Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
No problem here accessing those links.
For an Artificial Intelligence or Machine Learning solution, it would be a miss not to take signatures into account.
Simple fact: 90% of the malware is unsigned. Of the 10% of malware that is signed, more than half relates to Android malware and misused HTTPS certificates. So a stupid check on program signature weeds out 96% of the malware. This is a fact that a machine learning solution can't ignore.
Findings of real life corporate project
I can't disclose but a test over a long period used the following (simple) algorithm.
Only programs with three strikes were allowed to run from a non UAC-location (so outside Windows and Program Files folders):
1. Is the program signed?
2. Is it from a trusted vendor?
3. Is it from a product family installed on the default PC image?
During Windows update and Google update (and a couple of other security related programs), the whitelist anti executable automatically changed to install mode allowing everything, leaving the protection over to a well known antivirus with two premium brand engines.
Using signature in AI engine.
Check during "snapshot" which signed vendors are already installed. Apply an internal list of Trusted Vendors. Build a list of products and signatures of trusted vendors. Lower AI sensitivity for products having a valid signature of a trusted vendor from a product family already installed on the PC. Paid users have the option to disable this (I think Peter2150 and Rasheed for example are going to like that disable "take signatures into account" option).
Let user decide to use signatures
I noticed in this link that it is possible to rule in the VT results: http://www.voodooshield.com/artwork/newalgorithm.PNG Considering the new VT policy (only allowed to use public API in no freeware) you have to remove that option anyway. Would it be possible to change the VT option with "factor program signatures in".
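The three-strikes rule (signed, trusted vendor, product family already on the image) and the signature-aware sensitivity idea from the post above, as an added example. This is not VoodooShield's code or the corporate project's code; the Authenticode result is assumed to come from a check done elsewhere (the `signature_valid` field), and the trusted-vendor list and installed product families are constructed sample data.

```python
"""Three-strikes allow-list decision for programs launched from outside the
UAC-protected folders, plus the "lower AI sensitivity for trusted, already
installed product families" adjustment.  Added illustration, not the
project's own code.  Signature verification itself is assumed to have been
done elsewhere (e.g. an Authenticode check) and its result passed in."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Locations assumed to be UAC-protected (writing there requires elevation).
UAC_PROTECTED = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed sample data: the post's "internal list of Trusted Vendors" and
# the product families found in the default PC image snapshot.
TRUSTED_VENDORS = {"Microsoft Corporation", "Google Inc", "Example Security Ltd"}
INSTALLED_FAMILIES = {"Microsoft Windows", "Google Chrome", "Example Endpoint Suite"}


@dataclass(frozen=True)
class ProgramInfo:
    path: str
    signature_valid: bool            # result of an Authenticode check (assumed)
    signer: Optional[str]            # subject CN of the signing certificate, if any
    product_family: Optional[str]    # e.g. ProductName from the PE version resource


def in_uac_location(path: str) -> bool:
    """True if the path is inside one of the UAC-protected folders.
    PureWindowsPath compares case-insensitively and by component, so
    C:\\WindowsFake does not match C:\\Windows."""
    p = PureWindowsPath(path)
    return any(p == base or base in p.parents for base in UAC_PROTECTED)


def strikes(info: ProgramInfo) -> List[str]:
    """Names of the checks the program passes.  The checks are chained: a
    vendor claim is only meaningful when the signature actually verifies."""
    passed = []
    if info.signature_valid:
        passed.append("signed")
        if info.signer in TRUSTED_VENDORS:
            passed.append("trusted vendor")
            if info.product_family in INSTALLED_FAMILIES:
                passed.append("installed product family")
    return passed


def decide(info: ProgramInfo, install_mode: bool = False) -> Tuple[bool, str]:
    """Allow/deny with a reason.  install_mode models the Windows/Google
    update window in which everything is allowed and the AV is relied on."""
    if install_mode:
        return True, "install mode: allowed, relying on antivirus"
    if in_uac_location(info.path):
        return True, "UAC-protected location"
    got = strikes(info)
    if len(got) == 3:
        return True, "three strikes: " + ", ".join(got)
    return False, "only %d of 3 strikes (%s)" % (len(got), ", ".join(got) or "none")


def ai_sensitivity(info: ProgramInfo, base: float = 1.0, reduced: float = 0.7) -> float:
    """The post's second idea: lower the AI sensitivity only for files that
    carry a valid signature of a trusted vendor from an installed product
    family; everything else keeps the base sensitivity.  The 0.7 is a
    constructed value, not a recommendation."""
    return reduced if len(strikes(info)) == 3 else base


if __name__ == "__main__":
    for prog in (
        ProgramInfo(r"C:\Users\u\Downloads\ChromeSetup.exe", True, "Google Inc", "Google Chrome"),
        ProgramInfo(r"C:\Users\u\Downloads\tool.exe", True, "Unknown Co", "Some Tool"),
        ProgramInfo(r"C:\Users\u\AppData\Local\Temp\x.exe", False, None, None),
    ):
        allowed, why = decide(prog)
        print(prog.path, "->", "ALLOW" if allowed else "BLOCK", "|", why,
              "| sensitivity", ai_sensitivity(prog))
```

A real deployment would feed `signature_valid` and `signer` from the actual certificate chain check (for example `Get-AuthenticodeSignature` in PowerShell or WinVerifyTrust) rather than trusting metadata in the file, since the version resource is attacker-controlled.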
Dan, do you want me to keep testing version 3.08 or to try the new version 3.24?
That is odd... what happens when you click on the links?
Cool, thank you for letting me know.
Me either, that is odd. Thank you stapp!
These are some really great points, and it is something we need to consider, but for now I would rather play it safe. VoodooAi does consider the signature, but that is only one of many, many features it analyzes. There are some really cool things we can do, but we only want to do them if they are safe.
The stand alone VoodooAi is just a poc, and the VT option is not available in any public release... it was just a feature that I added, but it was never approved, so I never released the stand alone version of VoodooAi with that option. I hope that makes sense, if not, please let me know.
Thank you Kees.
Hi Dan; I did a thorough cleanup of my security config, and I promised you to provide feedback on how CIS and VS would play together. Well, I am happy to inform you that they do not bite each other! I have removed Norton Security 2016 and Adguard and Hmpa. Installed CIS and VS 3.24 beta and things are working smooth, no freezes to report; I am a happy camper atm
Okay, I was confused when you said "I would never trust (in regard to signatures using the MAC example)" I now understand that you meant "trust a signature by itself". Thanks for confirming that signature is just one of the elements AI uses to determine whether a program is safe or not
Dan, did you disable command line wildcards completely in 3.24? The " * " wildcard isn't working for me. Also a question on VoodooAI, are your tests done at the equivalent of 100% on the sensitivity scale? I've been running mine at 90%, which has been working well, very few prompts.
This comes from a previous request. The request was only for the whitelist table, but I think the person I was replying to didn't understand it, so he asked me.
Wishlist for the whitelist
add a new column to show the VT result (ie: 0/50 or 2/50...)
add a new column to show the VoodooAI result
(new) a column to determine if the file was trusted by (Autopilot) or by user interaction. Autopilot (Yes/No)
BTW I have just read all the progress done with the new "version" of VoodooAI, all I can say is congratulations. I'm now testing 3.24
Dan, sorry to say that this version froze within an hour of it being installed. It worked just fine initially but I stepped away from the PC for 15 minutes and when I returned and opened Opera - nothing.
Do you want any logs?
Very cool, thank you for letting me know!
Yeah, cool! And we actually can add the Allow by Digital Signature option, and just have it disabled by default. It would be quite easy to add, so I will probably do this after we figure out the freeze issue, thank you!
Yeah, sorry about that... I did disable the wildcard feature temporarily to see if by chance that was causing the freeze issue. According to faircot, VS froze for him rather quickly, so I do not believe that is what is causing the freeze issue, so I enabled it again in 3.25, which I will post in a minute. Yeah, VoodooAi sensitivity is set at 100% for the quick tests that I have performed. Now that we have new algorithms, we can play around with the sensitivity a little more, and figure out what it should be set to by default... I am thinking somewhere around 90-100%.
BTW, I analyzed 3 more random malware files, each with 1,000 files, and the results were: 99.8%, 99.8% and 99.5%, so I really think the new algorithms are going to be quite good. Thank you!
Thank you, I appreciate that! Yeah, I really like your suggestions and I have added them to the to do list. So once we figure out the freeze issue, we will see what all we should add. We can definitely add the VoodooAi results since the realtime VoodooAi will be enabled soon, but as far as the blacklist scan goes, I am not sure if we can add that or not, mainly because only blocked files are scanned with the blacklist. So basically, none of the files that were in the initial snapshot would have blacklist results. If I can get approval to scan the initial whitelisted items with the blacklist scanner, then I will certainly do that. All of this stuff will be quite easy to add, and will be really cool, and I will start working on it as soon as the freeze issue is fixed. Thanks again!
Thank you for letting me know... it is actually great to know that the wildcard feature is not causing the issue, mainly since that is the only part of the code that I am completely unfamiliar with. We really have the possibilities for the freeze issue narrowed down, so I am certain we are getting close to fixing it once and for all. I am really sorry it is taking so long, and I really appreciate everyone's patience! This is an extremely difficult bug to fix because none of the 5 or so debug techniques is catching this bug... at all.
I decided to add logging to EVERY SINGLE sub routine in VS's main GUI code... so if everyone can install VS 3.25, and if VS freezes, please send me the log. If possible, even if VS does not freeze, if you want to search the DeveloperLog.log for "Exception in", and if there are any entries, please send me the log. The DeveloperLog.log is in the C:\ProgramData\VoodooShield directory.
I also temporarily disabled the USB detection for VS 3.25, just to test.
Sorry it is taking so long, but I promise, we are getting close! Thanks again!
3.25 download is 3.23.
I grabbed 3.25, I'll let you know if it freezes, I'll send over the logs if it does.
The displayed link is correct but the actual link in his post went to an older version, copy paste the link in the post instead of clicking on it.
Oops, sorry about that, it is fixed now, thank you!
Good news and bad news... The bad news is that VS froze, but there were not any helpful logged events. The good news is that I think I am pretty close to finally figuring out what is causing the issue. I know it is not necessarily related to Chrome, but Chrome does have a tendency to trigger the freeze. Anyway, I just have to wait for it to freeze once more, and I think I will know exactly what is causing the issue. I will let you guys know asap, thank you!
Ok, I think it all makes sense now. VS was set to only handle 10 new process creation threads concurrently, and I think the reason Chrome would freeze is because it will start 15 or so threads all at once. I noticed something earlier in the DeveloperLog, even though it was not logged as an actual error... each process is logged like this:
[06-08-2016 23:26:16] [DEBUG] - SRD::HP: ctx=7, proccess: id = 7060, name=chrome.exe, path=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, cmd="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --channel="8264.3.36264464\1055349655" --lang=en-US --mojo-platform-channel-handle=2344 --ignored=" --type=renderer " /prefetch:8, parent pid=8264, parent process=chrome.exe
[06-08-2016 23:26:16] [DEBUG] - chrome.exe (7060) AllowReason: 0x0103
[06-08-2016 23:26:16] [DEBUG] - SRD::HP: ctx=7, allow = True (00:00:00.0044667)
When VS froze on me earlier, I noticed that the first 2 of the 3 lines for each process were missing, so it looked something like this:
[06-08-2016 23:26:16] [DEBUG] - SRD::HP: ctx=7, allow = True (00:00:00.0044667)
[06-08-2016 23:26:17] [DEBUG] - SRD::HP: ctx=7, allow = True (00:00:00.004466
[06-08-2016 23:26:18] [DEBUG] - SRD::HP: ctx=7, allow = True (00:00:00.0044669)
[06-08-2016 23:26:19] [DEBUG] - SRD::HP: ctx=7, allow = True (00:00:00.0044670)
So then I went to the KMD part of the code where these items are logged, and noticed that VS is only set to handle 10 threads concurrently. The maximum is 64, and I will email Vlad to see what he thinks I should set it to. Right now I have it set to 50 and it seems to be working great, but if Vlad thinks I should set it to 64 or something else, then I will. Really, if you think about it, all I did was change the 10 to 50, so basically all I did was change the 1 to a 5… it is amazing how much trouble one single character can cause.
So hopefully the freeze issue is fixed once and for all. I added some logging for the USB detection issue, so if anyone is still having an issue with it, please let me know, it will be a much easier fix than the infamous freeze issue. Also, while waiting for VS to freeze tonight, I was testing the new VoodooAi algorithms... overall I am very happy with them, but I do need to tweak them a little because there are a few too many false positives. Basically, the training data sets contain 13 times the number of unsafe samples as it does safe samples... so what is happening is that there is a much better chance that the features will match an unsafe sample. It is a super easy fix... I had to do it last time as well. After I do that, it should still be extremely accurate and have very, very few false positives.
Thanks again, here is the version where hopefully the freeze issue is fixed for good!
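The false-positive effect described in the post above (13 unsafe samples for every safe one, so a clean file's features "match" far more unsafe samples), shown on constructed data as an added example. This is not VoodooAi's code or its algorithm: the classifier here is a simple per-feature vote counter, the four feature names and their per-class frequencies are made up, and the correction shown (dividing each vote by the class size, i.e. weighting both classes equally) is one of the standard fixes for class imbalance, not necessarily the one the post refers to.

```python
"""Class imbalance in a feature-matching classifier: raw sample counts vs.
per-class feature rates.  Added illustration on constructed data; not the
project's code or algorithm."""
import random
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

Features = FrozenSet[str]

# Constructed per-class feature frequencies (assumption): a valid signature
# and a version resource are common in clean files, packing and a startup
# persistence write are common in malware.
SAFE_P = {"signed": 0.9, "version_info": 0.9, "packed": 0.1, "writes_startup": 0.05}
UNSAFE_P = {"signed": 0.1, "version_info": 0.3, "packed": 0.7, "writes_startup": 0.6}


def build_training_set(n_safe: int = 100, n_unsafe: int = 1300,
                       seed: int = 1) -> Tuple[List[Features], List[Features]]:
    """Sample n_safe clean and n_unsafe malicious files; the 100:1300 default
    reproduces the 13:1 imbalance mentioned in the post."""
    rng = random.Random(seed)

    def make(p: Dict[str, float]) -> Features:
        return frozenset(f for f, prob in p.items() if rng.random() < prob)

    return [make(SAFE_P) for _ in range(n_safe)], [make(UNSAFE_P) for _ in range(n_unsafe)]


class VoteClassifier:
    """Scores a file by how many training samples of each class share each of
    its features.  normalize=False sums raw counts, so the larger class wins
    almost every comparison; normalize=True divides by the class size, turning
    each vote into a per-class feature rate."""

    def __init__(self, training: Dict[str, List[Features]], normalize: bool):
        self.normalize = normalize
        self.size = {label: len(samples) for label, samples in training.items()}
        # Precompute how many samples of each class carry each feature.
        self.counts = {label: Counter(f for s in samples for f in s)
                       for label, samples in training.items()}

    def scores(self, features: Features) -> Dict[str, float]:
        out = {}
        for label, counts in self.counts.items():
            total = float(sum(counts[f] for f in features))
            out[label] = total / self.size[label] if self.normalize else total
        return out

    def classify(self, features: Features) -> str:
        s = self.scores(features)
        return "unsafe" if s["unsafe"] > s["safe"] else "safe"

    def false_positive_rate(self, clean_files: List[Features]) -> float:
        flagged = sum(1 for f in clean_files if self.classify(f) == "unsafe")
        return flagged / len(clean_files)


if __name__ == "__main__":
    safe, unsafe = build_training_set()
    training = {"safe": safe, "unsafe": unsafe}
    holdout, _ = build_training_set(n_safe=200, n_unsafe=0, seed=7)
    typical_clean = frozenset({"signed", "version_info"})
    for normalize in (False, True):
        clf = VoteClassifier(training, normalize)
        print("normalize=%s scores=%s -> %s, FPR on 200 clean files: %.2f" % (
            normalize, clf.scores(typical_clean), clf.classify(typical_clean),
            clf.false_positive_rate(holdout)))
```

With raw counts a signed file with a version resource still matches more unsafe than safe samples (roughly 130 + 390 votes against 90 + 90), so nearly every clean file is flagged; once votes are expressed as rates the same file scores about 0.4 unsafe against 1.8 safe, and the false-positive rate on held-out clean files drops to a few percent at most.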
Thanks Dan, for continuing on the hunt for a fix. I'll install 3.26 and report if I find any issues.
3.26 running okay so far on Win 10.
Dan... are you going to sleep at all? 3 versions in one day?... 1.5 hours ago I was here and downloaded the new 3.25 and now I see the new one... you are "crazy"