Serious Discussion Deep Instinct | Deep Learning AI Cybersecurity Platform

[Trident]

I totally get that But so far worth the trip...

Now you understand Endpoint Security.

I will have to contact Deep Instinct and enquire about this. If it’s not isolated and/or logically explained I will issue a replacement policy with immediate effect unfortunately.

Update: Email sent to Deep Instinct with all relevant information.

 

[kamiloxf]

I just got home and did the tests with it on full blast...
Now DeepInstinct detects malware much faster, but still the same problem...

Example on this sample... malicious on VirusTotal or that my agent did not react during the download and the copy...

VirusTotal

VirusTotal

www.virustotal.com

 

[Shadowra]

View attachment 275431

How did you set up the detection?

Another...

VirusTotal

VirusTotal

www.virustotal.com

 

[Shadowra]

Very weird…

In my VM with Edge and Chrome...

Firefox => No detected but detected in run

 

[simmerskool]

How did you set up the detection?

Another...

VirusTotal

VirusTotal

www.virustotal.com

Re Di + MS Defender: I just recevied reply from CyF re this...
"Integrate with windows security center basically tells defender to let DI do what it wants first then defender will look at things. However there is no harm not having checked as DI is usually faster than defender anyway."

Is Di integration the same as "registering" Di with Windows Security Center? He is saying either way is ok. The default is unchecked (disabled) re this "integration." But he makes it sound like typically you do enable that switch to integrate.

 

[Shadowra]

Re Di + MS Defender: I just recevied reply from CyF re this...
"Integrate with windows security center basically tells defender to let DI do what it wants first then defender will look at things. However there is no harm not having checked as DI is usually faster than defender anyway."

Is Di integration the same as "registering" Di with Windows Security Center? He is saying either way is ok. The default is unchecked (disabled) re this "integration." But he makes it sound like typically you do enable that switch to integrate.

For the moment I have noticed that DI is faster to detect when I am on Chromium (Chrome, Opera, Brave, Edge etc) than on Firefox...

 

[Trident]

In my VM with Edge and Chrome...

View attachment 275432

Firefox => No detected but detected in run

This means they hook Chromium-based browsers somewhere (there are few memory locations where browser can be hooked) and get information about files you download. Downloaded files are subjected to a more rigorous check. This is the explanation for this sample. The other one was not detected at all (the quasar)?

 

[Shadowra]

This means they hook Chromium-based browsers somewhere (there are few memory locations where browser can be hooked) and get information about files you download. Downloaded files are subjected to a more rigorous check. This is the explanation for this sample. The other one was not detected at all (the quasar)?

Now detected (dropper) on Chrome with DI

 

[Trident]

Alright well it seems it’s working fine. As long as there is no Mozilla in the environment

Ok. Now we got the explanation. Similar to other solutions (or actually let’s name and shame them: Defender), Deep Instinct supports Chromium-based browsers and runs additional machine learning models on files that come from the internet (like many others).

I am curious what their response will be

 

[kamiloxf]

The file named baz_uniq.exe is also detected and blocked

 

[simmerskool]

FYI Di Dashboard & my 2 powershell script blocked events. It is not displayed on Main screen, it can be found 2 more clicks in, Events | default opens to Malicious so next click is next to Malicious | Suspicious Events.
CyF tech suggested change Powershell setting "to detect instead of prevent."
Something to consider, or not?
EDIT: for now I followed CyF tech advice | changed prevent to detect. so I think (suspect) that Di can tell the difference from "normal" not malicious (not generally malicious) powershell event from a malicious one, and it may block a malicious one based on another setting: that is, the way mine was set was too tight, I don't know for sure, that's a level I'm not at yet.

 

[Trident]

CyF tech suggested change Powershell setting "to detect instead of prevent."

No, because then it will not do anything, it will just send notification to the console and wait on your action. Not recommended.

 

[simmerskool]

No, because then it will not do anything, it will just send notification to the console and wait on your action. Not recommended.

That's what I was "afraid" of Let me reopen that screen, timeout...
I see two settings: | Script Protection | Deep Script Analysis at the top of this page
Malicious PowerShell Command Execution is set to Prevent
Di info comment (Defines the action that is performed on Powershell commands with malicious content)
____________________________________________________________
bottom half of same screen
Script Control
PowerShell execution is now set to Detect (was set to Prevent) CyF said Prevent will block good powershell commands that windows needs...

