VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, if you need a license, please email me at support@voodooshield.com and I will set that up for you!

    I think I am understanding you correctly... VS does not use a global whitelist... the whitelist is based on taking snapshots of your computer while it is not at risk, that way it does not block the good stuff when it is running a web app and is therefore at risk. There is a lot more to it than that, but for simplicity's sake, that is how it works in general. But anyway, that way we can keep the whitelist to an absolute minimum, and basically have a tiny, customized whitelist... the goal is to have the smallest attack surface possible. Does that make sense? If not, please let me know! Thank you!
     
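    The snapshot-based whitelist described in the post above, as an added Python example (this is not VoodooShield's code; the set of executable extensions, the at_risk flag, SHA-256 as the identity of a file and the temporary-directory sample are all assumptions of this example). The snapshot is taken while the machine is considered safe; while it is at risk, only hashes already in the snapshot are allowed, and anything new is blocked rather than learned:

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption of this example: which file suffixes count as executable content.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Build the allowlist: the hash of every executable found under root
    at a moment when the machine is considered not at risk."""
    allow = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_SUFFIXES:
                allow[sha256_of(p)] = str(p)
    return allow


def decide(allowlist, path, at_risk):
    """Return 'allow' or 'block'.

    Not at risk (no web app running): everything runs and new binaries are
    learned into the snapshot. At risk: only binaries already in the snapshot
    may run; an unknown binary is blocked, never learned."""
    digest = sha256_of(path)
    if digest in allowlist:
        return "allow"
    if not at_risk:
        allowlist[digest] = str(path)  # learn while the machine is safe
        return "allow"
    return "block"


def demo():
    """Constructed sample: one binary present at snapshot time, one that shows
    up later. Returns the four decisions taken, in order."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "app.exe"
        good.write_bytes(b"MZ" + b"\x00" * 62 + b"known good program")
        allow = snapshot(root)

        unknown = root / "unknown.exe"  # constructed: appears after the snapshot
        unknown.write_bytes(b"MZ" + b"\x00" * 62 + b"dropped later")

        known_at_risk = decide(allow, good, at_risk=True)        # in snapshot -> allow
        unknown_at_risk = decide(allow, unknown, at_risk=True)   # not in snapshot -> block
        unknown_when_safe = decide(allow, unknown, at_risk=False)  # learned -> allow
        unknown_after_learn = decide(allow, unknown, at_risk=True)  # now known -> allow
        return known_at_risk, unknown_at_risk, unknown_when_safe, unknown_after_learn


if __name__ == "__main__":
    print(demo())
```

    The point the example makes is the one the post makes: the allowlist only ever contains what this machine actually ran while it was safe, so it stays small, and a binary that first appears while a web app is running gets no chance to add itself.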
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Process Explorer drops ProcessExplorerX64.exe in the Temp folder on a 64-bit OS.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not sure what you mean? After it has been allowed, right?
     
  4. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK

    Hi Dan/Djigi,
    I use the portable version of Youtube downloader and it doesn't contain a toolbar, VoodooAI still gave it a very high score but I allowed it as a false positive.
    I suppose the action needed for some results depends on users preferences.

    Gordon
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Quoting ghodgson:
        Hi Dan/Djigi,
        I use the portable version of Youtube downloader and it doesn't contain a toolbar, VoodooAI still gave it a very high score but I allowed it as a false positive.
        I suppose the action needed for some results depends on users preferences.

        Gordon
    Yeah, but you might want to run that file in cuckoo sandbox, just to be sure ;). Actually, can you send me a link and I can check it out as well?

    What I can tell you, in no uncertain terms, is that when the VoodooAi score is super high, there is almost always a reason. The reason might be because it contains malicious code, or it might be because the file was poorly coded. If either of these is true, it is probably best not to run the file.

    You know what would help the security community tremendously? If ALL developers made sure that their software followed good coding practices and made sure their products passed a VT scan. It would make the security industry's job a lot easier, and we would be able to better distinguish good software from bad.
     
  6. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Forget about it, someone already posted a picture about that.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see, sorry, I was confused (as usual ;))!
     
  8. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Thanks Dan, I forgot about the Cuckoo sandbox, I should have used it - but I have been using the Portable Youtube downloader for quite a while without any problems.
    Link sent.

    Thanks Gordon
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, but where did you send the link?

    Also, I thought of another reason the VoodooAi score might be super high... if the file is super obfuscated, it might be high. I imagine it is because malware authors tend to obfuscate their code in an effort to bypass security software. So when training the Ai machines, a lot of the malware samples in the training sets are obfuscated... so later when VoodooAi is making a determination, if the file is obfuscated, it thinks the file is malware.

    Keep in mind though, a lot of code is obfuscated... even VS is. So reasonable obfuscation is okay... it is only when the file is super obfuscated that there is an issue.
     
    Last edited: May 15, 2016
  10. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    I sent it to dan@voodooshield.com
    I can send again if you didn't receive it.
    Cheers
    Gordon
     
  11. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I received the links.

    I promise, if someone spends some time testing VoodooAi and comparing the results to cuckoo and the blacklist scan, they would be shocked how accurate it is. The only reason I know this is because I have tested the heck out of it. And yeah, it is not perfect... there are some false positives and false negatives, but overall, it is extremely accurate.

    As I was saying, if there is a high VoodooAi score, there is almost certainly a good reason. So are you now a belieber? ;).
     
  13. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    I most certainly am Dan, thank you. A very useful and informative exercise, I will use the Cuckoo sandbox routinely now on suspect files.
    Again, thanks.
    Gordon
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you! My Canadian reference (which was a tribute to TH) was changed ;).

    Anyway... If anyone still has the freezing issue with 3.18, can you please send a screenshot of your Programs and Features list to support@voodooshield.com? It will help tremendously, thank you!
     
  15. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
    I am unaware of how you add manually to the Directory, Process Explorer? I add to Protected Applications... but ..that's only if you have an exe.:rolleyes:
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    TH will know better on this one ;).
     
  17. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
    Sorry Dan! I meant to ask TH..:eek:
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I need to make a clarification... it initially appeared that Cylance missed the petya variant that I posted last night.

    Here is their response: Cylance PROTECT didn't miss it; if you try to execute the binary it would have been quarantined - the file scan detection is opportunistic but doesn't catch everything, whereas execution control does catch everything.

    Here is my response: Ok, sorry about that, I was assuming that since the petya file was scanned by Cylance, and it showed in the log as “allow” that it was a miss. I was going to execute the file to see what happened, but I had already executed some less malicious malware and the machine was infected… but I think Cylance cleaned it up afterwards. Thank you for clearing that up!

    So it looks like ultimately that file was detected as a threat.
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    :p
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry, my bad, that was clearly addressed to TH ;).
     
  21. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    See your email! :D
     
  23. SSherjj

    SSherjj Registered Member

    Joined:
    Mar 4, 2014
    Posts:
    174
    Location:
    New York, USA
    Thank you! :thumb:
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Win 10 x64.
    VoodooShield Auto Pilot.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ok, I believe the Cylance test is finished and it did very well! Keep in mind, malpacks do not always contain high quality malware samples... sometimes the samples are not valid executables and sometimes some of the samples are simply not even malware. With that in mind, Cylance detected 776 of the files as malicious, but there were quite a few (200 or so) samples in that malpack that were not even valid executables. So I am assuming that Cylance checks first to see if the file is even valid and is able to execute, and if not, it kind of skips it... which makes sense to me. The way VoodooAi works is it checks to see if the file is valid, then uses that as one of the features in the machine learning sample data sets. But either way is fine because the sample is not going to execute either way, and these 200 or so items should be excluded from the test completely. When I ran that malpack test on the stand-alone version of VoodooAi several months back, the algorithms were even more "paranoid" than they are now, so I am quite sure that all of those 200 invalid files were detected as unsafe, even though they should have been excluded from the test.

    It is extremely difficult to say exactly how many were missed, because who knows, maybe the samples that Cylance supposedly missed are not even malware... or that bad of malware, but either way, it did score over 99% to be sure. If I had time, I would try to get a good number, but to me anything over 99% is phenomenal, and besides, I really need to get back to work on VS ;).

    So yeah, Cylance Protect is a great product and works extremely well with VS, they are a killer combo! BTW, I am going back to my normal job, I will leave the software reviews to Rubenking ;).

    Edit: I was curious how many might have been missed in the test, so I went through the 224 remaining samples, and it looks like the number is 10. I sent the samples to MM to see what they think.
     
    Last edited: May 16, 2016
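    Two of the file properties discussed in this thread, "is this even a valid executable" (the post just above) and "is this file heavily obfuscated" (the post on May 15 about high VoodooAi scores), as an added Python example that computes them as features. This is not VoodooAi's feature set or scoring; the minimal PE header check, the use of Shannon entropy as a stand-in for "super obfuscated", the 7.2 bits-per-byte threshold and the constructed sample blobs are all assumptions of this example:

```python
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for data where every
    byte value is equally likely (what packed or encrypted sections look like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_valid_pe(data):
    """Minimal PE sanity check (assumption: enough to call a file 'valid' here):
    'MZ' DOS header, e_lfanew inside the file, 'PE\\0\\0' signature at that
    offset, and a COFF header claiming at least one section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    return number_of_sections > 0


def extract_features(data, high_entropy=7.2):
    """The two features as a classifier might consume them. The threshold is an
    assumption: plain code and data usually sit well below it, packed
    payloads well above."""
    ent = shannon_entropy(data)
    return {
        "valid_pe": is_valid_pe(data),
        "entropy": round(ent, 3),
        "heavily_obfuscated": ent >= high_entropy,
    }


def build_pe(payload):
    """Constructed PE-shaped blob for the example: DOS stub, PE signature,
    a COFF header with NumberOfSections=1, then payload. Not a runnable binary."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # x64, 1 section
    return bytes(dos) + b"PE\0\0" + coff + payload


def score_samples():
    """Constructed samples: a plain program, a 'packed' program whose body is
    uniformly distributed bytes, and two things that are not executables at all."""
    samples = {
        "plain_program": build_pe(b"A" * 200 + b"hello world " * 10),
        "packed_program": build_pe(bytes(range(256)) * 8),
        "zero_filled_junk": b"\x00" * 100,
        "mz_but_no_pe_header": b"MZ" + b"\x00" * 100,
    }
    return {name: extract_features(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, feats in score_samples().items():
        print(f"{name:22s} {feats}")
```

    Read against the thread: the two junk samples would be excluded from a detection count by the validity check before any scoring happens, and the packed sample is flagged on entropy even though it is a well-formed executable, which is exactly the "super obfuscated file scores high" effect described, whether the packing is malicious or just a legitimate protector.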