VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Right now I am leaning toward and working on raising some money and building VS on our own, but if the right company came along and wanted to be involved, we would certainly entertain that option. Probably the best scenario for VS would be to have one of the top security companies invest in and own a significant part of VS and become our "big brother". But really, I am open to anything, with more emphasis on what is best for VS (and locking computers), and less emphasis on making short term money.
     
  2. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,225
    Location:
    Canada
    Whatever direction you go, I sincerely wish all the best for you and for VS. You are working so hard, you really deserve to make money.:)
     
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,458
    Location:
    Ontario, Canada
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that!

    BTW, one thing I totally forgot to mention on the first test video (during the VS test) is that the blacklist scan is only analyzing some of the files because it will only allow you to upload a few at a time... basically it limits the number of files you can upload at any given time, so it skips quite a few samples. If we delayed each execution by 5-10 seconds, the blacklist scan would analyze every single file... but I actually sped up the executions by lowering the user prompt countdown and the number of VS flashes. That is why the user prompt oftentimes says "Threat Detected by VoodooAi!", and not "X/XX Threats Detected by Blacklist Scan and VoodooAi"... but I just chose to run it as it was so that we could also get a rough idea how the blacklist scan was doing with these samples as well.

    It might be easier to just scan the files with the stand alone version of VoodooAi, since it does not have the blacklist scan. From what I remember, I think the stand alone version of VoodooAi "missed" 2 of the 1000 samples... but upon further inspection, these files were pretty clean... there are always going to be a handful of clean files in any malware pack.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not exactly sure what the rate is for the blacklist scan, but 4 files per minute sounds about right. I think I am going to kill two birds with one stone and add options to VS to turn off the blacklist scan and also turn off VoodooAi, and then when I run the next test / video, disable the blacklist scan. See, between the blacklist scan and VoodooAi, it would be very, very, very difficult to find something that would bypass both... especially when unknown files are blocked by default. So then if we test with the blacklist scan disabled, and only VoodooAi enabled, that levels the playing field even more. It will also reduce the false positives. And that way, the testing labs will have the option to disable the blacklist scan if they feel it is more fair to do so. I have tested the heck out of VoodooAi with the stand alone version of VoodooAi, and it will do great. It will not be 100% all of the time, but it will be 99.5% +. And I am okay with that, because the computer should be locked anyway ;).

    Implementing these options will also let users who have the freeze issue disable VoodooAi, to see if that is what is causing the issue... I think it is VoodooAi that is causing the freeze.

    Hopefully I will be finished with the 2 new VS features and the video by tomorrow night. I already tested Cylance, and it scored almost identical to what it scored the first time... I think it was off by 0.1%... so it did pretty darn well, but the computer should still be locked ;). Thank you!
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, I can test that in a day or so, but I want to make sure we perform the test exactly how Sophos did... it might be a little difficult since we no longer have the video to study. If we can remember exactly what they did, then sure, I can do that.

    Yeah, I tried to do a queue a while back, but I ran into problems, so I ended up just having the user prompt say "Blacklist scanner is busy" (or something like that). It actually keeps up pretty well, especially for everyday use, and I am sure it is extremely uncommon for the blacklist scan to be busy. Maybe at some point I can try a queue again... thank you for the suggestion!
     
  8. guest

    guest Guest

    What do you call the black list? The VT result?

    EDIT: typo
     
    Last edited by a moderator: Jun 26, 2016
  9. Dan

    In a previous post I mentioned that when 5 AVs flag an executable it is for sure (99,99%) malware. So the VT blacklist scan is a useful addition to VS. No discussion about that.

    With Windows 8, an anti-virus (blacklist solution) and SmartScreen (whitelist reputation solution) are already part of your OS. When VS needs the VT blacklist scan it overlaps as a solution and it tells potential customers that VS with AI on its own is not enough (because it needs an AV blacklist, obviously).

    Anti-executables have existed for ages (Faronics AE and Software Restriction Policies), and there are free anti-executables (NVT) and AE with a VT-like blacklist combined with freemium (SecureAPlus), so why launch another me-too product?

    So drop VT scan and stay away from overlapping technology and traditional AV players with deep pockets and communication power (see attacks of Symantec and Sophos on Cylance).

    Why not position your product as innovative technology bringing Cylance like technology to the consumer market, you define your own category. VS as the perfect companion to a free AV, focusing on unknown threats. Think about that. What potential market could that be?

    Regards, Kees
     
  10. guest

    guest Guest

    I disagree, VT is information and information is power, the user doesn't even need to know that VS is using VT as part of VoodooAI calculations or as a separate thing in the VS equation.

    On the other hand I would like to have VoodooAi as a standalone real time (second opinion) AV.

    The default deny approach (VS, Comodo...) is more secure but is uncomfortable for the end users; this might be a problem in order to commercialize VS.
     
  11. Well, as said, default deny anti-executables have been around for ages. How many of them are installed on the PCs of normal (non-power) users?

    Less is more is a valuable and proven approach in design, ranging from architecture to IT.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Kees,

    Thank you, that is a very interesting view, and I think you make a lot of sense. I do think the blacklist scan is extremely helpful to the end user, and when combined with VoodooAi, it would be extremely difficult to find something that will bypass both... they really are a great combo.

    My point in making these test videos is to demonstrate that no matter how accurate various solutions are at detecting and blocking malware, the computer still needs to be locked when it is at risk. I have read or seen on multiple occasions, people suggesting something like "Bill Strub, co-founder of St. Paul, Minn.-based NaviLogic, a Cylance partner, said the Sophos test was "not the same level of performance that we've seen" with the product. He said he has only seen one instance where a downloader made it past the Cylance system, only later to be caught as it began to download malware to the environment." from the following link: http://www.crn.com/news/security/30...t-for-endpoint-security-heats-up.htm/pgno/0/1

    Which is why I question if anyone is even testing these solutions, when it is extremely easy to find malware that slips by them. Detection rates above 95% or so are phenomenal, but as bad as malware is these days, it is simply not enough, without locking the computer when it is at risk.

    There are a lot of really great AV products on the market, but none of them have focused on creating an application whitelisting solution that is user-friendly that everyone can use properly. You would be shocked to see how quickly complete computer novices understand VS... they "get it" within a few minutes... basically after the first time or two that VS blocks something. The reason I know this is because a lot of times I will need to log in to a client's computer remotely, so they need to download, for example, TeamViewer, and it is quite funny how they say something like "Oh, VoodooShield blocked TeamViewer, let me allow it." And these are people who are such novices that they do not even know how to change their desktop background... and this is not an exaggeration ;).

    The security industry needs to move away from the current "Allow by default" model and pivot to a "Deny by default" model. With VS, the idea is to lock the computer, but if a non-whitelisted executable can prove with the blacklist scan and VoodooAi that it is squeaky clean, then it is okay to either auto allow, or recommend to the user that it is okay to allow. The thing is, we cannot just lock up the entire computer and burden the user with affirmative user prompts for all new non-whitelisted items. And as you know, VS has several features that automatically and safely build the whitelist, so the user is not burdened.

    A lot of the enterprise IT managers will not even consider application whitelisting because it is extremely daunting to implement, and there is a lot of ongoing maintenance involved. But the way I see it, that is not a reason to not lock the computer when it is at risk. They should not just give up and throw their hands in the air in frustration, and settle for 63-95% detection rates.

    Yeah, I am extremely familiar with the Symantec VS Cylance fiasco... and something tells me that the attacks on Cylance are not going to be ending anytime soon. My intention is to not attack any of these companies, but rather to make people realize that their computer needs to ALSO be locked when it is at risk. I think with youtube and social media, we have plenty of "communication power", especially when it is extremely easy to demonstrate that all of these products need to also be locked. Because really, you need both high detection rates and you need to lock the computer. Thank you Kees!
     
    Last edited: Jun 26, 2016
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey guest... please see post #10934 as well, I discuss a lot of this in that post. Great points btw, thank you! Yeah, at some point we might build VoodooAi out a little more, that would be cool.

    I really think you would be surprised how comfortable end users are with VS (no matter their skill level)... they are actually more comfortable when VS is sitting on their desktop and they know it is protecting them. And I have yet to find a local user (out of 300-400 or so) who is unable to understand and properly use VS. Thanks again!
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Exactly, but hopefully VS is either already user-friendly enough to change this, or will be soon ;). Thank you Kees!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is pretty much what VS currently does, with the false positive detection and VoodooAi stuff. It is not absolutely perfect yet, but we can tweak it a little more then it should be just right. Thank you!
     
  16. @VoodooShield

    Agree, as I said there is a 99,99% chance something is malware when at least 5 engines flag it as malware at VT. So VT is useful, just wondering how much worse would VS perform with AI only?

    @SHvFl
    Well you are right, but when VS takes off, would you let someone eat your market share away using your knowledge? See what reactions Cylance triggers. When something might not be needed (Dan will be running tests soon with AI only), why provide competitors a stick to hit you with?

    When you are not a replacement, you are not a competitor. Without having all the info, being an add-on did not seem to hold MBAM back in gaining a nice and profitable market share.
     
    Last edited by a moderator: Jun 26, 2016
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see... well, when you combine the two (with VS's false positive detection), it is essentially 100%, or at least approaching 100% (99.99% or so). VoodooAi alone, from my testing, is 99% or above, typically 99.5%. The reason VoodooAi has such high detection rates is because it is set to be slightly more aggressive than, for example, Cylance, since it is performing a realtime scan, and cannot be quite as aggressive, otherwise there would be way too many false positives. And with VS / VoodooAi, obviously you can set the VoodooAi Sensitivity to your liking... but either way, users should not run on AutoPilot... they should lock their computer when it is at risk. I implemented AutoPilot so that users who simply do not want to lock their computer can still use VS and VoodooAi.

    But that is EXACTLY why VS's application whitelisting / toggling computer lock component is the absolute perfect match for Ai.

    VS already has a realtime VoodooAi scanner that is slightly more relaxed than the one that is currently used when something is blocked... I just have not enabled it yet, but will do so soon. Then we will see how well it works and if there are too many false positives.

    But to me, false positives are only an issue when they are a result of a realtime scan. I believe there is absolutely nothing wrong with informing the user of the maliciousness of a file, when a non-whitelisted item is blocked. To me, that is not a false positive... that is simply informing the user. As I posted yesterday... it is just absolutely insane to me that HijackThis could ever be considered a false positive. It is a phenomenal app, but the user should be aware of its potential dangers, and not auto allowed. Thank you Kees!
     
  18. Yeah we don't disagree about that ;)
     
  19. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    My suggestions -
    1. An option to set the VT detection level, i.e. 3, 5, etc. Personally I find level 3 good. So detection by 3-4 AVs should be mentioned as suspicious & after popup time-out should not be auto-quarantined. Detection by 5 & above AVs should be mentioned as malware/malicious & after popup time-out should be auto-quarantined.
    2. List all the AVs so that users can select the AVs for VT detection. Don't know if it's possible & allowed by VT or not?

    Would be good if only reputed & good AVs are kept & non-reputed & FP-prone AVs are not kept.
    Maybe take a POLL here to keep/remove AVs.

    I have mentioned the options quite a few times in this thread so please don't take it as bugging or repetitive posts.
    Just an honest suggestion & wish.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for the suggestions! VS's false positive feature currently works like this... Anything that has 5+ detections is considered unsafe. If there are 1-4 detections, there is a list of engines with low false positives and a list of engines with high false positives... I researched these results from the various AV testing lab data. So if the only detections are from engines that have high false positives, then VS assumes it is a false positive. If any of the detections are from the low false positive list, the file is considered unsafe. I am sure there is a little tweaking we can do, and we can possibly make some of the options user adjustable... but having said that, the false positive feature is surprisingly accurate as it is... but we can always make it better. I would love to list all of the engines so the user can adjust them, and it would be quite easy to do so, but at this time that is not a possibility ;).

    I have to go onsite and help a client move, but I will talk to you guys soon... thank you!
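The decision rule VoodooShield describes in the post above (5+ detections is unsafe; with 1-4 detections, only high-false-positive engines firing means a likely false positive, while any low-false-positive engine firing means unsafe), together with the adjustable threshold and "suspicious but not auto-quarantined" band khanyash asked for two posts earlier, written out as an added example. This is not VoodooShield's code and not VirusTotal's API; the engine names, the two reputation lists and the sample scan reports are constructed placeholders (the real lists come from lab data that is not in the thread), and the handling of engines on neither list is a design choice made here.

```python
"""Scan-verdict heuristic over multi-engine detection results.

Added example, not VoodooShield's own code. Engine names, reputation lists
and sample reports are constructed placeholders for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    UNKNOWN = "unknown"            # no usable scan result: file stays blocked (default deny)
    CLEAN = "clean"
    LIKELY_FP = "likely false positive"
    UNSAFE = "unsafe"              # warn the user; do not auto-quarantine
    MALICIOUS = "malicious"        # auto-quarantine once the prompt times out


# Hypothetical reputation lists (constructed for this example).
LOW_FP_ENGINES = frozenset({"EngineA", "EngineB", "EngineC"})
HIGH_FP_ENGINES = frozenset({"EngineX", "EngineY", "EngineZ"})


@dataclass(frozen=True)
class Policy:
    # Detections at or above this count are malicious. The thread's rule uses 5;
    # khanyash asked for it to be user-adjustable (e.g. 3).
    quarantine_threshold: int = 5
    # Engines whose detections are discounted when they are the only ones firing.
    high_fp_engines: frozenset = HIGH_FP_ENGINES
    # Engines whose single detection is enough to call the file unsafe.
    low_fp_engines: frozenset = LOW_FP_ENGINES


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    detections: int
    auto_quarantine: bool
    reason: str


def classify(report: Optional[dict], policy: Policy = Policy()) -> Decision:
    """report maps engine name -> True if that engine flagged the file.
    None models a scan that returned nothing (e.g. the scanner was busy)."""
    if policy.quarantine_threshold < 2:
        raise ValueError("quarantine_threshold must be at least 2")
    if not report:
        # No data is not the same as clean: under default deny the file stays blocked.
        return Decision(Verdict.UNKNOWN, 0, False, "no scan result; default deny applies")

    flagged = frozenset(engine for engine, hit in report.items() if hit)
    n = len(flagged)
    if n == 0:
        return Decision(Verdict.CLEAN, 0, False, "no engine flagged the file")
    if n >= policy.quarantine_threshold:
        return Decision(Verdict.MALICIOUS, n, True,
                        f"{n} detections >= threshold {policy.quarantine_threshold}")

    # Below the threshold: weigh which engines fired rather than how many.
    trusted_hits = flagged & policy.low_fp_engines
    if trusted_hits:
        return Decision(Verdict.UNSAFE, n, False,
                        "low-false-positive engine(s) fired: " + ", ".join(sorted(trusted_hits)))
    if flagged <= policy.high_fp_engines:
        return Decision(Verdict.LIKELY_FP, n, False, "only high-false-positive engines fired")
    # Engines on neither list: treated conservatively as a real detection
    # (a design choice for this example; the thread does not say how VS handles them).
    return Decision(Verdict.UNSAFE, n, False, "detection(s) from unlisted engine(s)")


# Constructed sample reports, one per branch of the rule.
SAMPLE_REPORTS = {
    "busy_scanner": None,
    "clean.exe": {"EngineA": False, "EngineX": False},
    "fp_only.exe": {"EngineX": True, "EngineY": True, "EngineA": False},
    "one_trusted.exe": {"EngineA": True, "EngineX": True},
    "widely_flagged.exe": {e: True for e in ("EngineA", "EngineB", "EngineC", "EngineX", "EngineY")},
}


def classify_all(policy: Policy = Policy()) -> dict:
    """Verdict per sample report under the given policy."""
    return {name: classify(rep, policy).verdict for name, rep in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for name, rep in SAMPLE_REPORTS.items():
        d = classify(rep)
        print(f"{name:20} {d.verdict.value:22} quarantine={d.auto_quarantine}  ({d.reason})")
```

Lowering `quarantine_threshold` to 3, as khanyash suggests, moves a file with one trusted and two high-false-positive detections from "unsafe, prompt the user" to "malicious, auto-quarantine"; the empty-report branch matters because the post earlier in the thread notes the blacklist scan skips files when the upload limit is hit, and a skipped scan should not be read as a clean result.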
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have to get going... but keep in mind, that is the beautiful thing with Ai... it detects the dirty tricks that malware authors use to evade traditional antivirus, so that really is not an option for them, because if they do so, then the traditional antivirus will catch them ;). Thank you!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, anything is possible. Which is exactly why we need to lock our computer when it is at risk ;). Okay, I really am leaving now ;).
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Also, SHvFl, please keep in mind that the whole idea is to severely limit what options malware authors have. If there is a great traditional security product and an Ai product on a device, the malware authors options are extremely limited. Let's at least make them work for it ;).

    Krusty13 will enjoy this... As I was driving today, I realized that if the brakes on my car failed say 1-10% of the time, I think most people would find that unacceptable. But yet, it is okay for security software to fail at a similar rate? To me, the potential repercussions are simply way too high to settle for anything less than a detection rate that at least approaches 100% (without locking the computer).
     
    Last edited: Jun 26, 2016
  24. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I have had another couple of freezes with VS 3.28 and always the same conditions as follows:

    D/l program - in this case it was Dropbox.
    Install program
    Allow the first 1 or 2 popups then set to training mode and allow rest of program to install.
    Open program
    When VS reminds you select No.
    Icon should still be red. Rt click on to select Smart. At this point with me it is frozen.

    Hope this helps. Will send logs if needed.

    Edit
    This usually occurs if I forget to set it to Smart again.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you David, yeah, that does help!

    While I was adding the 2 new features to disable the blacklist scan and VoodooAi, I noticed something that might be the cause of the freeze issue, and I will post a version asap.

    So basically, everyone can run the new version, then if they are still having the freeze issue, if they want to disable VoodooAi for a couple of days to see if the freeze issue still exists, we will have the issue completely narrowed down. Thanks again!
     