VoodooShield discussion

Status
Not open for further replies.
VoodooShield "Always On" provides the best protection for a knowledgeable user, right? What other settings are recommended?
Always On does provide the best protection, in theory. However, it shows so many popups, which may force us to allow without reading.
Moreover, when we install a program, we almost always have to disable VS/put it into Install Mode = unprotected during this period. Or at least we have to set it to Autopilot.
Personally, I much prefer Autopilot mode because it has significantly fewer popups and we don't have to disable VS during installation of programs. It automatically allows double-negative processes to run. Practically, Autopilot mode is safer for me and for many users, but for some people, Always On is the better choice.

EDIT: other settings (PRO only):
- uncheck: Basic -> "Deny by default..."
- uncheck: Advanced -> Automatically allow by parent process...
 
Thanks! I have no doubt you are more knowledgeable than me, so I'll just use Autopilot.
 
@Evjl's Rain can I ask, why do you uncheck "Deny by default..."?
Because when default deny is on, a small yellow popup will appear. If we want to make a decision, we have to click on the yellow popup and then the big popup with all options will show up.

If we disable default deny, the big popup will appear immediately. It's equally safe because VS still automatically blocks harmful objects after a 20-second countdown. Unchecking this option decreases the number of clicks.
 
@Evjl's Rain

Does the Pro version give you less FP's?
sss.png
 
Yes, that option will decrease the FP rate but will completely ignore VoodooAi.
If you catch a true 0-day malware and the VT detection rate is 0 or 1/56, you will be in trouble. Fortunately, this is rare.
I leave that option at default.

I changed only 2 options, which are common amongst VS users, so there is no noticeable bug. When I tried to change another option, which no one does, I found a bug and reported it to the VS dev, and he fixed it. In the end, I didn't find that option useful and left it at default.
 
Thanks for the explanation. The option seems a bit pointless if all it does is increase the number of clicks.
 
That option is good for users who use Smart/Always On modes because it blocks everything without user intervention, and the small popup doesn't overlap on the screen.
If we disable it, the big popup may interfere with what we are doing and we may click Allow by mistake. It's more suitable for Autopilot users :)
 
That makes sense. I'm an always on, default-deny type of guy so I have it enabled :)
 
> Yes, that option will decrease the FP rate but will completely ignore VoodooAi.
> If you catch a true 0-day malware and the VT detection rate is 0 or 1/56, you will be in trouble. Fortunately, this is rare.
> I leave that option at default.
That option doesn't ignore VAi... the option means VAi verdicts safe & suspicious will be allowed, BUT for a VAi unsafe verdict, the alert will be there.

And a 1/56 detection doesn't mean VS will treat it as an FP... If I am correct, the VS FP engine & the combined results of VT & VAi determine FP/malicious.
 
On a few occasions, I saw VS in Autopilot mode allow VT=1/56 + Ai=safe. However, Smart mode = off stopped them and prompted for user input. Not very sure, but this is what I observed.
 
That's what I mentioned: FP is determined by the FP engine & the combined result of VT & VAi.
In this case, 1 detection at VT & safe at VAi & FP engine = determined as safe & allowed.
 
> Always On does provide the best protection, in theory. However, it shows so many popups, which may force us to allow without reading.
> Moreover, when we install a program, we almost always have to disable VS/put it into Install Mode = unprotected during this period. Or at least we have to set it to Autopilot.
> Personally, I much prefer Autopilot mode because it has significantly fewer popups and we don't have to disable VS during installation of programs. It automatically allows double-negative processes to run. Practically, Autopilot mode is safer for me and for many users, but for some people, Always On is the better choice.
>
> EDIT: other settings (PRO only):
> - uncheck: Basic -> "Deny by default..."
> - uncheck: Advanced -> Automatically allow by parent process...
I tried this and it did lower the amount of popups. @Evjl's Rain, if I enable or check Automatically allow by parent process, I get even fewer popups. Is it safer to have it enabled or disabled? I read that about 80% have that option disabled. Why?
 
Because if you get a new trojan.downloader or a .js file that VT has not yet detected, VoodooAi also does not support .js files. You are likely to get a low VT detection rate and a safe Ai score, or no Ai score because the file type is not supported. When you allow it to run, all child processes will be allowed and you may get infected, because the .js downloads its payloads and those payloads will be automatically allowed.

If that option is unchecked, you will definitely get more popups because child processes/payloads will NOT be allowed automatically; they will be scanned and you can decide to block them based on the results of VT and the Ai score (most of them should be .exe).

This option is the difference between free and pro users :) If you enable it, it means you are still a free user without ads :D
 
A lot of good points here.
However, the dev says that child processes are not automatically allowed for scripts, because most people don't need to run scripts.
 
That's the best and easiest example I can find, you know :)
I just tried to convince him that option is a must for pro users :D

@Svoll another example: malware is implanted inside an installation file not detected by VT (too large to upload) & Ai is unsure; you may get infected if you allow it.
I just tell the worst scenarios :D The chance you get infected is slim, but it's highly recommended to uncheck that option. It's good to disable it + Autopilot because we will get enough popups, not too many.
 
There are locations where parent/child is disabled by default, even for exe files.
For instance, I just got a prompt from VS about a program update file located in a folder that is in appdata/local/temp.
I have already whitelisted this program's updater, so the file it created should have been allowed. But no, I get a prompt.
This tells me that parent/child permissions are disabled by default when the child is in a suspicious location.
 
Exactly right, Shmu26 ;)
I disable the auto allow for the appdata location as well, seeing that's a popular target area.
* Maybe nesting or launch area would be a more appropriate term.
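
Added example, not part of the thread and not VoodooShield's code: a toy model of the "allow by parent process" trade-off discussed above, replayed over constructed launch events. The script and temp-folder exceptions follow what posters reported; all paths, names and the rule that an allowed child becomes a trusted parent are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Toy model only: the product's real decision logic is not shown in the thread.
SCRIPT_EXTS = {".js", ".vbs", ".ps1"}   # assumption: script parents never pass trust on
RISKY_DIRS = ("appdata/local/temp",)    # location named in the thread

@dataclass(frozen=True)
class Launch:
    parent: str  # full path of the launching file
    child: str   # full path of the file being launched

def norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return PureWindowsPath(path).as_posix().lower()

def decide(launch, allowed, inherit_from_parent):
    """Return 'allow' or 'prompt' for one launch; `allowed` holds normalised paths."""
    child, parent = norm(launch.child), norm(launch.parent)
    if child in allowed:
        return "allow"
    if not inherit_from_parent or parent not in allowed:
        return "prompt"
    if PureWindowsPath(parent).suffix in SCRIPT_EXTS:
        return "prompt"                  # trusted script, but children are still checked
    if any(d in child for d in RISKY_DIRS):
        return "prompt"                  # child sits in a suspicious location
    return "allow"                       # trust inherited from the parent

def replay(events, allowlist, inherit_from_parent):
    """Replay launches in order; an allowed child becomes a trusted parent."""
    allowed = {norm(p) for p in allowlist}
    verdicts = []
    for ev in events:
        verdict = decide(ev, allowed, inherit_from_parent)
        if verdict == "allow":
            allowed.add(norm(ev.child))
        verdicts.append(verdict)
    return verdicts

# Constructed sample data: three files the user has already allowed.
ALLOWED = [r"C:\Users\a\Downloads\setup.exe", r"C:\Users\a\Downloads\invoice.js",
           r"C:\Program Files\App\updater.exe"]
EVENTS = [
    Launch(ALLOWED[0], r"C:\Program Files\App\helper.exe"),
    Launch(r"C:\Program Files\App\helper.exe", r"C:\ProgramData\App\payload.exe"),
    Launch(ALLOWED[1], r"C:\Users\a\Documents\stage2.exe"),
    Launch(ALLOWED[2], r"C:\Users\a\AppData\Local\Temp\upd\update.exe"),
]

if __name__ == "__main__":
    for inherit in (True, False):
        print("inherit by parent:", inherit, replay(EVENTS, ALLOWED, inherit))
```

With inheritance on, the installer's second-stage file runs without any prompt; with it off, every new child is evaluated on its own.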
 