Friday 2 August 2013

VoodooShield

Pros: Blocks execution of non-whitelisted programs when you're online. Turns on when USB inserted. Blocks unknowns in user-space folders even when not online. Can manage and share whitelists via online console. Can scan unknowns using VirusTotal.

Cons: Pre-existing malware may get whitelisted. Easy to turn off protection. Doesn't protect against malware in Windows folder.

Bottom Line: VoodooShield aims to block malware by preventing execution of unknown programs when you're online but staying out of the way otherwise. It offers a nice balance between protection and ease of use.

By Neil J. Rubenking

Antivirus developers often joke that if false positives weren't an issue they could create the perfect antivirus utility. To be sure of catching every virus, Trojan, and other malicious program, they'd simply design a tool that blocks every program. It turns out that idea isn't as far-fetched as it might sound. For $19.99 per year, VoodooShield will work hard to block malicious programs not caught by your regular antivirus, while making it easy to whitelist your existing good programs.

Installation is quick and simple. After a necessary reboot, the product displays just two explanatory screens. One points out that by default VoodooShield remains in training mode when you're not using email or a browser, noting and whitelisting any programs you use. The other explains that when VoodooShield does block a program, you can manually whitelist it with a click.

Getting Started
Immediately after installation, VoodooShield runs in the turned-off training mode for ten minutes. This gives it a chance to notice and whitelist active processes. When that period ends, it offers to switch to SMART mode. In this mode, it remains turned off and learning until you launch an email client or browser. At that point it turns on and automatically blocks every program that isn't already whitelisted.

This default-deny mode is similar to the way TinyWall 2.1 handles firewall permissions. If a program isn't whitelisted, TinyWall simply won't let it connect, but it offers easy choices for whitelisting good programs.

Of course, some malware arrives via a route other than the browser. The well-known Stuxnet attack relied on USB drives to reach computers with no network connection, but VoodooShield is ready for just such an occasion. If VoodooShield is turned off when you insert a USB drive, it offers to turn on protection.

Anti-Executable 5.0 takes a rather different approach. Upon installation, it scans your hard drives and actively whitelists every program it finds. You can re-run this scan if needed; there's also an option to scan and whitelist programs based on the publisher that digitally signed them.

Where VoodooShield aims to take action only when the user is at risk, Anti-Executable is always active unless you put it in Maintenance Mode or enable Temporary Execution Mode. The former lets you install and whitelist updates; the latter just lets you run programs that would otherwise be blocked.

User Space Protection
It's possible that you might download a file (deliberately or due to a malicious website) that doesn't get launched until after the browser is closed. To handle that possibility, VoodooShield's SMART mode protects user-specific folders like Documents, Downloads, and Desktop. By default, a program launched from the user space will be blocked until you whitelist it.

Malware that's already on your system might be caught by the user space protection feature, but it might just as likely get whitelisted while VoodooShield is in training mode. VoodooShield isn't meant to replace your regular antivirus, but to work alongside it. It doesn't actively distinguish malicious programs from your valid applications. Before installing it, you'll want to give your system a full antivirus scan. If you haven't yet selected an antivirus for ongoing protection you can use a free cleanup-only antivirus like Malwarebytes Anti-Malware 1.70, Comodo Cleaning Essentials 6, or Norton Power Eraser.
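
The mode logic described under Getting Started and User Space Protection, modelled as an added example (this is not VoodooShield's code and not part of the original review). It assumes programs are identified by SHA-256 hash and that protection returns to learning when the browser closes; the paths and file contents are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

USER_SPACE = ("Documents", "Downloads", "Desktop")  # folders named in the review


class SmartModeModel:
    """Toy model of the SMART-mode behaviour described in the review."""

    def __init__(self, profile=r"C:\Users\alice"):  # constructed profile path
        self.profile = PureWindowsPath(profile)
        self.whitelist = set()        # assumption: programs are keyed by SHA-256
        self.protection_on = False    # off and learning until browser/mail starts

    def set_online_app_running(self, running):
        # Assumption: protection drops back to learning when the browser closes.
        self.protection_on = running

    def in_user_space(self, path):
        parents = PureWindowsPath(path).parents
        return any(self.profile / d in parents for d in USER_SPACE)

    def user_allows(self, content):
        # The user clicks "allow" on a block notification.
        self.whitelist.add(hashlib.sha256(content).hexdigest())

    def launch(self, path, content):
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.whitelist:
            return "allow"
        if self.protection_on or self.in_user_space(path):
            return "block"            # default deny for unknowns
        self.whitelist.add(digest)    # training: anything that runs is trusted
        return "learned"


def demo():
    m = SmartModeModel()
    resident = b"constructed: program present before install"
    download = b"constructed: file saved by the browser"
    results = [m.launch(r"C:\Windows\svc_helper.exe", resident)]      # learned
    m.set_online_app_running(True)
    results.append(m.launch(r"C:\Windows\svc_helper.exe", resident))  # allow
    results.append(m.launch(r"C:\Program Files\New\new.exe", b"constructed: unknown"))
    m.set_online_app_running(False)
    results.append(m.launch(r"C:\Users\alice\Downloads\setup.exe", download))
    m.user_allows(download)
    results.append(m.launch(r"C:\Users\alice\Downloads\setup.exe", download))
    return results
```

The first two results show why the full antivirus scan before installation matters: whatever runs during training is trusted once protection turns on.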

The VoodooShield FAQ says the product "works great with most or all traditional antivirus software." It specifically recommends Webroot SecureAnywhere Antivirus 2013 as a super-lightweight complement to VoodooShield's own small resource footprint.

Scan with VirusTotal
Whitelisting a program that VoodooShield blocks is as easy as clicking on the notification, which pops up a big window that lets you allow or deny execution. If you're not sure whether to allow or deny, you can scan the file with VirusTotal first. Bought last year by Google, VirusTotal is a website that will run any file past more than 40 virus scanners and report their results. If it has processed the same file before, results come up almost immediately.

VoodooShield recommends blocking a program if even one of the 40+ antivirus scanners flags it. For myself, if I saw that just one or two had flagged the program, I'd scroll down to see which ones, and what they called it. A name like "Generic.Heuristic.123" or "Behaves.Like.Trojan" suggests at least the possibility that the antivirus accidentally flagged a valid program.

You can also launch a VirusTotal scan of any program simply by dragging and dropping it on the VoodooShield icon.


View the original article here
