Serious Discussion Deep Instinct | Deep Learning AI Cybersecurity Platform

[simmerskool]

There should not be any issues. But, adding SWH or H_C to AV+DI looks too complex for me.

In this VM with Di, no other av, just Di, (ditto host) only MS Defender was on them, then installed Di and integrated Di which turned Defender OFF. I'm trying to avoid "complex," whilst learning Di. Easy to deploy but CyF tech said many nuances... Not boring yet, even fun1 "Patience, young padawan" -- easier to be patient and relaxed in VM ("quietly and steadily persevering or diligent, especially in detail or exactness").

going to DL Avast Free for its Web Shield. Now that Di is registered you say Avast Web Shield will install passively, and you're saying to then change AWS to "active" (is that the right word?)
Is installing software an issue with Di, ie, does it need to be disabled during an install? I assume not...

sidenote Avast Web Shied did not work for me. Still love Di

what is management sever address when installing the client?

funny how they don't tell you that up front, you have to ask the right question(s) But in truth the CyF techs have been helpful and prompt (my experience)

 

[Digmor Crusher]

fwiw, I bought a 2d DeepInstinct license and installed (aka deployed) it on a win10_vm. It's actually easy once you a have couple of key facts. Depending on how you deploy it (more than 1 method I think), it either runs a Deep Static Scan, on my host win10 that scan took 4.3 hours, or it runs that scan in background, on this VM it ran in background and relatively fast, I did not even notice it was scanning in terms of impact, or it does not run a scan. I'm running malwarebytes browser extension.

I saw @AndyFul post in this thread, any opinion about using H_C or SWH with DeepIn, the goal being to avoid conflict

4.3 hours, wow. I've never used an AV , secondary program etc that took that long for a scan. I don't remember a scan for any product ever taking over 30 minutes. Now, I'm not saying a 4 hour scan is a good or bad thing, it just seems like its excessive to me.

Edit: maybe its my computer, only 300gb on C drive.

 

[Trident]

4.3 hours, wow. I've never used an AV , secondary program etc that took that long for a scan. I don't remember a scan for any product ever taking over 30 minutes. Now, I'm not saying a 4 hour scan is a good or bad thing, it just seems like its excessive to me.

Edit: maybe its my computer, only 300gb on C drive.

This is the downside of deep static analysis. It provides high levels of detection, sometimes even 2-3 months old engines can catch newest malware. But it takes resources and time. That’s why majority of static analysis engines have restrictions in place, such as size.

Signatures provide quick scanning but the engine must be updated constantly.

 

[simmerskool]

4.3 hours, wow. I've never used an AV , secondary program etc that took that long for a scan. I don't remember a scan for any product ever taking over 30 minutes. Now, I'm not saying a 4 hour scan is a good or bad thing, it just seems like its excessive to me.

Edit: maybe its my computer, only 300gb on C drive.

This was the longest, why I mentioned it, but no impairment. I have had other av where initial scan took a long time. c:\ is 2 TB ssd, + 4 other hdd/ssd. For the initial scan on that host, I just let Di initial 4 hr scan run (watched 2 movies). But on this VM Di's initial scan was in background, and no indication that it was even running in terms of system resource usage and feel at keyboard. But Di dashbd showed 6-figure number of files had been scanned on VM while I was using it. Running scans is (seems) not to be a concern with Di as it is scanning /analyzing everything in real-time. Fast & light all the time for me.

This is the downside of deep static analysis. It provides high levels of detection, sometimes even 2-3 months old engines can catch newest malware. But it takes resources and time. That’s why majority of static analysis engines have restrictions in place, such as size.

Signatures provide quick scanning but the engine must be updated constantly.

I just let the win10 host 4+ hr scan run and left the building (plus MS Defender was the registered av when I ran the +4h Di scan). On this VM, Di is registered, & the scan was in the background, minimal resources used. No impairment at keyboard. I did not know the initial scan was running. (console was not open). I get the sense that there's little need to run Deep Static Scans very often. Another question to research &/or ask CyF techs.
PS I have the Admin Guide open to page 29 section 3.3 Dashboard. Info deep & deeper... I feel some proficiency deploying in the near future

 

[simmerskool]

fwiw, MT @Bot posted this reply in another thread:
Wazuh can be integrated with DeepInstinct, and it could complement its capabilities. Wazuh specializes in threat detection and response, file integrity monitoring, log analysis, and compliance. On the other hand, DeepInstinct is an advanced anti-malware software that uses deep learning to detect and prevent cyber threats. By integrating Wazuh and DeepInstinct, organizations can achieve a comprehensive security solution that includes both threat prevention and detection, with real-time monitoring and response capabilities. This can provide an additional layer of security and help organizations to identify and respond to advanced threats quickly.

