VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    :thumb:

    From Glasswire!

    2017-01-02_10-33-31.png
     
  2. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Thanks very much indeed. I checked those domains but they do not appear in my hosts file.

    I've reloaded with a smaller hosts file and that works. The problem is that it still leaves more than half a million entries to check.

    The smaller hosts file doesn't block VS but the larger one does.

    Hosts.jpg
     
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Sorry, I have no use for a hosts file; mine is default and protected by WSA.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    VoodooShield is doing a very good job of protecting my computer, but I think it is a little too good. It blocks every installer I try to run. The icon blinks a little, but it doesn't show a prompt, and it doesn't even log the event...
     
  5. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Okay I detect connections to these domains but still cannot relate any of them to anything in my (old) hosts file.

    ussouthcentral.services.azureml.net
    www.virustotal.com
    voodooshield.database.windows.net
    www.voodooshield.com
    a23-4-59-27.deploy.static.akamaitechnologies.com
    ghs-vip-any-c46.ghs-ssl.googlehosted.com
    96-31-37-96.hostcollective.com
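For the hosts-file problem above (posts 2 and 5: a half-million-entry hosts file breaks VS, but none of the listed domains turns up by eye), the script below is an added example, not code from the thread or from VoodooShield. It parses a hosts file, reports exact sinkhole entries for the listed domains, and separately lists parent-domain entries so they can be ruled out: the hosts file has no wildcard matching, so `0.0.0.0 azureml.net` does not affect `ussouthcentral.services.azureml.net`. It then bisects the entries with a test predicate, which costs about log2(n) tests per culprit, roughly 19 rounds for 500,000 lines. The sample hosts text and the simulated predicate are constructed for illustration; in practice the predicate is the manual test (write the subset to the hosts file, run `ipconfig /flushdns`, check whether VS reaches its servers).

```python
"""Find hosts-file entries that sinkhole VoodooShield's domains, and bisect a
large hosts file to locate the offending lines. Added example, not code from
the thread or from VoodooShield; sample data and predicate are constructed."""
import ipaddress

# Domains VS was observed contacting (listed in post 5 of the thread).
VS_DOMAINS = [
    "ussouthcentral.services.azureml.net",
    "www.virustotal.com",
    "voodooshield.database.windows.net",
    "www.voodooshield.com",
    "a23-4-59-27.deploy.static.akamaitechnologies.com",
    "ghs-vip-any-c46.ghs-ssl.googlehosted.com",
    "96-31-37-96.hostcollective.com",
]

# Constructed hosts file: Windows defaults plus a few blocklist-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 virustotal.com www.virustotal.com
127.0.0.1 azureml.net
0.0.0.0 hostcollective.com
0.0.0.0 www.voodooshield.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; a line may carry
    several names; comments, blanks and malformed lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def is_sinkhole(ip):
    """0.0.0.0 / 127.0.0.1 / ::1 style mappings make a name unreachable."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


def blocked_domains(hosts_text, domains):
    """Return (exact, parents): exact maps a domain to [(line_no, ip)] of
    sinkhole entries naming it exactly; parents maps a domain to parent names
    present in the file, which do NOT block it (hosts has no wildcards)."""
    by_name = {}
    for ip, name, line_no in parse_hosts(hosts_text):
        by_name.setdefault(name, []).append((line_no, ip))
    exact, parents = {}, {}
    for domain in domains:
        domain = domain.lower()
        hits = [(n, ip) for n, ip in by_name.get(domain, []) if is_sinkhole(ip)]
        if hits:
            exact[domain] = hits
        labels = domain.split(".")
        for i in range(1, len(labels) - 1):  # stop before the bare TLD
            parent = ".".join(labels[i:])
            if parent in by_name:
                parents.setdefault(domain, []).append(parent)
    return exact, parents


def find_culprits(entries, breaks):
    """Bisect `entries` to find every entry that on its own trips `breaks`.
    Assumes a subset breaks iff it contains at least one culprit, so each
    culprit costs about log2(len(entries)) calls of the (manual) test."""
    remaining = list(entries)
    culprits = []
    while remaining and breaks(remaining):
        lo, hi = 0, len(remaining)  # remaining[:lo] passes, remaining[:hi] breaks
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if breaks(remaining[:mid]):
                hi = mid
            else:
                lo = mid
        culprits.append(remaining[lo])  # first entry whose inclusion breaks
        del remaining[lo]
    return culprits


# Simulated predicate (assumption): VS breaks iff one of these names is
# sinkholed. In practice this is the manual hosts-file swap and VS check.
SIM_BLOCKED = {"www.virustotal.com", "www.voodooshield.com"}


def simulated_breaks(subset):
    return any(name in SIM_BLOCKED and is_sinkhole(ip) for ip, name, _ in subset)
```

Run `blocked_domains(open(r"C:\Windows\System32\drivers\etc\hosts").read(), VS_DOMAINS)` against the real file first; only if nothing exact turns up is the bisection worth the manual rounds, and the culprit may then be a name VS contacts that was not in the Glasswire list.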
     
  6. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Hi,

    Congratulations Mr. Dan and all VS users on the latest VS 3.5 :)

    This is the only issue I found while using VS (all versions up to 3.5). Only this!

    2017-01-02_23h43_26.png

    I installed Kaspersky Password Manager, which adds a plugin extension (reg.exe) in all browsers.

    I installed Chrome and Firefox. This only appears when opening Firefox; every time I open Firefox I have to press ALLOW :/ !!!

    As you see, Ai = 0.0200 and the file is safe? Why (maybe it is digitally signed), and how do I stop that? I cannot.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I had a similar thing with Norton toolbar every time I opened FF. I solved it by keeping FF open and resetting the whitelist.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I just looked at the Settings > Web Apps, and noticed it has yellow highlights, which weren't there before. I assume those are the ones that are presently running on my system. ;)

    VS_v3.50_fresh install_11.JPG
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Correct.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Hi Krusty

    Thanks for the confirmation.

    P.S. Back after the mouse froze, and could only move the cursor around the screen using the trackpad. I still haven't worked out why it happens, occasionally.
     
  11. Nocturnalizer

    Nocturnalizer Registered Member

    Joined:
    Oct 4, 2015
    Posts:
    42
    Location:
    London, UK
    I've had a couple of strange issues with the latest 3.50.

    1) When loading a new program, the shield turned completely white while it was processing and examining the program. It took longer than it usually does to look at it, but the shield then went back to normal after that period of time and the program loaded up fine. This has only been on one particular program (that I now can't remember!), not on every single one.

    2) I wasn't at my PC at the time to see what had happened, but I normally have it in sleep mode when not using it. The PC fired up and restarted itself for some reason. When I loaded into Windows, VS was sitting in Training Mode when it's normally always in Auto. I had to re-select Auto mode again.

    Any advice? If you want my log, let me know and I'll send it on for you Dan.
     
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
    Does Windows Event Viewer show anything around the time it happened either under Applications or System?
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Have you tried to uninstall VS (and removing the settings and log files when prompted), then reboot and reinstall VS? That really should do the trick... sometimes super old .dat files can mess things up a little.

    Actually, if you can send me your DeveloperLog.log file before uninstalling VS, I can take a look at it. Thank you!
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know... sure, if you can send me your DeveloperLog.log, that would be great.

    It sounds like something caused your computer to reboot itself... you might try to reinstall VS like I described in the previous post. Thank you!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ooops, thank you for catching that Hamo... yeah, I can fix that... I just need to change the logic on the anti exploit code a little.

    Can you please send me a link to the Kaspersky password manager that is causing this issue so I can test after fixing it?

    I hope to catch up on the other posts today or tomorrow... there were just a couple that I wanted to respond to now. Thank you guys!
     
  16. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Hi,

    Sure, this site : http://usa.kaspersky.com/downloads/purchase/kpm-purchase/

    Direct link : https://klamericas.secure.footprint.net/files/main/en/kpm8.0.5.485en_11072.exe

    * You may need to create an account.
     
  17. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    @VoodooShield
    I have discovered what seems to be a minor bug in 3.50.

    When using a USB drive, the USB notification doesn't always appear on the shield but, when it does, it doesn't disappear when the pen drive is removed. I have been using SMART mode and even if I switch to disable and back again, it is still there. The only way I have found to remove it is to exit VS and then restart again.

    I will forward the logs if you wish Dan.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm guessing WAR is also using PE Analysis, but it only comes into action when malware is executed, so I'm not sure. AFAIK, Invincea would always run malware inside the sandbox and then decide if it's malicious based on behavioral monitoring. But if I'm correct, the AI module from VS simply scans apps before execution, so it's similar to an AV?

    Doesn't sound like my cup of tea.
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Dan I keep getting Pop-Ups from Program Files and this latest one is from Office 2016. In Smart Mode.

    2017-01-04_14-00-16.png 2017-01-04_14-14-22.png
     
  20. guest

    guest Guest

    Yes, it's pre-execution. The behaviour is not monitored after a file is executed.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I will take a look and see if I can reproduce it!
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  23. guest

    guest Guest

    Updated from 3.48 to 3.50 manually without uninstalling 3.48.
    UAC setting was still set to Maximum as it was before the install, but UAC behaviour was acting as "Do not dim my desktop". Moved the UAC scroller from Maximum to Default and then back to Maximum, and its behaviour is working as intended now.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I could be totally wrong about this, but I believe WAR's "Ai" is behavior based (not PE based like VS and the other next-gen Ai solutions). The reason I am led to believe this is because in the WAR videos I have seen, the prompt states "Performed a Ransomware/Malware like action"... so one can only assume that their "Ai" engine extracts features from their behavior monitoring mechanism... so essentially it is a behavior blocker. If you ask me, Ai and behavior blocking are not exactly a natural combo (for a lot of reasons), whereas application whitelisting and pre-execution Ai is a phenomenal combination. For example, if VS ever has a behavior blocker, it will be completely separate from VoodooAi. In the end, all that really matters is if it works or not, and if it works really well, they may find that they do not have a need for their application whitelisting component.

    You might ask WAR how their Ai works... I am sure a lot of people would be interested. I was hoping to find some information on their Ai technology in their recent PCMag review (Neil wrote a whole section on VoodooAi for our review), but there was not a single mention.

    Yeah, Invincea is exactly as you described (as far as I know).

    As far as VoodooAi is concerned... no, it is not similar to an AV, but I have to tell you, they complement each other very, very nicely. AV's are great at detecting the common threats, and Ai is great at detecting the zero days. Both are imperfect, but when you combine the two, you really have the best of both worlds... then when you add a lock, well, you are good to go!

    There are a lot of AV companies that are developing Ai engines, and actually some have been using Ai for a couple of years now... they just did not have the marketing creativity that some of the new next-gen vendors have ;). Ai is very powerful, but it is not the holy grail of computer security.

    As far as VS is concerned, sometimes the blacklist is correct, and sometimes VoodooAi is correct, but usually they both agree and are correct... unless you are analyzing some extremely uncommon open source file (or trying to find some obscure file that you believe will fool VoodooAi ;)). That is... VoodooAi (and the blacklist) works great for most of the say 5,000 to 10,000 or so common applications that the absolute majority of people use exclusively. If you want to verify, simply go to your favorite download site and download the top 100 apps and analyze with VS... I do it everyday and am usually very happy with the results. But of course it will never be perfect.

    That is the funny thing... most samples (95% or so) are relatively straightforward, and determining the maliciousness is quite simple. But around 5% of samples are extremely tricky, and there really is no way to conclusively determine whether the file is intended to be malicious or not (and I am not even talking about greyware). For example, you can analyze a file with VT, VoodooAi and Cuckoo... and all 3 will have varying results. Not only that, but where do you draw the line in determining maliciousness of a file, especially when it comes to greyware?

    The simple truth is this... we will NEVER develop an AV or Ai engine that can render the correct verdict on the maliciousness of a file, at a rate that approaches 100%... NEVER! Current Ai technologies from the next-gen vendors approach a theoretical 99%... although in practice it is closer to 95% from what I have experienced. 95-99% sounds great until you consider that, for example, a company with 1,000+ employees will certainly have to contend with malware issues. Also, keep in mind, ransomware is now a billion dollar industry:

    http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/

    And obviously, ransomware is a small fraction of the total amount of malware released daily.

    http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/

    When we started VS in 2011, there were 15,000 new pieces of malware a day. It has at least doubled every year since then... almost like Moore's law ;).

    To me, the answer is simple... lock the computer when it is at risk, and if something is blocked, look at the file insight and decide whether it is worth taking the chance to run the file or not.

    Sorry for the rambling... I kinda went on a tangent, but if you want to know more about VoodooAi or Ai in general, I am more than happy to discuss publicly... ask away ;). Thank you!
     
    Last edited: Jan 4, 2017
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey TH, how are you? Hmmm, that is odd... does it continue to prompt you after you click allow? If so, you might have to uninstall, reboot, and reinstall... just be sure to click "Yes" when it asks if you want to remove the Settings and Logs (during the uninstall).

    Hopefully we will not have to do this anymore... the last changes that were made in VS 3.5 should put us in pretty good shape. I did my best to avoid deleting the .dat files, but there were a lot of changes that needed to be made. Thank you!
     