Advice Request VoodooShield Rules


n8chavez
I was wondering if anyone would be willing to share any global drive rules, or share any advice on how to best use them. For example, would it be better to adjust VoodooAI to a lower number and create exclusions rather than risk allowing a file to run that has a higher score?

I also run Sandboxie. How would I make a rule that works well with it; a rule that blocks everything on the RAM drive other than the apps I specify should run in sandboxes? If I make a blanket block rule for the RAM drive then I get prompted for Firefox about 10000 x 10^10th, even though Firefox is whitelisted.
 

carl fish
Why is VS so difficult to figure out how to make it work? It does not work very well, now does it? It is blocking vital system resources.
It does work well. It's a pure default deny with no preinstalled whitelist (unlike Comodo, for example), which makes it more secure, but you do get alerts for installed programs sometimes.
 

Gandalf_The_Grey
In what mode should VS be run?
Please read the user guide and especially chapter 3 on the different modes:

The two most important modes, shown during install, are:
Smart / Default (VoodooShield will toggle between ON and OFF):
Smart mode will toggle VoodooShield between ON and OFF, depending on if the computer is at risk of infection or not, which is mainly determined by whether a web app is running or not. Web apps such as Internet Explorer, Outlook and Firefox all expose the computer to significant risk while they are running, so when a web app is launched, VoodooShield automatically toggles to ON to lock the computer, and anything that was previously whitelisted is allowed, but all new non-whitelisted executable code is blocked.
Likewise, if no web apps are running, there is no reason to lock the computer, so VoodooShield automatically toggles to OFF so that it can automatically and safely build the whitelist while the computer is not at risk. VoodooShield’s proprietary toggling severely limits the quantity of dangerous affirmative user prompts that the user is required to respond to.
AutoPilot Mode (VoodooShield will remain in AutoPilot Mode):
AutoPilot mode will remain in AUTO Mode and automatically allow and whitelist any file that is determined to be Safe by VoodooAi and WhitelistCloud. If a non-whitelisted process is spawned that is determined to be Not Safe by VoodooAi or WhitelistCloud, VoodooShield will block the item and prompt the user so they can decide whether to allow the item or not.
AutoPilot mode is a great choice for users who want the power and performance of application whitelisting, without the hassle of constantly being bombarded by affirmative user prompts. Gamers and software testers typically use this mode.
I personally use AutoPilot mode.
 

n8chavez
Back on topic, is it possible to create "if, then, else" rules? If I create a blanket block rule for my Sandboxie RAM drive, things that are supposed to be able to run (apps I designate to use Sandboxie only) are not going to be able to run (duh). Then if I create allow rules based on that app's signature, as exceptions to that block rule, I still get prompts asking me to allow the app. So, I'm doing something wrong. Any ideas?
 

carl fish
It's not you. It's the software.
Yes, it's the way the software is; it takes a while to get used to it at first.

For example, I use it in Always On mode with Aggressive, but I always use the WhitelistCloud scan option to make sure everything is in the whitelist. I also have "notify when new Not Safe items are detected" turned on.

Maybe using the WhitelistCloud scan, or using Training mode for a while, might help you.
 

Tutman
VS Free should be run with Defender UI, but Defender UI should not be run with VS Pro. I have always used Smart Aggressive Mode. A lot of users use AutoPilot Aggressive Mode also.
I have one question: is Defender UI (free) only really useful when using Windows Defender?
 

n8chavez
Here's something interesting. I have my Sandboxie RAM drive assigned to s:\, and as you can see from the screenshot the block rule for s:\ is disabled. I would think that would mean that the block rule is invalid. There are also block rules set up for every other hard disk drive letter. But I am still getting prompted for sandboxed processes even though there is no block rule in effect for s:\. As soon as I enable the other rules I start to get prompts from verified and safe sandboxed processes. If I enable the rule for s:\ and enable whitelisting, after doing so I still get prompts for verified safe processes, such as Mozilla Firefox.

