My thoughts on Application Whitelisting | SecureAPlus & Voodooshield Test



Is whitelisting better than antivirus? In this video I share my thoughts on application whitelisting, using SecureAPlus and VoodooShield as examples, while testing them against malware. Is a false positive better than a false negative?

——————————————-

Want to join the TPSC community? Join our Discord server!

Want instant updates when new malware is discovered? Follow me on Twitter:

Do you enjoy the content on this channel? YouTube ad revenue is virtually non-existent so please consider funding TPSC via Patreon:

For business inquiries, please contact:
leo@thepcsecuritychannel.com

Music from Jukedeck – create your own at

Source: https://top100vn.com/

See more articles: https://top100vn.com/cong-nghe/

44 thoughts on “My thoughts on Application Whitelisting | SecureAPlus & Voodooshield Test”

  1. I can see these being useful for embedded systems which only need to run a couple of pieces of software. Whitelist that software and just block everything else, as nothing else is needed anyway.

  2. I view whitelisting as an essential tool. The fact that they give the user some control is a GOOD thing. I don't always want everything to be automated.

  3. If it is sent to the server, SecureAPlus will scan it and give you an idea what it is… but I understand your point, not all people know how to use AV. When I first got a PC, I was afraid to use the program, so I just left the AV to do its thing. For example, my Mum is so afraid of viruses and she doesn't know how to use AV. She just leaves it and believes that the program will protect her. But then again, she doesn't visit sketchy websites, just a few she knows about.

  4. If you have used a computer for a while and know the fundamentals, nothing beats VoodooShield. It's one of the few applications that can show a clean sheet every time you run a test. You've got VirusTotal to help you out with decisions. I mean, it's not nuclear science. I understand your point of view, but in the real world, I really think VS is one of the big dogs. I have used it 5-6 months, and I'm stunned.

  5. As a noob, I would expect VoodooShield to block any new software I wanted to install (but I was as sure as I could be that the software was legitimate), but I would just unblock/allow it since I intentionally downloaded it. Where I would think it would be useful is when I'm browsing the net or clicking on a link in an email I thought was trustworthy and suddenly VoodooShield is alerting me that a piece of software is trying to install/start when I haven't intentionally tried to download or install anything at that time, in which case I would block/quarantine it and use a good AV to scan the system, plus a second-opinion scan too, to get a good idea of whether it's known malware. If I was still suspicious that it could be zero-day malware that my AV software wasn't familiar with yet, I could just keep it in quarantine for a few weeks and test again once signatures are likely to have been updated?
    Although what is the difference between this and just running my computer in a 'user' account and needing to enter an admin password every time I want to install software, or, while I'm browsing or reading through emails, unexpectedly getting an admin pop-up screen asking for my password to install software when I wasn't intentionally trying to install anything at that time… how effective is simply using a computer as a 'user' compared to whitelisting?

  6. Hello mate… Help me to choose an antivirus product for me. I'm a light gamer and I do download from torrents. Help me out.

  7. SecureAPlus messed up my system, never used it again after that. I do like how it lets you decide though, I know what I should block and not.

  8. Did you do the first system scan which goes through the auto-whitelisting process? Would one benefit of a whitelisting program be to prevent a DLL or EXE running via a drive-by download on a PC via a zero-day? Now the average user would probably just allow it, but someone more tech-savvy may stop and wonder where that came from.

  9. You clearly did not take any time to introduce and explain the features of SAP or VoodooShield to your viewers, and your "test" was no test at all but simply an opinion. Maybe because you fail to understand the product? You rarely bother to do anything but install a product with default settings and you fail to educate your viewers about the features and uses of a product. The coup de grace is your recent addition of the automated malware downloader with which you bombard a product. Quantity (of malware) vs quality appears to be your modus operandi. It defies all logic, except the logic of $$$, slick videos and pleasant voiceovers. Yes, "Stay secure and stay informed." Just not on this site, please!

  10. Blocks 100% of all legitimate applications… BUT WILL IT BLOCK 100% OF ALL RANSOMWARE!!!

  11. Can you put Lookout Mobile Security to the test? It's an app available on the Google Play Store for smartphones and tablets, and it's also available for desktops and laptops.

  12. Whitelisting apps, I think, are better for servers where the constants are known and not changing as much. End-user desktops change too much.

  13. Hey, I need help with my PC. I was hit by ransomware but I had a backup and used it, but I thought that was done. (I was wrong.) And now it tried to log onto my father's Gmail and my bitcoin wallet. I have their IP address (and ISP, it is Comcast). Who do I contact? I need help.

  14. I do use SecureAPlus because I think of myself as a slightly advanced user and do not install new applications very often (maybe 1 or 2 in a month).

    Thank you for the video and advice.

  15. 5 mins in and this is exactly why I dislike VoodooShield. I've used it twice over the past few years and everyone sings its praises: it blocks all malware, yeah!

    And I'm left thinking it blocks everything, not just malware. What is the purpose of a security solution that blocks everything by default?

    There is a saying that the only secure PC in the world is one that is in a box surrounded with 5 feet of concrete. There might be a very rare chance that a random file would drive-by download while trying to auto-launch itself, but most malware is run with the thought that it is a legitimate program. No one runs malware on purpose knowing it is malware, so if you try to do something like this you would default to approving it. Stuff like this would be good for a child's computer to prevent them from messing with it. It will do nothing to stop someone who is trying to run a program that is malware but they assume it is not.

  16. There's only one "whitelisting" application that I use over any antivirus and it's built into Windows, it's called secpol.msc (Local Group Policy Editor) and it works like a charm!
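
Comment 16 points at the policy-based whitelisting that ships with Windows. The script below is an added example (not code from the video, the commenter, or any of the products discussed) showing how to build the same default-deny allow-list with AppLocker, the successor to Software Restriction Policies, from PowerShell: inventory what is installed, turn that into publisher rules with hash rules as the fallback for unsigned binaries, dry-run a download against the policy, and only then enforce. The directory list, the candidate download path, the export path and the `EnforcementMode` assignment on each rule collection are assumptions for illustration; run it in an elevated PowerShell on an edition that includes AppLocker.

```powershell
# Added example: default-deny application allow-listing with Windows' own
# AppLocker cmdlets. Paths below are assumptions for illustration.

# AppLocker only enforces while the Application Identity service is running.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 1. Inventory the installed software. This is the "auto-whitelisting scan"
#    step: everything found here becomes an allow rule; nothing else will run.
#    (Directory list is an assumption; add whatever your images install.)
$fileInfo = Get-AppLockerFileInformation `
    -Directory 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' `
    -Recurse -FileType Exe, Dll, Script, WindowsInstaller

# 2. Prefer publisher (Authenticode) rules so signed software keeps running
#    after updates; fall back to SHA-256 hash rules for unsigned files, which
#    is why unsigned Microsoft binaries are a maintenance burden: each update
#    invalidates the hash. -Optimize collapses duplicate publisher rules.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation

# Start in AuditOnly: would-be blocks are logged under
# Applications and Services Logs > Microsoft > Windows > AppLocker
# instead of enforced. Setting EnforcementMode per collection this way is an
# assumption of this example; 'Enabled' turns on default-deny once the audit
# log shows no legitimate software being hit.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 3. Dry-run the policy against a download before enforcing, which is the
#    decision VoodooShield/SecureAPlus put in front of the user. A 'Denied' or
#    'DeniedByDefault' result is the false positive for a legitimate installer
#    and the intended outcome for a dropped payload; 'Allowed' shows which rule
#    matched so you can tell a publisher match from a hash match.
$candidate = 'C:\Users\alice\Downloads\setup.exe'   # assumed path
Test-AppLockerPolicy -PolicyObject $policy -Path $candidate -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Apply locally, merging with any existing rules, and keep an XML copy so
#    the baseline can be reviewed and pushed through Group Policy later.
Set-AppLockerPolicy -PolicyObject $policy -Merge
$policy.ToXml() | Out-File -FilePath 'C:\Policies\AppLocker-baseline.xml' -Encoding UTF8
```

Two practical notes: once any rule exists in a collection and that collection is set to `Enabled`, AppLocker denies everything not matched, so a missed directory in step 1 shows up as "blocks 100% of legitimate applications" rather than as a silent gap; and a publisher rule allows every version from that publisher, so the trade-off the video raises (false positive versus false negative) is decided per rule type, not once per product.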

  17. Can you please test RansomOff from Heilig Defense against ransomware? It can be a great free program to have for your protection. Thank you in advance.

  18. I would say most novice users are better off with Comodo Internet Security; it whitelists quite a lot of trusted software companies, and any unknown files are sandboxed, then the unknown files are sent to Comodo for analysis. If the file turns out to be malware, Comodo will include the signature of the file in the next signature update; if the file turns out to be legitimate, Comodo will release the file from the sandbox and add it to the whitelist.

  19. I want to say my piece on this topic. Basically, in 2018, if the user is using a secure email client and is not downloading torrents, there is not much risk of getting infected with serious malware. However, I have to say that I still use VoodooShield paired with Windows Defender on one of my systems (a shared computer). The idea about teaching a beginner to use whitelisting solutions is, first of all, to start from a clean install of Windows. The rules I could give them are: "If something pops up but you didn't run anything, then it's probably a false positive and you should allow it." "If you executed something, it's blocked and it's an email attachment, then it's malware for sure" (few standard users are sent software via email). "If you downloaded a new program, the issue comes: if it's downloaded from a trusted site, then it's probably a false positive, and if it's from a site you don't trust, you should block it" (but who can say, in the case of the CCleaner hack? But, in that situation, blacklisting solutions also couldn't detect it at the beginning). The positive factor and issue about VoodooShield is the fact it's using VirusTotal, and users should be taught first how to use it. This could increase detection a lot, but also produce false positives. The other issue is their command-line monitoring: sometimes VoodooShield blocks some command lines, especially when installing new software. That's another rule to add: "If the software blocks a command line while you are installing software, just allow it." So yeah, there are a lot of rules to teach, but in my case the software works well because the system is not modified very much and new programs are installed rarely. I also use a Standard User Account on all my systems (I read in various places that it's recommended).
    However, on my personal system I switched from COMODO to Windows hardening via NoVirusThanks SysHardener (basically disabling wscript, macros, DDEAUTO, autorun and other risky features), because it doesn't impact the system at all (just registry modifications) and I don't use those features at all. I could also have enabled Software Restriction Policies, but I don't really like them.

  20. Hey Leo, can you also compare it to Kaspersky's optional "Trusted Applications Mode"? https://support.kaspersky.com/14372

  21. Only watched the first three minutes so far… while I do agree with your comments 100% so far… I also just have to say that those files by MS should have been signed… but still, I agree 100% so far with what you're saying.

  22. 08:57 VoodooShield allows everything in the Program Files folder by default, so I don't think very many normal users would have to worry about VS making the system unusable. I have elderly friends that I've set up with VS and they never have any issues with it. They call me every now and then about how it blocked something and I go over there to check it out for them, and every time it turns out to be malware that they got from a spam email.

  23. 03:01 I admit, if I was a regular user, I wouldn't know what to do with an alert like that. The reason why I advocate for whitelisting products so aggressively is mostly because of polymorphic malware and the fact that it's much easier to track the new releases of legit software than it is to track the new variants of malware. I'm a much bigger advocate of VoodooShield and Comodo, because their contingencies for when they encounter unknown files are much easier for a normal user to understand.

  24. As always, really nice and useful videos, Leo, but I have a question please: why does Malwarebytes, which I always trust, flag the Advanced SystemCare software as a PUP, while most other AVs give it a clean sheet?

  25. This is why you use Comodo.

    Allows files verified as Trusted, whilst also Allowing Unknown files to run in a sandbox that is unable to infect the machine (whilst Comodo Cloud services analyze the file) and finally Blocks files verified as Malicious.

  26. “Process Hacker's powerful process termination capabilities bypass most security software and rootkits, ending the entire affected process.”

    https://download.cnet.com/Process-Hacker/3000-2094_4-10971791.html

    Think about what you are testing here Leo… you are testing ProcessHacker. ProcessHacker is a great program, but you should know that as a malware analyst, it contains many attributes that make it appear indistinguishable from malware. One of the signatures was “not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen”… you should know as a malware analyst what this means… it means that other engines almost certainly detected this file as a false positive in the past and had to manually whitelist it. Right?

    In other words, if VoodooAi did not detect this file as unsafe, then I would be deeply concerned. If traditional signatures do not detect ProcessHacker as malware, I would be equally concerned… and we should all hope and pray that the only reason that other 64 engines did not detect ProcessHacker as unsafe is because they manually whitelisted the file.

    If you want to perform a test that would be interesting and applicable to people who are not malware analysts, simply download the top 100 or 1000 files from any download site and test again. These are the types of files that our novice, moderate and advanced users download. VoodooShield actually works extremely well for novices and moderate users because most of them never install software (certainly not ProcessHacker); they basically use the same 5-10 apps every day like I do.

    Also, VS does not toggle when on AutoPilot, it only toggles in Smart Mode. Please do not take this as an insult, but this makes me wonder how much time you spent evaluating VS in the first place. Please do me a favor… try VS for one week and let everyone know what you think after using it for a week. After that, install it on your parents' computer for a week, and just tell them that it's a lock for their computer. I will even provide the licenses. Thank you!

  27. Our company is an MSP for Comodo ITSM software. It has many predefined trusted apps and files, so it's not that intrusive. The AV is good enough, Valkyrie is good at categorizing threats and Containment at its heart works wonders protecting clients. The console gives us info about threats with hashes and links directing right to VirusTotal. This kind of combo is an example of where whitelisting really shines.
