume the system would have been protected otherwise.

It's been some time since I tried VS (CL). If I recall, it has the option to automatically err on the side of caution, and block anything that is not known to be safe. Is this correct?
Yes, that is my understanding as well. But in doing so, this would not be an apples for apples AppGuard VS CyberLock test. In short, offering tons of usability features, like the ability to allow a blocked item in real-time is a good thing, not a bad thing. Hell, in DefenderUI Pro and WDAC Lockdown, we even added a feature to allow native WDAC blocks ;). Even some people from Microsoft "Loved" this feature.

Locking down the system and blocking everything is the easy part. Making your lockdown app user-friendly is the difficult part.

And yes, you are correct, there are tons of different ways you can easily adjust the settings in CyberLock so that the user does not inadvertently allow something malicious.
 

ebocious

I just don't understand why you'd purposefully select the "Allow" knowing that the malicious script would be allowed and thus CL would fail? Why? Are we all expecting CL to do all the work, or do you think CL users are dumb enough to just not know to block something they didn't execute. This seems like a very flawed test. Anyone with two brain cells, or from Missouri who has a cousin/wife, would know to block what you don't intend to run.
I personally wouldn't, unless it was triggered by something I had downloaded from a known legitimate site and fully trusted. If it came in an email, I'd definitely be given pause.

But that's just me. I can't speak for everyone in MO, and I can guarantee some would click allow.
 

danb

I just don't understand why you'd purposefully select the "Allow" knowing that the malicious script would be allowed and thus CL would fail? Why? Are we all expecting CL to do all the work, or do you think CL users are dumb enough to just not know to block something they didn't execute. This seems like a very flawed test. Anyone with two brain cells, or from Missouri who has a cousin/wife, would know to block what you don't intend to run.
In addition... if we designed CyberLock to block child processes spawned from recently allowed items, then it would be blocking all things it is not supposed to be blocking... for example, if you are installing a new app and it spawns tons of new processes.

CyberLock will block certain items from allowed scripts, but we have to be careful and not adversely affect usability.
 

danb

I personally wouldn't, unless it was triggered by something I had downloaded from a known legitimate site and fully trusted. If it came in an email, I'd definitely be given pause.

But that's just me. I can't speak for everyone in MO, and I can guarantee some would click allow.
Yeah, and we are designing the new simple user prompts to look super scary and ominous when they turn red ;). I think that alone will help tremendously.
 

ebocious

Yes, that is my understanding as well. But in doing so, this would not be an apples for apples AppGuard VS CyberLock test. In short, offering tons of usability features, like the ability to allow a blocked item in real-time is a good thing, not a bad thing. Hell, in DefenderUI Pro and WDAC Lockdown, we even added a feature to allow native WDAC blocks ;). Even some people from Microsoft "Loved" this feature.

Locking down the system and blocking everything is the easy part. Making your lockdown app user-friendly is the difficult part.

And yes, you are correct, there are tons of different ways you can easily adjust the settings in CyberLock so that the user does not inadvertently allow something malicious.
Yes, my underlying thought was also that this demonstration would have been apples to apples, had the block button been used in all cases. And it could even be argued that there is a benefit in being able to temporarily relax but not totally disable protection. If memory serves me, the easiest way to install a new app with AG on the system is to completely disable protection for a specified period (e.g. 15 minutes, 30 minutes, 1 hour), leaving the system wide open. It'd be nice if I can lower protection level from something like "paranoid" to a "prompt me" setting, where I can allow child processes until the new application is installed, then raise protection back to "paranoid" to disable all alerts and just block anything unknown.
Yeah, and we are designing the new simple user prompts to look super scary and ominous when they turn red ;). I think that alone will help tremendously.
I like this idea.
 

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
536
I like the fact that Shadowra clicked allow on the script, since that's how I would do it. I mean, what else should I do if 100% of scripts pop a prompt? Of course I will click allow, since that's why I downloaded the program: I want to try it.

That's the danger of prompt on every executable. At which point do you just say "Just run the damn thing!"
 

Shadowra

Level 37
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
@Shadowra Great video, as always. I have one request: please slow down the frame rate of your videos just a bit, because the way it is now, it's very difficult to follow what's happening. I don't know if I'm the only one who has trouble with this or not, but it seems adding a minute or two to your videos would help viewers. 🤔

Unfortunately, this is due to the acceleration I use...
I'll try to lower the speed on the next one! (I was using 2x, I'll go to 1.25 / 1.30.)
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
CyberLock can analyze some scripts, but there are some it is not able to analyze yet. Do you think the blue Recommended label on the Block button is sufficient, or should we make the user recommendation more obvious?

Thanks again for the test!
I think I have seen a double warning in CL (you'd know better :D ), so a 2nd popup: "Hey, you clicked 'allow' -- are you f'ing serious!!"
 

simmerskool

I understand that you wanted to demonstrate or test CL's reaction. Enabling something that has been marked as suspicious leaves your system vulnerable. However, it's obviously a different matter if blocked was clicked and the system remained compromised.

Although I own both of these programs, I have chosen to continue with CL because it is considerably easier to use and more cost-effective for me. I loved AG, but it needed a lot of adjusting because it can't identify which is either good or bad.
Last time I read ALL the material on AG -- it is designed NOT to ID as "good / bad" -- if anything is doing the wrong thing in the wrong place it is blocked, period. (My understanding, & the less you tweak AG the better it works, default works -- which is not only my opinion, but it takes a while to come to this realization -- or it did for me.) I do like and use both apps.
 

simmerskool

I like the fact that Shadowra clicked allow on the script, since that's how I would do it. I mean, what else should I do if 100% of scripts pop a prompt? Of course I will click allow, since that's why I downloaded the program: I want to try it.

That's the danger of prompt on every executable. At which point do you just say "fck it! Just run the damn thing!"
...after running it in a few online sandboxes...
 

simmerskool

If memory serves me, the easiest way to install a new app with AG on the system is to completely disable protection for a specified period (e.g. 15 minutes, 30 minutes, 1 hour), leaving the system wide open.
I think the setting is "allow installs" and doubt it leaves the system "wide open" -- & there is a setting below that to turn it off -- but me no expert on AG, just a user.
 

oldschool

That's the danger of prompt on every executable. At which point do you just say "Just run the damn thing!"
It's called "security fatigue". One way around this with VS is to turn off notifications and prompts and let it do its thing. If something on your system isn't working, check the user logs.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,221
It's called "security fatigue". One way around this with VS is to turn off notifications and prompts and let it do its thing. If something on your system isn't working, check the user logs.
CL has the helpful feature of Autopilot :D Though I agree with other comments to @danb. Maybe just have mini notifications have Block as the main portion of the popup, with a small text link to allow in a corner, e.g.
[screenshot attachment]

I had to use the Comodo Installer with the certificate issue as an example :D Will have to restart to see if I can look at the simple notification.
 
