Ransomware Test: Cylance, Sophos, VoodooShield | by VoodooShield
- Thread starter Evjl's Rain
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Dec 29, 2014
- 1,711
VoodooShield users should see this to see learn to trust the alerts from VS and to learn their meaning. Default deny is kind of a shock to some I think, who might wonder how it could be this easy. Nice test.
honestly, I always use voodooshield as a realtime VT hash checker because I can't find any alternative. I never trust VoodooAi
VS is still one of the best solutions to fight against ransomwares besides qihoo and comodo autosandbox
a painful result for Cylance considering price-over-quality
- Dec 29, 2014
- 1,711
Good points. The alerts aren't brilliant
. The problem I see is that some users may see the alert and be confused, so it could help to see many of them in a short time that way. Maybe this helps more with VS than any other program I can think of, since it is default deny. Users can visually connect to the alerts and understand better the place of VS. It does block the malware and not just other things. It certainly is a one of a kind program.If the Ai improves in future versions and the free is still in place, I think VS will become popular on Auto-pilot even on larger networks...provided the devs can come up with something so that blocks can be easily undone by a security admin. Corps don't install much on corporate networks, so I think it could be efficient if VS were spot enough on point with its recommendations. Sure would gum up the works for malware writers.
Honestly I don't see tools like VoodooSheild becoming mainstream or used in the enterprise.
The reason why Cylance is killing it in the enterprise is ease of use, ease of deployment and it doesn't need any major user interactions.
The reason why Cylance is killing it in the enterprise is ease of use, ease of deployment and it doesn't need any major user interactions.
- Mar 13, 2016
- 1,298
@all
Although Dan always chooses his own path, he listens to his customers and initiates discussion with people having different opinions (that is how we started to skype (example). Sometimes he holds of suggestions, simply because he has limited time and resources (months old suggestion confirmed after launch AIv2 example)
Some of his ideas in any random order for next years (time and resources determine pace)
- Fine tune AI-engine V2 (Q1-2017)
- Simplify user interface (ease of use)
- Offer a silent mode (ease of use)
- Offer a cloud whitelist (ease of use)
- Offer a AI only version (increase consumer market share)
- Offer a central management version (increase corporate market share)
I was triggered by your remark about Cylance, do you have any insights to share on requirements for corporate market?
Regards Kees
Although Dan always chooses his own path, he listens to his customers and initiates discussion with people having different opinions (that is how we started to skype (example). Sometimes he holds of suggestions, simply because he has limited time and resources (months old suggestion confirmed after launch AIv2 example)
Some of his ideas in any random order for next years (time and resources determine pace)
- Fine tune AI-engine V2 (Q1-2017)
- Simplify user interface (ease of use)
- Offer a silent mode (ease of use)
- Offer a cloud whitelist (ease of use)
- Offer a AI only version (increase consumer market share)
- Offer a central management version (increase corporate market share)
I was triggered by your remark about Cylance, do you have any insights to share on requirements for corporate market?
Zero Knowledge said:
Regards Kees
Hello Kees
I can give a short basic overview of enterprise.
#1 Cost benefit analyses. How much does a product cost to deploy, maintain and upgrade over a 3/5 year period.
#2 Ease of use/deployment. Do you need to train I.T staff and end users to use the new software.
#3 Compatibility with current software. Does the new AV play well with current in house software
#4 Regulatory compliance. Depending on what industry you may have to follow different rules.
#5 Zero Day protection. Does the AV software protect against unknown exploits.
This is not a final guide. Just the top 5 that I thought would be in any top 5 for enterprise.
I guess the main thing to take away is that a solution must be first cost effective to implement, easy to use for staff and workers, not breach regulatory guidelines depending on industry, and protect against unknown exploits.
Next generation AV is killing it in the enterprise market at the moment. Cylance, CrowdStrike, SentinalOne, Carbon Black are making big in roads into the traditional AV market.
The main reason those companies don't offer consumer versions is that they don't have to deal with the end user. They are selling minimum 250 licenses per enterprise on a daily basis. 250 is the absolute lowest limit you will have to buy just to get a email reply from a sales rep. They don't need to sell to consumers because they are making enough money as it is at the moment.
