Antivirus developers often joke that if false positives weren’t an issue they could create the perfect antivirus utility. To be sure of catching every virus, Trojan, and other malicious program, they’d simply design a tool that blocks every program. It turns out that idea isn’t as far-fetched as it might sound. For $19.99 per year, VoodooShield will work hard to block malicious programs not caught by your regular antivirus, while making it easy to whitelist your existing good programs.
Installation is quick and simple. After a necessary reboot, the product displays just two explanatory screens. One points out that by default VoodooShield remains in training mode when you’re not using email or a browser, noting and whitelisting any programs you use. The other explains that when VoodooShield does block a program, you can manually whitelist it with a click.
Immediately after installation, VoodooShield runs in the turned-off training mode for ten minutes. This gives it a chance to notice and whitelist active processes. When that period ends, it offers to switch to SMART mode. In this mode, it remains turned off and learning until you launch an email client or browser. At that point it turns on and automatically blocks every program that isn’t already whitelisted.
This default-deny mode is similar to the way TinyWall 2.1 handles firewall permissions. If a program isn’t whitelisted, TinyWall simply won’t let it connect, but it offers easy choices for whitelisting good programs.
Of course, some malware arrives via a route other than the browser. The well-known Stuxnet attack relied on USB drives to reach computers with no network connection, but VoodooShield is ready for just such an occasion. If VoodooShield is turned off when you insert a USB drive, it offers to turn on protection.
Anti-Executable 5.0 takes a rather different approach. Upon installation, it scans your hard drives and actively whitelists every program it finds. You can re-run this scan if needed; there’s also an option to scan and whitelist programs based on the publisher that digitally signed them.
Where VoodooShield aims to take action only when the user is at risk, Anti-Executable is always active unless you put it in Maintenance Mode or enable Temporary Execution Mode. The former lets you install and whitelist updates; the latter just lets you run programs that would otherwise be blocked.
User Space Protection
It’s possible that you might download a file (deliberately or due to a malicious website) that doesn’t get launched until after the browser is closed. To handle that possibility, VoodooShield’s SMART mode protects user-specific folders like Documents, Downloads, and Desktop. By default, a program launched from the user space will be blocked until you whitelist it.
Malware that’s already on your system might be caught by the user space protection feature, but it might just as likely get whitelisted while VoodooShield is in training mode. VoodooShield isn’t meant to replace your regular antivirus, but to work alongside it. It doesn’t actively distinguish malicious programs from your valid applications. Before installing it, you’ll want to give your system a full antivirus scan. If you haven’t yet selected an antivirus for ongoing protection you can use a free cleanup-only antivirus like Malwarebytes Anti-Malware 1.70, Comodo Cleaning Essentials 6, or Norton Power Eraser.
The VoodooShield FAQ says the product “works great with most or all traditional antivirus software.” It specifically recommends Webroot SecureAnywhere Antivirus 2013 as a super-lightweight complement to VoodooShield’s own small resource footprint.
Scan with VirusTotal
Whitelisting a program that VoodooShield blocks is as easy as clicking on the notification, which pops up a big window that lets you allow or deny execution. If you’re not sure whether to allow or deny, you can scan the file with VirusTotal first. Bought last year by Google, VirusTotal is a website that will run any file past more than 40 virus scanners and report their results. If it has processed the same file before, results come up almost immediately.
VoodooShield recommends blocking a program if even one of the 40+ antivirus scanners flags it. For myself, if I saw that just one or two had flagged the program, I’d scroll down to see which ones, and what they called it. A name like “Generic.Heuristic.123” or “Behaves.Like.Trojan” suggests at least the possibility that the antivirus accidentally flagged a valid program.
You can also launch a VirusTotal scan of any program simply by dragging and dropping it on the VoodooShield icon.
Hands On With VoodooShield
I tested VoodooShield by downloading and executing a dozen known malicious programs. Choosing Run from the download dialog meant the browser was still active when the malware launched, so VoodooShield’s default-deny mode prevented the launch. When I downloaded samples to the desktop, closed the browser, and then launched them, the user space protection feature kicked in and prevented execution.
I did find that I could run malware by downloading it to a non-user folder like C:\Samples, shutting off the browser, and then launching the sample. However, I don’t see any way a drive-by download or malicious website could manage that sequence of events.
Interestingly, you handle whitelist management through an online console. In addition to editing out any mistakenly-whitelisted programs, you can copy the whitelist from one installation to any other, or to all of your other installations.
In order to update Windows or install a major application under Anti-Executable, you put the program in Maintenance mode. In this mode it doesn’t block any programs and adds all new and updated programs to its whitelist. I tried Windows Update with VoodooShield in SMART mode, but it blocked the installers; I had to put it in training mode for a successful update. As with Anti-Executable, you’ll want to be sure you don’t visit any other websites or launch any other products during the update.
Because VoodooShield whitelists any program in the Windows folder, the new and updated files from Windows Update had no trouble once I switched back to SMART mode. On the flip side, a drive-by download that dropped its payload in the Windows folder would slip past VoodooShield’s protection.
Not Many Settings
You can fine-tune VoodooShield’s settings, but think carefully before you do, as it comes pre-configured for optimum protection. By default, it whitelists any software in the Program Files folder and any programs in or below the Windows folder. On the flip side, it blacklists any programs that try to execute from the App Data folder, a favorite malware hiding place. Most users should leave these and other settings at their default values.
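To make the decision logic concrete, here is an added toy model (not VoodooShield’s code) of the folder and mode rules the review describes: the Program Files and Windows whitelists, the AppData blacklist, user space protection, and the turned-off learning state. The folder layout and the profile name alice are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample layout; the profile name is an assumption for the demo.
USER = PureWindowsPath(r"C:\Users\alice")
WINDOWS = PureWindowsPath(r"C:\Windows")
PROGRAM_FILES = (PureWindowsPath(r"C:\Program Files"),
                 PureWindowsPath(r"C:\Program Files (x86)"))
APPDATA = USER / "AppData"
USER_SPACE = (USER / "Documents", USER / "Downloads", USER / "Desktop")


def under(path, root):
    """True if path is root or lies below it. Compares whole path components
    (case-insensitively, as NTFS does), so 'Program Files (x86)' is not
    mistaken for a child of 'Program Files'."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


class Shield:
    """Decision logic only. Modes: 'training', 'smart', 'always_on'."""

    def __init__(self, mode="smart"):
        self.mode = mode
        self.whitelist = set()   # paths approved by a click or learned while off

    def decide(self, exe, risky_app_open=False):
        """Return 'allow', 'block' or 'learn' for one launch attempt.
        risky_app_open: a browser or email client is currently running."""
        key = str(PureWindowsPath(exe)).lower()
        if key in self.whitelist:
            return "allow"
        if under(exe, APPDATA):            # blacklisted location
            return "block"
        if under(exe, WINDOWS) or any(under(exe, pf) for pf in PROGRAM_FILES):
            return "allow"                 # folder whitelist, whoever wrote the file
        protecting = self.mode == "always_on" or (
            self.mode == "smart" and (risky_app_open or
                                      any(under(exe, u) for u in USER_SPACE)))
        if protecting:
            return "block"
        self.whitelist.add(key)            # turned off and learning: note and whitelist
        return "learn"
```

The two gaps the review points out fall straight out of the rules: a file dropped under C:\Windows is allowed, and a file in a non-user folder launched with the browser closed is learned (and whitelisted) rather than blocked, which is why always-on mode closes them.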
Most users should especially take a hands-off policy for settings on the Advanced tab. Among other things, meddling with these could disable USB detection, user space protection, and the product’s own defenses against being terminated by malware.
VoodooShield’s icon floats on the desktop and displays the program’s status. You can change its placement or tweak its transparency level. For a slow computer, there’s an option to ramp down the program’s use of system resources. A set of checkboxes lets you exempt specific programs or program types from blacklisting; you’ll most likely use these on advice from tech support.
The previous version of VoodooShield had a few loopholes, but these have mostly been closed. User space protection handles the case where you accidentally download malware and then launch it with no browser open, as long as you download it to a user-space folder. The same is true if you download malware using an unsupported browser.
Of course, there’s a very simple solution to loopholes—just set the product to be always on. My VoodooShield contact confirmed that many users switch to always on after using the product for a while.
Easy to Use
Both VoodooShield and Anti-Executable 5.0 base their protection model on preventing unapproved programs from launching. With its somewhat arcane modes and settings, Anti-Executable is best suited to a business environment. As the boss, you can use it to actively limit what programs employees use.
VoodooShield is a better choice to install on your own computer, for an added layer of protection. It’s designed to prevent malicious files from launching while making it as easy as possible for you to whitelist valid files. I like the balance this product strikes between ease of use and tough protection. At present the vendor is running a free-for-one-year promotion, so give it a try and see what you think.
|Tech Support|Email and phone support available.|
|OS Compatibility|Windows Vista, Windows XP, Windows 7, Windows 8|
|Type|Business, Personal, Professional|
Copyright © 2012 Ziff Davis, Inc