I am no expert (did anyone suspect anything different?) But not every powershell command is malicious, right? How do you tell? I'm expecting Di to figure that one out unrealistic?? Or the 2 scripts blocked overnight perhaps should have not been blocked? And if user has to write a specific rule for each action in windows, that seems unrealistic. Don't get me wrong, I am not saying you are wrong, but should Di be blocking good scripts at 3:55 AM while I'm usually sleeping.

And now seeing the full breakdown of the powershell script block: process chain wininit.exe -> services.exe -> svchost.exe -> CompatTelRunner.exe -> CompatTelRunner.exe -> powershell.exe |
User Name | NT Authority\System

Seeing all the info is Di_nice! Sounds like MS phoning home?? (can't share screenshot as I'm in VM, Di on Host)
So you're saying (I think) better on Prevent, but then when you see an event like this, Di should let user specifically allow that script from that source change the next time. And that's the better procedure every time something like this happens.

 

[Trident]

PowerShell execution is now set to Detect (was set to Prevent) CyF said Prevent will block good powershell commands that windows needs...

This one will block PowerShell from launching. It is my favourite but I recommend on your system you keep it on “detect”.

Figuring out what’s malicious is the home AVs way. Businesses are not that sparing.

 

[Andy Ful]

The DI engine was tested by AV-Comparatives a few months ago:

https://assets.virustotal.com/reports/spc_fdt_deepinstinct_202212_en.pdf

Test Results for DI engine (PE files):
malware detection rate 92.4%
False Alarm rate 0

From other sources, it follows that DI can be a strong protection against ransomware attacks.
DI should enhance Defender protection because Defender's local AI is not so strong.

Edit.
For comparison:

https://www.av-comparatives.org/wp-content/uploads/2022/05/spc_google_vt_202205.pdf

 

[Kongo]

Now detected (dropper) on Chrome with DI

Please screenshot your settings for "Deep Static Analysis"

 

[simmerskool]

This one will block PowerShell from launching. It is my favourite but I recommend on your system you keep it on “detect”.

Figuring out what’s malicious is the home AVs way. Businesses are not that sparing.

ok, I agree at least for now. And really happy I dug a little deeper on this one, it led me to the screen with ALL the info about that 3:55 AM powershell event. Much easier for me to get to the next level (whatever that is) by seeing and experiencing these things, rather than just reading about them. Or the longer I have Di on my win10 the more I'm liking it.
PS Di just blocked an app I know is good -- Di Behavioral Analysis did not like Reflective DLL Injection Behavior. I see this as a positive thing. I can double check this, let the author know that maybe there's a better way for him to code this, and I can also allow it run next time I use that app. This is what I've been wanting.

 

[Trident]

Di Behavioral Analysis did not like Reflective DLL Injection Behavior

Can’t blame DI, I don’t like this behaviour either. There is a setting there which you can modify or you can allow this app. Since you know it is safe.

 

[simmerskool]

Can’t blame DI, I don’t like this behaviour either. There is a setting there which you can modify or you can allow this app. Since you know it is safe.

Right I saw this a plus for Di, it is working, I don't mind at all that Di blocked this app because of a suspicious dll. I see it as alerting me to something I should be aware of. +++
EDIT perhaps also interesting (to me) that Di did not detect this with it Deep static analysis scan.

 

[Trident]

Right I saw this a plus for Di, it is working, I don't mind at all that Di blocked this app because of a suspicious dll. I see it as alerting me to something I should be aware of. +++
EDIT perhaps also interesting (to me) that Di did not detect this with it Deep static analysis scan.

Static analysis by nature (I found an article linked below ) doesn’t care about instructions and frequently they will be obfuscated in a way that even if desired, it won’t be achieved. Detecting behaviour is for dynamic analysis (emulation) as well as behavioural blocking. Static analysis looks at PE structures and other attributes. This is why it can’t be detected and DI does not rely only on detection.

Malware Analysis 101 - Basic Static Analysis

A continuation of my previous write-up “Malware Analysis 101”, this explains the basic of Basic Static Malware Analysis.

infosecwriteups.com

Detecting Malware Pre-execution with Static Analysis and Machine Learning

Until recently, we haven't been focusing on static analysis malware detection because we believed dynamic has the most potential long term. This changed today. Learn more!

www.sentinelone.com