Advice Request Will VoodooShield work offline?


Status
Not open for further replies.

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
  1. Default blocking of all files/command lines including exploit attempts (lockdown based on settings): online + offline
  2. VoodooAI threat score: online only
  3. Blacklist scan (multi-engine): online only
  4. Sandbox (local): online + offline
  5. Sandbox (Cuckoo): online only
Basically, default denying of executed files is ON for both network conditions, further dependent on your mode: Autopilot, Always ON, Smart Mode.
 

Parsh

Could you please compare the Smart Mode with Always ON Mode?
What are the main differences?
Let the Guide be of some worth -
Smart / Default (VoodooShield will toggle between ON and OFF): Smart mode will toggle VoodooShield between ON and OFF, depending on if the computer is at risk of infection or not, which is mainly determined by whether a web app is running or not. Web apps such as Internet Explorer, Outlook and Firefox all expose the computer to significant risk while they are running, so when a web app is launched, VoodooShield automatically toggles to ON to lock the computer, and anything that was previously whitelisted is allowed, but all new non-whitelisted executable code is blocked. Likewise, if no web apps are running, there is no reason to lock the computer, so VoodooShield automatically toggles to OFF so that it can automatically and safely build the whitelist while the computer is not at risk. VoodooShield’s proprietary toggling severely limits the quantity of dangerous affirmative user prompts that the user is required to respond to.
Always ON (VoodooShield will remain ON): Always ON mode is typically used after a few days or weeks, once the whitelist is sufficiently built so that VoodooShield knows what to block and what to allow. Although a lot of users prefer to run VoodooShield in AutoPilot or Smart mode full time.
Understand from the extract above - how and when it updates its whitelist and acts. ON/OFF has much to do with building & using the whitelist of files encountered.
One thing I'll add is that in Smart Mode too, if you have no web apps open (hence VDS is OFF with a Red Icon), alerting & blocking of new executed files does occur by design!
Only in Disable/Install mode does it not alert about anything (and no updating of whitelist is done).
All that you will fully understand by experimenting a bit with the modes.
 

Parsh

@Parsh
You said: "One thing I'll add is that in Smart Mode too, if you have no web apps open (hence VDS is OFF with a Red Icon), alerting & blocking of executed files does occur by design!"

Yes; but always working with the updated whitelist.
That's why I used the word "new" ;)
It will use the updated whitelist during that mode; and regarding the new files, it will be alerting about/blocking them. This can be a point of confusion for some beginners as to whether it will block new files it encounters when VDS is OFF (Red Icon) or not. OFF and Disabled mode are different concepts as used.
 

BearHug

Level 4
Thread author
Verified
Well-known
Jun 9, 2017
158
Will it show whether it is a virus or not?
 

Parsh

Depends on the threat score and multi-engine scan, though it does not mention a file as "virus" specifically (and that is logical for the purpose of the program).
VDS is not built specifically to detect only viruses. It is an anti-exe solution that also provides a threat score (VoodooAI) for a file + multi-engine malware scan.

If a virus is encountered (and the malware launch location/attack vector is covered as per the settings), it will be blocked like any other file; the multiple AV engines are very likely to detect it as a virus, and VoodooAI should also display a high threat score.
In regular cases, the most important sources of viruses (what you call them) are covered and an intuitive alert should follow like:
Screenshot (1014).png
Basically, it will block a virus just like any other file and show the threat score and multi-engine detections that will help you to know that the file is malicious (e.g. a virus).
 

BearHug

Offline?
 

Parsh

As I mentioned in post #2, VoodooAI and the multi-engine scan (VirusTotal) both need an internet connection. However, default blocking of files occurs irrespective of the network status.

VDS is not an AV, nor does it have any malware definitions. The concept is entirely different. It's for the users who want to block any files from running, by default, and also have a whitelist that gets updated as needed.
For convenience and for getting an insight into the file's nature, VoodooAI + multi-engine results + sandbox are provided so that you can be sure whether to allow or block the file(s) or command lines that VDS encounters on your system.
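
Added example, not part of the thread and not VoodooShield's code: a simplified Python model of the split described above, where the allow/block decision comes from a local allowlist alone and the online lookups only add detail to the alert. The class, function names and the sample score values are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

@dataclass
class Verdict:
    allowed: bool
    reason: str
    threat_score: Optional[int] = None  # online-only enrichment
    engine_hits: Optional[int] = None   # online-only enrichment

@dataclass
class DefaultDenyGuard:
    """Hypothetical model: the allowlist decides, cloud lookups only inform."""
    allowlist: set = field(default_factory=set)  # SHA-256 of approved files
    # Hypothetical reputation lookup; raises OSError when there is no network.
    reputation: Optional[Callable[[str], Tuple[int, int]]] = None

    def approve(self, content: bytes) -> None:
        self.allowlist.add(hashlib.sha256(content).hexdigest())

    def check(self, content: bytes) -> Verdict:
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.allowlist:
            return Verdict(True, "allowlisted")
        # Enforcement is decided here, before any network call is attempted.
        verdict = Verdict(False, "not allowlisted: blocked by default")
        if self.reputation is not None:
            try:
                verdict.threat_score, verdict.engine_hits = self.reputation(digest)
            except OSError:
                pass  # offline: the block stands, the alert just has less detail
        return verdict

def online_lookup(digest: str) -> Tuple[int, int]:
    return 92, 41  # constructed sample: threat score, engines flagging the file

def offline_lookup(digest: str) -> Tuple[int, int]:
    raise ConnectionError("no network")  # ConnectionError is a subclass of OSError

def demo() -> list:
    guard = DefaultDenyGuard(reputation=offline_lookup)
    guard.approve(b"known tool")
    results = [guard.check(b"known tool"), guard.check(b"new file")]
    guard.reputation = online_lookup
    results.append(guard.check(b"new file"))
    return results
```

In this model an unknown file is blocked both offline and online; only the score and engine count shown to the user differ.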
 

BearHug

Thanks!
 