Serious Discussion Deep Instinct | Deep Learning AI Cybersecurity Platform

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I totally get that :ROFLMAO: But so far worth the trip...
Now you understand Endpoint Security.

I will have to contact Deep Instinct and enquire about this. If it’s not isolated and/or logically explained I will issue a replacement policy with immediate effect unfortunately.

Update: Email sent to Deep Instinct with all relevant information.

kamiloxf

Level 1
Apr 3, 2016
36
I just got home and did the tests with it on full blast...
Now DeepInstinct detects malware much faster, but still the same problem...

Example on this sample... malicious on VirusTotal or that my agent did not react during the download and the copy...



simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
How did you set up the detection?

Another...
Re Di + MS Defender: I just received reply from CyF re this...
"Integrate with windows security center basically tells defender to let DI do what it wants first then defender will look at things. However there is no harm not having checked as DI is usually faster than defender anyway."

Is Di integration the same as "registering" Di with Windows Security Center? He is saying either way is ok. The default is unchecked (disabled) re this "integration." But he makes it sound like typically you do enable that switch to integrate. :unsure::unsure:
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,631
Re Di + MS Defender: I just received reply from CyF re this...
"Integrate with windows security center basically tells defender to let DI do what it wants first then defender will look at things. However there is no harm not having checked as DI is usually faster than defender anyway."

Is Di integration the same as "registering" Di with Windows Security Center? He is saying either way is ok. The default is unchecked (disabled) re this "integration." But he makes it sound like typically you do enable that switch to integrate. :unsure::unsure:

For the moment I have noticed that DI is faster to detect when I am on Chromium (Chrome, Opera, Brave, Edge etc) than on Firefox...


Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
In my VM with Edge and Chrome...


Firefox => Not detected, but detected on run
This means they hook Chromium-based browsers somewhere (there are a few memory locations where the browser can be hooked) and get information about the files you download. Downloaded files are subjected to a more rigorous check. This is the explanation for this sample. The other one was not detected at all (the quasar)?
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,631
This means they hook Chromium-based browsers somewhere (there are a few memory locations where the browser can be hooked) and get information about the files you download. Downloaded files are subjected to a more rigorous check. This is the explanation for this sample. The other one was not detected at all (the quasar)?

Now detected (dropper) on Chrome with DI
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Alright well it seems it’s working fine. As long as there is no Mozilla in the environment 😀

Ok. Now we got the explanation. Similar to other solutions (or actually let’s name and shame them: Defender), Deep Instinct supports Chromium-based browsers and runs additional machine learning models on files that come from the internet (like many others).

I am curious what their response will be 😀
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
FYI Di Dashboard & my 2 powershell script blocked events. It is not displayed on Main screen, it can be found 2 more clicks in, Events | default opens to Malicious so next click is next to Malicious | Suspicious Events.
CyF tech suggested change Powershell setting "to detect instead of prevent."
Something to consider, or not? :unsure:
EDIT: for now I followed CyF tech advice | changed prevent to detect. So I think (suspect) that Di can tell the difference between a "normal" not malicious (not generally malicious) powershell event and a malicious one, and it may block a malicious one based on another setting: that is, the way mine was set was too tight. I don't know for sure, that's a level I'm not at yet. :whistle:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
No, because then it will not do anything, it will just send notification to the console and wait on your action. Not recommended.
That's what I was "afraid" of :eek: Let me reopen that screen, timeout...
I see two settings: | Script Protection | Deep Script Analysis at the top of this page
Malicious PowerShell Command Execution is set to Prevent
Di info comment (Defines the action that is performed on Powershell commands with malicious content)
____________________________________________________________
bottom half of same screen
Script Control
PowerShell execution is now set to Detect (was set to Prevent) CyF said Prevent will block good powershell commands that windows needs...

I am no expert (did anyone suspect anything different?) But not every powershell command is malicious, right? How do you tell? I'm expecting Di to figure that one out 😅 unrealistic?? :rolleyes: Or the 2 scripts blocked overnight perhaps should have not been blocked? And if user has to write a specific rule for each action in windows, that seems unrealistic. Don't get me wrong, I am not saying you are wrong, but should Di be blocking good scripts at 3:55 AM while I'm usually sleeping. :unsure::unsure:

And now seeing the full breakdown of the powershell script block: process chain wininit.exe -> services.exe -> svchost.exe -> CompatTelRunner.exe -> CompatTelRunner.exe -> powershell.exe |
User Name | NT Authority\System

Seeing all the info is Di_nice! Sounds like MS phoning home?? (can't share screenshot as I'm in VM, Di on Host)
So you're saying (I think) better on Prevent, but then when you see an event like this, Di should let user specifically allow that script from that source change the next time. And that's the better procedure every time something like this happens.
 
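The idea in the post above (keep PowerShell on Prevent, and when an event like the CompatTelRunner chain shows up, allow that script from that specific source next time) can be written down as a small triage rule over the process chain and account that Di shows in its event view. This is an added illustration, not Deep Instinct's code; the known-benign chain list, the risky-parent set, the account string and the verdict names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Known-benign launch chains, matched as a suffix of the observed chain. This entry mirrors
# the Compatibility Telemetry chain from the thread; account string and label are assumed.
KNOWN_BENIGN_CHAINS: List[Dict] = [{
    "suffix": ("services.exe", "svchost.exe", "compattelrunner.exe", "powershell.exe"),
    "user": "nt authority\\system",
    "label": "windows-compatibility-telemetry",
}]
# Parents that should never earn an allow rule for PowerShell (assumed list).
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}

@dataclass
class PowerShellEvent:
    chain: Tuple[str, ...]  # root -> ... -> powershell.exe, as in the DI event view
    user: str
    command_line: str = ""

# Constructed event mirroring the 3:55 AM block described in the thread.
THREAD_EVENT = PowerShellEvent(
    chain=("wininit.exe", "services.exe", "svchost.exe", "CompatTelRunner.exe",
           "CompatTelRunner.exe", "powershell.exe"),
    user="NT Authority\\System")

def normalize_chain(chain: Tuple[str, ...]) -> Tuple[str, ...]:
    """Lowercase and collapse a process that re-launches itself (the thread's chain
    lists CompatTelRunner.exe twice in a row) so suffix matching still works."""
    out: List[str] = []
    for name in chain:
        name = name.lower()
        if not out or out[-1] != name:
            out.append(name)
    return tuple(out)

def has_encoded_command(cmd: str) -> bool:
    """True for any abbreviation of -EncodedCommand (-e, -ec, -enc, ...)."""
    return any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in cmd.lower().split())

def triage(event: PowerShellEvent) -> Dict[str, str]:
    """Decide whether a blocked launch is a candidate for a per-source allow rule."""
    chain = normalize_chain(event.chain)
    if has_encoded_command(event.command_line):
        return {"verdict": "keep-blocked", "reason": "encoded command line"}
    if risky := RISKY_PARENTS.intersection(chain[:-1]):
        return {"verdict": "keep-blocked", "reason": f"launched via {sorted(risky)[0]}"}
    for rule in KNOWN_BENIGN_CHAINS:
        if chain[-len(rule["suffix"]):] == rule["suffix"] and event.user.lower() == rule["user"]:
            return {"verdict": "allow-rule", "reason": rule["label"]}
    return {"verdict": "keep-blocked", "reason": "no matching known-benign chain"}
```

The same chain launched by an interactive user, or with an encoded command line, stays blocked; only the SYSTEM telemetry chain becomes an allow-rule candidate.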

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
PowerShell execution is now set to Detect (was set to Prevent) CyF said Prevent will block good powershell commands that windows needs...
This one will block PowerShell from launching. It is my favourite but I recommend on your system you keep it on “detect”.

Figuring out what’s malicious is the home AVs way. Businesses are not that sparing.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
The DI engine was tested by AV-Comparatives a few months ago:

Test Results for DI engine (PE files):
malware detection rate 92.4%
False Alarm rate 0

From other sources, it follows that DI can be a strong protection against ransomware attacks.
DI should enhance Defender protection because Defender's local AI is not so strong.

Edit.
For comparison:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
This one will block PowerShell from launching. It is my favourite but I recommend on your system you keep it on “detect”.

Figuring out what’s malicious is the home AVs way. Businesses are not that sparing.
ok, I agree at least for now. ;) And really happy I dug a little deeper on this one, it led me to the screen with ALL the info about that 3:55 AM powershell event. Much easier for me to get to the next level (whatever that is) by seeing and experiencing these things, rather than just reading about them. Or the longer I have Di on my win10 the more I'm liking it. :D
PS Di just blocked an app I know is good -- Di Behavioral Analysis did not like Reflective DLL Injection Behavior. I see this as a positive thing. :D I can double check this, let the author know that maybe there's a better way for him to code this, and I can also allow it run next time I use that app. This is what I've been wanting.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
Can’t blame DI, I don’t like this behaviour either. There is a setting there which you can modify or you can allow this app. Since you know it is safe.
Right I saw this a plus for Di, it is working, I don't mind at all that Di blocked this app because of a suspicious dll. I see it as alerting me to something I should be aware of. +++
EDIT perhaps also interesting (to me) that Di did not detect this with its Deep Static Analysis scan.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Right I saw this a plus for Di, it is working, I don't mind at all that Di blocked this app because of a suspicious dll. I see it as alerting me to something I should be aware of. +++
EDIT perhaps also interesting (to me) that Di did not detect this with its Deep Static Analysis scan.
Static analysis by nature (I found an article linked below 👇🏻) doesn’t care about instructions and frequently they will be obfuscated in a way that even if desired, it won’t be achieved. Detecting behaviour is for dynamic analysis (emulation) as well as behavioural blocking. Static analysis looks at PE structures and other attributes. This is why it can’t be detected and DI does not rely only on detection.

 
