VoodooShield Review by PCMag India

[Andy Ful]

Hey Andy, I completely understand your points and please do not take the following as me being defensive (especially the "irrelevant" part below ), I am just happy that we can discuss this so that everyone has a better understanding of what VS is all about and what we are aiming for.

The short answer is... I agree, if the user is browsing the web and checking email, the computer needs to be locked, even if they run a web app most of the time. Just like if you are a doctor that works 18 hour shifts, you will be wearing full PPE the entire time. Of if you are a truck driver you will be wearing your seat belt a lot more than the general population.

If after a few days of running VS in Smart Mode you want to switch to Always ON, that is perfectly reasonable. But I promise you, if I were to make it so VS only ran in Always ON from the time of initial installation, it would not be able to properly learn all of the actions and behaviors of all of the chain of events, and most likely the KMD would not even let the computer fully boot. The fact that this only happens once for each event chain (and subsequently remembers the event) is irrelevant... the only thing that matters is that it is able to do so at all. And still, in general, the only way to apply the most robust lock possible is to do so after all of the system processes are up and running.

And this discussion has been solely about automatic toggling... we have not even discussed manual toggling yet. The majority of computer novices have no idea how to right click on a tray icon to disable their security software. The whole point of VS is to provide the end user a TANGIBLE computer lock that automatically toggles when they are engaging in risky activities. VS is also there to comfort the user and to assure them that their computer is locked when they are about to click on something they are unsure of that might be suspicious. And even the most novice of users will not allow a new item after they click on a suspicious link and VS blocks something.

Some computers, like ATM machines, need to be locked full time. Computers that are not connected to the internet do not need VS at all... this is about the worst possible use case for VS. VS is intended for users who want a tangible automatic and manual toggling lock / gadget. Such a thing did not exist 8 or so years ago, so I built one .

Yes, I know it.
I did not probably consider all factors, but I feel that there are two things worth rethinking:

1. Alerts in Autopilot and Smart Mode (in the home environment).
2. Unlocking the computer in Always ON Mode after 10 minutes of user inactivity (in businesses).

We talked a lot about simplifying the alerts and golden rule, so I skip it now.
The second point can be important in businesses, because many computers can be connected to the local network without an Internet connection. But still, they share the emails and other resources from the local server. If one of the computers will be infected (that one without the installed VS or intentionally by the attacker), then the computers with installed VS (Always ON Mode toggled off after 10 minutes of user inactivity) can be also infected via the local network.
Of course, this could be solved if all potential users were trusted or had installed VS, but that would be hard to accomplish in practice.

 

[danb]

Thank you Andy... your last post made me realize where we were misunderstanding each other. I am not suggesting that security software should toggle between Completely Unprotected and Unlocked to Locked. I personally believe it should toggle between Reasonably Well Protected to Absolutely Locked (as tight as it possibly can be).

 

[BVLon]

Thank you Andy... your last post made me realize where we were misunderstanding each other. I am not suggesting that security software should toggle between Completely Unprotected and Unlocked to Locked. I personally believe it should toggle between Reasonably Well Protected to Absolutely Locked (as tight as it possibly can be).

And you are absolutely right.

 

[Cortex]

I have a 2 year licence for VS, well it's less now, but the reason I stopped using it was for me personally it really was more trouble than it was worth - I fully understand it's benefits but I'm still unlikely to use my licence again - it was my choice to buy it I have no regrets about that & any who feel its a good addition all the best - For me I continue to concentrate & system & data backup, for me that's easier & maybe foolproof - Who knows in lock-down might dust it of & give it a run.

 

[BVLon]

I have already shared everything I do or don't do in my thread "Consumer Hardening", that was a bit polluted by coronavirus-related posts

VodooShield is not useful to me personally, but it's interesting to test and play around with.

