Reply to thread

Message

<blockquote data-quote="Andy Ful" data-source="post: 758134" data-attributes="member: 32260">Dan (VS developer) mailed to me that my first sentence above may be misleading. I agree with him.Bypassing VS by the true 0-day malware (never seen before) will require in many cases the user interaction. The average user will be mostly fooled by the very low or 0 detection on Virus Total, so the VS detection of non-VT modules (AI, anti-script, etc) will be treated as a false positive. That is why I prefer the Forced SmartScreen solution for application installers in Hard_Configurator (much less false positives).Anyway, the chance of silently bypassing VS is very low. Here is the Dan&#039;s explanation:&quot;In order for a zero day to slip through AutoPilot… It would have to…<ol>
<li data-xf-list-type="ol">Be an executable (scripts and the like are auto blocked unless they are spawned from certain parents)</li>
<li data-xf-list-type="ol">Not be an unknown on VT</li>
<li data-xf-list-type="ol">Trick all VT engines that do not have a high FP rate on VT (and are not part of VS’s FP detection)… there are around 40 of them</li>
<li data-xf-list-type="ol">Trick VoodooAi (which is slightly more aggressive than the other ML/Ai engines).&nbsp; Most ML/Ai engines will have roughly the same result since we all use very similar algos and models (trust me, the is no exaggeration… they are very, very, very similar.&nbsp; But VS was designed to be slightly more aggressive.&nbsp; Some of the other ML/Ai engines have a better false positive with a roughly 90-95% detection ratio (Cylance, CrowdStrike, etc), whereas VS was designed to have a roughly 99.5% detection ratio, with higher false positives.</li>
<li data-xf-list-type="ol">There are other checks as well… but these checks alone would block almost all zero days.&quot;</li>
</ol></blockquote>

[QUOTE="Andy Ful, post: 758134, member: 32260"] Dan (VS developer) mailed to me that my first sentence above may be misleading. I agree with him. Bypassing VS by the true 0-day malware (never seen before) [COLOR=rgb(184, 49, 47)][B]will require in many cases the user interaction[/B][/COLOR]. The average user will be mostly fooled by the very low or 0 detection on Virus Total, so the VS detection of non-VT modules (AI, anti-script, etc) will be treated as a false positive. That is why I prefer the Forced SmartScreen solution for application installers in Hard_Configurator (much less false positives). Anyway, the chance of silently bypassing VS is very low. Here is the Dan's explanation: [I]"In order for a zero day to slip through AutoPilot… It would have to…[/I] [LIST=1] [*][I]Be an executable (scripts and the like are auto blocked unless they are spawned from certain parents)[/I] [*][I]Not be an unknown on VT[/I] [*][I]Trick all VT engines that do not have a high FP rate on VT (and are not part of VS’s FP detection)… there are around 40 of them[/I] [*][I]Trick VoodooAi (which is slightly more aggressive than the other ML/Ai engines). Most ML/Ai engines will have roughly the same result since we all use very similar algos and models (trust me, the is no exaggeration… they are very, very, very similar. But VS was designed to be slightly more aggressive. Some of the other ML/Ai engines have a better false positive with a roughly 90-95% detection ratio (Cylance, CrowdStrike, etc), whereas VS was designed to have a roughly 99.5% detection ratio, with higher false positives.[/I] [*][I]There are other checks as well… but these checks alone would block almost all zero days."[/I] [/LIST] [/QUOTE]

Verification