VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Edit: I have to make this very clear... this is a ML/Ai comparison.

    WannaCry.exe
    SHA-256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    Cylance: Quarantined!!! (I was actually happy!)
    CrowdStrike Falcon (ML): malicious_confidence_69% (W)
    Endgame: not detected
    Palo Alto: known signatures only
    SentinelOne (Static ML): not detected
    Symantec: known signatures only
    VoodooAi: http://www.voodooshield.com/artwork/WannaCry.png

The other day I said Ai is Ai. I might have misspoken.

    Then again, VoodooAi is not perfect either, so it really comes down to this… Unknown or questionable files should never be executed, whether sandboxed or not. Period.

    It really is that simple.
     
    Last edited: May 14, 2017
  2. guest

    guest Guest

If people were doing what you said, home user security apps wouldn't be much needed... but curiosity is human nature.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Just curious, but what is your objection to executing a questionable file, if it is properly isolated by sandboxing?
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Nice to meet you Decopi!

    I replied to your email earlier... here was my response, thank you!

    VS’s realtime scanner is not active yet, but it will be soon. VS will then scan your running processes and malware hiding spots, and it will all be automated.

    This feature will be enabled within a month or two, so for now, you will have to rely on other scanners.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
guest, I am extremely disappointed in you (this time)... you are smarter than that (and I am not just saying that) ;). Almost ALL malware is executed from phishing / drive-by / exploits.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Why even run it in a sandbox? It is an unknown file. Why even take the chance if it is a brand new file? It is not like the world is going to end if you do not run a silly executable file on your computer.

    Besides, running the file in a sandbox is okay for advanced users... but novices and average users have never even heard of a sandbox, and how to properly deal with it.

    Sure, execute the file on a remote sandbox to see if it is malicious... that is cool, but malware has countermeasures / anti-sandboxing. So if it is unknown or questionable, just do not run it.

    It reminds me of an old joke (I had to tone this down and modify it a little). A teenager tells his dad that his feet smell. And his dad says "well, quit smelling them".

    Unless you are a malware / pen tester, you have no business executing unknown or questionable files. And of course, when the computer is at risk, it needs to be locked ;).
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    #28

    ;)
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Hehehe, Krusty, are you confirming that I am unable to find their ML/AI detection, or did I miss something ;).
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Perhaps you missed it. The Trojan.Gen detections are signature-less.
    Intrusion Prevention System

    • 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3)
    • 23737 (Attack: Shellcode Download Activity)
    • 30018 (OS Attack: MSRPC Remote Management Interface Bind)
    • 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2)
    • 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution)
    • 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144)
    • 22534 (System Infected: Malicious Payload Activity 9)
    • 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)
    • 29064 (System Infected: Ransom.Ransom32 Activity)
     
  10. guest

    guest Guest

What I meant is that it all falls under the general use of "safe habits" or not; malware very rarely pops up in your system out of the blue.
The users always involuntarily (or not) looked for trouble by clicking an unknown/suspicious link, reading mail from unknown senders, executing (as you said) silly files, etc... (aka curiosity), which triggers the attack vectors you mentioned.

The problem in our modern society is that nothing can prevent someone from looking for something he really wants, even if you warn him about the risk.

I don't say security softs are useless; if that were the case I wouldn't promote those I am using. I just say you can't prevent human nature from putting itself at risk.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I seriously am confused now... those links are all old links, dating back to 2010.

    It looks like Symantec was quick to discover wcry, and honestly, it does not matter if they use traditional methods or ML/Ai, it is just cool that they discovered it quickly.

    My post was mainly about how maybe not all ML/Ai is the same... it is kind of up in the air.

    But if you have a link that shows that their ML/Ai picked up on it, I would really appreciate seeing it.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
I see what you are saying. But we actually can prevent human nature from putting itself at risk (while still allowing the obviously good stuff). It is coming soon in our enterprise web management console. And for example, parents who do not want their children to infect the computer can adjust VS's settings so that their children are limited... although it would not be a bad idea to have a mode for this.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  14. guest

    guest Guest

That's stupid, people can't rely on whitelists from 3rd parties in order to execute a file or not.
I can't install something because the file is unknown to my AV?
     
  15. guest

    guest Guest

That is why I promote SRPs and anti-exes over all other methods to secure a workstation; however, those models can't fit the Average Joe's frenetic need to execute/install whatever he sees.
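The SRP/anti-exe model in this post and the opening post's "unknown or questionable files should never be executed" are the same default-deny idea, so here is a minimal hash-keyed default-deny check as an added example. It is not part of this thread and is not VoodooShield's, Symantec's or any other vendor's code. The SHA-256 for WannaCry.exe is the one quoted in the opening post; the allowlist, the sample bytes and the approve() helper (standing in for the "click the balloon" approval step) are constructed assumptions for illustration.

```python
import hashlib
from enum import Enum

# SHA-256 quoted in the thread's opening post for WannaCry.exe.
WANNACRY_SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"


class Verdict(Enum):
    ALLOW = "allow"                      # hash is on the local allowlist
    BLOCK_KNOWN_BAD = "block-known-bad"  # hash is on a blocklist
    BLOCK_UNKNOWN = "block-unknown"      # never seen before: default deny


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the identity the thread compares engines on."""
    return hashlib.sha256(data).hexdigest()


def decide(file_bytes: bytes, allowlist: set, blocklist: set) -> Verdict:
    """Default-deny execution policy keyed on file hash.

    Order matters: a known-bad hash is refused even if someone managed to
    put it on the allowlist, and anything that is neither known-good nor
    known-bad is refused simply because it is unknown.
    """
    digest = sha256_hex(file_bytes)
    if digest in blocklist:
        return Verdict.BLOCK_KNOWN_BAD
    if digest in allowlist:
        return Verdict.ALLOW
    return Verdict.BLOCK_UNKNOWN


def approve(file_bytes: bytes, allowlist: set, blocklist: set) -> bool:
    """Record an explicit user/admin approval (hypothetical helper).

    Returns True if the hash was added to the allowlist. A hash on the
    blocklist can never be approved this way, so a user prompt cannot
    override a known-bad verdict.
    """
    digest = sha256_hex(file_bytes)
    if digest in blocklist:
        return False
    allowlist.add(digest)
    return True


# Constructed sample inputs (not real binaries) so the block runs offline.
TRUSTED_SAMPLE = b"MZ constructed bytes standing in for a vetted installer"
UNKNOWN_SAMPLE = b"MZ constructed bytes standing in for a never-seen file"

ALLOWLIST = {sha256_hex(TRUSTED_SAMPLE)}
BLOCKLIST = {WANNACRY_SHA256}


if __name__ == "__main__":
    for name, sample in (("trusted", TRUSTED_SAMPLE), ("unknown", UNKNOWN_SAMPLE)):
        print(f"{name}: {decide(sample, ALLOWLIST, BLOCKLIST).value}")
    # After an explicit approval the previously unknown file is allowed.
    approve(UNKNOWN_SAMPLE, ALLOWLIST, BLOCKLIST)
    print(f"unknown after approval: {decide(UNKNOWN_SAMPLE, ALLOWLIST, BLOCKLIST).value}")
```

The point of the ordering in decide() is the one both posts make from different sides: the unknown file is blocked without needing any AI score at all, and the only way it runs is a deliberate approval that a known-bad hash can never obtain.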
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Would you execute a totally unknown file with a high VoodooAi score? A better question... would you want the teller at your bank to execute a totally unknown file with a high VoodooAi score?
     
  18. guest

    guest Guest

@VoodooShield see my point? :D
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If users can deal with UAC, they can deal with VS.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Honestly, no. Just do not run the damn file.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I see the post I quoted has been edited.

Dan, I have no inside knowledge of Symantec's detection of this ransomware, but as they pointed out: "Symantec and Norton customers are protected against WannaCry using a combination of technologies."

    Cheers!
     
  22. guest

    guest Guest

    rewind a bit:

    see?
conclusion: If they really want to, humans will override the security soft.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was simply pointing out that VoodooAi nailed WannaCry, and most other ML/Ai's missed it. I was actually quite surprised... usually they all pretty much agree.

    Cool, I do not care what detects it, as long as it is detected... I was just comparing ML/Ai engines, because truly, they are the only ones that are adept enough to detect zero days. But then again, when they miss zero days, they will always be shown as a miss on VT.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, if for example, VS was blocking software that the user really wants to install, then they have to click on the balloon and prompt.

    Please suggest a better way ;).
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    All that I am saying is that the computer should be locked when it is at risk. If you disagree, please let me know why, and an alternative to fix the malware epidemic ;).

    (And I am also saying that VoodooAi HAPPENED to do extremely well with WannaCry, when most of the other ML/Ai "solutions" failed).
     