It will be best utilised by organisations that allow staff to work outside of the company. This action might present an enormous risk, so VoodooShield in its most aggressive configuration will have to be installed and running at all times. Especially organisations with IT to OT... Simply relying on AI, IPS and other common methods might not always suffice and as we know, all breaches start with human element... if you are able to adapt your security approach dynamically to the user's needs you will both close all gaps that traditional approaches leave, whilst in the same time, avoid security "fatigue" where users just want to shut down your software or allow everything so it finally shuts up.

 

[Andy Ful]

@danb,
Is it possible that RunBySmartScreen executable which is digitally signed could run any other executable (EXE or MSI) without VT alerts? This would be probably an interesting way of applying the VS golden rule in AutoPilot Mode in simplified form:
Do not allow files that are alerted by VS.

1. All files opened/executed normally (by the user, software auto-update, scheduled tasks, exploit, payload, etc.) will be protected by VS, with a strong default suggestion of not allowing the execution of alerted files (smart-default-deny).
2. EXE and MSI files could be run by the user via the right-click Explorer context menu "Run By SmartScreen" without VS alerts (except maybe those with very high-risk scoring).

I noticed that some users on MT applied this method in practice. If I correctly remember, there was a similar option in Comodo Firewall.

Edit.
I noticed that this method can be also applied by WD Application Control available in Windows E3 or E5 versions. The EXE files are allowed when checked & accepted by SmartScreen App Rep, even when they are normally blocked by Intelligent Security Graph.

Authorize reputable apps with the Intelligent Security Graph (ISG)

Automatically authorize applications that Microsoft's ISG recognizes as having known good reputation.

docs.microsoft.com

 

[codswollip]

QOwnNotes throws flags with updates (which occur often).

 

[oldschool]

@danb,
Is it possible that RunBySmartScreen executable which is digitally signed could run any other executable (EXE or MSI) without VT alerts? This would be probably an interesting way of applying the VS golden rule in AutoPilot Mode in simplified form:
Do not allow files that are alerted by VS.

1. All files opened/executed normally will be protected by VS, with a strong default suggestion of not allowing the execution of alerted files (smart-default-deny).
2. EXE and MSI files could be run by the user via the right-click Explorer context menu "Run By SmartScreen" without VS alerts (except maybe those with very high-risk scoring).

I noticed that some users on MT applied this method in practice. If I correctly remember, there was a similar option in Comodo Firewall.

I think @danb considered integrating Smartscreen somehow around the time he was considering the Whielist Cloud feature. This would be nice if there is a way to implement it.

Then you could earn some royaltie$ for your concept!

 

[danb]

@danb,
Is it possible that RunBySmartScreen executable which is digitally signed could run any other executable (EXE or MSI) without VT alerts? This would be probably an interesting way of applying the VS golden rule in AutoPilot Mode in simplified form:
Do not allow files that are alerted by VS.

1. All files opened/executed normally (by the user, software auto-update, scheduled tasks, exploit, payload, etc.) will be protected by VS, with a strong default suggestion of not allowing the execution of alerted files (smart-default-deny).
2. EXE and MSI files could be run by the user via the right-click Explorer context menu "Run By SmartScreen" without VS alerts (except maybe those with very high-risk scoring).

I noticed that some users on MT applied this method in practice. If I correctly remember, there was a similar option in Comodo Firewall.

Edit.
I noticed that this method can be also applied by WD Application Control available in Windows E3 or E5 versions. The EXE files are allowed when checked & accepted by SmartScreen App Rep, even when they are normally blocked by Intelligent Security Graph.

Authorize reputable apps with the Intelligent Security Graph (ISG)

Automatically authorize applications that Microsoft's ISG recognizes as having known good reputation.

docs.microsoft.com

Thank you for the suggestion Andy! We have something similar in place, but we could always modify or expand on the current implementation.

Yes, in any version of VS that has WLC, the SS result is one of the heavily weighted features that determines the final WLC verdict. There are also around 20 or so digital signature features and 300 or so other features that all determine the final WLC result. The WLC result does not follow the SS result perfectly, but it is heavily influenced by the SS result, and is a little more aggressive than vanilla SS. From there, the user can choose how files that pass the WLC test are handled (please see screenshot).