I hope that helped somewhat Kees.
- Jan 4, 2016
- 1,022
Well, I tried to contact him on "the other forum" but moderators don't approve my post. I don't know why
- Oct 22, 2016
- 409
- Mar 13, 2016
- 1,298
Some of the other forum mods are very tight in applying their forum rules, that is why I came to this forum also
- Jul 28, 2014
- 1,990
I think instead of checking just malware samples, VoodooShield should also test usability in comparison with other AVs, this means installing large amounts of commonly used software (VLC, IDM, Malwarebytes, etc) and see how many commonly used software are blocked in this test. I would suspect that VS would definitely have more trouble allowing them to install than other AV products.
- Mar 13, 2016
- 1,298
Hello Kees
I can give a short basic overview of enterprise.
#1 Cost benefit analyses. How much does a product cost to deploy, maintain and upgrade over a 3/5 year period.
#2 Ease of use/deployment. Do you need to train I.T staff and end users to use the new software.
#3 Compatibility with current software. Does the new AV play well with current in house software
#4 Regulatory compliance. Depending on what industry you may have to follow different rules.
#5 Zero Day protection. Does the AV software protect against unknown exploits.
This is not a final guide. Just the top 5 that I thought would be in any top 5 for enterprise.
I guess the main thing to take away is that a solution must be first cost effective to implement, easy to use for staff and workers, not breach regulatory guidelines depending on industry, and protect against unknown exploits.
Next generation AV is killing it in the enterprise market at the moment. Cylance, CrowdStrike, SentinalOne, Carbon Black are making big in roads into the traditional AV market.
The main reason those companies don't offer consumer versions is that they don't have to deal with the end user. They are selling minimum 250 licenses per enterprise on a daily basis. 250 is the absolute lowest limit you will have to buy just to get a email reply from a sales rep. They don't need to sell to consumers because they are making enough money as it is at the moment.
I hope that helped somewhat Kees.
Thanks,
At #2 ease of use and #3 compatibility
At the moment we are discussing a local white-list based on program signatures determined when VS does its post-install system snapshot. Because companies often use standardized images, this would imply a "no actions required / automatic deployment" for system admins/IT managers. This local hash/signature whitelist guarantees offline protection (no internet connection available) and can be changed through central management (e.g. in response to malware outbreak). Central Admins even can put on a 'lock' when endpoint has admin rights (tightly limited to local white-list managed by company or relaxed using the cloud whitelist).
#4 Regulatory compliance.
Thinking about how to implement this. Please help me get this clear. Regulatory compliance is industry based, so this "entity of control" is between the local whitelist (image or company based) and the global cloud whitelist (basically for every VS user). This could be implemented using insudstry specific mask or views in the cloud whitelist. Out of my head this would have some data base impact (either replicate the hash for every industry or add a multiple industry code array to the hash). So do you know of security software already implemented regulatory compliance?
#Unknown exploits
At the moment VS does a perfect job blocking exploits triggered by executables and does very well against poisoned documents. Dan is thinking about further strengthening protection of script based exploits
#Pricing
Since VS offers a fully functioning freeware function, we have discussed micro-licensing (which is common for phone apps often priced between $0.99 and $2.99 annually). I have not yet convinced Dan on this. He has an enormous advantage at the moment. He has sold quite a few licenses and he is able to deliver customer services on his own (somple because VS does not require much user support). Because a lot of people bought a license to support development of VS, it is unclear yet of the current group of users are very educated users requiring little support by themselves OR VS is a killer application when it comes to requiring little customer support. When the latter is through, no other AV can meet his low cost of operation. So VS could be sold according 'micro licensing' scheme (say $1.99 per endpoint/user seat annually). Do you have any info on pricing schedules of next gen AV's?
Regards Kees
- Jun 14, 2011
- 1,790
VS shouldn't be compared with "traditional" AV's because it is a whitelisting / anti-exe app so it is rather normal that VS will cause some more trouble than any AV.
