VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Hi Dan, I have the standalone scanner VoodooAi 0.90 beta.
    Is there a newer version, and if so, how can I get it?
    I think you used to have a link in your signature.
     
  2. guest

    guest Guest

    I have asked for this as well in the past, but it looks like there won't be any new version of VoodooAi as a standalone product. :(
     
  3. guest

    guest Guest

    A newer version will be available soon:
    Edit:
     
    Last edited by a moderator: May 8, 2017
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    About VoodooAi... I am not sure if there is going to be a standalone product or not; if it makes sense for us to do so, then we certainly will. The 0.90 beta version was just a simple POC, and at that time, our models only used around 25 or so features, and now it uses 300 or so. We have a few different options, please let me know if you guys think any of these make sense.

    1. Update 0.90 to use the new VoodooAi 2.0 models and keep it as a POC. To me, this does not make a lot of sense because it is a POC that very few people would use.
    2. Create a version of VoodooAi 2.0 that only performs a quick scan to scan the common hiding spots for malware, and also performs analysis on pre-execution blocking. VoodooShield already has this feature, I just have not activated it yet.
    3. Partner with an AV company with a massive global whitelist and offer a full system scan and analysis on pre-execution blocking. All ML/Ai models with great detection rates will have false positives... there is no way around it, except to implement a global whitelist that filters the false positives.

    Please let me know what you guys think, and what you think a standalone version of VoodooAi should offer, in terms of features. Either way, I still firmly believe that ML/Ai should not be used alone to protect a computer. Maybe I am simply being too protective and need to lighten up a little... but I cringe at the thought of letting bypasses occur, so that our false positive rate remains extremely low. Basically, whether the engine / model is a traditional AV or a so-called "Next-Gen" ML/Ai engine, you cannot have super high detection rates and extremely low false positives. The key is to find the exact point (in the curve) where the engine / model detects a percentage of malware approaching 100%, with an acceptable number of false positives. If you ask me, VoodooAi models are pretty close to finding this exact point, although admittedly, our false positive rate is slightly higher than what I would prefer. The problem is, if we reduce the false positives, there will be a significant amount of bypasses. To me, with the advent of ransomware, false positives should be a distant secondary concern... basically AV labs should only consider false positives as a factor if the detection rates approach 100%. Otherwise, any mention of false positives is absurd.

    I am extremely excited to have the AV Labs test VS on AutoPilot, with the blacklist disabled and VoodooAi enabled. As long as they do not test many obscure files, it is going to do extremely well... I have tested the heck out of it, so I am sure of this.

    On kind of a funny side note... just yesterday I met a data scientist with 20+ years of ML/Ai experience, and he is reviewing our three models, and he is going to help me optimize VoodooAi even more. It will be extremely interesting to see what he finds... I sent him one of our curves (along with some other info), and this was his initial impression of VoodooAi 2.0...

    "fyi, the ROC you presented is usually treated as a fantastic and perfect result. In fact, I haven't ever seen anything like that in real world applications in out-of-sample test set. So my intuition based on a 20+ years of expertise tells me that this model was overtrained. Of course I might be wrong and I'd need to study your data more closely before actually making any conclusions. If your ROC curve is real then it hardly could be improved any further, but I suspect it isn't. In the latter case I could help you indeed."

    BTW, I normally do not like to quote people on here, but it was the easiest way for me to explain what was going on.

    Anyway, either (1) I made a mistake in the models that he will be able to correct (and help me optimize VoodooAi), or (2) our models are in great shape... I will let you guys know what he says. Either way, it will be nice to have an experienced data scientist help me optimize VoodooAi.

    Here is the curve (ROC) that I sent him... I have posted it on here before, so you guys have already seen it.

    www.voodooshield.com/artwork/AlgoBenchmark.PNG

    So that is where we are with VoodooAi. Please let me know what features a standalone version of VoodooAi should have... like if you guys could design VoodooAi from the ground up, what would it look like? Thank you!
     
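    The operating-point trade-off Dan describes above (sliding along the ROC curve until detection approaches 100% at an acceptable false-positive rate) as an added worked example; this is not VoodooShield's or VoodooAi's code, and the per-file scores are constructed, standing in for whatever a model would emit on an out-of-sample set.

```python
"""Threshold sweep for a malware classifier's operating point (added example).

Each sample is (model score, is_malware); files scoring >= the threshold are
blocked. Lowering the threshold raises detection (TPR) but also the
false-positive rate (FPR), which is the trade-off discussed in the post.
"""
from typing import List, Optional, Tuple

# Constructed scores (higher = more malicious-looking); not real VoodooAi output.
SAMPLES: List[Tuple[float, bool]] = [
    (0.99, True), (0.97, True), (0.95, True), (0.91, True), (0.88, True),
    (0.84, True), (0.79, True), (0.70, True), (0.55, True), (0.35, True),
    (0.62, False), (0.48, False), (0.41, False), (0.30, False), (0.22, False),
    (0.15, False), (0.10, False), (0.08, False), (0.05, False), (0.02, False),
]


def confusion(samples, threshold: float) -> Tuple[int, int, int, int]:
    """Return (TP, FP, TN, FN) when every file with score >= threshold is blocked."""
    tp = fp = tn = fn = 0
    for score, is_malware in samples:
        blocked = score >= threshold
        if blocked and is_malware:
            tp += 1
        elif blocked:
            fp += 1
        elif is_malware:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def rates(tp: int, fp: int, tn: int, fn: int) -> Tuple[float, float]:
    """True-positive rate (detection) and false-positive rate."""
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def roc_points(samples) -> List[Tuple[float, float, float]]:
    """One (threshold, TPR, FPR) point per distinct score, strictest first."""
    return [(t, *rates(*confusion(samples, t)))
            for t in sorted({s for s, _ in samples}, reverse=True)]


def pick_operating_point(samples, min_tpr: float, max_fpr: float) -> Optional[Tuple[float, float, float]]:
    """Strictest threshold reaching min_tpr while FPR stays within max_fpr.

    Returns None when no threshold satisfies both: detection can only be
    pushed higher by accepting more false positives (the post's dilemma).
    """
    for t, tpr, fpr in roc_points(samples):
        if tpr >= min_tpr and fpr <= max_fpr:
            return t, tpr, fpr
    return None
```

    With these constructed scores, 90% detection is reachable at a 10% FPR (threshold 0.55), but demanding 100% detection within that same FPR budget yields no threshold at all.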
  5. guest

    guest Guest

    What about an auto-sandbox a la Comodo for unknown files.
     
  6. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Just a thought that probably isn't even good to think about :D : is it possible or feasible to create an ML model that can detect safe files? The current trend of ML is to detect malicious files. But why not create an ML that detects safe files? In this way, a whitelist can be generated automatically. Ratings from the current VAi and the new whitelisting ML would determine positive detection of files. :)
     
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    I think auto-sandbox is a Comodo patented technology
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    If option 1 is easy, do it.
    Let geeks play with it, it is your best publicity in the end. It is the most unique second-opinion scanner available.
     
  9. guest

    guest Guest

    Really? If true, that sucks. I like the concept, auto-virtualization of unknown files :D
     
  10. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I would assume that Comodo's patent is for how its own auto-sandbox operates, but not for the general auto-sandboxing. I think anybody can program auto-sandboxing, just not the way Comodo's auto-sandboxing works because of the patent. :)
     
  11. guest

    guest Guest

    @VoodooShield
    Options 2 and 3 sound good. Option 2 would be a second-opinion scanner, option 1 could be an AV, or you could simply license VAi as an engine.

    VS is almost perfect as it is now, although I would change a few small things, as I have suggested in the past. The evolution of your product depends on having an important user base to feed and improve VAi and on being able to monetize it (the product).

    Option 2 (many FPs, maybe) would offer a good alternative for those looking for a second-opinion/layer AV like Zemana or HitmanPro (now that it is going to have a real-time AV as well).

    Option 3 is not incompatible with option 2, and there are some companies in bad shape that could be interested in it, like Malwarebytes, and other companies which still rely mostly on heuristics and definitions. Or you could license your engine to be used by any company, like Bitdefender does.
     
  12. guest

    guest Guest

    VoodooAi 2.0 + auto-sandboxing , people already using an anti-exe would find it useful :D
     
  13. guest

    guest Guest

    For me, auto-sandboxing is as ineffective as an anti-exe: how many apps run well in a sandbox and won't require any modification or saved file? In the end you whitelist it, because it is the only way the app will work properly. If the user wants to run it, he will run it; if the file (malware) doesn't work properly, he will think it is the sandbox's fault and will disable it; if he knows or suspects that the file is malware, the user won't run the file, so sandbox/anti-exe is ineffective again.
     
  14. guest

    guest Guest

    My idea of auto-sandbox is that he runs the file and VoodooSandbox ( :p ), based on the reputation of the file, would auto-isolate it or not; if isolated, only the dumbest user would disable the sandbox to run it... Then it is the user's fault, not the program's fault, which did what it is supposed to do.
    It is not much different from a dumb user restoring a malicious file from an AV quarantine to run it; so AVs are also ineffective. Anyway, anything is ineffective when used by a dumb user.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Something I think that is really important, is to adapt more the exe files.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @ronjor

    Thank you! I think you just saved me a lot of time by posting the following (https://www.wilderssecurity.com/thr...-windows-10-needs.383448/page-22#post-2673375)

    Direct link: https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/

    Okay, this is seriously funny... this blog was just released today. It is funny because we were just discussing ML/Ai. Apparently Microsoft has implemented ML/Ai into Windows Defender... which is pretty bad news for all of the Next-Gen providers that rely solely on ML/Ai, since all of the various ML/Ai models are going to yield quite similar results (I have said this multiple times in this thread). Anyone who scans newer malware with VirusTotal on a regular basis will notice that the 4-5 ML/Ai engines all detect the zero days immediately, and pretty much all tend to agree. And for example, if one misses a file, they pretty much all do. Ai is Ai... we are all looking at the same or similar features, and utilizing extremely similar algorithms in our models... the only thing that is truly variable is how aggressive you want to make your models.

    That being the case, there really is no reason for VS / VoodooAi to implement realtime file and folder scanning... we will just keep our slightly aggressive models that are utilized during pre-execution (when a file is blocked), and we are good to go. Basically, the models that are utilized for realtime file and folder scanning cannot be quite as aggressive as the models that we use during pre-execution, otherwise, there would be way too many false positives and safe quarantined files. And since the models that are designed for file and folder scanning are less aggressive, there will certainly be malware bypasses (as demonstrated in a lot of my videos)... but VS / VoodooAi will take care of this issue with its slightly aggressive models upon execution of the file.

    I realize that Microsoft might not implement ML/Ai into all versions of Windows, and I realize Windows 7 is still close to half of the OS market... but by the time we finish developing a realtime VoodooAi scanner, and by the time it was adopted by users, pretty much everyone will be on Windows 10... so it would be a huge waste of time and resources to try to offer a similar solution for Windows 7 and 8.

    This gives us a much clearer picture on the road we will take (thanks again @ronjor)... it is just funny that Microsoft's blog was released today! Basically, we will keep our pre-execution models slightly aggressive, although I am excited to see if our new data scientist will be able to optimize them even more... I will keep you guys posted! If you guys have any ideas on this, please let me know, and I will catch up on the posts I missed asap, thank you!

    It is funny how things work out ;).
     
    Last edited: May 8, 2017
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    So just do an updated POC, if it's not too much work. Everyone who sees it is impressed. It's good PR, in my opinion.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is kind of what I am thinking too, thank you!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And VS/VoodooAi will still be able to scan the favorite malware hiding spots with our slightly aggressive models... it will be cool.
     
  20. Appaloosa

    Appaloosa Registered Member

    Joined:
    May 13, 2016
    Posts:
    29
    Hi Dan
    Just to check in: running on a desktop and laptop with WD, WF, and SmartScreen, and both have run for months doing everyday tasks with no aggravation or penetration. Never one complaint, from gaming kids to banking wife. The only other addition is Adguard. Absolutely no need for anything else here. These computers are not trying to get in trouble, but kids don't go out of their way to avoid it. A pretty accurate real-world test in my opinion. Keep it simple. Thanks again, Rocky
     
  21. Appaloosa

    Appaloosa Registered Member

    Joined:
    May 13, 2016
    Posts:
    29
    Oh by the way both never come off Autopilot.
     
  22. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    then go with option 3 and partner with comodo :shifty:
     
  23. guest

    guest Guest

    :argh::isay:
     
  24. guest

    guest Guest

    I don't think this changes anything; most AV vendors have been using ML with more or less success for years. The difference is that now it is cool to call it AI.

    I am not saying that you should discontinue VS, but you should look for alternatives and options, and don't close any door.
     
  25. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    @VoodooShield
    Quite impressive indeed :eek:
    So, in total you have 166,772 samples, with 324 false positives (legit apps being blocked) and 30 false negatives (actual malware being undetected).
    What can save the user from the false negatives? The blacklist scan?
     