VoodooShield Review by PCMag India

oldschool

Level 59
Verified
Mar 29, 2018
4,857
Yeah, the system will certainly be more locked down when a web app is running, but I need to make sure that Windows Defender updates are never blocked.

Has anyone ever experienced any other Windows update blocks?

Now that I think of it, I had a browser open when the update got blocked. This was the first time I remember any update being blocked. Yes, I was using v. 5.64 when I did my testing. (I'm not using regularly because I'm taking the "Windows Defender only" challenge. :LOL:)
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,014
View attachment 235106
That's enough for novice and advanced users.

View attachment 235107
Here everyone can get rid of the file, advanced users can use the sandbox and get a report & false positive can be reported/excluded.
...
This was rather easy. What would you propose for 35%, 25%, or 10% detections that will occur in most cases?

Any two-sentence-information + some options (like Quarantine, Cuckoo Sandbox) will not be useful and most users will want to get more detailed information anyway.
 
Last edited:

oldschool

Level 59
Verified
Mar 29, 2018
4,857
It's funny, novice users seem to understand VS better than a lot of advanced users who overthink VS, simply because they say "oh, that's my toggling computer lock", and they understand it is a lock that is there to protect them, and withing a couple of minutes they completely understand the concept.

Especially if they remember the VS Golden Rule: "Allow it if you are intending to run it", which is what I did yesterday when updating WD. I skip the mini prompt via the "Deny by default - uncheck to show prompt instead" setting --> 1 less prompt to answer. (y)

Edit: But the user guide is in serious need of a rewrite, however.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
886
I had in mind that it may be hard to inform the user correctly what to do. The advanced user does not need very informative alerts. More information is required for less advanced users.
That is a great point, I totally agree, thank you Andy! Maybe we could have an Advanced Miniprompt option that advanced users could enable and it would include no file insight, but would include a block and allow button? I think if we had 2 different main user prompts, we would probably run into all kinds of issues.
 

RoboMan

Level 32
Verified
Content Creator
Jun 24, 2016
2,172
Let's not forget aobout a key fact: VoodooShield's developer, Dan, is active in security forums, listening to criticism, continuosly updating his software, and quickly answering support/suggestions e-mails. I myself have e-mailed him with a couple of suggestions, two of which were introduced and implemented within the next versions of the software.

And on a more technical view of the product, it's really simple to use, offers a free solid version, and complements with other software without any issues. It's not heavy, and doesn't trouble your OS. In all my life using it, I only had a couple of issues with VS slowing down software execution, and after two e-mails with developer it was fixed.

Bottom line, you get a free software, regularly updated, free e-mail support and personalized fixes. I will support Dan until the product is discontinued.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
886
View attachment 235106
That's enough for novice and advanced users.

View attachment 235107
Here everyone can get rid of the file, advanced users can use the sandbox and get a report & false positive can be reported/excluded.
I don't see what more might someone wish to know. Cuckoo will provide enough info for people looking to dig deep into the infection.
The average Joe shouldn't and doesn't care about any technicalities (Process X loaded module Y and dropped file Z, downloaded from website A, in directory AB)...Forensic analysis is for people who know what they are doing, and if they know what they are doing, they will not be paying $30.00 for a second layer of security.People need to know that VoodooShield, in the least intrusive way possible, is indeed having their back.
Detailed information can be kept in a log or security history, but users don't have to be "traumatised" by blood-red popups full of "stuff" they don't understand. Some users will panic when they see the biohazard icon and will switch their PC off.
In addition, setting can be added for users to choose whether they want "simple" or "detailed" alert and telemetry can be monitored, or not.
If users have chosen "detailed", VS can feed them all details.

So the question here is, will you be doing "universal" software, useful to everybody, or will you be targeting a niche group of people, who like an alert to be taking half of their screen. I believe that companies like LG Mobile have already taught us that the "niche group" approach doesn't lead to success. Survey on the subject is not really needed.
Selling VoodooShield is like selling ice generator to households that already paid $2000 for a Whirlpool side-by-side fridge freezer. You better make sure this ice generator is damm good, quiet and "one size fits all", otherwise they will slam the door in your face.
You guys are two steps ahead of me... I should have scrolled down and read first ;). But yeah, having the option for either a simple or advanced user prompt would be really cool, thank you guys!
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,014
Now that I think of it, I had a browser open when the update got blocked. This was the first time I remember any update being blocked. Yes, I was using v. 5.64 when I did my testing. (I'm not using regularly because I'm taking the "Windows Defender only" challenge. :LOL:)
II think that VS has an option to disable the protection. So, you can use VS together with "Windows Defender only" challenge. Just use WD + VS on working days and switch off VS on weekends (or conversely). :)
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,014
@danb
So maybe use the alert with the golden rule (only one sentence) and three options: <Block> (default option), <Allow>, and <Advanced options>. Simple and effective.:)(y)
If the file is suspicious enough, for example detections > 30%, then use two options <Block> and <Advanced>.
 