Blacklisting will allow to run anything that's not recognized by it's definitions and whitelisting works the other way around so first you'll need to whitelist a program / driver / commandline before it could be executed.
- Jul 28, 2014
- 1,990
I agree, which is why I don't really think the video above proves anything when compared to a traditional AV. The fact that VS is a whitelisting application while being compared to blacklisting AVs is like comparing apples to oranges, yes VS might be better in a way when protecting the system from malware, but it also drastically drops the usability of the system.
- Mar 1, 2014
- 1,708
If I remember correctly, Dan said that if VS is tested against AVs, the auto-pilot mode should be used instead of the whitelisting modes (Smart Mode and Always On Mode). In this way, VS would act closer to an AV, than as a whitelisting application.
VS was tested in autopilot. It means it is somewhere between a traditional AV and a whitelisting app (hybrid). Autopilot automatically allows double-negative apps to run (VT=0-1/56 and Ai=safe). those apps are very likely to be safe.
In his previous video VS showed a result of ~96% if I'm not mistaken
In this video zemana portable could successfully run without being blocked
The video proves that VS is a highly effective tool for users who can read and decide what is shown on the screen but not for novice users because of the rate of false positives. Novice users may assume a blocked app is not working and they may notknow what to do or how to allow it to run
it also proves that traditional AVs are not enough today. We need something stronger and more aggressive. The best tools against ransomwares like comodo, winantiransom and voodooshield, all of them are very aggressive and have high false positives
it's not easy to find an app which has very low rate of positives and high detection rate for ransomwares. Qihoo auto-HIPS?
Hey Kees!
I will try to answer your questions to the best of my ability.
Just a simple question, Kees are you now a business partner of VoodooSheild?
Symantec and McAfee enterprise products both meet various industry regulatory bodies compliance statutes.
I'm pretty sure Kaspersky & Webroot would meet regulatory requirements as well.
You need a good log solution in enterprise networks. I would advise VoodooSheild to build a robust log capability in it's enterprise console.
Script based detection will be very important going forward in the industry. Cylance already has a module to detect script based attacks.
Most AV's will have to incorporate a script based defense mechanism into their products in the next few years.
The next gen AV companies I've dealt with are priced around $60 per license for 50 to 250 users.
The more you buy the better discount you get. If you are buying 2500+++ licenses it would be about $35 to $40 per license.
The biggest cost for enterprises is if they choose to buy the next gen AV's real time threat intelligence platforms.
CrowdStrike, Carbon Black, Cylance, SentinalOne, Palo Alto, Cisco, Barracuda sell their consoles for $20,000 plus in most cases.
I will try to answer your questions to the best of my ability.
Just a simple question, Kees are you now a business partner of VoodooSheild?
Symantec and McAfee enterprise products both meet various industry regulatory bodies compliance statutes.
I'm pretty sure Kaspersky & Webroot would meet regulatory requirements as well.
You need a good log solution in enterprise networks. I would advise VoodooSheild to build a robust log capability in it's enterprise console.
Script based detection will be very important going forward in the industry. Cylance already has a module to detect script based attacks.
Most AV's will have to incorporate a script based defense mechanism into their products in the next few years.
The next gen AV companies I've dealt with are priced around $60 per license for 50 to 250 users.
The more you buy the better discount you get. If you are buying 2500+++ licenses it would be about $35 to $40 per license.
The biggest cost for enterprises is if they choose to buy the next gen AV's real time threat intelligence platforms.
CrowdStrike, Carbon Black, Cylance, SentinalOne, Palo Alto, Cisco, Barracuda sell their consoles for $20,000 plus in most cases.
- Mar 17, 2016
- 457
AUTOPILOT is the closest it gets to an AV as you can see in the video "Threats Detected by Blacklist scan and VoodooAI" so technically its comparable, WHITELISTING is only in SMART and AlwaysON setting this blocks everything whether its safe, fp, or malicious, the real point of the test is Efficacy w/c the end result is a protected PC.
Not really as proof ZAM portable upon pre-execution was not blocked by VS...
Last edited:
- Oct 22, 2016
- 409
Hi, where can I get the app efficay Test used in this test?
