Advice Request VoodooShield - Custom Rules to increase protection



Raka Daku

Thread author
RULES, anyone trying custom rules?

Current custom ruleset (just test purpose, VAi only, & VAi set to "81" in the ruleset)
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT
If VoodooAi is less than or equal to 81

Other customizations
Settings - Basic - Deny by Default (uncheck to show prompt instead of balloon) - Unchecked
Settings - Advanced - Automatically scan blocked files with the multi engine blacklist scanner - Unchecked

Snapshots
Initial Snapshot taken
Advanced Snapshot not taken

Test (30 safe programs.. popular/lesser known/forum made/etc)
All programs were automatically allowed (VAi score less than 81)

Test (cannot test malware on the system, downloaded 13 keygens by well-known or popular crackers on various forums)
12 keygens got verdict Unsafe (VAi score above 91)
1 keygen got verdict Suspicious (VAi score 89)
1 keygen was automatically allowed (VAi score less than 81)

I uploaded the allowed keygen to VirusTotal & Comodo Valkyrie
VirusTotal - Latest report.. 3 vendors detected, CrowdStrike Falcon, Rising & Webroot
Comodo Valkyrie - Latest report.. Clean (Human Expert Analysis Overall Verdict.. Clean)

Test done under Shadow Defender
VoodooShield Latest Beta 4/406 Beta
Win 10 64 Bits Pro
Win Inbuilt Firewall
Windows Defender
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
RULES, anyone trying custom rules?

Current custom ruleset (just test purpose, VAi only, & VAi set to "81" in the ruleset)
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT
If VoodooAi is less than or equal to 81

Other customizations
Settings - Basic - Deny by Default (uncheck to show prompt instead of balloon) - Unchecked
Settings - Advanced - Automatically scan blocked files with the multi engine blacklist scanner - Unchecked

Snapshots
Initial Snapshot taken
Advanced Snapshot not taken

Test (30 safe programs.. popular/lesser known/forum made/etc)
All programs were automatically allowed (VAi score less than 81)

Test (cannot test malware on the system, downloaded 13 keygens by well-known or popular crackers on various forums)
12 keygens got verdict Unsafe (VAi score above 91)
1 keygen got verdict Suspicious (VAi score 89)
1 keygen was automatically allowed (VAi score less than 81)

I uploaded the allowed keygen to VirusTotal & Comodo Valkyrie
VirusTotal - Latest report.. 3 vendors detected, CrowdStrike Falcon, Rising & Webroot
Comodo Valkyrie - Latest report.. Clean (Human Expert Analysis Overall Verdict.. Clean)

Test done under Shadow Defender
VoodooShield Latest Beta 4/406 Beta
Win 10 64 Bits Pro
Win Inbuilt Firewall
Windows Defender
Very cool! It is great to see that people are starting to experiment with the new rules feature. I think most users will totally understand the rules feature after about 5 minutes of experimentation... and I really think that once we build this feature out a little more, it is going to be an amazing feature.

BTW, if you can think of any other parameters that I should add to this feature, please let me know. Also, 81 sounds about right to me as well ;). Thank you!
 

Raka Daku

Thread author
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT, untick digital signature & blacklist, leave the Ai setting at 0 or Safe, & all my command line issues are gone! Everything works as it should.
What do you mean command line issues are gone?
 

Raka Daku

Thread author
Very cool! It is great to see that people are starting to experiment with the new rules feature. I think most users will totally understand the rules feature after about 5 minutes of experimentation... and I really think that once we build this feature out a little more, it is going to be an amazing feature.

BTW, if you can think of any other parameters that I should add to this feature, please let me know. Also, 81 sounds about right to me as well ;). Thank you!
Yes, Rules feature will be helpful to customize or optimize VS to suit users, layered protection on the system, etc.

VAi verdict based on VAi score
If I am correct..
VAi score & verdict
0 - 50 Safe
51 - 89 Suspicious
90 - 100 Unsafe

Yes, 81 plus layered protection seems effective, & less alerts.

Vulnerable Processes option would be good like drop down menu with options default & allow
set allow to automatically allow
set default to keep default
 

Raka Daku

Thread author
danb,

Custom Ruleset
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT
If the Blacklist scan is less than or equal to 5 Positives
Block Unknowns and Trust VoodooShield's False Positive Detection
If VoodooAi is less than or equal to 90

The bold above, what does Unknowns here mean?
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
danb,

Custom Ruleset
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT
If the Blacklist scan is less than or equal to 5 Positives
Block Unknowns and Trust VoodooShield's False Positive Detection
If VoodooAi is less than or equal to 90

The bold above, what does Unknowns here mean?
I believe it means Unknown to VoodooAI and/or VT scan?
Dan will have to clarify :)
 

plat1098

Thread author
Question: Example: I set a custom rule for a games application using the default parameters and SMART mode. This app creates a lot of child processes. Now I have everything running in Sandboxie (might switch to Shade).. Are rules still necessary?
 

_CyberGhosT_
Question: Example: I set a custom rule for a games application using the default parameters and SMART mode. This app creates a lot of child processes. Now I have everything running in Sandboxie (might switch to Shade).. Are rules still necessary?
I don't create Custom Rules for the following clients: Steam, Origin, Uplay, GOG, and I have no issues.
Same for TS & GameVox as well.
Always in Smart Mode ;)
 

danb
Yes, Rules feature will be helpful to customize or optimize VS to suit users, layered protection on the system, etc.

VAi verdict based on VAi score
If I am correct..
VAi score & verdict
0 - 50 Safe
51 - 89 Suspicious
90 - 100 Unsafe

Yes, 81 plus layered protection seems effective, & less alerts.

Vulnerable Processes option would be good like drop down menu with options default & allow
set allow to automatically allow
set default to keep default
Yes, those are the correct ranges... there is also a "Be Careful" / suspicious range of 51-75, which is actually part of suspicious. This is the range where things start to get a little dicey.

Yeah, at some point I will add an editable list of vulnerable processes to the Settings / Advanced tab, and I will see what I can do with adding these to the rules as well. Thank you for the suggestions!
 

danb
danb,

Custom Ruleset
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT
If the Blacklist scan is less than or equal to 5 Positives
Block Unknowns and Trust VoodooShield's False Positive Detection
If VoodooAi is less than or equal to 90

The bold above, what does Unknowns here mean?
Block Unknowns are for the blacklist scan only. VoodooAi should never have an unknown because it is going to return the verdict each and every time... unless the VoodooAi cloud server is down (which is hosted on Azure), in which case, VoodooAi would return "Error in VoodooAi".

BTW... whenever you create and save a rule, VS automatically copies the new rule to Windows Clipboard, so you can paste it wherever you like after creating a new rule. I just thought this might be helpful when people start experimenting with and sharing rules.
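To make the rule semantics discussed above concrete, here is an added example (written for this thread, not VoodooShield's own code) that models the quoted "Allow All Files" rule with its blacklist-positives and VoodooAi conditions, using the score bands and the "Block Unknowns" meaning danb gives. The names `Sample`, `vai_verdict` and `apply_rule`, and the assumption that both conditions must hold for the allow to fire, are mine.

```python
from dataclasses import dataclass
from typing import Optional

# VAi score bands as stated in the thread: 0-50 Safe, 51-89 Suspicious (with a
# 51-75 "Be Careful" sub-range), 90-100 Unsafe. The names below are assumptions
# for illustration, not VoodooShield's own API.
SAFE_MAX, BE_CAREFUL_MAX, SUSPICIOUS_MAX = 50, 75, 89


def vai_verdict(score: Optional[int]) -> str:
    """Map a VoodooAi score to its verdict band. None models the VAi cloud
    server being unreachable, which the developer says yields an error verdict."""
    if score is None:
        return "Error in VoodooAi"
    if not 0 <= score <= 100:
        raise ValueError(f"VAi score out of range: {score}")
    if score <= SAFE_MAX:
        return "Safe"
    if score <= BE_CAREFUL_MAX:
        return "Suspicious (Be Careful)"
    if score <= SUSPICIOUS_MAX:
        return "Suspicious"
    return "Unsafe"


@dataclass
class Sample:
    name: str
    vai_score: Optional[int]            # None = "Error in VoodooAi"
    blacklist_positives: Optional[int]  # None = blacklist scan result unknown


def apply_rule(s: Sample, vai_max: int = 90, positives_max: int = 5,
               block_unknowns: bool = True) -> str:
    """Evaluate the rule quoted above. Assumed semantics (not confirmed in the
    thread): both conditions must hold for the allow to fire, and a file the
    rule does not match falls back to VoodooShield's normal handling ('prompt')."""
    # Condition 1: the blacklist scan shows <= positives_max positives. Per danb,
    # "Block Unknowns" applies to the blacklist scan only.
    if s.blacklist_positives is None:
        return "block" if block_unknowns else "prompt"
    if s.blacklist_positives > positives_max:
        return "prompt"
    # Condition 2: VAi <= vai_max. A VAi error is not an "unknown": the rule
    # simply cannot match, so the file is neither allowed nor blocked here.
    if s.vai_score is None or s.vai_score > vai_max:
        return "prompt"
    return "allow"
```

Run over a constructed sample resembling the first post's keygen (a few blacklist positives, VAi under the threshold), the rule allows it, which is the trade-off of raising the VAi threshold and the reason the other layers still matter.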
 

danb
Question: Example: I set a custom rule for a games application using the default parameters and SMART mode. This app creates a lot of child processes. Now I have everything running in Sandboxie (might switch to Shade).. Are rules still necessary?
Sorry, I am not sure what you mean when you ask "Are rules still necessary", can you please clarify?
 

danb
I don't create Custom Rules for the following clients: Steam, Origin, Uplay, GOG, and I have no issues.
Same for TS & GameVox as well.
Always in Smart Mode ;)
Yeah, Smart Mode pretty much takes care of everything automatically, but it is nice to be able to create a rule when you need to. Rules will be particularly useful to SMB and enterprise admins. Thank you CG!
 

Raka Daku

Thread author
VoodooShield 406 Beta (Usability Test)

Win 10 64 Pro
Win Defender
Win Firewall
Test done under Shadow Defender


Custom Ruleset
Allow All Files on My Computer when VoodooShield is ON, OFF, AUTOPILOT
If VoodooAi is less than or equal to 90

Settings changed
Settings - Basic - Deny by Default (uncheck to show prompt instead of balloon) - Unchecked
Settings - Advanced - Automatically scan blocked files with the multi engine blacklist scanner - Unchecked

Reasons to test VAi at 90 (90 - 100 or 90 & above)
* VAi at 90 score means VAi verdict "Unsafe". There will be "Unsafe" verdict alerts only
* I have watched quite a few VS tests, & noticed that VAi does well against malicious or malware i.e. mostly or almost all the time "Unsafe" verdict
* I thought let's see how it does against safe programs at VAi 90. And if it does well, then I will request a HUB tester or post a request to do VS malware test with Custom Rules & Settings mentioned here + Windows Defender (PUP enabled) + Windows Firewall

Here is the Usability Test results (all safe programs)
Programs already on the system were run (No Unsafe verdict alerts, 1 issue was there)

Adguard Desktop, Adobe Acrobat DC, DVDFab Media Player 3, FreeFileSync, Macrium Home 7, MS Office 2016, Picasa, Shadow Defender, Sticky Password, Unchecky, Unlocker 64, Windscribe Desktop, WinRAR & WordWeb.
FreeDownloadManager 5 (extension in GoogleChrome) - Every time Chrome is run, a Command Line alert is there

Portable programs already on the system were run (No Unsafe verdict alerts or issues were there)
4kvideodownloader, 4kvideotomp3, 7-Zip, 10AppsManager, AIMP, Advanced Renamer, Audacity, Avidemux, DnsJumper, Firefox 64, FixWin10, GoogleChrome, HDSentinel Pro, HitmanPro 64, Kaspersky System Checker, MediaInfo, Microsoft PID Checker, Mkvtoolnix, PEstudio, Process Explorer, qBittorrent, Revo Uninstaller, Rufus, SecureMyBit, SubtitleEdit, TeamViewer, Ultimate Windows Tweaker, VidCoder 64, Vivaldi 64, Western Digital Diagnostics, WUShowHide, XYplorer & Zemana Antimalware.

New programs.. programs installed/uninstalled successfully (No Unsafe verdict alerts or issues were there, Command/Script alerts info, & 1 Crack tested)
WebsiteX5 Start, Shade Sandbox, Veeam Agent for Windows 2, Western Digital Diagnostics, DeepArmor 36, Ashampoo Snap Business 10, BCompare 4, Camtasia 9, CPUBalance 64, ExpressVPN, Wondershare Filmora, FotoJet Collage Maker, GOMPlayerPlus, InternetDownloadManager, MailBird, MediaPlayerMorpher, OODiskImage Pro 11 64, ProtonVPN, Apowersoft Screen Recorder Pro, Tally ERP 9, XeroWeight Flashback, TeraCopy 3, Apowersoft Video Editor Pro, VirtualBox 5, Vivaldi 64, VLC 64 & VMware Workstation Pro 12
EaseUS Todo Backup Home/Workstation 10 - During install/uninstall, more than 10 Command/Script alerts
PowerDVD Ultra 17 (Trial Retail) - During install/uninstall, more than 10 Anti-Exploit alerts mentioning conhost.exe (Safe verdict with score 1)
Wondershare Video Converter Ultimate - During install/uninstall, more than 20 Command/Script alerts
Tally 9 Crack - Unsafe verdict with score 100

I have mentioned only programs with many VS Command/Script alerts. During the whole test i.e. Start to Finish, there were total 78 Command/Script alerts as per VS Command Lines section in the GUI.


UPDATE

VoodooShield 407 Beta

Same Results for the above mentioned FreeDownloadManager, EaseUS Backup, PowerDVD & Wondershare Video
 

Raka Daku

Thread author
Yeah, at some point I will add an editable list of vulnerable processes to the Settings / Advanced tab, and I will see what I can do with adding these to the rules as well. Thank you for the suggestions!
I am looking forward to vulnerable processes option.
Any chance to see vulnerable processes at least in rules in the on-going betas & final?
 