VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is essentially what VS / VoodooAi is all about... the whole idea is to allow files that can easily be proven to be safe, and block everything else, especially if it is questionable, thank you!
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Pete... do you mean add more files to the training data sets?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great idea, but I personally am not a huge fan of sandboxing for a lot of reasons, but mainly because average users and novices would have a really tough time understanding it.

    And if it really is patented, we would not touch it with a 10 foot pole ;).
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great to know... do you know this for sure, or is it something that you heard somewhere?
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you for letting me know!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Which top AV vendors have the best global whitelist? It would be helpful if only known safe files are on the list... and no questionable files / PUP's.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I do not mean to disagree, but this changes everything. Sure, ML/Ai has been around for a while, but it has not been implemented the way the Next-Gen providers and VoodooAi recently implemented it, until they came along 3-4 years ago (basically inspection and training on the features of the PE). Also keep in mind, the algorithms have improved dramatically the last 3-4 years, so this type of ML/Ai is now an extremely relevant technology... it is just not accurate enough to be used on its own.

    Now that Microsoft has implemented this type of ML/Ai into Windows Defender, this is going to completely change the game, on so many levels. Have you noticed that their recent AV lab tests are dramatically better than before? Thank you!
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that! Blacklisting certainly helps, but nothing is perfect... the computer needs to be locked when it is at risk ;).
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What I am referring to is when you go to scan anything but an exe it tells you it can't handle that type of file. So with a script file, the only way to check it is to execute it.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sandboxing certainly has its role, but here is why I am not a fan of it. To me, sandboxing is ONLY useful when the user is interested in running a file with limited rights, in a sandbox, to see if it has any malicious tendencies or behaviors. So essentially, when someone is sandboxing an application, they are acting as an amateur pen tester, to see if a file is malicious or not.

    Average users and novices should not willy nilly execute non-whitelisted software, unless they are installing something that is known to be safe, such as Microsoft Office. And average users and novices certainly should not try to become amateur pen testers.

    Sandboxing is a cool technology, but I believe it would only be useful for the more advanced users... simply because average users and novices do not even know what a sandbox is. I have even thought of having a Novice mode in VS, where we hide the Local Sandbox button. It would be cool for amateur users and novices to be able to utilize the Cuckoo sandbox, but we would have to figure out how to make it more user-friendly, so they understand that the RDP session that they are seeing on the screen is an example of what would happen if they run that file on their computer.

    I forgot to mention... also, if the file can not be proven to be safe with a relatively high level of confidence, then that file should not be executed, whether in a sandbox or not!!! It is not like the world is going to end if someone does not run an executable file, because they are not sure if it is safe or not.
     
    Last edited: May 9, 2017
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, this is what I knew too.
     
  12. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    I think Kaspersky is top notch, but Comodo has very few false negatives (aka whitelisted malware).
     
  13. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Mhmm, I like autopilot mode more :p
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see... yeah, none of the ML/Ai vendors have been able to do this yet, for a lot of reasons. Once our new data scientist is finished evaluating VoodooAi, I am going to talk to him about this as well. I suspect that the biggest obstacle will be the lack of a sufficient number of samples to be used in our training data sets... we will need at least 50,000 or so safe and unsafe scripts, and that is going to be quite difficult to gather.

    Also, I think most of the industry relies on the fact that most or all scripts' ultimate goal is to drop an executable payload, and that is where they block it. The other option is that they simply blacklist all scripts altogether... which can be a serious pain for admins in the enterprise, since they have a tendency to script everything.

    If you ask me, I think VS handles scripts quite nicely...

    1) Scripts are scanned with the blacklist, if they are unknown or malicious, they are blocked.
    2) All scripts that are spawned from all Windows and other vulnerable processes are automatically blocked.
    3) Scripts are auto allowed if they pass the blacklist scan and are spawned from an item that is already on the whitelist, as long as the whitelisted item is not a vulnerable Windows (or other) process.
    4) There are a couple of other checks we make as well, but I would prefer not to discuss them publicly.
     
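    The three public script-handling rules listed in the post above, written out as a deny-by-default decision function. This is an added illustration, not VoodooShield's own code: the vulnerable-process list, the whitelisted parents, the set of scannable extensions, the blacklisted sample and the "block anything else" default are all constructed assumptions here. Rule 4 (the undisclosed checks) is not modelled. The scanner returning "unknown" for a file type it cannot inspect mirrors the point raised earlier in the thread about non-exe files.

```python
"""Deny-by-default script launch policy (added example, not VoodooShield's code)."""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# --- Constructed policy data (assumptions for this example) -------------------
# Rule 2: parents from which a script launch is always blocked: Office, browsers,
# mail clients and similar processes that attackers use as droppers.
VULNERABLE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "mshta.exe",
}
# Rule 3: parents already on the whitelist. A parent can be both whitelisted and
# vulnerable (e.g. a whitelisted Office install); rule 2 is checked first and wins.
WHITELISTED_PARENTS = {"explorer.exe", "winword.exe", "backup-agent.exe"}
# Rule 1: script types the blacklist scanner can inspect. Anything else comes
# back "unknown" (the scanner's "can't handle that type of file").
SCANNABLE = {".ps1", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".hta"}
# A constructed "known bad" sample, keyed by SHA-256 like a real hash blacklist.
MALICIOUS_SAMPLE = b'CreateObject("WScript.Shell").Run "powershell -nop -w hidden -enc AAAA"'
BLACKLIST_SHA256 = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}


@dataclass(frozen=True)
class ScriptLaunch:
    script_path: str      # the script handed to the interpreter
    script_bytes: bytes   # its content, hashed for the blacklist lookup
    parent_image: str     # image path of the process that spawned the interpreter


def scan_blacklist(path: str, data: bytes) -> str:
    """Rule 1: 'malicious', 'clean', or 'unknown' (file type the scanner cannot handle)."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext not in SCANNABLE:
        return "unknown"
    if hashlib.sha256(data).hexdigest() in BLACKLIST_SHA256:
        return "malicious"
    return "clean"


def decide(ev: ScriptLaunch) -> tuple:
    """Apply rules 1-3 in order and return (verdict, reason)."""
    verdict = scan_blacklist(ev.script_path, ev.script_bytes)
    if verdict != "clean":                                    # rule 1
        return "block", f"blacklist scan: {verdict}"
    parent = PureWindowsPath(ev.parent_image).name.lower()
    if parent in VULNERABLE_PARENTS:                          # rule 2
        return "block", f"spawned by vulnerable process {parent}"
    if parent in WHITELISTED_PARENTS:                         # rule 3
        return "allow", f"clean and spawned by whitelisted {parent}"
    # Assumed default: a script that cannot be proven safe is denied (in practice
    # this is where a user prompt would appear).
    return "block", f"parent {parent} not whitelisted"


if __name__ == "__main__":
    # Constructed launch events covering each branch of the policy.
    samples = [
        ScriptLaunch(r"C:\Users\a\Downloads\invoice.vbs", MALICIOUS_SAMPLE, r"C:\Windows\explorer.exe"),
        ScriptLaunch(r"C:\tmp\helper.ps1", b"Get-Date", r"C:\Program Files\Microsoft Office\winword.exe"),
        ScriptLaunch(r"C:\tmp\helper.ps1", b"Get-Date", r"C:\Windows\explorer.exe"),
        ScriptLaunch(r"C:\tmp\helper.ps1", b"Get-Date", r"C:\Users\a\AppData\Local\newapp.exe"),
        ScriptLaunch(r"C:\tmp\job.wsf", b"<job/>", r"C:\Windows\explorer.exe"),
    ]
    for ev in samples:
        print(f"{ev.script_path:40} {ev.parent_image:55} -> {decide(ev)}")
```

The order matters: the parent-process check runs before the whitelist check so that a whitelisted but abusable parent (Office, a browser) still cannot launch scripts, which is exactly the carve-out in rule 3.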
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Those are both great products, thank you for your input! I do however find it quite funny that out of all of the AV vendors on the market, you mention those two ;). Kaspersky because of TAM and Comodo because of Defense+... how ironic ;).
     
  16. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Well, actually I mentioned Kaspersky for the high detection rate and Comodo for the low false negative rate :isay:
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, yeah, I totally get that, and I agree. I just thought it was funny (TAM and D+).
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Thanks Dan. I will watch and test as it comes.
     
  19. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Hey Dan,
    Agree with you! WD together with VS and Macrium is enough for me and I feel quite safe.;)
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you for letting me know! Are you running Windows 10? I am going to test the latest WD very soon, and I am hoping for around a 95-97% efficacy. Then I will be able to finally say that WD is an amazing product ;).
     
  21. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Yes running Windows 10-64 bits with the latest WD. Cool let us know the result of your test.:)
     
  22. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    Looking forward to your test results.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Welp. I am not sure what to think... the computer completely froze after 61 samples in the WD test. For some reason WD has always taken a very, very long time to test when you are testing a lot of samples, but this time it completely froze, for at least 30-60 minutes, so I just killed the machine manually. So maybe I will test again in a month or two.

    BTW, you guys know how I always talk about how VS should be on mobile and IoT devices? And at least some people probably think I am crazy for thinking this? ;)

    https://www.mcafee.com/us/about/newsroom/press-releases/press-release.aspx?news_id=20170508006538

    I bet Samsung would have reconsidered if they would have read page 13 of this test: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf

    VS would be beautiful on these devices. On a smart TV, if you are watching TV, the device is unlocked. If you check your email or browse the web, it is locked.
     
  24. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Nowadays Comodo strength is more on the sandbox rather than on the HIPS :)
    Back on the picture of VooDooAi AlgoBenchmark, it seems that false negatives fall on VooDooAi score between 0,3 and 0,5, while false positives fall on VooDooAi score between 0,5 and 0,8.
    If you join Comodo, you can link Comodo auto-sandbox to VooDooAi score, for example:
    • Ai < 0,3 (whitelisted or unknown by Comodo) = run
    • Ai between 0,3 and 0,8 (whitelisted or unknown by Comodo) = sandbox
    • Ai > 0,8 (any Comodo rating) = block
    • Blacklisted by Comodo (any Ai score) = block
     
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Dan stay away from Comodo. :gack:
     