Last edited:

danb

From VoodooShield
Verified
Developer
May 31, 2017
886
Especially if they remember the VS Golden Rule: "Allow it if you are intending to run it", which is what I did yesterday when updating WD. I skip the mini prompt via the "Deny by default - uncheck to show prompt instead" setting --> 1 less prompt to answer. (y)

Edit: But the user guide is in serious need of a rewrite, however.
I agree OS... VS really is all about the golden rule. If people follow it, VS will work well for them. Yeah, I need to work on the user guide sooner than later ;).
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
886
Let's not forget aobout a key fact: VoodooShield's developer, Dan, is active in security forums, listening to criticism, continuosly updating his software, and quickly answering support/suggestions e-mails. I myself have e-mailed him with a couple of suggestions, two of which were introduced and implemented within the next versions of the software.

And on a more technical view of the product, it's really simple to use, offers a free solid version, and complements with other software without any issues. It's not heavy, and doesn't trouble your OS. In all my life using it, I only had a couple of issues with VS slowing down software execution, and after two e-mails with developer it was fixed.

Bottom line, you get a free software, regularly updated, free e-mail support and personalized fixes. I will support Dan until the product is discontinued.
Thank you Robbie, I appreciate that!
 

oldschool

Level 59
Verified
Mar 29, 2018
4,857
Now that I think of it, I had a browser open when the update got blocked. This was the first time I remember any update being blocked. Yes, I was using v. 5.64 when I did my testing.

@danb I think I just found out why WD update was blocked here: In the past, while adding some apps via "autodetect web apps", I had unknowingly or mistakenly added MsMpEng to the list so of course VS protected it! I'm pretty sure that's the reason. 🤔
 

Terry Ganzi

Level 26
Verified
Feb 7, 2014
1,541
Thank you Terry, I hope you are doing well too! Thank you for letting me know about IDM... I had to fix a similar issue with Free Download Manager a while back. I am aware of the WMP block... for that we will probably just want to hardcode it. But I am not familiar with the Windows Defender platform updates block... was this an automatic or manual update?

BTW, what version of VS are you running? If you are not running the 5.64 beta, please let me know how it does with IDM... there is a chance that it is fixed in this version.

https://voodooshield.com/Download/InstallVoodooShield564beta.exe

I will look into the others as well, thank you!

I'm running the 5.64 beta, next these issues can be reproduce easily if you have a vm reset windows use v.s along side windows defender alone for security, then download I.D.M, then download anything with it a box will appear that is I.D.M letting you know the download has finish close that box, now proceed to taskbar open I.D.M it will show what you have downloaded right click on it some options will appear press on open folder V.S will block that for sure, and it's not only this latest V.S all of them from version 3 onward the latest best build is V.S 504 without a doubt, V.S whitelist part is secretly horrible also when it comes to WD updates, they have days you will open it & all is well peep on it 8 hours later it stuck on something and gone loop crazy,I get WD updates every hour without fail, any person that don't keep they pc on for long periods have nuffin to fear, let me be very clear no 3rd part security program should never stop,hinder or hold hostage widows or windows defender security updates period. I know because i check my pc regularly, so what about the person that don't or ain't know how to solve it. Please make your foundation strong before you let others coax you in about putting on a roof when the siding ain't even started.........................Respectfully Mr.Ganzi
 

Attachments

  • Problems.PNG
    Problems.PNG
    38.8 KB · Views: 68
Last edited:
B

BVLon

@danb if you have developed software with this effectiveness, then you’ve probably engaged with quite a lot of users, that’s not to be denied.

