VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan,
    Glad to see you around again, and congratulations on getting your VS patent granted.
    The new VoodooAi sounds very interesting, looking forward to hearing more about it.
    Have a great Christmas and new year.

    Gordon
     
  2. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Dan

    We have missed you...but now that you have explained what you have been up to (we should have guessed...;))...that all sounds way, way cool and I am sure I am not the only one who cannot wait to see VoodooAI out, about and helping to deal with nasties.

    Congratulations on the patent...noticed that on the About screen in the v3.06 Beta...glad that your hard work is now officially protected. :thumb:

    And may I take this opportunity to wish you and those nearest & dearest to you a very Merry Festive Period, and a Peaceful & Prosperous New Year...and continued success with VS. :D

    Regards, Baldrick
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Everyone

    Just started using VoodooShield and I just wanted to know whether it is necessary or advisable to use an Antilogger such as SpyShelter or Zemana to complement security software?

    I have Win 7 SP1, Sandboxie, TinyWall, BitDefender Free A/V + VoodooShield

    Thanks

    Terry
     
  4. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Terry

    Welcome to the VS Userbase. :thumb:

    VS is essentially an extremely sophisticated computer 'lock', i.e., it locks down your system so that only what either it determines (via heuristics and with recourse to VirusTotal) to be safe is allowed to run OR what you the user decide you wish to allow to run, i.e., the 'if I do not know what it is/have not requested that it runs' principle. So it will prevent a keylogger from running based on the above, but it would not hurt or cause any issues for VS if you run a specialist anti-keylogger application as part of a layered defence.

    Just my thoughts for what they are worth...:D

    Regards, Baldrick
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Here is a quick portable beta version of VoodooAi. There is still a little more tweaking that needs to be done, but this will give you an idea of how well VoodooAi is going to do.

    THIS BETA PORTABLE VERSION REQUIRES .NET 4.5!!!

    Vlad is integrating VoodooAi into VS, and will convert it to 3.5 during this process so this will not be a requirement soon. Originally, VoodooAi was going to be a web app, not unlike VirusTotal, so that is why I started it in .net 4.5. Then I thought it would be cool to have a standalone app, and obviously to integrate it into VS.

    A little more about VoodooAi… it has an amazing ability to detect files that contain code that could be used maliciously, but it does not try to figure out the intent of the code… like did the author intend for the code to be malicious. As a result, a lot of system utilities and virus removal tools will be classified as Unsafe. Then again, maybe that is a better approach anyway… Instead of trying to guess whether the author intended to harm your computer, maybe it is better to just let the user know that the file they are about to allow contains code that has the potential to be malicious. Maybe that is where the AV industry went wrong… they were trying to guess the intention of authors, when really they should have just been examining the code to see if it has the potential to do something malicious? Just a thought.

    BTW, there is a login at the top right, I left it unlocked for now so you guys can explore the app (not that there is much to it ;)). Once we release a production version, we will create a new database where users can upload safe and unsafe samples to the training data, to increase the accuracy and precision of the machines / algorithms. But obviously, we need to know where the data is coming from if we are going to use it in our models. When looking at the raw data, it is quite cool... you can tell pretty much immediately if something is malicious or not.

    BTW, of course there will be false positives and false negatives... if someone could build something that was 100% accurate, there would not be a need for computer locks, right? Also, keep in mind, malware packs are not 100% perfect either... sometimes they contain false positives as well... I recently learned that the hard way ;). But overall, most malware packs contain mostly viruses and malware.

    Feel free to download some malware packs and compare VoodooAi to your favorite AV, and let me know how it does! Thank you!

    www.voodooshield.com/artwork/VoodooAi.exe
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I am still on v2.86...So, I guess this is not for XP. ;)
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This demo is completely separate from VS for now... but as long as you have .net 4.5 installed, it should work!
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Thanks...I'll give it a spin. :)
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I launched it, and it appeared briefly in Process Explorer, and disappeared. So, I checked and I don't have .net 4.5 installed. I have .net 4.0 installed, though. :(
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, thank you! It works in a VM really well too. It has been averaging around 98-99% accuracy... which is what the statistics that it generated said it would do. If you guys find some malware packs that throw it for a loop, let me know and I will upload it to the training data and retrain the machines... that will fix that ;).

    Also, I discovered a pretty cool example earlier. If you go to download.com and download "Installer Enabled" apps (the green download button), VoodooAi should detect these as unsafe. Whereas if you download the installer using the "direct download link", usually VoodooAi will call the file safe... assuming it is not some virus removal tool or something that has to dig deep into Windows.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, we should have a .net 3.5 version in a couple of days. Do you have a VM you can try it on?
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    No, my system would go into shock, if I installed a VM after 8 years of testing everything live on this system. :argh:
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see ;). BTW, the training data set is currently only 100,000 files or so. The next few days I will be uploading massive amounts of training data and retraining the models, then it should be even more accurate.
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Training data? Not, locally stored I hope?
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, nothing is stored locally, just the raw metadata is uploaded to the database. VoodooAi extracts the features from each of the files, and uploads the raw data to the server. And actually, VoodooAi does not upload any files at all, just the metadata from the features that it extracts (which is why it is not slow). The data that it sends looks something like this: 0, 3, 63000, 1, 0... except the string is a lot bigger than that ;). Also, no personal information is uploaded at all... just the string of numbers.
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Dan, I test another program in another snapshot, SAP...and it does upload certain exes, but not personal files. Is this similar?
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, VoodooAi does not upload the actual file at all. It examines the file and uploads raw data that it obtained when it examined the file. For example, a lot of AV software will extract the SHA256 hash from a file and upload it to see if there is a match. In the same way, VoodooAi extracts the SHA256 hash, along with a lot of other features of the file, and just uploads the string of characters.
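The two posts above describe a client that reads a file, extracts header-level features plus a SHA256 hash, and uploads only that string of numbers. The following is an added illustration of that telemetry shape, written for this thread; it is not VoodooAi's code, and which features VoodooAi actually extracts is not stated in the thread. It parses the PE headers with the standard library only (no execution of the file), emits a hash plus a flat numeric vector, and constructs its own minimal PE32+ sample images (clearly not real programs) so it runs offline. The feature names, the "packed-looking" sample and the threshold-free scoring are all assumptions made for the example.

```python
import hashlib
import math
import struct

# PE constants (from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opted in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP/NX compatible
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"             # 40-byte section header


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; near 8.0 means packed/encrypted-looking content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(blob: bytes) -> dict:
    """Pre-execution, header-only features of a PE file. The file is never run,
    and the returned dict holds only numbers and a hash, none of the file's bytes."""
    if len(blob) < 0x40 or blob[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)                   # 0x10B PE32, 0x20B PE32+
    (entry_point,) = struct.unpack_from("<I", blob, opt + 16)
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)  # same offsets in PE32 and PE32+

    sec_entropies, wx_sections, entry_in_exec = [], 0, 0
    for i in range(n_sections):
        (_name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, sec_chars) = \
            struct.unpack_from(SECTION_HEADER_FMT, blob, opt + opt_size + 40 * i)
        sec_entropies.append(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]))
        executable = bool(sec_chars & IMAGE_SCN_MEM_EXECUTE)
        if executable and sec_chars & IMAGE_SCN_MEM_WRITE:
            wx_sections += 1                       # writable + executable section: a common packer tell
        if executable and vaddr <= entry_point < vaddr + max(vsize, raw_size):
            entry_in_exec = 1                      # entry point lands in an executable section

    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "file_size": len(blob),
        "machine": machine,
        "section_count": n_sections,
        "timestamp": timestamp,
        "characteristics": characteristics,
        "pe_magic": magic,
        "subsystem": subsystem,
        "aslr": int(bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)),
        "nx": int(bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)),
        "wx_sections": wx_sections,
        "entry_in_exec_section": entry_in_exec,
        "max_section_entropy": round(max(sec_entropies, default=0.0), 3),
        "file_entropy": round(shannon_entropy(blob), 3),
    }


def telemetry_line(blob: bytes) -> str:
    """The flat record a client would upload: a hash plus comma-separated numbers,
    in the spirit of the '0, 3, 63000, 1, 0' string quoted in the thread."""
    f = extract_features(blob)
    return f["sha256"] + "," + ",".join(str(v) for k, v in f.items() if k != "sha256")


def build_sample_pe(packed_look: bool = False) -> bytes:
    """Constructed minimal PE32+ image (not a real program) used as offline sample input.
    With packed_look=True the .text section is made writable and filled with
    high-entropy bytes, as a packed binary often is."""
    dos = IMAGE_DOS_SIGNATURE + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5C9A1234, 0, 0, 240, 0x0022)  # x64, 2 sections
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 512, 512, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0,
                      3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    text_chars = 0x60000020 | (IMAGE_SCN_MEM_WRITE if packed_look else 0)    # CODE|EXECUTE|READ
    text = struct.pack(SECTION_HEADER_FMT, b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, text_chars)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 512, 0x2000, 512, 1024, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + IMAGE_NT_SIGNATURE + coff + opt + text + data).ljust(512, b"\0")
    if packed_look:
        text_bytes = bytes((i * 37 + 11) % 256 for i in range(512))  # every byte value twice: 8.0 bits
    else:
        text_bytes = b"\x90" * 256 + b"\xc3" * 256                   # two symbols: 1.0 bit
    data_bytes = bytes(i % 16 for i in range(512))                   # 16 symbols: 4.0 bits
    return headers + text_bytes + data_bytes


if __name__ == "__main__":
    for label, sample in (("benign-looking", build_sample_pe()), ("packed-looking", build_sample_pe(True))):
        print(label, telemetry_line(sample))
```

The point of the shape is the privacy property claimed in the thread: the record contains a hash, which is also what blacklist lookups send, plus numbers describing structure, and nothing that reconstructs the file. A real classifier would use far more features (imports, resources, strings statistics), but every one of them can be computed without running the sample, which is what "pre-execution" means in the later post.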
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I suppose we could say a fingerprint is created for the information extracted from a file. Millions of [unique] fingerprints...;)
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, but the features are all extracted pre-execution, so it is not like any of the traditional technologies like sandboxing, behavior blockers, heuristics, etc, which all actually analyze the file longer and "deeper". So VoodooAi leverages machine learning and Ai to compensate for this. Like all malware analysis, it is definitely not perfect (if it were, there would be no reason to lock our computers), but it does work really well in conjunction with the 57 blacklist scan, especially for the unknowns and zero days. For example, if the 57 blacklist scan analyzes a file and returns a 0/57, and VoodooAi has a false positive, then I would trust the blacklist scan, which VS will do automatically (in conjunction with VS's false positive capabilities). But for brand new malware and zero days, VoodooAi really excels... like when the blacklist scan is returned as unknown. So basically have a computer lock, 57 blacklist scan (with false positive detection), machine learning / Ai and you have something that would be quite difficult for anything to bypass, even if the user accidentally tries to allow it. They all work quite nicely together.
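The post above lays out how the three layers are meant to combine: a multi-engine blacklist result, the pre-execution AI verdict, and the default-deny lock that otherwise only runs what the user allows. The following is an added example of that decision logic, written for this thread and not taken from VoodooShield; how VS actually orders these checks is not shown here. One rule is an assumption: when the hash is unknown to the blacklist and the AI calls the file safe, the example still requires an explicit user allow rather than treating the AI's "safe" as proof.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class BlacklistResult:
    detections: int   # engines that flagged the file
    engines: int      # engines that scanned it (57 in the thread)


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str


def decide(blacklist: Optional[BlacklistResult], ai_unsafe: bool, user_allows: bool) -> Decision:
    """Combine blacklist, AI verdict and the user's choice into one allow/block decision.
    blacklist=None means the multi-engine scan has never seen this hash (unknown)."""
    # 1. Any engine hit is decisive; an accidental "allow" by the user does not override it.
    if blacklist is not None and blacklist.detections > 0:
        return Decision(Action.BLOCK, f"{blacklist.detections}/{blacklist.engines} engines flag the file")
    # 2. A clean result from every engine outranks an AI "unsafe": the AI verdict is
    #    treated as a false positive, as the post describes.
    if blacklist is not None:
        note = " (AI unsafe verdict treated as false positive)" if ai_unsafe else ""
        return Decision(Action.ALLOW, f"0/{blacklist.engines} engines, known clean{note}")
    # 3. Unknown to the blacklist (the zero-day case): the AI verdict is the best signal
    #    available, and an "unsafe" here also overrides the user.
    if ai_unsafe:
        return Decision(Action.BLOCK, "unknown to blacklist, AI classifies as unsafe")
    # 4. Unknown and AI says safe: fall back to the lock, which only runs what the user
    #    explicitly allows (assumption: AI "safe" alone is not taken as proof).
    if user_allows:
        return Decision(Action.ALLOW, "unknown to blacklist, AI safe, explicitly allowed by user")
    return Decision(Action.BLOCK, "unknown to blacklist, AI safe, not allowed by user: default deny")


if __name__ == "__main__":
    # Constructed scenarios covering every branch, including the "unknown" edge case.
    scenarios = [
        (BlacklistResult(5, 57), False, True),   # flagged, user clicks allow anyway
        (BlacklistResult(0, 57), True, False),   # known clean, AI false positive
        (None, True, True),                       # zero-day: unknown hash, AI unsafe
        (None, False, True),                      # unknown, AI safe, user allows
        (None, False, False),                     # unknown, AI safe, nobody asked for it
    ]
    for bl, ai, user in scenarios:
        d = decide(bl, ai, user)
        print(f"{d.action.value:5s}  {d.reason}")
```

The order of the checks is what makes the layering robust: the two signals that can say "bad" with evidence (engine hits, AI unsafe on an unknown) are consulted before the user's click, so a mis-click cannot run them, while the known-clean path is where an AI false positive is absorbed instead of nagging the user.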
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried checking a file with VS Ai, and got the following error. I'm using Windows 7 x64.

    See the end of this message for details on invoking
    just-in-time (JIT) debugging instead of this dialog box.

    ************** Exception Text **************
    System.ComponentModel.Win32Exception (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond


    ************** Loaded Assemblies **************
    mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll
    ----------------------------------------
    VoodooAi
    Assembly Version: 0.5.0.0
    Win32 Version: 0.5.0.0
    CodeBase: file:///G:/VoodooAi.exe
    ----------------------------------------
    Microsoft.VisualBasic
    Assembly Version: 10.0.0.0
    Win32 Version: 12.0.51209.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualBasic/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
    ----------------------------------------
    System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34238 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
    ----------------------------------------
    System.Core
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
    ----------------------------------------
    System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34251 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
    ----------------------------------------
    System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34270 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
    ----------------------------------------
    System.Runtime.Remoting
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34245 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Runtime.Remoting/v4.0_4.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
    ----------------------------------------
    System.Data
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_32/System.Data/v4.0_4.0.0.0__b77a5c561934e089/System.Data.dll
    ----------------------------------------
    System.Configuration
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
    ----------------------------------------
    System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34234 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
    ----------------------------------------
    System.Transactions
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_32/System.Transactions/v4.0_4.0.0.0__b77a5c561934e089/System.Transactions.dll
    ----------------------------------------
    System.EnterpriseServices
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_32/System.EnterpriseServices/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.EnterpriseServices.dll
    ----------------------------------------

    ************** JIT Debugging **************
    To enable just-in-time (JIT) debugging, the .config file for this
    application or computer (machine.config) must have the
    jitDebugging value set in the system.windows.forms section.
    The application must also be compiled with debugging
    enabled.

    For example:

    <configuration>
    <system.windows.forms jitDebugging="true" />
    </configuration>

    When JIT debugging is enabled, any unhandled exception
    will be sent to the JIT debugger registered on the computer
    rather than be handled by this dialog box.
     
  21. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
    Hi Dan,

    Just tried to give VoodooAi a spin but I am either completely misunderstanding the way it works or doing something wrong.

    When I drag-n-drop an infected exe. into the blue box there is no reaction. If I select the file via the browsing option I get the following pop-up:

    [attached screenshot: VoodooAi.jpg]

    I have .NET Framework 4.5.2 installed on a Windows 7 64-bit machine.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Oops, sorry, please try it now. I had to open the firewall on the database. Actually, it says that it can take up to 5 minutes, so please try after 5 minutes ;).
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm still having the same problem Dan. The application becomes unresponsive after submitting the file, and crashes.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Do you have .net 4.5 installed?
     
  25. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
    That's a relief - I thought it was me. :)

    I have just thrown around fifteen malicious exe. files at it and it identified every one.

    Is it possible that VoodooShield plus VoodooAi are going to make "traditional" a/v software redundant?
     