An in-person IT tech I know mentioned Wazuh to me | I am not reccomending it, as I have zero experience with it. Wazuh was new to me yesterday. I've only looked at its webpage.

Wazuh - Open Source XDR. Open Source SIEM.

Wazuh is a free and open source security platform that unifies XDR and SIEM protection for endpoints and cloud workloads.

wazuh.com

fwiw2 on my Di VM I did the simplest "test" last night to get the feel of how Di responds. went to eicar website and tried to DL eicar file1 and the page was blocked by MS Defender SmartScreen (recall that Di is integrated with WSC, Defender off), ditto eicar file2, when I clicked on eicar file3 (eicar_com.zip) SmartScreen did not alert BUT Di popped up Threat Prevented Deep Static identified it as a trojan. Di block was immediate.

A peaceful Sunday, enjoying Di, going thru the admin guide (AG) 3.3 Dashboard. Di Behavior prevented a threat the other day as I opened an app Di had not seen me run before with a Reflective DLL Injection violation. I know this app to be good, and figured out how to add to allow list. what is (can be) tricky is some sub-windows have dropdowns not obvious (to me) until you do it. Main dashboard, select Prevention Events, opens new window listing events, each event is date stamped, given a unique ID number, double click that event, read all about it, upper right corner blue [Action] button with a few choices, I used "add process to allow list" this opens another window, where you select device (I have 2 now), select policy, and then the tricky part, | Select Behaviors and you see All + 4 other options, none of which matched my blocked event, until I realized MORE behaviors were listed as scrolling dropdowns. Then found the exact behavior: Reflective DLL Injection, [add] and that app now runs. Di nice interface IMO, obvious screen, to deeper screen, to deepest screen, to deeper than deepest, until you get to where you need to go, Granular nice, or I like it. (only 280 pages to go -- but 3x redundant as it talks about windows, macOS and linux in same AG)(only putting Di on win10 for now)

A peaceful Sunday, enjoying Di, going thru the admin guide (AG) 3.3 Dashboard. Di Behavior prevented a threat the other day as I opened an app Di had not seen me run before with a Reflective DLL Injection violation.

Update: to add process to allow list progress report fwiw. Several days ago, CyF support emailed me howto allow Behavioral Analysis block, I think I understood and followed exactly..., but the problematic app I want to run is still blocked with the same Reflective DLL injection block. The good news, the problematic app is not something I have to run. So it's a good project to figure this out, allowing this threat_prevented_behavioral_block. I was 99%+ sure I added it to allow list correctly, that is until it didn't run again... Most likely user missed a nuance

 

[Kongo]

Update: to add process to allow list progress report fwiw. Several days ago, CyF support emailed me howto allow Behavioral Analysis block, I think I understood and followed exactly..., but the problematic app I want to run is still blocked with the same Reflective DLL injection block. The good news, the problematic app is not something I have to run. So it's a good project to figure this out, allowing this threat_prevented_behavioral_block. I was 99%+ sure I added it to allow list correctly, that is until it didn't run again... Most likely user missed a nuance

And how did you add it?

 

[Shadowra]

Continued from my use of DeepInstinct:

It will soon be 1 month that I'm testing it. And I removed it from my PC.
The AI is very good but very aggressive and killed me some files of some games in aggressive (including DLL of Riot Game as Valorant) and I am a slacker, I have the laziness to make rules exclusions etc and to look in all the dashboard to recover
But I found a place for it! It's on a dedicated PC, where I run applications that I'm not sure are safe. And since its AI is excellent, it helps me

 

[Kongo]

Continued from my use of DeepInstinct:

It will soon be 1 month that I'm testing it. And I removed it from my PC.
The AI is very good but very aggressive and killed me some files of some games in aggressive (including DLL of Riot Game as Valorant) and I am a slacker, I have the laziness to make rules exclusions etc and to look in all the dashboard to recover
But I found a place for it! It's on a dedicated PC, where I run applications that I'm not sure are safe. And since its AI is excellent, it helps me

That shows why it's meant for businesses where new software isn't installed on a regular basis. On home systems where you install games and other software regularly you can face false positives.

 

[Shadowra]

That shows why it's meant for businesses where new software isn't installed on a regular basis. On home systems where you install games and other software regularly you can face false positives.

Yep. But I think I'll try it again, but creating rules as soon as I have time

 

[Kongo]

Yep. But I think I'll try it again, but creating rules as soon as I have time

I can relate to your previous posts tho. I have the most aggressive settings applied and yet there are some malicious files (like definitely malicious: Redline stealer etc.) that DeepInstinct doesn't detect with Static AI while it's detected on VirusTotal. Didn't you contact Deep Instinct about that @Trident ? Any news?

 

[simmerskool]

And how did you add it?

