Reply To: The Green Checkmark of Deception. (Conventional VS New Age)
Dan (Keymaster)
February 9, 2020 at 2:59 pm
Great question / post, thank you!!!
Let me give you a little context and explain how WLC came about. Ever since the beginning, our lead attorney, advisor and partner named Jim has asked me no less than 50 times if I could create a component within VS that would scan the computer for preexisting malware. I explained to him each time that VS will probably never have a realtime scanner / virus removal component for the following reasons.
1. Other companies have been building realtime scanners and malware removal products for years, and while it is impossible to achieve 100% efficacy for these types of tools, there are many different security products that do this extremely well. And basically, if you are going to build something, you should either build something that is significantly better than what already exists, or build something totally unique and out of the box.
2. After being in the field for 20+ years, I came to realize that most users automatically assume that when a security product claims “You are protected”, they are 100% protected. As I have said before, I cannot count the number of times that a client has asked me “I have antivirus software, how did I get a virus?”. I also cannot count the number of times that I walked into a client’s office and their computer was infected, while their security software continued to insist that they were protected.
3. VS will remain lean and mean, and only do what it does best as a user-friendly toggling computer lock, and only do what other products are unable to because of intellectual property. Sure, VS has file insight and user recommendations, but these are absolutely necessary features. Otherwise, the user does not know what action to take when there is a block.
Having said that… It would be absolutely impossible to scan the entire hard drive of ANY computer and to be able to efficiently and correctly classify all of the files on the machine by file reputation / global whitelist. Even Microsoft cannot do this with their vast resources and unparalleled access.
Enter WLC. The reason WLC focuses only on the running (snapshot) processes is because there would otherwise be far too many files classified as “Not Safe”. The other reason is that this implementation of WLC happens to work perfectly with VS’s snapshot tech… it is a match made in heaven.
It was also vital for WLC to scan files in realtime to continually let the user and admins know that only Safe items are running on their systems at any given moment, and to automatically create a firewall rule if an item was not determined to be safe, especially for SMB and enterprise customers.
So 7 months ago, Jim asked me yet again “Dan, I want to know that only safe files are executing on my computer”, which gave me the idea for WLC. WLC has really taken off the last couple of months… there is a continual stream of new files being analyzed. I was thinking this influx would slow down over time because new files are only analyzed once, but it is not slowing down, it continues to grow.
On somewhat of a side note, I stumbled upon this video the other day…
And obviously I am a huge fan of what they are suggesting in the video. Kaspersky is an amazing product and they do have one heck of a whitelist, but with 1M new files being created every day, this is simply an impossible task, especially when one third are malware (so I am told).
So I think maybe we should maybe think more in terms of dynamic levels of protection (VS’s core toggling feature), in addition to dynamic whitelisting.
Security products have come a very long way the last few years, but they all have one thing in common. They focus solely on what causes an endpoint to become infected and do not even consider why an endpoint is infected. In other words, the industry focus has been on detecting malware or malicious actions (such as signatures, behavior, heuristics, ML/AI etc.), which is what causes the system to become infected. Instead, what VoodooShield does is focus on why the system is infected. In almost all cases, the system was infected because the user was browsing the internet or checking email and they stumbled upon a malicious link or attachment.
All security products have one constant security posture / level of protection, so at any given moment they are either too aggressive or not aggressive enough, although one could argue that on occasion they might have the perfect security posture / level of protection.
Anyway, to answer your original question… yes, that is what WLC is all about, but WLC focuses only on the running snapshot processes because otherwise there would simply be too many Not Safe verdicts. Thank you!