danb

From VoodooShield
Verified
Developer
The term "next-gen" is meaningless, which is why we have never and will never use that term in our marketing ;). I think he means something outside the box.

The OP posed a great question. A tough question. Also, I think it is important to exclude anything that is a clone of another tech.

BTW, I read the other day that some company was trying to implement blockchain into their engine. I could be completely wrong about this, but I do not see how blockchain is going to help in any meaningful way... I guess we will see.
 

McMcbrad

Level 10
The term "next-gen" is meaningless, which is why we have never and will never use that term in our marketing ;). I think he means something outside the box.

The OP posed a great question. A tough question. Also, I think it is important to exclude anything that is a clone of another tech.

BTW, I read the other day that some company was trying to implement blockchain into their engine. I could be completely wrong about this, but I do not see how blockchain is going to help in any meaningful way... I guess we will see.
I honestly can't even see that applied in practice. What benefit are they seeing in that?
 

danb

From VoodooShield
Verified
Developer
I honestly can't even see that applied on practice. What benefit are they seeing in that?
I don't get it either... perhaps we have overlooked something ;).

BTW, one reason I think it is such a great question is because the scope is specifically narrowed to Detection.

Honestly, I think detection is currently about as good as it is ever going to get, with sigs, BB, ML/AI, etc. It might get a little better in 20-40 years when AI reaches Artificial General Intelligence... but then the malcoders will be utilizing the same tools, so it will be a wash.
 

danb

From VoodooShield
Verified
Developer
WiseVector StopX
Yeah, I have heard a lot of great things about WV recently and have considered pairing VS with WV because WD is quite slow and not at all user-friendly, so I ran a test (unlisted on youtube)…


WV did pretty well with the really bad malware, but as you can see, they probably need to add some more PUPs to their training data sets.
 

danb

From VoodooShield
Verified
Developer
Adding PUPs to their training set might increase false positives and this is already a product, not coupled with a whitelist. PUPs are just a step away from a fully legit program.
Very true, but they could create a completely different algo and training data set just for PUPs, then make PUP detection optional.

Most of these PUPs are pretty bad PUPs... most of them are much closer to real malware. You would not want any of them on your machine, but on the other hand, they are not nearly as bad as a lot of stuff that is out there.
 

McMcbrad

Level 10
Very true, but they could create a completely different algo and training data set just for PUPs, then make PUP detection optional.

Most of these PUPs are pretty bad PUPs... most of them are much closer to real malware. You would not want any of them on your machine, but on the other hand, they are not nearly as bad as a lot of stuff that is out there.
Anomaly detection would be better in this case, if trained properly, with a large set of trusted programs and installers. And still, identifying them manually and creating simple, generic heuristics would be the best.
 
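The one-class approach McMcbrad describes (learn what trusted programs look like, then flag whatever sits far outside that distribution) can be sketched in a few dozen lines. The block below is an added example, not code from VoodooShield, WiseVector or anyone in this thread. The feature vectors are constructed by hand (size in KB, byte entropy, import count, section count), the robust z-score detector and the 3.5 threshold are the assumed technique, and the third candidate deliberately shows the false-positive problem raised later in the thread: a legitimate but unusually large installer scores as anomalous simply because nothing like it was in the trusted set.

```python
"""Added example: one-class anomaly scoring of executables trained only on
trusted programs. Constructed data, not real product code or real samples."""
from statistics import median

FEATURE_NAMES = ("size_kb", "entropy", "import_count", "section_count")

# Constructed feature vectors for a set of trusted programs/installers.
TRUSTED = [
    (1200, 6.1, 180, 5),
    (850, 6.3, 140, 5),
    (2400, 6.0, 210, 6),
    (640, 6.4, 95, 4),
    (3100, 5.9, 260, 6),
    (970, 6.2, 150, 5),
    (1500, 6.1, 175, 5),
    (720, 6.5, 110, 4),
]


def fit_baseline(samples):
    """Per-feature (median, scale). Scale is 1.4826 * MAD, which makes the
    median absolute deviation comparable to a standard deviation for
    normal-ish data while being much less sensitive to a few odd trusted
    samples than the mean/stddev would be. A floor keeps a constant feature
    from dividing by zero."""
    baseline = []
    for col in zip(*samples):
        med = median(col)
        mad = median(abs(x - med) for x in col)
        baseline.append((med, max(1.4826 * mad, 1e-9)))
    return baseline


def score(sample, baseline):
    """Robust z-score per feature; the anomaly score is the worst feature.
    Returns (score, name_of_worst_feature)."""
    zs = {
        name: abs(x - med) / scale
        for name, x, (med, scale) in zip(FEATURE_NAMES, sample, baseline)
    }
    worst = max(zs, key=zs.get)
    return zs[worst], worst


def classify(sample, baseline, threshold=3.5):
    """3.5 is the usual cut-off for robust z-scores (assumed here, not tuned
    on anything). Returns (verdict, rounded_score, worst_feature)."""
    s, feature = score(sample, baseline)
    return ("anomalous" if s > threshold else "normal"), round(s, 2), feature


# Constructed candidates: a packed bundler-style installer, a legitimate but
# unusually large game installer, and an ordinary utility.
CANDIDATES = {
    "packed_bundler": (450, 7.9, 12, 3),
    "big_game_installer": (48000, 6.2, 40, 5),
    "plain_utility": (1100, 6.2, 160, 5),
}


def evaluate(candidates=CANDIDATES, trusted=TRUSTED):
    baseline = fit_baseline(trusted)
    return {name: classify(vec, baseline) for name, vec in candidates.items()}


if __name__ == "__main__":
    for name, (verdict, s, feature) in evaluate().items():
        print(f"{name:20s} {verdict:9s} score={s:6.2f} driven by {feature}")
```

The packed installer is flagged on entropy, which is the signal you would hope for; the large installer is flagged on size alone, which is exactly the kind of false positive that makes pure anomaly detection hard to ship without an allowlist or a second opinion behind it.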

danb

From VoodooShield
Verified
Developer
Yeah, I have played around with anomaly detection machine learning algos and it makes sense that would be the way to go, but I personally never had much luck with these. Same with deep learning and neural networks... they certainly work, but not much better than binary classification algos.

No matter what detection mechanism you use, it is going to fail. Turing taught us this 80 or so years ago. To me, it is best to cut your losses and only allow known safe items ;).
 
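The "only allow known safe items" position above is a default-deny allowlist, and the simplest form of it keys on file content rather than on a classifier's opinion. The block below is an added example, not VoodooShield's implementation: the trusted binary, the tampered copy and the unknown installer are all constructed in a temporary directory, and the SHA-256 allowlist is the assumed mechanism. It shows the three outcomes that matter for this argument: a byte-identical copy under another name is allowed, a one-byte modification of a trusted file is blocked, and an unknown program is blocked regardless of whether it is malware, a PUP or perfectly legitimate.

```python
"""Added example: default-deny execution control keyed on SHA-256 of file
content. Constructed files in a temp dir; not any product's code."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(trusted_paths):
    """Map digest -> the path it was vetted under. Identity is the content,
    so renaming or copying a trusted binary does not change its verdict."""
    return {sha256_file(p): p for p in trusted_paths}


def decide(path, allowlist):
    """Default deny: unknown means blocked. There is no 'probably fine' state,
    which is the whole point and also the usability cost of this model."""
    digest = sha256_file(path)
    return ("allow" if digest in allowlist else "block"), digest


def demo():
    """Runs the three scenarios and returns their verdicts."""
    with tempfile.TemporaryDirectory() as d:

        def write(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        trusted_bytes = b"MZ\x90\x00 constructed trusted editor build 1.0"
        good = write("editor.exe", trusted_bytes)
        allowlist = build_allowlist([good])

        copied = write("editor_copy.exe", trusted_bytes)          # same content
        tampered = write("editor_patched.exe", trusted_bytes + b"\x90")  # one byte appended
        unknown = write("toolbar_setup.exe", b"MZ\x90\x00 constructed bundled toolbar")

        return {
            "copied_trusted_binary": decide(copied, allowlist)[0],
            "tampered_trusted_binary": decide(tampered, allowlist)[0],
            "unknown_program": decide(unknown, allowlist)[0],
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

Note what the allowlist does not do: it says nothing about whether the blocked unknown is a PUP or a trusted program nobody has vetted yet. That is the trade-off the thread is circling; default-deny sidesteps the detection question by refusing to answer it.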

roger_m

Level 31
Verified
Content Creator
Most of these PUPs are pretty bad PUPs... most of them are much closer to real malware. You would not want any of them on your machine, but on the other hand, they are not nearly as bad as a lot of stuff that is out there.
I've spent many years testing every PUP I've been able to find. In my opinion anything that is actually malicious can be classified as malware, whereas actual PUPs are not malicious and can usually be easily uninstalled. They certainly can be an annoyance, particularly when they come bundled as unwanted with other software, and in some cases can cause problems. For example, a cleaning app which has an unsafe registry cleaner that mistakenly deletes important registry keys. But in that example, any problems caused are not intentional, but rather due to a poorly coded registry cleaner.

While it is good to be able to remove PUPs from the point of view that they can be an annoyance, on the other hand, if they're not actually doing anything malicious and can be uninstalled, then I don't think the ability to have an excellent detection rate for PUPs is too critical, particularly when it could possibly increase false positives.

Can you give some examples of PUPs, which as you said - are closer to real malware? I'm just curious.
 

McMcbrad

Level 10
In my opinion only misleading apps, apps with no clear privacy policy and apps with no proper uninstall routine should be covered by PUP detection. Some of these can't be detected with machine learning algos, behavioural blocker or any other automated classification system. They have to be manually detected and then signatures/heuristics can be created/tweaked.
Everything else might be removed at user's discretion.
 

danb

From VoodooShield
Verified
Developer
I've spent many years testing every PUP I've been able to find. In my opinion anything that is actually malicious can be classified as malware, whereas actual PUPs are not malicious and can usually be easily uninstalled. They certainly can be an annoyance, particularly when they come bundled as unwanted with other software, and in some cases can cause problems. For example, a cleaning app which has an unsafe registry cleaner that mistakenly deletes important registry keys. But in that example, any problems caused are not intentional, but rather due to a poorly coded registry cleaner.

While it is good to be able to remove PUPs from the point of view that they can be an annoyance, on the other hand, if they're not actually doing anything malicious and can be uninstalled, then I don't think the ability to have an excellent detection rate for PUPs is too critical, particularly when it could possibly increase false positives.

Can you give some examples of PUPs, which as you said - are closer to real malware? I'm just curious.
Here is an example... SAP has been labeled by reputable AVs as a PUP for a very long time, even though it is not.

[Image attachment: SAP VT.PNG]

When a PUP trashes your computer, spies on you, corrupts your files or OS, etc... then that is a bad PUP.

Here are the samples used in the WV PUP test, feel free to install them on your computer.

hxxps://drive.google.com/file/d/1-jCMgNjCMPk2RypMnunZ49mQWEmNE8SN/view?usp=sharing

Please let me know if you understand the distinction.
 

danb

From VoodooShield
Verified
Developer
In my opinion only misleading apps, apps with no clear privacy policy and apps with no proper uninstall routine should be covered by PUP detection. Some of these can't be detected with machine learning algos, behavioural blocker or any other automated classification system. They have to be manually detected and then signatures/heuristics can be created/tweaked.
Everything else might be removed at user's discretion.
Please see above ;).