Serious Discussion: Deep Instinct | Deep Learning AI Cybersecurity Platform

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,604
One more update from CyF tech. He said to go ahead and integrate Di with Windows Security Service - just enable that switch. He does not mention what happens to MS Defender, other than implied from his email in my earlier post.
Would appreciate comments re this? thanks.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
One more update from CyF tech. He said to go ahead and integrate Di with Windows Security Service - just enable that switch. He does not mention what happens to MS Defender, other than implied from his email in my earlier post.
Would appreciate comments re this? thanks.
Once you integrate DI to WSC it will disable Defender. Nothing else will happen apart from that 😀

You should perform an accurate risk assessment and determine if you need Defender or not. My recommendation is to install something like Avast Web Shield (just that) alongside DI, as it offers no anti-bot/IPS and URL blocking. I don’t think Defender is necessary for most users.
If not, at least BD TrafficLight or something similar.
 

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,604
Once you integrate DI to WSC it will disable Defender. Nothing else will happen apart from that 😀

You should perform an accurate risk assessment and determine if you need Defender or not. My recommendation is to install something like Avast Web Shield (just that) alongside DI, as it offers no anti-bot/IPS and URL blocking. I don’t think Defender is necessary for most users.
If not, at least BD TrafficLight or something similar.
here is what the CyF tech wrote earlier: "Integrate with windows security center basically tells defender to let DI do what it wants first then defender will look at things." To me his comment states or implies that MS Defender is not disabled; hence my confusion. I have installed other AV on VM and sure they do disable Defender. For me the real question: tech says, just enable Di integration. Nothing else to do, no reboot, etc... But if I do that and I decide I don't like Di integration, how easy then to get MS Defender working again? I guess I'm a little skittish since ESET borked my win firewall (according to MS support).

ok! I did find something officially authoritative on page 130 of the Di Admin Guide | "Integrate D-Client with WSC, by default this feature is disabled...If Windows Defender (n/k/a MS Defender) is active and the D-Client integration is enabled, Windows Defender is disabled." How does that square with the CyF tech saying "...basically tells defender to let DI do what it wants first then defender will look at things." It's not like I want to run MS Defender, I just don't want to break MS Defender, and I want to have the ability to restore Defender without another win10 in-place upgrade :cautious: It is not stated or clear that once Di is integrated, if you subsequently disable it, that automatically and fully restores MS Defender.

Update on the app that Di blocked earlier due to Behavior Analysis | Reflective DLL Injection: I went into dashboard, found the event and had an option to add to allow list (paraphrase), did that, and shortly after got a new Di popup that it was "Restored, is safe and can be accessed." Easy... until I tried to access it again and got the same Threat Prevented. Posting this not because I'm annoyed, I'm not, I'm sure there's a tweak in there. Glad that it's working and preventing stuff Di thinks is bad. PS I sent an email to that app's developer but I speculate he is unlikely to fix this on his end.
EDIT also sent a message to CyF support. (I'm glad Di is catching "stuff")
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Please screenshot your settings for "Deep Static Analysis"

[attachment: Capture d’écran 2023-05-17 092416.png]
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@simmerskool Microsoft Defender is an integral part of Windows. Microsoft Defender’s state is managed by WSC. You have 2 options:
  • Register Deep Instinct in Security Centre. In this case the Security Centre itself will disable Defender shortly after, whilst leaving the Defender service active in memory and security intelligence updates (Win 11) will continue being downloaded. Once other solutions are unregistered (or sometimes even just disabled), Microsoft Defender will be re-enabled instantly.
  • Not to register Deep Instinct in Security Centre. In this case both solutions remain active. Whoever has the higher altitude in the minifilter will be the first to block malware. Defender provides cloud-first approach, whilst Deep Instinct serves as a local protection engine. It is recommended under Defender exclusions to add DI folders and under DI exclusions to add Defender’s folder.

Which one you will prefer is entirely up to you.

@piquiteco I don’t recommend using other antivirus solutions with Deep Instinct. I suggest users point their attention to web blocking and IPS/Anti-Bot. Avast Web Shield can quickly be installed on its own to provide anti-bot, anti-phishing and light IPS capabilities. It will greatly complement DI.

Now you have configured it contrary to how I mentioned in a previous post and even more gentle. Very high level threats will require a very high confidence. To run it in a more aggressive manner, select Moderate or Low.
 
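A way to see for yourself which of the two states described above a machine is actually in, as an added example that is not part of the original posts and is not Deep Instinct's or Microsoft's own documentation. It reads what Windows Security Center (WSC) has registered, what Defender reports about itself, and the minifilter altitudes that decide who sees a file operation first; the Deep Instinct install path and process name in the last function are assumptions, as the comments note, and the productState decoding is the community convention for an undocumented field.

```powershell
# Added example, not from the thread or from Deep Instinct/Microsoft docs.
# Run in an elevated PowerShell on Windows 10/11.

# (1) WSC registrations. productState is an undocumented bit field; the decoding
#     below is the widely used community convention, not a Microsoft-documented one:
#     bits 12-15 == 1 -> product enabled; bits 0-7 == 0x00 -> definitions up to date.
function Get-WscAntivirusState {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = ((($state -shr 12) -band 0xF) -eq 1)
                UpToDate = (($state -band 0xFF) -eq 0)
                Exe      = $_.pathToSignedProductExe
                RawState = ('0x{0:X6}' -f $state)
            }
        }
}

# (2) Defender's view of itself. With no other AV registered, AMRunningMode is
#     'Normal' and AntivirusEnabled is $true. Once a third-party product registers,
#     WSC turns Defender off: expect AntivirusEnabled to become $false and
#     AMRunningMode to leave 'Normal' (the exact label depends on whether the
#     machine is onboarded to Defender for Endpoint). Unregister the third-party
#     product and these flip back without a reinstall.
function Get-DefenderMode {
    Get-MpComputerStatus |
        Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled,
                      AMServiceEnabled, AntivirusSignatureLastUpdated
}

# (3) Minifilter altitudes (fltmc needs admin). A higher altitude sits higher in
#     the I/O stack, so its pre-operation callback runs first. WdFilter is
#     Defender's filter; the Deep Instinct driver is whatever appears beside it.
#     Header and separator lines are dropped by the numeric match on column 3.
function Get-FilterAltitudes {
    fltmc filters |
        ForEach-Object {
            $cols = $_.Trim() -split '\s+'
            if ($cols.Count -ge 4 -and $cols[2] -match '^[0-9.]+$') {
                [pscustomobject]@{
                    Filter    = $cols[0]
                    Instances = [int]$cols[1]
                    Altitude  = [double]$cols[2]
                    Frame     = $cols[3]
                }
            }
        } | Sort-Object Altitude -Descending
}

# (4) Defender-side exclusions for the side-by-side (unregistered) configuration.
#     The install path and process name are ASSUMPTIONS; take the real list from
#     the Deep Instinct deployment guide. The reverse exclusions (Defender's
#     folder inside Deep Instinct) are set in the DI console, not from here.
function Add-DeepInstinctExclusions {
    param(
        [string]$InstallDir = (Join-Path $env:ProgramFiles 'DeepInstinct'),  # assumed
        [string[]]$Processes = @('DeepUI.exe')                                # assumed
    )
    Add-MpPreference -ExclusionPath $InstallDir
    foreach ($p in $Processes) { Add-MpPreference -ExclusionProcess $p }
    Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess
}

Get-WscAntivirusState | Format-Table -AutoSize
Get-DefenderMode      | Format-List
Get-FilterAltitudes   | Format-Table -AutoSize
# Add-DeepInstinctExclusions   # uncomment after checking the real paths
```

Read the WSC table and the Get-MpComputerStatus output side by side: WSC only records who has announced themselves and whether it considers them on, while Get-MpComputerStatus tells you whether Defender is actually scanning. Running both before and after flipping the DI integration switch answers the "is Defender disabled, and does it come back" question directly instead of relying on how a support agent phrases it.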

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
In my VM with Edge and Chrome...

[attachment 275432]

Firefox => Not detected, but detected on run
If it only shows PUA and no more suffixes, this is from D-Cloud's cloud blacklist. Like Sophos, their cloud itself is only designed to be used for anti-PUA, not other types of malware. Only later did they use the cloud to control more explosive threats. If it's showing PUA and you're experiencing this, is it possible that your connection to D-Cloud is unstable?
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
If it only shows PUA and no more suffixes, this is from D-Cloud's cloud blacklist. Like Sophos, their cloud itself is only designed to be used for anti-PUA, not other types of malware. Only later did they use the cloud to control more explosive threats. If it's showing PUA and you're experiencing this, is it possible that your connection to D-Cloud is unstable?

I'm on Fiber but I'm going to check if it's not my firewalls that disturb the software
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
If it only shows PUA and no more suffixes, this is from D-Cloud's cloud blacklist. Like Sophos, their cloud itself is only designed to be used for anti-PUA, not other types of malware. Only later did they use the cloud to control more explosive threats. If it's showing PUA and you're experiencing this, is it possible that your connection to D-Cloud is unstable?
The Sophos cloud is actually the heart of the product, the whole Sophos antivirus API (SAVI) can be used exclusively via the cloud, keeping just 10.2 MB of local machine learning models as a fallback. This is the Check Point implementation. Even with the full database downloaded locally, Sophos still prioritises the cloud always, as long as there is connection to it.
In addition to that, Sophos offers various other components such as the cloud emulation.

It’s one of the more cloudy products out there.
 

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
The Sophos cloud is actually the heart of the product, the whole Sophos antivirus API (SAVI) can be used exclusively via the cloud, keeping just 10.2 MB of local machine learning models as a fallback. This is the Check Point implementation. Even with the full database downloaded locally, Sophos still prioritises the cloud always, as long as there is connection to it.
In addition to that, Sophos offers various other components such as the cloud emulation.

It’s one of the more cloudy products out there.
I agree with putting more detection in the cloud, because in today's environment not many people will be exposed to viruses with frequent disconnections.
But I don't know how they designed it so that when scanning for new samples via the cloud, an extremely large number of samples are reported as PUA, even if they have clear malicious behavior (e.g. ransom/ password theft).
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
But with those settings it's normal that your DI doesn't necessarily detect the same threats as on VirusTotal. I am pretty sure that the results from VirusTotal are based on more aggressive Deep Static Analysis settings.
Definitely, a similar case was discussed by Malwarebytes for example as well:

It has been discussed by other vendors as well. VirusTotal is not an indicator what actual products will detect.

I agree with putting more detection in the cloud, because in today's environment not many people will be exposed to viruses with frequent disconnections.
But I don't know how they designed it so that when scanning for new samples via the cloud, an extremely large number of samples are reported as PUA, even if they have clear malicious behavior (e.g. ransom/ password theft).
This is something to do with the machine learning models. Locally it extracts the so-called “bag of attributes” (bagging) if the cloud is not certain already what this file is. These are processed in the cloud and a verdict is issued as an output.

If it erroneously classifies malware as PUA it may be that the models are not extremely certain this is malware and output low confidence (which automatically falls into the PUA threshold) or maybe there are specific aggressive models against PUA that “caught” the malware.
If the genotype analysis itself outputs PUA label, then it’s been “overtrained”, perhaps the training sets of PUA wrongly contained malware and it extracted features relevant to malware.

Sophos in many cases will output 2 detections (it is the only one I’ve seen doing that) delimited with a + sign. I’ve not given it a proper thorough test to say more. I am not in love with Sophos to be honest.
 

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,604
@simmerskool Microsoft Defender is an integral part of Windows. Microsoft Defender’s state is managed by WSC. You have 2 options:
  • Register Deep Instinct in Security Centre. In this case the Security Centre itself will disable Defender shortly after, whilst leaving the Defender service active in memory and security intelligence updates (Win 11) will continue being downloaded. Once other solutions are unregistered (or sometimes even just disabled), Microsoft Defender will be re-enabled instantly.
  • Not to register Deep Instinct in Security Centre. In this case both solutions remain active. Whoever has the higher altitude in the minifilter will be the first to block malware. Defender provides cloud-first approach, whilst Deep Instinct serves as a local protection engine. It is recommended under Defender exclusions to add DI folders and under DI exclusions to add Defender’s folder.

Which one you will prefer is entirely up to you.

@piquiteco I don’t recommend using other antivirus solutions with Deep Instinct. I suggest users point their attention to web blocking and IPS/Anti-Bot. Avast Web Shield can quickly be installed on its own to provide anti-bot, anti-phishing and light IPS capabilities. It will greatly complement DI.
this is going to sound nitpicky re definitions, sorry about that in advance. Nowhere that I've seen have Di manuals used the term "register" they say "integrate." The manual does say integration will "disable" Defender, but the email from CyF tech states that post-integration, Defender will "look at things" after Di. This makes me wonder, are we all, including CyF tech, using the same definition of "disable." Perhaps I'm the only one scratching my head -- I know what he said, what does he mean...

Re my Behavior blocked app, CyF tech said there's an additional switch to throw to correct that. Will update later, I have an appointment.

Appreciate everyone's insights. I think Di is great.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I think the support agent didn’t read properly (which frequently is the case).
The right word is “register” as you are not integrating anything. The security centre serves like a book where information about the security status is written.

“Post-integration” defender will not look at anything, it will be disabled. Pre-integration, it will not know that Deep Instinct is an antivirus and will continue doing its job (albeit in its typical mediocre manner).
They’ve provided the wrong information. I guess they are busy.

The process of disabling itself is carried out by the Security Centre which serves as a Defender manager.

It’s like Deep Instinct says “Hi, I’m an antivirus” and Security Centre wants you to use one at a time, so instantly disables Defender. Like when you go to work and you clock in, you are registering yourself at work. You are not integrating yourself there 😀
 

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,604
It is recommended under Defender exclusions to add DI folders and under DI exclusions to add Defender’s folder.

Avast Web Shield can quickly be installed on its own to provide anti-bot, anti-phishing and and light IPS capabilities. It will greatly complement DI.
Yes, in MS Defender I did add the 8 process exclusions for Di stated in the Deployment Guide (DG), before I deployed Di on my hardware win10. Currently, Di is not "integrated" with WSC. (integration pending :unsure::unsure:) So far I have not created exclusions for Defender in the Di console. I haven't seen that discussed in the DG, but may have missed it. Anyone have a page reference for that?

fwiw, I use either Edge, Chrome or Firefox depending on what I'm doing. I looked in the MS extension store for Avast Web Shield last night, but did not find it. AWS is an extension? Is it a separate app from Avast or a module in their AV?

In reference to Behavior Block... the CyF tech nicely said in reply to my question: "There is a lot to learn and understand the nuances [of Di]"

Since I installed Di on my hardware rather than on VM, I am aware I am being overly cautious... :cautious::cautious: | PS no blips from Di overnight

Simmerskool, I commend you for taking a deep dive into this product and posting your results here, it will greatly help others who choose to give it a try.

And kudos to others who are also providing tips.
Thanks, yes it's a little deeper dive, or I am rusty :ROFLMAO:, but no one should think my comments are negative re Di, I really like it! (y) There's somewhat of a learning curve, but in a good way since you have access to tweak deep & deeper. 😅 And it behaves nicely on my win10 too.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Yes, in MS Defender I did add the 8 process exclusions for Di stated in the Deployment Guide (DG), before I deployed Di on my hardware win10. Currently, Di is not "integrated" with WSC. (integration pending :unsure::unsure:) So far I have not created exclusions for Defender in the Di console. I haven't seen that discussed in the DG, but may have missed it. Anyone have a page reference for that?

fwiw, I use either Edge, Chrome or Firefox depending on what I'm doing. I looked in the MS extension store for Avast Web Shield last night, but did not find it. AWS is an extension? Is it a separate app from Avast or a module in their AV?

In reference to Behavior Block... the CyF tech nicely said in reply to my question: "There is a lot to learn and understand the nuances [of Di]"

Since I installed Di on my hardware rather than on a VM, I am aware I am being overly cautious... :cautious::cautious: | PS no blips from Di overnight

Avast Online Security & Privacy - Microsoft Edge Addons, no?
 

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,604
I'm on Fiber but I'm going to check if it's not my firewalls that disturb the software
fwiw, twice in the past 2 days I got messages in the Di console that it lost connection, but whatever that was, it seemed to auto-reconnect ok. The CyF tech mentioned that the Di server does not maintain constant contact with your pc, but checks in about every 10 min. Don't ask me to explain it, I'm just repeating what I was told. :whistle:
 
