Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
Hey TH, thank you!
1. Will the AI be in the freemium version of VS or just paid?
2. Has the number of engines it uses been cut back to reduce FPs?
Hey Brandonn, we are not yet sure if VoodooAi will be part of Pro or not, but if you need a license, please let me know.
VS has always had a false positive detection feature for the blacklist scan that in my opinion has been extremely accurate. I think that out of the hundreds or thousands of times I have seen a false positive, only once was it incorrect.
Has that been everyone else's experience as well?
BTW, on the initial release of VS with VoodooAi... the verbiage at the bottom of the prompt will not necessarily be correct!!!!!!
We have not adjusted the verbiage on the prompts yet because we have to figure out when it is appropriate for the blacklist scan to override VoodooAi, and vice versa. For example, if the file is unknown to the blacklist scan, but VoodooAi detects it as clean, then we will want to adjust the verbiage of the prompt accordingly. Or, for example, if the blacklist scan has 10 positive detections, VoodooAi should be pretty darn high, but either way, the verbiage in the prompt should recommend that the user not run the file. One last example... if VoodooAi is super high, like .9988, and there are no positive detections on the blacklist scan, then we should warn the user that although the blacklist scan says the file is safe, we recommend not running the file unless they research it a little more.
It will actually be pretty easy to figure out what overrides what, we just haven't gotten around to it yet. But this is what I meant when I kept talking about an auto decision.
I too think VS doesn't need 56 or so engines. It increases FPs. In my trials I have seen quite a few 1-2/56 results, and quite a few times nothing from the FP engine. Sometimes I saw something like "we have determined it's an FP". And those 1-2/56 were always from the not-so-reputable engines.
I think a few reputable engines would be good and sufficient.
Having said that, I think you guys will be quite happy with how close the blacklist scan and the VoodooAi results coincide in general, especially for files that are unquestionably clean or unquestionably malware, especially in real world scenarios.
This is the way I view Ai as it relates to malware detection... the only absolutely, perfectly clean files are the native Microsoft Windows files, so that is one end of the spectrum. On the opposite end of the spectrum there are the super bad ransomware files. Everything else falls in between. One thing that malware detection will never be able to do is to correctly evaluate with any level of certainty the intent of the developer of any given file. For example, just as ransomware encrypts your files, there are benign utilities that do the exact same thing, except they also have the code to decrypt the files when needed. So how do you distinguish the two from each other? Well, you don't... you extract the most useful features of a file and then let Machine Learning and Ai do it for you. Most of the time it does an amazing job at determining the maliciousness of a file, especially if it can also utilize multiple blacklist scan engines, but nothing is perfect.
But this is why VoodooAi excels at correctly identifying truly clean and truly malicious files... it was trained with these, so it knows what they look like. Everything else is in between.
BTW, out of curiosity, how do most behavior blockers react to benign encryption utilities such as: http://lifehacker.com/five-best-file-encryption-tools-5677725
(I am just asking because I seriously do not know).
I actually just thought of the encryption utilities / ransomware example right now, but that will be a good test for VoodooAi... I am going to download several utilities later tonight and see the results.
Wow, really? The next time you experience an incorrect result, please let me know what files are incorrectly identified.
VS's false positive feature is not based on just a handful of positive detections... it is based on a lot more than that. I researched many AV lab test results and factored all of the engines with high false positive rates out of the equation... unless one or more scan engines with very low false positive rates had a hit, in which case they are factored back into the equation.
Please post some examples... I might need to research the AV lab test results again and update what engines are factored in and which ones are not!
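As an added example (not VoodooShield's own code), here is a small Python model of the two rules described in this thread: the false-positive weighting of blacklist engines from this post, and the blacklist-versus-VoodooAi override verbiage from the earlier post. The engine names, the reputation sets and the numeric thresholds are constructed assumptions; the thread only gives the examples of 10 detections and a .9988 score.

```python
from dataclasses import dataclass

# Constructed engine reputation sets (assumption, not VS's real list): engines that
# AV lab tests show to have very low false-positive rates, and borderline engines
# whose hits are factored out of the count unless a low-FP engine also fired.
LOW_FP_ENGINES = {"LabEngineA", "LabEngineB", "LabEngineC"}
BORDERLINE_ENGINES = {"BorderlineX", "BorderlineY"}

# Threshold assumptions; the thread only gives "10 positive detections" and ".9988".
MANY_DETECTIONS = 10
AI_UNSAFE = 0.90   # a VoodooAi score at or above this is "super high"
AI_CLEAN = 0.10    # at or below this, VoodooAi considers the file clean

@dataclass
class Verdict:
    label: str      # "safe", "suspicious" (which does not mean unsafe) or "unsafe"
    effective: int  # blacklist detections that survived false-positive weighting
    message: str    # verbiage for the prompt

def effective_detections(hits):
    """Count blacklist hits after the false-positive rule from the thread: hits from
    borderline engines only count when at least one low-FP engine also fired."""
    trusted_hit = any(engine in LOW_FP_ENGINES for engine in hits)
    return sum(1 for engine in hits if engine not in BORDERLINE_ENGINES or trusted_hit)

def verdict(hits, ai_score):
    """Combine the weighted blacklist count with the VoodooAi score into one prompt."""
    n = effective_detections(hits)
    if n >= MANY_DETECTIONS:      # many detections: do not run, whatever VoodooAi says
        return Verdict("unsafe", n, f"{n} engines flag this file; do not run it.")
    if n > 0:
        label = "unsafe" if ai_score >= AI_UNSAFE else "suspicious"
        return Verdict(label, n, f"{n} engine(s) flag this file; VoodooAi {ai_score:.4f}.")
    # No effective blacklist detections: VoodooAi decides the verbiage.
    if ai_score >= AI_UNSAFE:     # the .9988 / 0 detections case: blacklist overridden
        return Verdict("suspicious", 0, f"No blacklist detections, but VoodooAi scored "
                       f"{ai_score:.4f}; research this file before running it.")
    if ai_score <= AI_CLEAN:      # unknown to the blacklist, but VoodooAi says clean
        return Verdict("safe", 0, "Unknown to the blacklist scan; VoodooAi considers it clean.")
    return Verdict("suspicious", 0, f"Unknown file, VoodooAi {ai_score:.4f}; suspicious does not mean unsafe.")

if __name__ == "__main__":
    # Constructed inputs: the 0/57 TeslaCrypt case scored 0.9975, and a 2/56 hit
    # that came only from borderline engines.
    print(verdict([], 0.9975))
    print(verdict(["BorderlineX", "BorderlineY"], 0.03))
```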
If I remember correctly, the two pieces of software were the WinRAR 5.30 64-bit installer and the DriverTalent installer.
I am currently trying a few security programs, so VS is not installed; otherwise I would have found out from the logs. VS's logs record the detections, right?
Time for something fun...
Go to this site and download the 3 .exe files at the top of the page (VoodooAi does not yet work with .msi files).
Each of the files is a little different... Try to guess what you think the VoodooAi results should be, then test with VoodooAi. I will test more later, but that was just a quickie.
Heard you loud and clear Sir!
Is there a standalone VoodooAi software?
Cool, thank you! I could not find the WinRAR file that had a detection, but I did find the DriverTalent file, and yes indeed, the engine that detected it was always borderline, so we will remove it from the list. If you find more, please let me know and we will adjust it! BTW, VoodooAi was correct on both.
Hehehe, sorry, I lost my reading glasses for a little while.
Yeah, you can download it here: www.voodooshield.com/artwork/InstallVoodooAiPortable.exe
It's portable software?
And only scanning or execution detection too?
It is just a quick and dirty demo to demonstrate VoodooAi... so I would not use it as a scanner. Ai should never be used as a scanner in my opinion... it should be used with a toggling desktop shield gadget / computer lock.
Keep in mind SUSPICIOUS DOES NOT MEAN UNSAFE. (We might need to change the name suspicious to something else).
Ever consider adding a user-defined vulnerable process list to VS? Whereby the user can add additional vulnerable processes, like .NET assemblies (vbc.exe, csc.exe, RegAsm.exe) and others like PresentationHost.exe. In total there are about 50 to 60 that never need to run on the vast majority of systems.
More importantly, adding these to the vulnerable process list will prevent any type of dodgy bypass of whitelisting by trusted but highly abusable processes. It would make VS much, much less susceptible to clever breaches via scripts that abuse vulnerabilities in host processes and .NET assemblies.
Malware testing shows these are more and more targeted for manipulation to circumvent policies\restrictions.
Yeah, at some point we can create an editable list of vulnerable processes, but right now this is all handled internally (and securely and efficiently, I might add). There is no reason to go into details here, but let's just put it this way... child processes are not allowed from every single folder.
Ok, here is something infinitely interesting that I accidentally stumbled upon.
Yesterday, someone analyzed the following file with VS's Cuckoo Sandbox, and the file turns out to be a TeslaCrypt variant. When it was analyzed by VT yesterday, it received 0/57 detections. One day later (today), it received 9/57. Something is very wrong with that. I would ask if anyone knew of a service where we could report this file to all of the various blacklist vendors... ah, but what's the point? There are probably 100 or more variants similar to this one. VoodooAi scored the file 0.9975, so basically very unsafe.
There is a download link on all of the Cuckoo Sandbox pages, so if you choose to download any files from there, please be very careful!! Speaking of that, at some point I really should think about deleting the 1.3 million pieces of malware stored in various locations all over my machine one day.
For the past two days I have been running VoodooShield 3.09 on VirtualBox with Windows Defender and Windows Firewall blocking outgoing and incoming traffic.
I must say I am very impressed. I used samples from Malwaretips Virus Exchange, Malc0de etc.; what was left over from WD was zapped by VS, except a Spico KMS found by Zemana that was placed in the Windows folder. I tried the Cuckoo Sandbox but need to set it up properly, as the firewall blocks it.
Could you please tell me the proper set up for Cuckoo Sandbox and I'll carry on testing.
Note: One of the files tested was 70.exe
Very cool, thank you for the info! I have seen the pages where all of the blacklist vendors are listed separately, but I never thought of just having one mailing list for all of them!
BTW, what if we set up VS to automatically zip and email all of the vendors on the mailing list anything with obvious detections? Or maybe we can add this to voodooshield.com, so users can easily upload files to all of the vendors? Or maybe Wilders would like to add a page where users can submit a sample, and it will automatically zip and email the file to everyone on the mailing list?
Thank you, we appreciate that!
Ohhh... so you were the one who uploaded 70.exe? If you do not mind me asking, where did you find such a new variant of TeslaCrypt?
I am not sure exactly what is being blocked. It seems to be working for the samples you have mentioned. Is it the RDP that is being blocked?
Thank you for testing and for your help!
Edit: BTW, did VS block Spico KMS, then you allowed it?
You can get samples of 70.exe and 80.exe from Malc0de. Still live an hour ago.
Very cool, thank you, it is something to consider! I wonder why there is not already a service for this? It would probably be best for VirusTotal to offer this, but I imagine they would have to filter out the fake submissions.
Cool, thank you, I will have to check it out!