Having said that, I might have found a way to perform all of the analysis on the endpoint so that WLC no longer requires the file to be uploaded for analysis, although this is not really that big of a deal because each file only needs to be uploaded and analyzed once. Also it would require Windows 10, so we might wait until 10 has an even larger market share.

 

[danb]

QOwnNotes throws flags with updates (which occur often).

Interesting, thank you Telos! If you get a chance, can you please send me a link to the installer and possibly a quick note on steps to reproduce (if there are any)?

 

[danb]

I think @danb considered integrating Smartscreen somehow around the time he was considering the Whielist Cloud feature. This would be nice if there is a way to implement it.

Then you could earn some royaltie$ for your concept!

Gotta love OS... always giving away shares of VS .

 

[BVLon]

I am failing to establish who is the target audience... if it's mostly advanced users then there is no need to do a bigger whitelist, as advanced users will never block anything by mistake. They can do with no whitelist as well. If it's novice users, or people who just need to do their work, it is not too difficult to change their security posture. They just have to be aware of the golden rule. In my opinion it's better to focus on other stuff like user experience, web monitoring, etc. People should rather be advised how the mechanism works.

 

[plat]

Is Whitelist Cloud no longer a standalone? It's now integrated into VoodooShield?

danb: as a regular, basic user, I'm looking at your screenie for the Whitelist Cloud dashboard, and it seems to me to be a whole lot of information squeezed into one little window. An advanced user would probably be able to navigate around without problems. Me, I'd be stopping by "how Whitelist Cloud works" then moving over to "Create [both] Firewall rules for not safe items," then around and around. Then I'd be trying to remember what the heck I was doing here.

This would be a very big undertaking. But, is there some way to organize similar components into respective tabs under the main Whitelist Cloud window? The less info on one page, the less overwhelming it might be to a novice or basic user.

 

[codswollip]

Interesting, thank you Telos! If you get a chance, can you please send me a link to the installer and possibly a quick note on steps to reproduce (if there are any)?

QOwnNotes

Open source markdown note-taking for Linux, macOS and Windows, that works together with Nextcloud Notes

www.qownnotes.org

 

[danb]

I am failing to establish who is the target audience... if it's mostly advanced users then there is no need to do a bigger whitelist, as advanced users will never block anything by mistake. They can do with no whitelist as well. If it's novice users, or people who just need to do their work, it is not too difficult to change their security posture. They just have to be aware of the golden rule. In my opinion it's better to focus on other stuff like user experience, web monitoring, etc. People should rather be advised how the mechanism works.

The initial target audience was my local clients who used to ask me all of the time "I have antivirus software, how did I get a virus?" I had been asked this question, almost verbatim, hundreds of times. Even though I knew the answer, it was difficult to explain to my clients (especially the novice ones) why traditional AV was not able to block all infections. Eventually I put it in the most simple terms and settled on "your antivirus is a filter, and you are assuming that it is a lock" as my explanation for their question. It was at that time that I was up at 3am fixing two laptops with the same malware that I came up with the idea for a tangible toggling computer lock, so I am certain that being asked this question is what led me to the idea for VS. But now, I would say that our target audience is any web connected device that needs a tangible toggling computer lock, which is actually not that well defined. Keep in mind that VS can be configured to not allow any new, non-whitelisted items until it is approved by an admin in the web management console, so there probably is a pretty large target audience.

Yes, I try to limit my discussion as much as possible on the user experience and the basics of how VS works. I would prefer not to go into details for a lot of reasons, but mainly because it would look like shameless self promotion .

