When you open the box and take out a brand-new PC, you can be pretty sure it’s malware-free. You could keep it that way by staying off the internet and not launching any new programs. That computer wouldn’t need a traditional antivirus at all, but it wouldn’t be good for much. VoodooSoft’s VoodooShield aims to keep you protected while allowing normal use of the computer. By default, it detects and blocks new, unknown programs only when your computer is in a risky state. It’s a useful tool, as proven in testing, and its new WhitelistCloud feature (for paying customers) aims to bring it closer to replacing traditional antivirus.
In a non-commercial home setting, VoodooShield’s basic features are free. If you’re using it for business, you must pay for a subscription, which starts at $30 per year for a single PC and goes down to $10 per year per PC for a thousand or more. Paid users also get tech support, access to a huge number of settings, and other advanced features, including access to the WhitelistCloud analysis system. For this review, I started with the free edition and then checked out the paid features.
Getting Started With VoodooShield
After its simple installation, the program asks you to either register your email as a free user or enter your email and license key for a paid installation. It immediately takes a snapshot of active programs on the system, announcing that activity with a small notification in the bottom right corner.
Next it asks you to choose AutoPilot mode or Application Whitelisting Mode. The former requires less user interaction but is also a bit less secure. I chose the whitelisting mode for full security.
Note that if malware is already present on your computer, it gets whitelisted in that initial snapshot, along with your legitimate programs. If you’re using this program alongside traditional antivirus, run a full scan before installation. If not, take advantage of Malwarebytes Free or another free cleanup tool before installing VoodooShield.
A big welcome screen offers a simple description of how the program works. In short, it says that instead of trying to detect and block bad programs from running the way typical malware protection tools do, VoodooShield only allows known good programs to launch. In its default Smart Mode, it operates only when your computer is at risk, meaning when it’s connected to the internet or a USB drive has been mounted.
The next screen explains that VoodooShield may block something you intended to run, and that you can click a button to allow that program. You can also turn it off temporarily with a click when installing new programs.
A third screen goes into detail about how to handle new programs. For starters, any program that was running while protection was off is whitelisted automatically when it turns on. When an unknown program appears, you get a pop-up notification from VoodooShield. If it’s something you’re deliberately installing, just click to allow it.
The program also points out that when it blocks a file, it checks the file against “50+ industry standard scan engines.” If you think that sounds like it’s checking with VirusTotal, you’re right. As you’ll see later, the sandbox analysis mentions VirusTotal by name. An antivirus using VirusTotal as its detection engine is against policy, but checking the database after detection is allowed.
On, Smart, and Off Modes
All you normally see of VoodooShield is a tiny shield-shaped icon in the bottom-right corner of your screen. You can move it to a different location, if you wish, or make it transparent. Its right-click menu lets you control the program’s operational mode, among other things.
When VoodooShield is turned off, it’s in training mode, which means that it whitelists every program you run. The shield icon turns red and displays OFF. Use this mode when you’re installing a new program from a trusted source.
When you turn VoodooShield on, the shield turns blue and displays ON, and it blocks execution of any program that isn’t already on the whitelist. If it blocks access to a program you intended to launch, click the notification-area pop-up to reveal the full details, and then click Allow. If you don’t recognize the program, you can block its execution or put it in quarantine. Or you can just ignore it; VoodooShield blocks automatically after 20 seconds. As noted, for paid users the WhitelistCloud feature enhances this experience; I’ll discuss it below.
For the first while after you install VoodooShield, you may see quite a few of these pop-ups. You can reduce the pop-up clutter by sticking with Smart mode. The logic behind this mode is simple. It assumes that you don’t have malware already present on your computer, so the only way malware can enter is from the Internet or from a removable drive. In Smart mode, VoodooShield defaults to off, and it whitelists programs you run. But if you connect to the Internet or insert a USB drive, it turns on to vet any new programs.
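To make the three modes concrete, here is a small Python model of the rules described above. It is an added illustration, not VoodooShield's own code (which is closed source); the program names are constructed, and the risk test (online or USB mounted) and auto-block default follow the review's description rather than the vendor's implementation.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    OFF = "OFF"      # training: anything you run is whitelisted
    ON = "ON"        # enforcing: anything not whitelisted is blocked
    SMART = "SMART"  # OFF until the PC is at risk, then ON

@dataclass
class Shield:
    mode: Mode = Mode.SMART
    whitelist: set = field(default_factory=set)
    internet: bool = False     # a Web-aware app is connected
    usb_mounted: bool = False  # a removable drive is mounted

    def snapshot(self, active_programs):
        # Install-time snapshot: whatever is already running is trusted,
        # which is why the review says to clean the PC before installing.
        self.whitelist.update(active_programs)

    def enforcing(self) -> bool:
        if self.mode is Mode.ON:
            return True
        if self.mode is Mode.OFF:
            return False
        return self.internet or self.usb_mounted  # Smart mode's risk test

    def launch(self, program: str, user_allows: bool = False) -> str:
        """Decide what happens when `program` tries to start."""
        if program in self.whitelist:
            return "allowed"
        if not self.enforcing():
            self.whitelist.add(program)  # training: learned as trusted
            return "whitelisted"
        if user_allows:
            self.whitelist.add(program)  # user clicked Allow on the pop-up
            return "allowed"
        return "blocked"  # no click within 20 seconds: blocked by default

def demo() -> list:
    s = Shield()
    s.snapshot(["explorer.exe", "outlook.exe"])  # constructed sample
    out = [s.launch("editor_setup.exe")]         # offline -> learned
    s.internet = True                            # browser goes online
    out.append(s.launch("unknown_dropper.exe"))  # unknown while online -> blocked
    out.append(s.launch("editor_setup.exe"))     # learned earlier -> allowed
    s.internet = False
    out.append(s.launch("unknown_dropper.exe"))  # same file offline -> learned!
    return out
```

The last step in `demo` shows the assumption Smart mode rests on: a file that is already on disk and launched while the PC is offline is learned as trusted, so the mode only helps if nothing malicious is present before protection turns on.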
VoodooAi and Scanning
In addition to simply blocking unknown files, VoodooShield subjects them to a machine-learning tool called VoodooAi. Trained with thousands of samples of malware and valid files, this system develops internal models of the characteristics that distinguish good from bad. It doesn’t look for specific malware signatures, or even for malware-like behaviors. Rather, it tracks dozens of file characteristics that differ significantly in the two groups.
Supplementing this machine-learning engine, VoodooShield checks any blocked file against the database of a well-known multiengine antivirus scanning service. Legal and contractual issues theoretically prevent the company from naming that service, but in the reports from its cloud sandbox you can see that it’s VirusTotal. And yes, while the service in question can’t legitimately be used as a primary detection engine, checking whether files have already been scanned is OK.
For a file that seems to be malware, VoodooShield offers several options. Besides merely blocking the file’s execution, you can choose to quarantine it, just as you can with Bitdefender Antivirus Plus, Kaspersky, and most traditional antivirus tools. When VoodooShield blocks a file as malicious, not merely unknown or suspicious, the Allow button changes to Allow False Positive. If you click it, you must confirm that you know what you’re doing, and that running the file could introduce malware.
For a real-world test, I tried launching each of the malware samples that I use in regular antivirus testing. VoodooShield blocked all of them, naturally, since they were not whitelisted. It also identified all but a few of them as malware, for a total detection score of 96 percent. For comparison, Avast, McAfee, and Norton also detected 96 percent of these samples, while Webroot SecureAnywhere AntiVirus detected 100 percent of them. Of course, these standard antivirus programs had many chances to foil the malware, including static detection before launch and detection based on behavior, among others.
The details for each detection included figures for how many VirusTotal participants had examined the file, and how many flagged it as malicious. In most cases, 70 or more antivirus engines weighed in. The number of red flags ranged from 28 to 67, with two-thirds of the samples getting the stinkeye from at least 40 antivirus engines.
I also launched about 20 old PCMag utility programs. These are legitimate programs that aren’t commonly used, since the PCMag utility library has shut down. Some aren’t digitally signed, while others are signed with expired certificates. VoodooShield reported on certificate status, and noted the cases where one or two antivirus engines flagged the app, but in most cases, it advised going ahead with the installation.
For five of the programs, the VirusTotal database drew a blank, and the VoodooAi component couldn’t decide. VoodooShield advised blocking these from running (a step short of putting them into quarantine). Exactly one of the legitimate programs got tagged as suspicious, because for some reason eight of the antivirus engines identified it as malware.
I deliberately chose these files because, while they’re legit, they have some problems. VoodooShield’s behavior seems totally reasonable to me. If you stick with up-to-date programs that are digitally signed, as you should, VoodooShield shouldn’t give you any trouble.
Playing in the Sandbox
VoodooShield includes a local sandbox mode, designed to let you run iffy programs without permitting them to make any permanent changes to the file system or Registry. I chose a dozen samples for sandbox testing, opting for ones that do something visible onscreen. For half of them, VoodooShield didn’t even offer the local sandbox. The other half nominally ran in the sandbox, but didn’t do anything at all. My company contact admitted that this feature isn’t the most useful.
Much more interesting is the cloud-based Cuckoo sandbox. VoodooShield’s messaging does point out that submitting files to Cuckoo effectively makes them public and warns not to submit anything private or proprietary. Note that both sandbox modes are fully available to consumers using the free edition.
Cuckoo runs each submitted sample in a virtual environment that’s equipped with telemetry to track exactly what happens. You can check a box to view that virtual machine using remote desktop technology. It was fascinating to watch the Petya ransomware encrypt the virtual disk and demand its ransom, only to vanish once analysis finished. The display does lag at times. Instead of flashing between red-on-white and white-on-red, the Petya installation visibly repainted the screen for each flash.
Each Cuckoo analysis took five minutes or more, so I only ran about a third of the samples through the process. In every case, it came up with a malware score of 10.0 points, meaning malicious without a doubt. For some, it supplied an identifying name such as Petya, Razy, or Youxun.
That malware score is just the top of a very lengthy page of information about the tested program. Every file dropped by the malware, every change to the Registry, every network access attempt, it’s all there. Probably the most interesting section is titled Signatures. This lists specific behaviors that went into identifying the program as malicious, things like setting itself to launch at startup, stealing private information, or attempting to interfere with the analysis process. The one signature present in almost every case was this: “File has been identified by at least ten Antiviruses on VirusTotal as malicious.”
I also sandboxed a half-dozen legitimate utilities that VoodooShield recommended blocking. All but one ranged from 3.6 to 6.2 on the malware scale. The remaining one got flagged as total malware, with a collection of signatures to rival any of the actual malware. Among its alleged suspect behaviors were two instances of interfering with Cuckoo, a check for the presence of known forensic tools, and code injection to a remote process. All this from a utility whose sole purpose is to display system stats such as CPU usage, available disk space, and length of the current Windows session!
I found the sandbox scan fascinating, but the average user might not. In addition, its reporting on some valid programs wasn’t any different from how it described known malware. There’s no requirement to use Cuckoo, fortunately.
Paid Edition and WhitelistCloud
Paying for VoodooShield enables a boatload of settings that most people don’t need and gets you tech support, which you might need. Most importantly, paid users get the benefit of a feature called WhitelistCloud. When you turn on this feature, it scans the files on your system and flags them as safe or not. It does clarify that a file marked “not safe” may be fine; it just couldn’t confirm the file as safe. On my test system, it marked all the active programs safe.
The other difference is that when VoodooShield reports on an unknown program, it includes a line for WhitelistCloud. I re-ran my malware collection under the paid version and found the results not terribly useful. The stats from VirusTotal didn’t change, nor did VoodooAi’s rating. And WhitelistCloud marked a full 15 percent of the samples as safe.
I ran through my set of legitimate programs again, with better results. WhitelistCloud correctly marked all of them as safe. Still, only one sample got a clean bill of health from all three sources: the antivirus engines, VoodooAi, and WhitelistCloud.
One of the things you get by opting for the paid version is full access to the program’s advanced settings. Note that you can certainly use VoodooShield without ever touching these. In fact, many of the settings are aimed at a managed situation in which IT controls what users can do with the program. I won’t attempt an exhaustive discussion of all the settings.
You’ll find the right-click menu a little different. Now in addition to the mode choice, you have a choice of security posture: Aggressive (the default), Moderate, Relaxed, and Silent. A pop-up description suggests that you may want to run at Moderate or Relaxed mode for a while, until VoodooShield learns all your programs. My own thought is that Aggressive protection seems just fine.
Two settings pages that might prove useful are Whitelist and Quarantine. Not only can you see all the programs you (or VoodooShield) have whitelisted, you can remove any that were whitelisted in error. In a similar fashion, you can see all the quarantined files and optionally delete them permanently. In the unlikely event that you managed to quarantine a valid file, you can restore it.
On the Utility page you can back up and restore the whitelist, or back up and restore your settings, with backups either on the desktop or in the cloud. This is also the page that allows an IT administrator to define a password, preventing users from making changes to the settings. In a multi-PC installation, the administrator can log into VoodooShield online to sync whitelists between computers.
In Smart mode, VoodooShield turns from off to on when a Web-aware application launches. The Web Apps page lists all the apps it tracks, highlighting any that are currently connected. It also lets you add custom browsers and other Web-aware apps to the list.
Among other things, the settings page lets you tweak VoodooAi’s sensitivity from its default Balanced mode down to Reckless or up to Paranoid. You can tweak UI elements such as the transparency of the shield icon. You can also control how VoodooShield handles programs in specific folders.
If you launch the Settings dialog from the free edition, the program suggests that you upgrade to the paid edition. If you decline to upgrade, you’ll still see all the settings. You just won’t be able to change them.
A pure whitelisting solution, one that just blocks execution of any new file, would be too annoying for the average user. VoodooShield’s ability to lock down the computer only when there’s potential for risk balances security with convenience. Previously, the introduction of the VoodooAi system brought this program closer to true antivirus status. We expected WhitelistCloud to further that journey, but its simple safe-or-not ratings didn’t do much for us. The free edition is definitely a good addition to your security arsenal, but unless you’re working in a commercial setting, we don’t see a real reason to purchase the paid edition.
Meanwhile, you still need a traditional antivirus. Use VoodooShield alongside one of our Editors’ Choice antivirus tools: Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, or Webroot SecureAnywhere Antivirus.