Battle VoodooShield vs. Re:HIPS vs. RansomOff vs. OSArmor

imuade

Hi there, what's your opinion about these SWs which can run alongside a traditional AV?
If you want to add any other app, please do it. But please, just add FREE SW (for example, SecureAPlus is not an option since it's free for 1 year only).
 

imuade

Well, that's a good point; didn't even think about Viruscope.
Syshardener + OSA + CCAV + web filter extensions would be nice. But it really doesn't matter what I run, since performance is always kind of the same.
The only thing I could think of is that lacking a web shield would speed things up (even my eye won't notice it); Kaspersky might affect browsing a bit.
K9 Web Protection doesn't slow down anything and it's really effective and configurable
 

Moonhorse

K9 Web Protection doesn't slow down anything and it's really effective and configurable
The Java clients I'm using get disconnected. I was already in touch with Blue Coat, but they asked me to provide those endless lists of domains, so I gave up; also, Comodo Dome Shield is kind of enough. CCAV was using like 40 MB of RAM, and every second boot it was at 80, so I could as well use CIS.
 

ebocious

I recommend VoodooShield in "always on" mode. When you run an installer, VS will throw up an alert, and you can allow it. After the new program is installed and you're running it for the first time, the next VS alert will also have a checkbox to create a rule for the program; you can tick that checkbox, and then click "allow" or "report false positive." Once you have your system set up the way you want it, the only alerts you should get are random alerts, like when you're opening an infected document. Whenever something unexpected like that happens, you deny it.

Once you've configured VS, it will rarely bother you unless there is a real issue. If you're a download junkie, then I'd recommend using a VM for your tinkering. Like it or not, default-deny is the only way to keep up with today's threat landscape. Traditional scanners may have a 5% chance of detecting malicious files/processes on the day of the outbreak; the whole reason there are hundreds of thousands of new samples daily is because malware writers are trying to code them so that they won't be detected. The best use for AV is scanning files that are at least a few days old. VS actually uses VirusTotal, along with its AI engine. If a file is too big to upload, then you might try HMP or SecureAPlus.

For those who recommend OSA, it's not as tight as VS; there are things that can get around it even with full config. At always on, VS is nearly impenetrable for anyone except the local user. About the only things that might be tougher are Comodo FW with Cruel Sister's settings (which requires more work when you want to install something), and AppGuard (which is $59.95 a year for personal use). For those who say you'll never get infected if you use the Internet responsibly, good luck with that. I sincerely hope you never get infected, but I like my odds a lot better.
 

oldschool

CS even liked VS when she reviewed it using "autopilot", and said something like "elegantly coded..." in the YouTube "comments". And this was a couple of years ago. I agree with @Eddie Morra that VS is more like ERP than OSA. And yes, VS is light - no two ways about it. (y)
 

Eddie Morra

When I did tests with the Auto-Pilot component roughly a year ago, I found that it wasn't actually that difficult/time-consuming to surpass it by making a malicious PE appear like a genuine one. As long as you can fool the AI scoring enough, it'll let the application run without any alert, but only if the Auto-Pilot mode is being used.

The Auto-Pilot mode is still fine though, because malware in the wild is not going to be using the tricks I used to pull it off... malware authors who are targeting home users do not care about VoodooShield, they care about Anti-Virus solutions, and thus they do things which will make the VoodooShield AI ratings high (e.g. high entropy levels due to packing).

In no way am I bashing VoodooShield here - as I've already said, it works well and it is unlikely that malware in the wild would be pulling off what I did - but I thought I should mention my personal experiment because nothing in this world is invincible and I'd hate for someone to get infected because they assumed a feature like Auto-Pilot was invincible/foolproof (not that anyone has said this - but just in case).

If you aren't using Auto-Pilot though, then the experiment I did would obviously fail and you'll still be notified about the process creation attempt and will be able to decide based on the information shown to you - the trust score will still be non-existent and all the way back on the green if you managed to "pull it off" though, which increases the chances of it being allowed by the user in a realistic scenario as long as any provided details are not appearing "off" to a trained eye.
 
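The point in the post above, that in-the-wild malware tends to push an entropy-style score up simply by being packed while a deliberately "genuine-looking" PE would not, can be checked directly. The Python below is an added example, not VoodooShield's code and not anything posted in this thread: it walks the PE section table, computes Shannon entropy per section, and flags executable sections above a 7.0 bits/byte cut-off (an assumed threshold, not the product's). The two-section PE32+ image it scores is constructed inline for the demo; it is not a runnable binary.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag (PE spec)
PACKED_THRESHOLD = 7.0              # bits per byte; assumed cut-off for this demo


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for each section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)      # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                       # COFF file header (20 bytes)
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                              # section table follows the optional header
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr, characteristics = hdr[3], hdr[4], hdr[9]
        yield name, characteristics, image[raw_ptr:raw_ptr + raw_size]


def assess(image: bytes, threshold: float = PACKED_THRESHOLD):
    """Score every section; mark executable sections whose entropy reaches the threshold as packed."""
    report = []
    for name, chars, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        report.append({
            "name": name,
            "entropy": round(ent, 3),
            "executable": executable,
            "packed": executable and ent >= threshold,
        })
    return report


def build_sample_image() -> bytes:
    """Constructed two-section PE32+ image for the demo (synthetic fixture, not a real binary)."""
    # Low-entropy "code": a short x86-64 prologue/epilogue pattern repeated, padded to 512 bytes.
    text = (b"\x55\x48\x89\xe5\x48\x83\xec\x20\x90\xc3" * 50).ljust(512, b"\0")
    # High-entropy "packed" section: 4 KiB of SHA-256 output stands in for compressed code.
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)    # x64, 2 sections, 240-byte optional header
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                       # PE32+ magic, remainder zeroed
    sec = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b"UPX1", 4096, 0x2000, 4096, 1024, 0, 0, 0, 0, 0xE0000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(512, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    for row in assess(build_sample_image()):
        print(row)
```

Run against the fixture, the `.text` section lands around 3.2 bits/byte and is left alone, while `UPX1` scores close to 8 and is flagged. This is exactly the signal an author who leaves code unpacked, as described in the post, avoids tripping; it is also why entropy alone is a weak verdict in the other direction, since legitimately compressed or encrypted sections (installers, some .NET resources, signed UPX-packed tools) score just as high. Treat it as one feature to combine with signing, reputation and behaviour, not as a classifier.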

ForgottenSeer 72227

Very good test, which goes to demonstrate that no product is perfect. I've used VS in the past and still think it's a great program. You bring up a good point about the user having to make a decision based on an alert. If a malcoder were to take the time like you did to mask the true identity of the malware, one could not only get by the Autopilot, but also could technically bypass the "ON" option if it shows up as all green, tricking the user into thinking it's safe. That's why it's not always safe to assume that when a program doesn't flag a piece of malware, or says it's safe, that it's truly safe. Granted, like you said, home users will probably not run into malware this sophisticated when it comes to VS, as malcoders won't put the time in for home users as they would for, let's say, a large business/enterprise.
 

ebocious

You are correct. I mentioned OSA because a previous user recommended it in lieu of VS. I didn't see any mention of ERP, and saw no reason to mention it myself, as it is better at making you feel secure than actually being secure.
That's why I don't rely on VT ratings. As I mentioned in my original post, traditional AV is only good for scanning files that are at least a few days old. If VS throws up an alert when you're opening a document, that's a red flag. You should only click allow when you are trying to install or run a new program. And you should only install a program when you're confident it is clean.
 

ForgottenSeer 72227

That is pretty much the only reason I felt impelled to note that I wasn't bashing VoodooShield. I've seen you on other threads bringing forward mention of unpatched bugs/other issues for other security software... only for you to be accused of bashing by fanboys.

People will always want to think that their favourite product/solution is perfect, and that someone showing that there's a potential weakness (no matter how big or small it is) automatically contradicts their belief that it's perfect. Part of the problem is they want to believe that they are protected 100% and that they can do whatever, because they think that the product will protect them 100% of the time. This is why I go around emphasizing the fact that no matter what product or security solution you choose, nothing is perfect, and that you still have to practice safe habits regardless. This is also why one needs to take any test of their product with a grain of salt, whether it's from AV-Comparatives or the HUB here; you can't assume that if a product always scores well it will never fail.

On the contrary I think this also goes the other way as well, people that hate certain products do not want to admit that the product(s) they hate actually improved.

I agree wholeheartedly. On the flip side, one also has to look at the experience of the user. For an average computer user with basic skills VS might not be the best for them, as it can flag legitimate processes/programs, which can cause alert fatigue. The one thing one wants to avoid is alert fatigue, whereby if they can't differentiate what's good and what's bad, then that's just as bad as not having any security; they will just hit accept every time.
 

509322

Yeah, well, you know how it goes. This is the security forums, where the emotionally sensitive get bent out of shape over trivial matters. After all, we're talking about software here. From how people react, you'd think that we came to their house and kicked their beloved pet.

What gets posted on these forums has virtually no influence in the grand scheme of things. But some people really believe that what is posted on security forums matters. That it somehow is the reason that their product is not a success.

People say AppGuard is garbage. So what ? Sure, it has warts. It's my job to find those warts and report them. I do it all the time. We're talking about software. All software has issues.

What is perplexing is the amount of emotional investment people put into their relationships with softs. It is clear that they are having an emotional relationship with the things.
 

oldschool

I only mentioned CS's test because Autopilot is the recommended mode for use in testing, since that mode is most like a traditional AV - and that she was complimentary. In no way was this meant to make a definitive statement about VS, nor to attribute invincibility to VS. BTW: A user on Wilders has suggested that Dan get rid of VT completely and rely only on the AI.

I fail to see any of today's posts to this thread that are evidence of "hurt feeling" as @Lockdown suggests, nor that anyone took your post (#43) as "bashing". Most members here understand the value of both open discussion and civility.

What I liked about your post was its clarity here, especially for a new VS user:

I recommend VoodooShield in "always on" mode. When you run an installer, VS will throw up an alert, and you can allow it. After the new program is installed and you're running it for the first time, the next VS alert will also have a checkbox to create a rule for the program; you can tick that checkbox, and then click "allow" or "report false positive." Once you have your system set up the way you want it, the only alerts you should get are random alerts, like when you're opening an infected document. Whenever something unexpected like that happens, you deny it.


So once again, thanks for your clear and civil post! :)(y)
 

509322

There is a long history of which you are not aware. @Eddie Morra would not have even mentioned that his intent was not to bash, but I'm certain he felt compelled to do so given the fact that he was stalked, surveilled and brutally attacked across the forums for merely mentioning something that someone thought was negative.

And the sad truth is, even though he was being honest, there are those that will still ignore what he said, twist what he said, and perpetuate the fallacy that he is a hater. In fact, like I said, to some he is and forever shall be a hater. A malicious actor. It's unfortunate, but cross my heart it's all perfectly true.
 

ebocious

Which is why I gave instructions to try and simplify it as much as possible. I'll be honest with you: the only programs VS bothered me about were a few portable programs (e.g. a few tech tools, my Ninite file for updating, and the restart and shutdown buttons I created from batch files), and AutoKMS. All other preexisting apps were recognized from the gate.

Cybercrime leapfrogged drug trafficking in 2004 to become the largest criminal industry on the planet. The average user experience involves malware infection, and having to call your insurance company and other creditors to let them know that the card you use for autopay has been compromised, and you have to wait two weeks for a replacement. I hope to see that change someday. And the way to change that is to push the envelope a little. There have been propositions of licensing people to use the Internet, just like we license people to drive. Maybe that's not such a bad idea.
 

509322

Industry will never be held liable for breaches. At least in no cases except gross negligence - which would be difficult to prove.

And besides, a person must prove that they suffered actual damages as a result of any data breach. If it results in cyberstalking, surveillance, bad credit, inability to buy something or move forward with a venture and other such stuff, there's nothing that a person can do. Actual monetary damages are addressable, however.

At least that is how the law works here in the U.S.
 

Freki123

For me, VS (paid) is working fine together with SysHardener and OS Armor. SysHardener is use once and forget about it. If I see an OS Armor message I really read it, since it's quiet most of the time but just doesn't like my printer driver stuff. But since it still prints, I don't care :D
I also like some programs more than others. As long as a person disagrees with a good reason, all is good (saying xy is sh.. doesn't help). Disagreeing is part of a discussion (when it's not getting to a personal or insulting level).
At least that's what I expect from adults.
 

ebocious

NVT OSArmor and VoodooShield are designed to work differently - they do not serve the exact same purpose. In my opinion, it would be more appropriate to compare VoodooShield to NVT EXE Radar/Pro.
Yeah, I only mentioned OSA because someone recommended it in lieu of VS. I felt no need to mention ERP, because it's not as tough as advertised. :)
 

ebocious

Right. I wonder how many people will actually be able to claim anything from the $50 million allocated for settlements from the Yahoo breach in 2016.

How many hospitals and government agencies are using your products? I fear the day when we p*** off China/Russia, and they launch an all-out attack on our infrastructure. We need all the protection we can get.
 
