

BVLon

Not for most files executed by the user. The users often execute the files that are several weeks/months on VT.

I agree (mostly). So, you can make it easier and simply instruct the user to run the file if it was started intentionally and block otherwise.
Every file that I download from the web or save from my email is a file that I intentionally want to run. If I don’t intend to run it, I will not save it and it will never reach VS in the first place.
I believe there is a naming convention for these files, am I wrong?🐴

This golden rule creates a very simple and dangerous algorithm. Everything gets divided in 2 groups - the “I wanna run it, cuz I just downloaded it” group and “I don’t wanna run it cuz I was watching a movie and it appeared”...
All malware will fall into the first group, while some legit programs, upon downloading an update will go to the second one. More intelligence is needed here than this rule.

Imagine your hard configurator had an auto-update component running via a service. You have discovered a critical bug somewhere in the settings and you try to push me an update while I am looking to buy sunglasses. Suddenly I see something popping up and I apply this rule. Do I intend to run it? No, I don’t. I have configured my Windows once, why will I run this software again? I block your update and the bug remains.

A file can pop up out of the blue only if dropped or downloaded by malware. If you instruct the user clearly, you will eliminate the root cause and nothing will be dropped/downloaded.

By telling me “run it if you intend to run it” what good are you doing to me? That’s what everyone will do without any advice as well... what benefit does VS bring in this case? You are still not protecting me against social engineering which is known to be the best malware gateway... why am I paying you?
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
...
By telling me “run it if you intend to run it” what good are you doing to me? That’s what everyone will do without any advice as well... what benefit does VS bring in this case?
This is the golden rule of VS. Ignore VS for files that you intentionally want to run (except if the file is veeery suspicious in VS), and do not allow running files "out of the blue". For the first type of files, you rely on the AV detection and high VS detection. For "out of the blue" you rely only on VS.

So, you have a smart default-allow setup for most files + smart default-deny for "out of the blue" (exploits, files with spoofed extensions, etc.).
 

oldschool

Level 54
Verified
So, you can make it easier and simply instruct the user to run the file if it was started intentionally and block otherwise.
Which is the "Golden Rule"! We are back to where we started!

I still think the user guide needs updating.

By telling me “run it if you intend to run it” what good are you doing to me? That’s what everyone will do without any advice as well... what benefit does VS bring in this case?
So in my case of updating WD, was I correct to allow the files to run when prompted? Yes, because the prompts appeared when I was updating and not out of the blue. I didn't need information to make that decision.

And since VS is generally promoted as a companion to an AV, if I download and want to run a file with WD, Edge, etc. then I have Smartscreen or an alternative to check the file if desired. I just wouldn't rely on VS as a first layer for that particular purpose. In fact, I did this yesterday with a file that was unsigned - so everything would object to it (and did!) - and any user would confront the same prospect with virtually any AV, let alone VS.

So there are pros and cons to your proposal.
 

BVLon

Which is the "Golden Rule"! We are back to where we started!

I still think the user guide needs updating.



So in my case of updating WD, was I correct to allow the files to run when prompted? Yes, because the prompts appeared when I was updating and not out of the blue. I didn't need information to make that decision.

And since VS is generally promoted as a companion to an AV, if I download and want to run a file with WD, Edge, etc. then I have Smartscreen or an alternative to check the file if desired. I just wouldn't rely on VS as a first layer for that particular purpose. In fact, I did this yesterday with a file that was unsigned - so everything would object to it (and did!) - and any user would confront the same prospect with virtually any AV, let alone VS.

So there are pros and cons to your proposal.
Yeah, but that’s you lol...
Now imagine you don’t have all that knowledge. How will you handle an advice “run it if you want to run it”. I guess you’ll run everything, wouldn’t you? Any trojan out there 😅
That’s one of the biggest issues you have to overcome in software development. You should realise that users are not you.
 

oldschool

Level 54
Verified
That’s one of the biggest issues you have to overcome in software development. You should realise that users are not you.
I agree, this is very true. But what AV or other user-friendly solution truly guards against social engineering - if people can't reason at some basic level? Smartscreen file example I believe we have a sort of chicken or the egg quandary.
 

BVLon

I agree, this is very true. But what AV or other user-friendly solution truly guards against social engineering - if people can't reason at some basic level? Smartscreen file example I believe we have a sort of chicken or the egg quandary.
You need to cover these people as well... These people are at risk and need VoodooShield... Me or you, we can sense a virus just by its icon and filename...
 

Terry Ganzi

Level 25
Verified
I'm running the 5.64 beta. Next, these issues can be reproduced easily: if you have a VM, reset Windows and use V.S alongside Windows Defender alone for security, then download I.D.M, then download anything with it. A box will appear, that is I.D.M letting you know the download has finished; close that box. Now proceed to the taskbar and open I.D.M; it will show what you have downloaded. Right-click on it and some options will appear; press on open folder and V.S will block that for sure. And it's not only this latest V.S, it's all of them from version 3 onward; the latest best build is V.S 504 without a doubt. V.S's whitelist part is secretly horrible also when it comes to WD updates. They have days you will open it and all is well; peep on it 8 hours later and it's stuck on something and gone loop crazy. I get WD updates every hour without fail. Any person that doesn't keep their PC on for long periods has nothing to fear. Let me be very clear: no 3rd party security program should ever stop, hinder or hold hostage Windows or Windows Defender security updates, period. I know because I check my PC regularly, so what about the person that doesn't or doesn't know how to solve it? Please make your foundation strong before you let others coax you into putting on a roof when the siding hasn't even started... Respectfully, Mr. Ganzi
I love this program; without it my PC feels naked. I was there in the background watching you from the start. (VoodooShield ?)
I need you to stay focused on this project like I have. I have a serious O.C.D for hypocritical and deceitful people that say to people looking to try this software that it is useless and you don't need it, yet they haven't produced a video or any solid proof that it doesn't protect the system. They have 2 software testers on this forum that I have great respect for, Cruel Sister and harlan4096. Then they have a group that pushes this umbraian attitude, talking about this software product with no proof and polluting the minds of the weak or non-knowledgeable. Assumptions get people nowhere fast. Please take your time with this software. I know you're only 1 man and things can get monotonous; take a break, clear the brain, for the wolves are waiting in the shadows for that 1 big slip-up to say you see, told you so.
Just read anything on this forum about V.S and your awareness level will go pro.
Honest people's workload in this world is 9 times heavier than the crooked 1's, and all honest people's work burns down like a house on fire (fast) if not careful. So Champ, again, please be cautious and take your time.
You also have some great followers that believe in your work and try very hard to help where possible and champion your cause. Solid foundation, everything else will fall into place, trust me on that.
 

Arequire

Level 25
Verified
Content Creator
You need to cover these people as well... These people are at risk and need VoodooShield...
I disagree. The kind of people you're talking about require education, knowledge, not another piece of software.
Sticking VS on their system isn't going to stop them from infecting themselves, it'll just delay the infection. VS will be just another prompt they'll thoughtlessly click through right before executing "invoice.exe" or whatever software they've decided to swipe off Pirate Bay today.
 

BVLon

I disagree. The kind of people you're talking about require education, knowledge, not another piece of software.
Sticking VS on their system isn't going to stop them from infecting themselves, it'll just delay the infection. VS will be just another prompt they'll thoughtlessly click through right before executing "invoice.exe" or whatever software they've decided to swipe off Pirate Bay today.
This software is actually capable of keeping them safe.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
I disagree. The kind of people you're talking about require education, knowledge, not another piece of software.
Sticking VS on their system isn't going to stop them from infecting themselves, it'll just delay the infection. VS will be just another prompt they'll thoughtlessly click through right before executing "invoice.exe" or whatever software they've decided to swipe off Pirate Bay today.
Your note is probably valid for any security software. Strongly motivated users can simply turn off the protection or make an exclusion, except if it is forbidden by the computer administrator. Of course, it is easier with VS if it does not clearly instruct the user what to do.
Any protection that alerts the user and leaves a way to allow execution, requires some responsibility. So it will not be the right solution for users who know that the program is probably malicious and think that security can save them anyway.
 

oldschool

Level 54
Verified
i have great respect for Cruel Sister and
Speaking of which, the cruel one made a cameo appearance recently! Can you find it? ;)

The VS golden rule can have a problem with software auto-updates.
I don't think I've had update issues, except for this last one - which I now believe was caused by my own user error. See above post.

The user has to have some knowledge to safely allow them.
Absolutely!

The kind of people you're talking about require education, knowledge, not another piece of software.
You are correct ...

VS will be just another prompt they'll thoughtlessly click through right before executing "invoice.exe" or whatever software they've decided to swipe off Pirate Bay today.
... but your comment still makes me laugh! :LOL:
 

danb

From VoodooShield
Verified
Developer
Hey guys, it looks like I have a few posts to catch up on, and I should be able to later. But I just wanted to quickly mention that most installed software should be able to auto update itself, since VS has several rules in place that automatically allow safe updates. For example, if a whitelisted item is signed and the installer is signed as well, odds are it is going to be allowed, assuming all of the file insight checks out. We have similar rules for parent processes, whether the file is signed or not, but there are always file insight checks that must be met first. Also, please keep in mind that VS toggles to OFF after 10 minutes of user inactivity, so the security posture is lowered so that background processes and updates are not interrupted. There are several other rules that we have developed over the years, but these are a few examples that come to mind.

Having said that, if anyone knows of any software that does not update without being blocked, please let me know and I will see if we can find a safe way to auto allow it.

Also, thanks again for all of the suggestions and ideas on the prompts and GUI... now that we have an idea of what everyone is thinking, maybe we can think and talk about it a few more days and figure out a great game plan. Thanks again, talk to you soon!
 

Arequire

Level 25
Verified
Content Creator
Your note is probably valid for any security software. Strongly motivated users can simply turn off the protection or make an exclusion
True, but as you said it's more difficult when the ability to exclude files is obscured by being buried in the settings.

This software is actually capable of keeping them safe.
It could be if you eliminated their ability to manipulate it, but that's unworkable. Trust me, I tried.

In regard to VS blocking the WD platform update, the reason it does so is because it's signed with a different digital signature than the rest of Microsoft's files. See here, right side:
[Attached screenshot: Annotation 2020-03-20 215817.png]
There's tons of Microsoft-signed files all sporting the same digital signature on my whitelist but none that match this one, so the "Automatically allow items that match a digital signature in the whitelist snapshot" rule wouldn't apply.
 
Last edited:
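
The signer mismatch described in the post above can be checked directly. The script below is an added example, not part of the original thread and not VoodooShield's own logic: it compares the Authenticode signer certificate of one file against the signers found in a reference folder. `$CandidateFile` is a placeholder path, and `$ReferenceDir` is an assumed stand-in for the whitelisted files.

```powershell
# Added example: paths are placeholders/assumptions, not values from the thread.
param(
    [string]$CandidateFile = 'C:\Path\To\BlockedInstaller.exe',  # placeholder: the file that was blocked
    [string]$ReferenceDir  = "$env:WINDIR\System32",             # assumption: stands in for whitelisted files
    [int]$SampleSize       = 300
)

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Unsigned, tampered or untrusted files have no usable signer identity.
    if ($sig.Status -ne 'Valid' -or $null -eq $sig.SignerCertificate) { return $null }
    [pscustomobject]@{
        Path       = $Path
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# Collect the signer of each validly signed executable in the reference folder.
$reference = Get-ChildItem -LiteralPath $ReferenceDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Select-Object -First $SampleSize |
    ForEach-Object { Get-SignerInfo -Path $_.FullName } |
    Where-Object { $_ }

$candidate = Get-SignerInfo -Path $CandidateFile
if (-not $candidate) {
    Write-Warning "No valid Authenticode signature on $CandidateFile; a signer-match rule cannot apply."
    return
}

# Which certificates sign the reference files, and how many files each one covers.
$reference | Group-Object Thumbprint | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Subject'; e = { $_.Group[0].Subject } } |
    Format-Table -AutoSize

$sameCert    = @($reference | Where-Object { $_.Thumbprint -eq $candidate.Thumbprint })
$sameSubject = @($reference | Where-Object { $_.Subject -eq $candidate.Subject })

if ($sameCert.Count -gt 0) {
    "Exact certificate match: $($sameCert.Count) reference files share thumbprint $($candidate.Thumbprint)."
} elseif ($sameSubject.Count -gt 0) {
    # Same publisher name, different certificate: a thumbprint-based match would miss this file.
    "Same subject, different certificate: '$($candidate.Subject)' appears in the reference set under another thumbprint."
} else {
    "Signer not seen in the reference set: '$($candidate.Subject)' ($($candidate.Thumbprint))."
}
```

The middle branch is the case the post describes: a file signed by the same publisher but with a certificate that none of the reference files carry.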

danb

From VoodooShield
Verified
Developer
I love this program; without it my PC feels naked. I was there in the background watching you from the start. (VoodooShield ?)
I need you to stay focused on this project like I have. I have a serious O.C.D for hypocritical and deceitful people that say to people looking to try this software that it is useless and you don't need it, yet they haven't produced a video or any solid proof that it doesn't protect the system. They have 2 software testers on this forum that I have great respect for, Cruel Sister and harlan4096. Then they have a group that pushes this umbraian attitude, talking about this software product with no proof and polluting the minds of the weak or non-knowledgeable. Assumptions get people nowhere fast. Please take your time with this software. I know you're only 1 man and things can get monotonous; take a break, clear the brain, for the wolves are waiting in the shadows for that 1 big slip-up to say you see, told you so.
Just read anything on this forum about V.S and your awareness level will go pro.
Honest people's workload in this world is 9 times heavier than the crooked 1's, and all honest people's work burns down like a house on fire (fast) if not careful. So Champ, again, please be cautious and take your time.
You also have some great followers that believe in your work and try very hard to help where possible and champion your cause. Solid foundation, everything else will fall into place, trust me on that.
Thank you, I appreciate that! There was a small group of individuals who targeted VS for a couple of very specific reasons, and they will not be doing so anymore because we have chosen to take action. The fact that they had to cheat to supposedly bypass VS tells you everything you need to know about VS's efficacy and their integrity.
 

danb

From VoodooShield
Verified
Developer
True, but as you said it's more difficult when the ability to exclude files is obscured by being buried in the settings.


It could be if you eliminated their ability to manipulate it, but that's unworkable. Trust me, I tried.

In regard to VS blocking the WD platform update, the reason it does so is because it's signed with a different digital signature than the rest of Microsoft's files. See here, right side:
[Attachment 235119]
There's tons of Microsoft-signed files all sporting the same digital signature on my whitelist but none that match this one, so the "Automatically allow items that match a digital signature in the whitelist snapshot" rule wouldn't apply.
Instead of going through each post and confusing everything, I am just going to reply to this one. Before I forget, the "Automatically allow items that match a digital signature in the whitelist snapshot" does not apply to Microsoft sigs. We excluded Microsoft sigs until we are certain that they are not forged. I do not believe they are, but until we know for sure, we had to exclude them from this option. As far as the block goes, it is a very odd one, but we will certainly find a safe way to auto allow it, and that will in turn safely fix other potential blocks we would otherwise encounter down the road. It is the long way to go about it, but it is the only safe way.

I hear what you guys are saying about the prompts, and here is my take...

First and foremost, new, non-whitelisted items should never be able to automatically execute when the user is engaging in risky activity. Some people say "well, the user might just click allow and infect the computer." I guess that is true to a certain extent, but that is much better than the alternative, which is that the file auto executes. By prompting the user, you at least are giving the user a chance and some pause in order to make the correct decision. How many novice or average users do you think would click the Allow button on a Red prompt? Also keep in mind, using the golden rule, pretty much all of the attacks not initiated by the user clicking on the file are resolved before the main prompt is even shown.

In all of the years that VS has been around, there have been only 2 reported infections from the user clicking the allow button, and one of those was a bug in VS that did not deal with the .scr file type correctly, which has been fixed since then. VS has a lot more users than you would guess, and to have that low of an infection rate is remarkable. I could go into a long story about how I work directly with some of our novice and average end users / beta testers and refined the usability throughout the years, but that does nothing for the discussion, simply because no one has seen what I have seen. My hope is that with your suggestions we can refine VS's usability even more to create an even better usability / protection balance.

When it comes to endpoint protection, there are only a few options, and each has a valid use case.

1. Do not lock the endpoint at all and only rely on detection
2. Lock the computer full time
3. Lock the computer when it is at risk with VS

If there is another option I am missing that we can implement into VS, I would love to discuss the possibilities.

Thank you guys, have a great weekend, talk to you soon!
 