You need to know however that Users in antivirus forums can’t be your research focus as many of them are quite advanced. Majority of users won’t sign up to their security product’s community and won’t leave you any feedback. If they don’t like the product, they will just uninstall it.
Even a biohazard sign is an element of scare in some... you need to make sure that VS doesn’t fail to give them this “We’ve got your back feeling”

Guys, please be serious. You are saying the VS condept is “allow if you intend to run it”. But if I don’t wanna run it, I can simply not run it... how will it execute? I don’t need VS to NOT run content. VoodooShield’s got capabilities that normal AV products don’t, it is not just some HIPS system. It’s powered by 71 blacklists, AI and a whitelist.
It is a program that’s extremely intelligent and capable of pushing the user towards the right decision. Right decision should be very clear maybe in one sentence, just as I have suggested. Wording should be strong enough and confident to guide the user. Not to cause more confusion.
 
Last edited by a moderator:

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,740
@danb I think I just found out why WD update was blocked here: In the past, while adding some apps via "autodetect web apps", I had unknowingly or mistakenly added MsMpEng to the list so of course VS protected it! I'm pretty sure that's the reason. 🤔
That was not so in my case, only "msedge" and "teams" where manually added to web apps... 🤔
 
B

BVLon

This was rather easy. What would you propose for 35%, 25%, or 10% detections that will occur in most cases?

Any two-sentence-information + some options (like Quarantine, Cuckoo Sandbox) will not be useful and most users will want to get more detailed information anyway.
You can say “Small number of vendors have detected a threat and more might follow. We recommend that you keep the file blocked and we’ll rescan it again in 12 hours.”

“VoodooAi has detected few signs that the file might be untrusted. We recommend that you keep the file blocked, unless you are absolutely sure it’s safe. “

That will be <30%.

“Fair amount of vendors have detected threat in this file, so we’ve blocked it for your protection. We’ll check if this number will go up in 12 hours.”

“VoodooAi has detected a fair amount of characteristics that this file is untrustworthy. We recommend that you stay away from this file and we’ll rescan it in 12 hours.”

In 12 hours:

“We rescanned a file that was deemed malicious by fair number of vendors and this number has now gone up from “x” to “y”. We recommend that you quarantine this file.”

“The same number of engines as 12 hours ago detect a threat in this file. This is typical for potentially unwanted and low-risk software.
We recommend that you do not use this file, unless you really know the source.”

“We rescanned a file and the number of engines detecting it as a threat went down from “x” to “y”. It looks like it’s a false positive, but it will be best if we rescan the file once again.”

“We rescanned a file that was suspected by VoodooAi and this file now appears in “y” blacklists. We recommend that you (block and rescan if [y/71]*100 <30, or quarantine if [y/71]*100 >30)”

And if users think differently than all 71 vendors and VoodooAi, they can exclude it and report fp. It’s actually extremely simple. De duplication here will be extremely important, as one Bitdefender detection will boost the percentage quite a lot. I already spoke about deduplication in my previous posts.
 
Last edited by a moderator:

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,014
You can say “Small number of vendors have detected a threat and more might follow. We recommend that you keep the file blocked and we’ll rescan it again in 12 hours.”

or

“VoodooAi has detected few signs that the file might be untrusted. We recommend that you keep the file blocked, unless you are absolutely sure it’s safe. “
In the first case, you will probably get the same result for most files after 12 hours. Most files are run intentionally by the users, and the files are usually not new.
The second case would be useful in rare cases when the file was executed without user intervention or when the user wants to open a picture and it wants to execute out of the blue. When the user wants to run something intentionally, then such information is useless.
 
B

BVLon

In the first case, you will probably get the same result for most files after 12 hours. Most files are run intentionally by the users, and the files are usually not new.
The second case would be useful in rare cases when the file was executed without user intervention or when the user wants to open a picture and it wants to execute out of the blue. When the user wants to run something intentionally, then such information is useless.
Once a file goes on VT, most of the vendors are subscribed to their intelligence platform and within 12 hours the number of engines detecting it is just bound to grow. If users are looking to run content “of their choice” they will disregard any sort of info. No information is useless, especially in the AV industry. You can provide it to the user and then it’s up to them whether they will follow or not. It just has to be provided in the right way.
 
Last edited by a moderator:
  • Like
Reactions: Protomartyr

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,014
Once a file goes on VT, most of the vendors are subscribed to their intelligence platform and within 12 hours the number of engines detecting it is just bound to grow.
Not for most files executed by the user. The users often execute the files that are several weeks/months on VT.
If users are looking to run content “of their choice” they will disregard any sort of info. No information is useless. You can provide it to the user and then it’s up to them whether they will follow or not. It just has to be provided in the right way.
I agree (mostly). So, you can make it easier and simply instruct the user to run the file if it was started intentionally and block otherwise.
 
Top