That tells me that either there is a bug in VoodooShield, or it does not play nicely with Sandboxie and there is some sort of conflict between the two. Or, third option, I'm an idiot and am doing something wrong.
 

ForgottenSeer 69673

There once was a very small group of people that used to follow Dan from forum to forum bashing his work. They would get banned and just come back as someone else. I have not seen that in some time now.
 

ForgottenSeer 69673

I was wondering if anyone would be willing to share any global drive rules, or share any advice on how to best use them. For example, would it be better to adjust VoodooAI to a lower number and create exclusions rather than risk allowing a file to run that has a higher score?

As far as I know, the slider for the AI setting was done away with when Dan stopped using Virus Total.

In the RULES section, there is a drop-down for rule type. What option did you choose there? I do not see an option there for your RAM drive choice; or did you select "all files on my computer"? Maybe try changing the letter of your RAM drive to one on the drop-down list?

Are you using the current Beta or what?

Guess Dan will have to answer your questions when he gets back.
 

n8chavez
Interestingly, I uninstalled Sandboxie and I'm still having the same issues; if a block rule for a mounted drive (as seen below) is active I get prompted to allow things like Firefox that reside on c:\. If any of these rules are disabled there's no problem, and I get no prompts.
[screenshot: 1.png]

That's odd because the rule should have nothing to do with the app, which already has allow permissions.

[screenshot: 2.png]

The AI options are still there in the most recent beta of 6.80. Could that be the problem?
 

danb
From VoodooShield, Developer
Hey guys, it does not at all surprise me that there are things in the Rules feature that need to be refined. People have not utilized the Rules feature all that much to find out what we need to adjust to make them work the way they are expected to work. So please continue to post anything you feel needs to be tweaked and I will work on it over the next week or so.

Also, it is probably best to just ignore burmr, he is just trying to shut down this thread. We have contacted the authorities and we will let them deal with him. He does not seem to understand that cyber stalking and harassing someone for 4-5 years is criminal and is punishable by real jail time, but trust me, he is going to find out soon enough.
 

danb
From VoodooShield, Developer
@danb, any suggestions? Am I doing something, or thinking about things, wrong?
No, you are not doing anything wrong at all ;). We just have not spent much time at all refining the rules to make them behave like everyone expects them to behave, so right now they only behave the way that I expected them to behave when I first implemented them. But once everyone provides suggestions and input, we will be able to make them behave how everyone expects them to behave, so they will be a lot better for everyone, especially on a feature like Rules where the sky is the limit. I'm sure you guys will think of all kinds of cool things we can do to refine them and will also create rules that I never even thought of.

Also, they need to be refined anyway since we implemented the new Contextual Engine. And now that everything else is done and most or all of the other bugs are worked out, now is a great time to work on this. Thank you!
 

n8chavez
No, you are not doing anything wrong at all ;). We just have not spent much time at all refining the rules to make them behave like everyone expects them to behave, so right now they only behave the way that I expected them to behave when I first implemented them. But once everyone provides suggestions and input, we will be able to make them behave how everyone expects them to behave, so they will be a lot better for everyone, especially on a feature like Rules where the sky is the limit. I'm sure you guys will think of all kinds of cool things we can do to refine them and will also create rules that I never even thought of.

Also, they need to be refined anyway since we implemented the new Contextual Engine. And now that everything else is done and most or all of the other bugs are worked out, now is a great time to work on this. Thank you!

I have a couple. 1. Make "if, then, else" rules so users can block anything from running with the exception of x. That would be very handy and would prevent users from having to make a block rule followed by exceptions to that rule. 2. The ability to set up a folder to always lock down and prompt would be nice too. That way users can restrict what runs and what cannot. That would further restrict certain directories that are used all the time, such as download directories and document directories. Of course, the latter suggestion means having to add other capabilities to the rules section other than block/allow.
 