 

[danb]

Is Whitelist Cloud no longer a standalone? It's now integrated into VoodooShield?

danb: as a regular, basic user, I'm looking at your screenie for the Whitelist Cloud dashboard, and it seems to me to be a whole lot of information squeezed into one little window. An advanced user would probably be able to navigate around without problems. Me, I'd be stopping by "how Whitelist Cloud works" then moving over to "Create [both] Firewall rules for not safe items," then around and around. Then I'd be trying to remember what the heck I was doing here.

This would be a very big undertaking. But, is there some way to organize similar components into respective tabs under the main Whitelist Cloud window? The less info on one page, the less overwhelming it might be to a novice or basic user.

The standalone version of WLC is available from www.whitelistcloud.com, and it is free. The current implementation of WLC in VS is in need of some refinements and simplification. Alex will be working on moving most of the WLC settings and features to the web management console so it can all be handled by admins, which will greatly simplify things for SMB and enterprise installations. But for individual users, we certainly need to simplify WLC, so all suggestions are certainly welcome . Thank you!

 

[Andy Ful]

I think that the current implementation of VS can be useful, for most semi-advanced users and some advanced users, as companion security to the AV. They can correctly recognize "out of the blue execution" and do not allow it. For example, if they open a picture and see the VS alert, then they recognize it as "out of the blue". If they open a picture and VS accidentally alerts about particular software update (rarely), then they can recognize this as safe.
If they install the software alerted by VS, then they can look at VT and can see that some good AVs recognized it as PUA, etc.

For less advanced users, the VS golden rule will be an illusion of security. Most infections are due to opening email attachments. The less advanced users do not realize what is opening and can be convinced to open anything. The golden rule will not save them.
Similar problems can occur when installing the software bundled with Adware or PUA.

 

[BVLon]

The standalone version of WLC is available from www.whitelistcloud.com, and it is free. The current implementation of WLC in VS is in need of some refinements and simplification. Alex will be working on moving most of the WLC settings and features to the web management console so it can all be handled by admins, which will greatly simplify things for SMB and enterprise installations. But for individual users, we certainly need to simplify WLC, so all suggestions are certainly welcome . Thank you!

Let us know if we can help for the whitelist somehow.

 

[BVLon]

I think that the current implementation of VS can be useful, for most semi-advanced users and some advanced users, as companion security to the AV. They can correctly recognize "out of the blue execution" and do not allow it. For example, if they open a picture and see the VS alert, then they recognize it as "out of the blue". If they open a picture and VS accidentally alerts about particular software update (rarely), then they can recognize this as safe.
If they install the software alerted by VS, then they can look at VT and can see that some good AVs recognized it as PUA, etc.

For less advanced users, the VS golden rule will be an illusion of security. Most infections are due to opening email attachments. The less advanced users do not realize what is opening and can be convinced to open anything. The golden rule will not save them.
Similar problems can occur when installing the software bundled with Adware or PUA.

That’s exactly what I’ve been repeating from the very beginning... all trojans are called trojans because they, as Huourong Internet Security says “Seduce the user to open them”. @harlan4096 I've seen such alert on your screenshots, correct me if I an wrong. So as I said in one of the upper post, this golden rule creates 2 outcomes and both ain’t pretty. 1: vital program updates might be blocked cuz they “come out of the blue”, which can actually produce a contra-effect on security and 2: malicious and harmful stuff might very well be allowed.
Then again, let’s not forget that the software is equipped with an access to quite a lot of threat intelligence. So end of the day, it all comes down to how the software will present you with this intelligence and advise you to proceed. It’s just wording needs to be strong and pushing the user towards the right choice, and blocked programs should be re-checked couple of times. Then again, @danb is saying that users handle the program quite well...

 

[Andy Ful]

Some semi-advanced users may think that anti-exe solutions can protect them without the AV. This is not true. There are some well known methods of bypassing such protection. For example via the email archive attachments that contain the legal & innocent but vulnerable EXE file + malicious DLL (DLL hijacking). The anti-exe can check the legal EXE file, but cannot check DLLs that are loaded by this EXE.