So multiple times now, I’ve seen Dan write about how the vast majority of antivirus programs will give you a green checkmark when all of the components are running properly. Most people mistake this as their system being “fully protected”, as their antivirus misleads them into believing.
- February 8, 2020 at 9:27 pm
I wanted to start a discussion about which security products besides VS aren’t misleading with their equivalent of the green checkmark.
The other two are products I use alongside VS. Comodo firewall (the way I configure it) and SecureAPlus with the name and thumbprint option selected on silent mode… are the only other products I can think of that actually mean you’re secure when they say you’re secure.
Comodo does something kind of similar to WLC. When CIS does a scan it labels whitelisted files as “Safe”, known malware as “malicious” and anything it can’t identify as “unrecognized”.
And SecureAPlus on silent mode with the whitelisting settings set to the name and thumbprint option won’t allow anything it can’t identify from the whitelist.
So I ask you all here on this forum. What other security products are there, besides S.A.P., Comodo and V.S., that are being honest when they say your PC is protected?
|VPN(paid)| VoodooShield(Paid)| Sandboxie Plus, by Xanasoft| HitManPro.Alert!(Paid)|
Great question / post, thank you!!!
- February 9, 2020 at 2:59 pm
Let me give you a little context and explain how WLC came about. Ever since the beginning, our lead attorney, advisor and partner named Jim has asked me no less than 50 times if I could create a component within VS that would scan the computer for preexisting malware. I explained to him each time that VS will probably never have a realtime scanner / virus removal component for the following reasons.
1. Other companies have been building realtime scanners and malware removal products for years, and while it is impossible to achieve 100% efficacy for these types of tools, there are many different security products that do this extremely well. And basically, if you are going to build something, you should either build something that is significantly better than what already exists, or build something totally unique and out of the box.
2. After being in the field for 20+ years, I came to realize that most users automatically assume that when a security product claims “You are protected”, they are 100% protected. As I have said before, I cannot count the number of times that a client has asked me “I have antivirus software, how did I get a virus?”. I also cannot count the number of times that I walked into a client’s office and their computer was infected, while their security software continued to insist that they were protected.
3. VS will remain lean and mean, and only do what it does best as a user-friendly toggling computer lock, and only do what other products are unable to because of intellectual property. Sure, VS has file insight and user recommendations, but these are absolutely necessary features. Otherwise, the user does not know what action to take when there is a block.
Having said that… It would be absolutely impossible to scan the entire hard drive of ANY computer and to be able to efficiently and correctly classify all of the files on the machine by file reputation / global whitelist. Even Microsoft cannot do this with their vast resources and unparalleled access.
Enter WLC. The reason WLC focuses only on the running (snapshot) processes is because there would otherwise be far too many files classified as “Not Safe”. The other reason is that this implementation of WLC happens to work perfectly with VS’s snapshot tech… it is a match made in heaven.
It was also vital for WLC to scan files in realtime to continually let the user and admins know that only Safe items are running on their systems at any given moment, and to automatically create a firewall rule if an item was not determined to be safe, especially for SMB and enterprise customers.
So 7 months ago, Jim asked me yet again “Dan, I want to know that only safe files are executing on my computer”, which gave me the idea for WLC. WLC has really taken off the last couple of months… there is a continual stream of new files being analyzed. I was thinking this influx would slow down over time because new files are only analyzed once, but it is not slowing down, it continues to grow.
On somewhat of a side note, I stumbled upon this video the other day…
And obviously I am a huge fan of what they are suggesting in the video. Kaspersky is an amazing product and they do have one heck of a whitelist, but with 1M new files being created every day, this is simply an impossible task, especially when one third are malware (so I am told).
So I think maybe we should think more in terms of dynamic levels of protection (VS’s core toggling feature), in addition to dynamic whitelisting.
Security products have come a very long way the last few years, but they all have one thing in common. They focus solely on what causes an endpoint to become infected and do not even consider why an endpoint is infected. In other words, the industry focus has been on detecting malware or malicious actions (such as signatures, behavior, heuristics, ML/Ai etc.), which is what causes the system to become infected. Instead, what VoodooShield does is focus on why the system is infected. In almost all cases, the system was infected because the user was browsing the internet or checking email and they stumbled upon a malicious link or attachment.
All security products have one constant security posture / level of protection, so at any given moment they are either too aggressive or not aggressive enough, although one could argue that on occasion they might have the perfect security posture / level of protection.
Anyway, to answer your original question… yes, that is what WLC is all about, but WLC focuses only on the running snapshot processes because otherwise there would simply be too many Not Safe verdicts. Thank you!
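The distinction this thread keeps returning to, a status that is green because nothing was detected versus one that is green because everything running is positively known, shown as an added Python illustration. It is not VoodooShield, Comodo or SecureAPlus code; the process names, file contents, allowlist and denylist are constructed samples.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    SAFE = "Safe"
    MALICIOUS = "Malicious"
    UNRECOGNIZED = "Unrecognized"

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for executable images; a real tool hashes the file on disk.
EDITOR = b"constructed image: text editor"
BROWSER = b"constructed image: web browser"
KNOWN_BAD = b"constructed image: catalogued malware"
NEW_FILE = b"constructed image: never seen before"

ALLOWLIST = {digest(EDITOR), digest(BROWSER)}  # hypothetical reputation data
DENYLIST = {digest(KNOWN_BAD)}                 # hypothetical signature data

def classify(image: bytes) -> Verdict:
    d = digest(image)
    if d in DENYLIST:
        return Verdict.MALICIOUS
    if d in ALLOWLIST:
        return Verdict.SAFE
    return Verdict.UNRECOGNIZED

def scan(snapshot: dict) -> dict:
    """Map each running process name to its verdict."""
    return {name: classify(image) for name, image in snapshot.items()}

def green_if_nothing_detected(results: dict) -> bool:
    # Detection-style status: green unless something matched the denylist.
    return all(v is not Verdict.MALICIOUS for v in results.values())

def green_if_all_safe(results: dict) -> bool:
    # Allowlist-style status: green only when every process is positively known.
    return all(v is Verdict.SAFE for v in results.values())

def not_safe(results: dict) -> list:
    # Candidates for blocking under a default-deny policy.
    return sorted(n for n, v in results.items() if v is not Verdict.SAFE)

SNAPSHOT = {"editor.exe": EDITOR, "browser.exe": BROWSER, "invoice.exe": NEW_FILE}

if __name__ == "__main__":
    results = scan(SNAPSHOT)
    print(green_if_nothing_detected(results), green_if_all_safe(results), not_safe(results))
```

With one never-seen file running, the detection-style status stays green while the allowlist-style status does not, and that file is the only one listed for blocking.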
I was talking more about which antivirus products, besides VS, aren’t being misleading when their product says it’s protecting them. As far as I’ve seen, only other whitelisting applications are telling the truth with their equivalent of the green checkmark.
- February 9, 2020 at 10:36 pm
But I do get what you’re saying.
Microsoft SE back during the Windows 7 and Windows XP days was awful. It got a really crappy detection rate on top of sometimes being unable to handle some of the things it would catch. But it kept showing the green checkmark all the while a piece of ransomware would be running on the system.
Norton was and still is the same way. I have elderly friends that use it and their computer tech says it’s “the best one” but in the next breath will admit he doesn’t know specifics about how software functions. I’ve had him work on my PC a few times whenever I have a hardware issue and he’s good about that at least.
Back to my point about Norton. It consistently gets the lowest detection rate out of all of the top selling products. Even Comodo’s antivirus gets a better detection rate and Comodo is notorious for having a bad detection rate with the antivirus (don’t misunderstand what I’m saying, Comodo works great, their virus database is bad though). Any time I’m doing someone’s backup with a Norton product it only tells me AFTER I’ve finished the backup that “you haven’t performed a backup recently”.
Yep, I agree! I mean really, this is not rocket science, it is common sense. We will never solve the malware crisis as long as new arbitrary executable code is allowed to automatically execute. Everyone knows this but they are just hoping for the silver bullet that is going to fix everything. The most recent silver bullet was the whole ML/Ai promise, which I watched on 60 Minutes… it was going to solve the malware crisis. The funny thing is, after watching that episode of 60 Minutes, I believed for about 10 minutes that they might have actually cracked the code and all of our problems would disappear overnight. Ten minutes later I came to my senses and realized our work is not over.
- February 10, 2020 at 4:27 am
Please do not get me wrong, ML/Ai certainly has an important role to play in cybersecurity, assuming it is applied correctly and in reasonable doses. It is slightly more accurate and effective than traditional signatures, but it certainly is not going to change anything in a meaningful way.
We need to focus on dynamic levels of protection, combined with file reputation and ML/Ai, which is what the whole WLC / VS implementation is all about.
fwiw, I’ve used VS continually for a long time (I think I have some version 1.nn files saved somewhere), and then was intrigued with cruelsister’s persistence for comodo firewall (when “properly” configured). I’ve been running VS and CF together for a few years now without any compatibility issues. I’ve been told this setup is overkill, but why if it does not affect performance? I ignored those naysayers. Only change I’ve made lately, I run win10 in vmware workstation 15. I now run WD for av which does display a green checkmark, but I like seeing a white WLC icon in systray. Last snapshot scan was 6.23 sec. Lately, I ponder privacy more than security.
- February 10, 2020 at 5:24 am
@simmerskool may or may not remember me from wilders security when I’ve shared the way I configure comodo firewall. It’s very similar to CruelSister1’s way of configuring it. Except my way blocks ALL unknown and ALL known malware instead of sandboxing it. My way of configuring comodo firewall has evolved a little, since there’s a few new features in it now.
- February 10, 2020 at 7:05 pm
General settings: User interface: Turn off welcome screen, turn off notifications about tasks being sent to the background, turn off the upgrade button and enable password protection. Keep the widget but get rid of all of the “Pane” things. It confirms that Comodo is actually running; sometimes the tray icon can be a little finicky.
Firewall: Firewall settings: Turn on “do not show popup alerts” and select “block requests”. Turn on “filter IPv6 traffic”. Turn on “do protocol analysis”.
Firewall: Network Zones: Turn on “do not show popup alerts” and select “public”.
HIPS: HIPS Settings: Turn on “do not show popup alerts” and select “block requests”.
Containment: Containment Settings: Turn off “do not virtualize access to” options, turn off “enable automatic startup for services installed in the container”. Turn on “do not show privilege elevation requests”. Select “block”. Don’t allow virtualized access to the clipboard. Protect the virtual desktop with a password. The virtual desktop can now be used to protect your PC from a friend that wants to use it now.
Containment: Auto-Containment: Change the setting currently set to “run virtualized” to “block”.
File Rating: File Rating settings: Enable “do not show popup alerts”.
Advanced Protection: VirusScope: Enable “do not show popup alerts” and make sure “monitor only the applications in the container” is OFF.
(Optional) Advanced Protection: Device Control: Make sure it’s enabled, log detected devices should be turned on, enable “show notifications when devices are being disabled or enabled”. Add all existing devices to the exclusions, and block every category of devices that can be blocked. This will keep anyone from being able to spread their crap from their own devices into your PC. Allow only your own devices whenever you get a new one.
Advanced Protection: Miscellaneous: Turn off “do not automatically clean up suspicious certificates”. And maybe turn off “show alerts in case any other software attempts to modify current settings of installed browsers”.