I can give you a step by step breakdown, but I suspect some miscommunication with CyF / Di server last night, based on something I saw. In contact with CyF tech, will update. I will say that when I added the Reflective DLL injection to allow process list for that app, I did get a green successful banner at the top of the dashbd page, so something amiss somewhere, will update.

 

[Kongo]

I can give you a step by step breakdown, but I suspect some miscommunication with CyF / Di server last night, based on something I saw. In contact with CyF tech, will update. I will say that when I added the Reflective DLL injection to allow process list for that app, I did get a green successful banner at the top of the dashbd page, so something amiss somewhere, will update.

I think you need to add it to the "Behavioural Analysis Allowlist" as it was a behaviour-based block

 

[Trident]

I can relate to your previous posts tho. I have the most aggressive settings applied and yet there are some malicious files (like definitely malicious: Redline stealer etc.) that DeepInstinct doesn't detect with Static AI while it's detected on VirusTotal. Didn't you contact Deep Instinct about that @Trident ? Any news?

Yeah, I am away from work, haven’t checked my inbox for a while. I’ll have a look at the pile of emails soon.

 

[simmerskool]

I think you need to add it to the "Behavioural Analysis Allowlist" as it was a behaviour-based block

I think I did unless I'm in the wrong place. Don't you go to the prevented block list, find the block for the Reflective DLL event, blue action button, add process to allow then another popup for Select Behavior, click Reflective DLL injection from the scroll down list, add ok green banner successful... That seems to be what I'm hearing from CyF tech,
ALSO I tried to run that app 2 more times last at specific times noted, got popups on my pc desktop Threat Prevented, same reason, but those 2 blocked events are NOT listed in my dashbd. Am I missing something (would not be the first time)

 

[Kongo]

I think I did unless I'm in the wrong place. Don't you go to the prevented block list, find the block for the Reflective DLL event, blue action button, add process to allow then another popup for Select Behavior, click Reflective DLL injection from the scroll down list, add ok green banner successful... That seems to be what I'm hearing from CyF tech,
ALSO I tried to run that app 2 more times last at specific times noted, got popups on my pc desktop Threat Prevented, same reason, but those 2 blocked events are NOT listed in my dashbd. Am I missing something (would not be the first time)

Policies --> Allowlist --> Behavioural Analysis

 

[simmerskool]

Policies --> Allowlist --> Behavioural Analysis

I'll check there too, meanwhile, CyF tech said he added the allow for Reflective DLL to this app, but I still get the same block error. So just for the record, it's not me being dumb Something is amiss...??

 

[simmerskool]

Policies --> Allowlist --> Behavioural Analysis

yes looked there, the app IS listed with Reflective DLL injection added to allow list and time-stamped when I did it yesterday, allowing the way I did it above. So this might be a bug with Di?? or its interface?? I still like Di. Could be the app calls something else which also shows up as Reflictive DLL injection...?? just thinkin' out loud.

 

[Trident]

@simmerskool Have a look at both logged events related to the dll injection blocking. What’s different about them? Is it absolutely the same event logged again and again?

 

[simmerskool]

@simmerskool Have a look at both logged events related to the dll injection blocking. What’s different about them? Is it absolutely the same event logged again and again?

yes x_half-dozen... meanwhle CyF tech now believes me (rather than thinking I'm hopeless) and is doing a full audit to track down what's happening, he said he wants to change a policy setting he thinks is, or could be, not kosher** (Israeli software) . (...this is would be correct in a SIEM cross-correlation, but not here...) I told him go ahead and to document it specifically so I will be able to pass it along if relevant for anyone else.. He also said the dashbd messages I've gotten re Failed Connectivity are bogus and will be fixed with some update they are doing on their end.
**no offense to Kongo intended, I followed his settings template except where CyF made a later suggestion. I'm not sure what the new envisioned change is, will update. And Kongo posted a disclaimer I like Di. just a nuance learning curve.

 

[simmerskool]

update to Monday woes. CyF tech advised something seems to be blocking communications or policy updates being delivered to your devices. Then he asked me to send him the \programdata\deepinstinct\log\ui.log
and about 10 min later he said try to open the problematic app now, and it opened perfectly. As to source or reason for blocked comm, I don't know yet. windows firewall, with a recent MS tech in-place upgrade, so firewall should have no remnants from ESET Premium or anything else. Maybe I used H_C to harden the firewall in the enough remote past to have forgotten about it, but thinking MS upgrade should have removed that, if I had done it... maybe something else but let's not be paranoid. (note I mentioned above it feels like some sort of miscommunication. (gave myself a gold star )

Meanwhile he says: policy | device policies | Suspicious activity monitoring, beware "remediate" and set it to "detect" if you want notices -- remediate can scramble your system.