VoodooShield/Cyberlock

Not with the Live Full Cloud Webroot BrightCloud® Threat Intelligence Engine: https://www.webroot.com/us/en/business/threat-intelligence

https://www.youtube.com/watch?v=vjg6Sh862cA

 

I guess I misunderstood how VD-AI worked. So basically, it's an on-demand scanner, that uses the cloud to check if some app is malware or not, am I correct? Then I haven't got any problems with it. But I do not like it when security tools constantly communicate with the web, and upload files without my permission. But I do wonder how does Cylance manage to offer AI without the need for the cloud, is it a totally different architecture perhaps?

 

When Cylance detects a file that has a high reputation number it quarantines it to your web portal. Now it might just set the location to the file on your drive but I do know the file remains on your drive and you have no permissions to access it until you go to your portal and waive the file if you know it is not bad. I am not sure I explained that in a understandable way or not.

So it was Cylance and Palo Alto Networks partner that launched the testmyav.com website? I still have to watch the video but it sounds as though the malware downloadable was hand picked?

 

I see you have found the quote function. I also surf on WSF without scripting enabled, so I thought it was weird. And your post was perfectly fine, it was a valid question, so no worries.

Perhaps it's better to discuss this in the Cylance thread. But I do hope they will launch a consumer based version, that's configurable by the user itself. That whole "Malware Managed" stuff is not my cup of tea.

 

Thank you TH! The video is an hour long so I will have to watch it on the TV when I get a chance... but can you please point me to where whitelisting is explained in the video, so I know exactly what you are referring to?

The reason I posted about whitelisting is I realized something while working on our global whitelist feature, and I want to make sure that I do this right, so it will be really cool to get your guys thoughts on this.

I am not exactly sure how BrightCloud works (hopefully I will understand it after I watch the video), so I will just focus on VS and the VoodooAi cloud feature.

Here is a great article that provides some useful numbers and explains my concern: https://www.infocyte.com/blog/2016/...to-discover-a-breach-the-answer-may-shock-you

What I am concerned about is if a zero day is released, and the file is initially determined to be safe, but 240 days later determined to be malicious. If this is the case, then global whitelisting in general is not much different than a traditional blacklist signature, right? Global whitelisting is basically a "pre-analyzed blacklist signature", right? (if that makes any sense ). Basically, for 239 days the malware successfully bypassed the security software, the damage has been done, and the hackers have probably moved on to another target, using different malware.

Having said that, there are several mitigations you can make to the global whitelist to make it more secure, but it is not absolute. For example, a file will only be added to the VoodooAi Whitelist Cloud database if it is older than a month or so (and still is determined to be safe by the blacklist scanners), and if the file is signed, etc.

The other reason I was curious about this is because I have an important meeting in a few days, and I need to be able to explain why VS's toggling whitelist snapshot approach is more secure than a global whitelist. It has always been obvious to me that our approach is more secure, but I have not been able to explain why. Basically, anything running before the computer is at risk is safe, but once the computer is at risk, anything that is not on the tiny, customized whitelist is automatically blocked.

Anyway, if you guys can help me get my head around this, and help me to be able to explain this better, I would really appreciate that, thank you!

 

I see... we actually could implement our models on the local computer, but it would be extremely difficult to properly replicate one of the big three machine learning platforms (Amazon, Azure, IBM Watson) on the local computer... and since the whole idea of VS is to lock the computer when it is at risk, and since VS already uses the cloud for the blacklist scan, the obvious choice for VS was to use the cloud. I hope to be able to retrain our models once a month soon, and it is a lot more efficient to simply update the cloud models, as opposed to pushing out models that are 200mb or so to every computer. VS / VoodooAi does not upload the actual file... it only uploads the features of the file, and this is true for the blacklist as well. The only time VS uploads the actual file is when a Cuckoo analysis is performed... which obviously it needs the file to be able to execute it in the sandbox. Thank you!

