VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Baldrick... yeah, it is running great for me too. I guess there were a couple of minor bugs that VoodooAi caused, but I think Vlad either has them fixed or is very close.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you... It is a lot more accurate than what you think it would be, huh? I mean, nothing is perfect, but man, it is doing pretty darn well, especially since it is so new. And keep in mind, we will retrain the machine learning models here in a couple of months with all of the new, truly random samples, and it will be even more accurate. I imagine in 6 months or so it will be super accurate.

    Yeah, I looked at DNSJumper and VidCoder, and looking at the metadata (fingerprint / features of these files) I can EASILY see why VoodooAi would classify them as unsafe. Basically, some software utilities are compiled in such a way that they resemble malware more than they resemble benign software. Then again, you cannot blame VoodooAi if, for example, the file is not digitally signed and DEP and ASLR are not enabled, or if the file was obfuscated with an obfuscator that a lot of malware authors use ;). There are many other features that VoodooAi looks at, but these are the best examples that I can provide. Think of it this way... if there is a software utility that you downloaded, and you had no idea if it was malicious or benign, and there was no indication anywhere on the web whether the file was safe or not... but the file is not digitally signed and DEP and ASLR were disabled, you would think it is malicious, right? Well, that is what VoodooAi has to contend with. There are many more features than these that VoodooAi uses in the fingerprint, but for example, if all files were digitally signed and had DEP and ASLR enabled (basically good coding practices), then VoodooAi's job would be a lot easier. Having said that, it does pretty well, huh? ;). Thank you!
     
    Last edited: Mar 24, 2016
  3. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    How VoodooAi is with PUP?
     
  4. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    VS Mode was Scan & Allow.

    VS installs those C++ stuffs. After system restart WU found updates for the C++ stuffs but install was failing. I tried a few times too but they were failing. After exiting VS, updates went fine.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It depends, but overall it does really well. A few days ago I posted the following link to demonstrate what you are asking about:

    http://www.axantum.com/axcrypt/Downloads.html

    You will notice that when the file is packed with open candy, the VoodooAi result increases dramatically. Obviously the training data set does not have all of the various PUPs, but it really does quite well. It does best with the super bad malware though, which makes sense because the training data set is basically Windows and Office samples for the clean files and then pretty bad files for the malicious files. When we can afford it, we will hire a data scientist to make it even better, but so far, so good. The infrastructure is now in place, so now we can refine it.

    Also, back to what I was saying earlier... some software developers worry about their products being falsely identified by all of the various security software as malware, and some developers could care less if their products trigger false positives. It is a personal choice. But personally, I think it is worth it to take a few simple precautions, like signing the file and making sure DEP and ASLR are enabled, to help ensure that your product is not falsely identified as malware.
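The two precautions named above (a digital signature, plus DEP and ASLR opt-in) are all readable straight from the PE headers. The following is an added example, not VoodooShield or VoodooAi code, that pulls those three facts out of a PE32/PE32+ image; `build_test_pe` is a constructed header-only stub used to exercise it, and "signed" only means an Authenticode blob is attached, not that it verifies.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF spec
DYNAMIC_BASE = 0x0040      # ASLR opt-in
NX_COMPAT = 0x0100         # DEP opt-in
SECURITY_DIR_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)

def pe_hardening(data: bytes) -> dict:
    """Return DEP / ASLR / signature-present facts read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: 4-byte stack/heap fields, directories at +96
        n_dirs_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+: 8-byte stack/heap fields, directories at +112
        n_dirs_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    sec_off, sec_size = 0, 0
    if n_dirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, dir_off + 8 * SECURITY_DIR_INDEX)
    return {
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        # non-empty security directory = a certificate table is attached (validity not checked here)
        "signed": sec_off != 0 and sec_size != 0,
    }

def build_test_pe(dll_chars: int, signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a loadable binary) for exercising pe_hardening."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)     # SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(pe_hardening(build_test_pe(NX_COMPAT | DYNAMIC_BASE, True)))
    print(pe_hardening(build_test_pe(0, False)))
```

Run it against a real build (`pe_hardening(open(path, "rb").read())`) to confirm the linker actually set `/NXCOMPAT` and `/DYNAMICBASE` before shipping.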
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, we better keep an eye on Scan and Allow mode then. If you see it happen again, please let me know!
     
  7. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I tried FreeFileSync installer. It too has Open Candy bundled. VoodooAi calculated "Safe".
     
  8. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I don't remember correctly but I think I had tried with default i.e. Smart Mode too & WU still failed to install.
    Will keep an eye & if the prob appears will let you know.

    By the way, VoodooAi is excellent. Is it going to be in the free version on VS final version 3 release?
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it depends ;). But the cool thing is... when combined with the blacklist scan I think we will see some pretty amazing results. Basically, if one does not catch it, the other should. VoodooAi excels when it comes to zero days and unknown malware (and super clean files), whereas the blacklist scan excels at everything else. It is a great combo... we just need to get the prompts right ;).
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you... yeah, it is not perfect, but I am quite happy with it so far. And it is only going to get better... VoodooAi is in its infancy.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Well put, Dan. :cool:
     
  12. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Yeah, looking forward to the improved prompts...would be good to see how you guys are going to adjust the blacklist results with VoodooAi:)
     
  13. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Is it safe to install over top of the previous version with this release?
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,125
    Location:
    UK
    Mine just autoupdated to 3.10 over the top of 3.09 on Windows 10.

    (it did ask me if it could first after telling me there was an update available)
     
  15. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks! updated with no issues
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, you should be able to just install over the top!
     
  18. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    The reason I request an option for detection level is because I have tried SecureAPlus & Crystal Security. They have multiple engines like VT. And I have noticed most of the FPs are with 1-2 detections. Crystal Security has an option to set detection level. If set to 3, it really minimizes FPs a lot & thus enhances usability.

    I know blacklist & VoodooAi adjusted results will help minimize FPs. But I would say do an internal testing with detection level option & set it to 3 & see how it goes. It will further help minimize FPs & improve usability.

    Currently 5 or more detection is counted as malware & auto-quarantined after time limit.
    So the detection level option should have 1-2-3-4 choices in a drop down menu. And these detections should work as they work now i.e. not auto-quarantined but blocked after time limit. Of course by default you can set whichever you think best from 1-4.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see... but what about the zero days and unknown malware / ransomware samples that I have posted on here recently that initially only had 1-2 detections? If we simply only considered the total number of detections, they would slip right through, right? To me, I would want to at least know if these detections are from scan engines that have unusually high false positives, right?

    There are really cool things we have planned for the prompts that will safely limit the number of false positives, especially when VoodooAi is factored into the equation. We should be finished with the prompts in the next couple of weeks. Can you please retest for false positives after we optimize the prompts, and if you are still experiencing high false positives, we can revisit this issue. Thank you!
     
  20. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Ok, got it.
    Looking forward to the upcoming build.

    And mostly I see FPs from Chinese AVs & not so reputed AVs like Nano, Bkav, etc...
     
    Last edited: Mar 24, 2016
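The disagreement above is really two verdict rules: a raw detection count versus weighting each hit by how often that engine is wrong. This added example (not VoodooShield's actual logic; the engine names and false-positive rates are constructed, and the log-odds weighting is one assumed scheme) shows how a count threshold of 3 lets a sample with two reliable hits through while flagging a utility hit only by noisy engines, and how weighting reverses both outcomes.

```python
import math

# Constructed engine reliability table: assumed historical false-positive rates,
# not measurements of any real vendor.
ENGINE_FP_RATE = {
    "engine-a": 0.01,   # mature engine, rarely wrong on clean files
    "engine-b": 0.02,
    "engine-c": 0.25,   # aggressive heuristic engine, flags many clean utilities
    "engine-d": 0.30,
    "engine-e": 0.30,
}

def count_verdict(hits, threshold=3):
    """Plain count rule: malware once at least `threshold` engines flag the file."""
    return "malware" if len(hits) >= threshold else "clean"

def evidence_weight(fp_rate):
    """Log-odds weight of one detection; an engine that is wrong half the time adds nothing."""
    return math.log((1.0 - fp_rate) / fp_rate)

def weighted_verdict(hits, fp_rates=ENGINE_FP_RATE, cutoff=5.0):
    """Sum per-engine evidence; two low-FP engines can outweigh several noisy ones."""
    score = sum(evidence_weight(fp_rates[name]) for name in hits)
    return "malware" if score >= cutoff else "clean"

# Constructed scenarios from the thread: a fresh sample seen so far by only two reliable
# engines, and a benign utility flagged by three noisy ones.
ZERO_DAY_HITS = ["engine-a", "engine-b"]
NOISY_UTILITY_HITS = ["engine-c", "engine-d", "engine-e"]

if __name__ == "__main__":
    for label, hits in (("zero-day", ZERO_DAY_HITS), ("noisy utility", NOISY_UTILITY_HITS)):
        print(label, "count:", count_verdict(hits), "weighted:", weighted_verdict(hits))
```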
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have been thinking about this quite a bit... even though no payload should slip through the way VS is currently, there is no reason for a web app to start any Windows or other vulnerable processes to spawn a child process. So I agree with you, we should take this one step further and basically have it so that web apps cannot spawn Windows (and other vulnerable processes) as child processes at all... even if they are whitelisted. Thank you for the recommendation... even though the malicious payload would be blocked either way, there is no reason to not block Windows and other vulnerable child processes of web apps, even when the item is whitelisted, mainly because the only time there would be a prompt is when an exploit is trying to exploit a vulnerable process. So I stand corrected ;), thank you!
     
    Last edited: Mar 24, 2016
  22. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Sure thing Dan, I'll keep an eye on it.

    If it's not doing it on your end, then that makes me believe that it might be machine specific.
    I'll give it a go on a separate machine and I'll get back to you.
     
  23. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    3.10beta not syncing to online
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! Yeah, it is working for me, so please let me know!
     