VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Logethica

    Logethica Registered Member

    Joined:
    Jun 23, 2016
    Posts:
    53
    Location:
    UK
Wouldn't this be because neither "Crystal Security" nor "Virtual DJ" have signed exes, so they would be labelled as being from an "unknown Publisher"?
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, my efficacy testing days are done... at least until I reformat my testing computer and clean off the ransomware ;).

    Djigi sent me the 36 samples that he was testing to see if I had the same result. The answer is yes, I had the exact same result (minus the one file that was not executable).

First I checked to make sure they were all executable (all but one were), then I ran EfficacyTest on the 35 samples, using the same procedure I listed above... here are the results (please watch the video carefully, especially towards the end).

    www.voodooshield.com/artwork/ComodoBeta10.PNG

    http://www.voodooshield.com/artwork/EfficacyTestComodoBeta10.webm

    The ransomware encrypted the desktop files of my host test computer (the desktop folder is setup as a shared folder in VirtualBox).

    This is a silly question, but do you guys think that the test computer is infected too, or did it just encrypt the files? I believe Cerber was the culprit. Either way, I am going to format that computer because I simply cannot take a chance. I rebooted my main computer several times, and it seems to be okay.

    Long story short... BE VERY CAREFUL WHEN TESTING MALWARE. I knew I was playing with fire, and I knew at some point I would be burned ;). The development computer was off, and is going to stay off until I am 100% sure that I do not have a ransomware issue.

    Edit: BTW, please keep in mind that Comodo made it very clear that the version we tested is beta and that we should expect bugs, so this is a completely invalid test.
     
    Last edited: Jul 16, 2016
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you... with all of this info, Vlad will have it fixed in no time ;).
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I'm sorry :oops:
Why didn't you create some kind of snapshot (like Rollback Rx) before the test, or test in a virtual machine?
CIS failed big time; no Autosandbox shown in your test either (I will watch the video in a minute)?
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I'm wondering if anyone else who has had the freeze bug also has disabled the countdown timer?
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, but the main thing is that they are .msi files, which VoodooAi is not currently able to analyze.

Also, the digital signature does help to determine the maliciousness of a file, but it certainly is not the only feature that the machine learning models consider. And actually, sometimes the digital signature makes a big difference, and sometimes the difference is negligible... it is all dependent on the other features, and what their results are. For example, Kardo uses obfuscation to protect his code, which is totally cool... he actually suggested to me what obfuscation to use, and we still use it today, but we do not obfuscate the code quite as much as he does with Crystal Security. We actually would use the exact same strength of obfuscation that he uses, but then it breaks the VoodooAi API, so we had to back it off a little.

    Anyway, if you were to test the Crystal Security Portable .exe, it would probably test in the "be careful" or "suspicious" range, because it is obfuscated and not signed. But since Kardo does not use any dirty encrypting (and other) tricks that the malware authors use, if he were to sign the file, it would probably (easily) be in the safe range. So it is dependent on A LOT of factors, and the machine learning / Ai algorithms are SOOOOO complex, that the human mind could probably never figure out for certain why it determined the probability / result that it returned (unless you were a really talented data scientist). That is what is so cool about machine learning and Ai... it spots things that a human could never spot. I hope that makes sense, if not, please let me know, thank you!
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It's totally cool, it is totally my fault... I really thought it would block pretty much everything since it did so well on the test that I ran earlier. It is just my test computer anyway, so no big deal at all, it probably needs a good reformat ;).

    I have no idea how the Comodo Sandbox works... I just ran everything with defaults like my first test, expecting to see similar results. Thank you!
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is new to me... do you disable the countdown timer? ;)
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Yep, as I mentioned in a recent email. ;)

Otherwise I wouldn't know that VS has blocked something while I'm away from my machine, as I was this very early Sunday AM my time.
     
  10. Logethica

    Logethica Registered Member

    Joined:
    Jun 23, 2016
    Posts:
    53
    Location:
    UK
Thanks Dan.. Yes, that makes perfect sense. :thumb:
Yes, I'm a big fan of Kardo as I use Crystal Security myself. :thumb:
     
  11. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
I just watched your video and saw that you tested it in VirtualBox, so I don't understand why you didn't create a snapshot before the test?

[attached image: Clipboard02.png]

I have a shared folder with the "real PC", but that folder is read-only, so no malware from the virtual PC can get to the "real PC".

[attached image: Clipboard03.png]

I'm not sure: is your real PC infected, or just the virtual PC?
     
    Last edited: Jul 16, 2016
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, Kees sent me a great analogy for VoodooAi. For anyone who does not understand why I am not concerned about false positives (even though there are not that many with VoodooAi anyway), I think this will help you understand the whole point of VS and VoodooAi.

VS and VoodooAi are not intended to replace, compete with or behave like traditional antivirus.

Rather, think of VS as a UAC enhancement and think of VoodooAi as a SmartScreen enhancement, since VS and VoodooAi are MUCH more similar to these compared to traditional antivirus.

Neither UAC nor SmartScreen is subject to false positives or any of the other criticisms that a small handful of people hold VS to.

    My point is this... how cool would it be if UAC borrowed some features from VS and SmartScreen borrowed some features from VoodooAi?

    THAT is what VS is all about.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I do not do snapshots in VirtualBox... I just delete the VM when I am finished and then make a copy from my backup.

    My shared folder was not read only, and yeah, I am 100% sure that all of the files on the desktop were encrypted... it is a total mess.

    Hopefully the host / test PC was not infected, but I am going to reformat it just to be sure. I am just happy that it did not nuke my other computers ;).
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, both Kardo and Crystal Security are really cool! We have always talked about doing a CS / VS combo, but either he is too busy or I am, so we just have not had the time.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know... I am going to reformat anyway just to make absolutely sure.
     
  16. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
A couple of years ago my "real PC" was infected when I was doing a test; since then my shared folder is ALWAYS read-only!
     


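A check for the read-only shared folder advice in the posts above, as an added example that is not code from VoodooShield, Comodo or the VirtualBox project: it parses a VirtualBox machine definition (.vbox) and flags any shared folder the guest can write to on the host, which is the path the ransomware took to the host desktop in this thread, and prints the VBoxManage commands (`sharedfolder remove` / `sharedfolder add ... --readonly`) that re-create each flagged folder as read-only. The element and attribute names used (`SharedFolder` with `name`, `hostPath`, `writable`) are assumed from VirtualBox's XML layout, and the sample .vbox content is constructed for the demonstration.

```python
"""Audit a VirtualBox machine definition (.vbox) for writable shared folders."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample .vbox content (not a real machine file): a malware-test VM
# with one shared folder that maps the host desktop with write access, the setup
# that let the ransomware reach the host in the thread, and one read-only
# folder used to hand samples into the guest.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="MalwareTestVM">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="desktop" hostPath="C:\\Users\\tester\\Desktop" writable="true" autoMount="true"/>
        <SharedFolder name="samples" hostPath="D:\\samples_in" writable="false" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""


@dataclass(frozen=True)
class SharedFolder:
    name: str
    host_path: str
    writable: bool


def _local(tag):
    """Drop the XML namespace prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def vm_name(vbox_xml):
    """Name of the first <Machine> element, or '' if none is present."""
    for elem in ET.fromstring(vbox_xml).iter():
        if _local(elem.tag) == "Machine":
            return elem.get("name", "")
    return ""


def parse_shared_folders(vbox_xml):
    """Return every <SharedFolder> declared in the machine definition."""
    folders = []
    for elem in ET.fromstring(vbox_xml).iter():
        if _local(elem.tag) != "SharedFolder":
            continue
        # VirtualBox writes writable="true" or "false" (assumed format). Anything
        # else, including a missing attribute, is treated as writable so the
        # audit fails closed rather than silently passing a bad mapping.
        writable = elem.get("writable", "true").strip().lower() != "false"
        folders.append(SharedFolder(elem.get("name", ""), elem.get("hostPath", ""), writable))
    return folders


def writable_folders(vbox_xml):
    """The subset of shared folders the guest could modify on the host."""
    return [f for f in parse_shared_folders(vbox_xml) if f.writable]


def remediation_commands(vbox_xml):
    """VBoxManage commands that re-create each writable folder as read-only.

    Uses only 'sharedfolder remove' and 'sharedfolder add ... --readonly';
    run them with the VM powered off so the new mapping takes effect.
    """
    vm = vm_name(vbox_xml)
    cmds = []
    for f in writable_folders(vbox_xml):
        cmds.append(f'VBoxManage sharedfolder remove "{vm}" --name "{f.name}"')
        cmds.append(f'VBoxManage sharedfolder add "{vm}" --name "{f.name}" '
                    f'--hostpath "{f.host_path}" --readonly --automount')
    return cmds


def audit(vbox_xml):
    """Human-readable findings; an empty list means no writable mapping exists."""
    return [f'writable shared folder "{f.name}" -> host path {f.host_path}'
            for f in writable_folders(vbox_xml)]


if __name__ == "__main__":
    # Usage: python vbox_shared_folder_audit.py [path/to/Machine.vbox]
    # Without an argument the constructed sample above is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_VBOX
    findings = audit(text)
    for line in findings:
        print("FAIL:", line)
    for cmd in remediation_commands(text):
        print("fix: ", cmd)
    print("OK: no writable shared folders" if not findings else f"{len(findings)} finding(s)")
```

Running it against the sample reports the `desktop` mapping as writable and leaves `samples` alone. Removing the mapping entirely, as suggested later in the thread, is stricter still; a read-only mapping only stops the guest from writing to the host, it does not stop a sample from reading whatever the folder exposes.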
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, mine will be too from now on ;). The funny thing is that I ran all of those tests with full read and write privileges, and there was a lot of ransomware and super bad malware in the 1,000 and 3,000 sample sets.

    BTW, please keep in mind that Comodo made it very clear that the version we tested is beta and that we should expect bugs, so this is a completely invalid test.
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
I know it is BETA, but it should perform better.
In your video I can see a couple of Sandbox pop-ups, but in my test I didn't see any.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Dan, did you not get the last two emails I sent?
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I did, thank you! I just have not checked my email for a little while.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Sorry, I missed this earlier... yeah, I will remove the shared folders from now on. VS was on and active on the host computer, and I later looked at the logs and it looked like it blocked regsvr32 around this time... I am not sure whether that has anything to do with it or not. I do not think the host computer was infected, I think it just encrypted the files, but as you said, there is no point in taking a chance, because we all know how sneaky malware can be.
     
  23. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Samples & EfficacyTest were copied before or after CIS install?
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Basically, I get everything in place... the samples, EfficacyTest, settings on the VM, and apparently disconnect the shared folders ;).

    And I actually make a copy of the prepared VM once it is all ready to go (with samples and everything), that way I only have to do all of this stuff once (and not for each subsequent test).

Then once everything is in place, install the AV software that is being tested, then update the AV software, then run the test.

    Thank you!
     
  25. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
CIS Stable Version - Treats files on the system before CIS install as "Safe".
CIS 10 Beta - Don't know if it has changed or not; if not, then files on the system before CIS install are treated as "Safe".
     