 

Best way I can think of. Just wish I had used VoodooShield when I did a clean a install of W10. Now I have no idea as so what I may have been infected with. (Obviously nothing to obvious!)

Given your two thoughts I've quoted, could VoodooShield re scan my white list on a regular basis?

 

Hi fetch, yeah, exactly... the real time scanner is all ready to go, I just have not activated it yet, but I will soon. I like to use the BitDefender quickscan and also the Webroot System Analyzer, they are both really cool. Thank you!

http://quickscan.bitdefender.com/ (someone on wilder's told me about this one, I forgot who)

http://www.majorgeeks.com/files/details/webroot_system_analyzer.html

 

Here is an example of what I am talking about… this file was analyzed with VoodooAi in the last hour or so, the result was 0.9554, and the blacklist was 1/56, and VS called the 1 threat a false positive.

The different variants of this file go by the following names (the names are listed in the Additional Information section of VT):

Stonegarlic
Patcher.exe
Thor.exe

Here is one of the variants from 8 months, 3 weeks ago:
Edit: Sorry, the link was removed, but the blacklist score was 53 / 56

Here is one of the variants from 1 month, 3 weeks ago:
Edit: Sorry, the link was removed, but the blacklist score was 1 / 56

~removed as per policy

https://www.wilderssecurity.com/thr...-posting-of-jotti-virus-total-results.180057/


I never really paid much attention to all of this, but when I was looking at some of the VoodooAi possible false positive results that were above 0.9500 (where the blacklist result was 0/57 or 1/57), what I found was quite surprising. Don’t get me wrong… VoodooAi does have some false positives, but a lot of times this is due to poor development practices on the file being analyzed (not signed, obfuscated into oblivion, packed, no dep or aslr, etc.).

But my point is… how can you ever build a useful global whitelist, if it takes 8-12 months to ensure the file is safe, especially when there is a great chance that a new version of the file will probably be released in that time, so the process has to start over from day one.

Sorry, I am just thinking out loud here… and was curious what you guys thought of this.

 

Firefox tells me the Bitdefender Quick Scan is incompatible with 51.0.1 ...

 

Hmmm, that is odd... do you mean the plugin? I am running FF 51.0.1 (32bit), and it is working for me, but it is not using the plugin like it used to.

 

To me, a Whitelist is a list of executables collected from legit vendors (then updated with each new release of the said executable); not something unknown that was flagged as safe after some analyse.

Blacklist is a list of recognized malicious executables.

so based on that , unknown files are what i call the Grey list, just waiting to be cataloged in one of the other two list.

 

Yes I presume so, it is trying to download something when I start scan. I am using FFx64. No matter.

 

Thank you VoodooShield, for your Links and it ist funny the Post from Parker (Trend Micro).
I've started the PDF from Voodooshield 3.0 trahttp://fs5.directupload.net/images/170129/qhutzokz.jpg nslate to German languarge.
http://fs5.directupload.net/images/170129/qhutzokz.jpg

 

Marcus J. Ranum once wrote this article: The Six Dumbest Ideas in Computer Security

Item #1 in the article is of interest.

The solution: The Ultimate Firewall - be sure to check Installation Instructions.

I guess that VoodooShield offers a more practical solution.

 

Much simpler build a local white list on software signatures during VS system snapshot. Before allowing any new program, VS always performs a VT blacklist scan as double check. Remove the signature from the local white list when the VT blacklist scan finds one program with this signature as malware (e.g. more than 5 engines think it is malware)

 

High praise, Dan - agree with Peter

 

Yeah, like I said I totally misunderstood how VD-AI worked, it seems to be quite advanced.

 

@VoodooShield

When AI rating is above 0.9 and VT does not flag it as malware, trust AI and consider it a zero day in stead of a false positive

 

Thanks for posting Callender, that article might be a few years old but is still totally relevant. Item #1 could have been written by Dan!

 

FYI: I also tried installing by downloading the .xpi file and installing from file.

 

Usually I just exit and restart when I'm ready to resume protection.