MAX AI Based Korean AV

[cruelsister]

Hi Guys- I had no idea that the English version would come out so swiftly, so perhaps I should be more forthcoming for those that will test this product next week. First off, though, keeping in mind that Max is a Beta of the initial build, the Developers deserve much credit.

However, when testing keep in mind the following:

1). Detection- Max will do very well for executables and direct run DLL's that have been around for a bit. For malware 12 hours old or newer the detection rate is spotty.

2). Scriptors- As I mentioned above, scriptor worm detection is poor. It also will allow Powershell; if the PS payload is in the form of an exe in all probability Max will detect and stop it. For more complex PS and JScript malware (that do not rely on executable files) it did not do well.

3). False Positives- Max will check on Digital Signatures. Signed malware that has been out for a bit will be detected nonetheless. For legitimate unsigned applications things vary- something like a VT Uploader beta will be allowed; my beloved unsigned SeaMonkey will be stopped and deleted.

I'm not trying to be Cruel- but just focus on the downside of things so that the Developers can improve an already impressive application.

 

[AtlBo]

2). Scriptors- As I mentioned above, scriptor worm detection is poor. It also will allow Powershell; if the PS payload is in the form of an exe in all probability Max will detect and stop it. For more complex PS and JScript malware (that do not rely on executable files) it did not do well.

@cruelsister...how would Comodo Firewall handle malware of this type? I can't get my mind around how anything could stop this type of script activity. Especially having a difficult time explaining where the malware would originate, unless we are talking about a vulnerability of a browser or pdf viewer/editor or maybe flash or MSOffice? In this case, I guess you would be speaking of an exploit, but I am not sure...

 

[simmerskool]

Don't get me wrong, I've never used Cylance; my experience is just running files through Virus Total (with whatever settings are employed there), where Cylance has flagged quite a few files (I overstated my case when I said it was "prone to FPs"). I use WinPatrol WAR which seems to flag close to half my new installs as malicious. AI is still developing and its only as good as the underlying code. I've been working on computers (of and on) since the mid-1970s, and I am just not ready to put all my eggs in one basket, preferring layers -- I just don't think any one solution will offer a complete and total solution. I'm also a bit of a skeptic and that was my (poor) attempt to inject some humor. But it looks like a couple of folks here have already started to put this one through its paces. I wish my testing computer was up because I would love to try MAX out; I may have to set up a new one.

I have some layers here too I noticed that cylance fp 1/66 with chrome_32 v65... at VT. BUT cylance was not blocking chrome on my win7, so I asked cyberforce, who replied quickly that cylance at VT might not be the same cylance on my pc. Then realized I should be running chrome_64 bit, and cylance sees that chrome as clean at VT. The new Smithsonian magazine has an article about AI. Interesting. The really interesting thing about AI to me lately is that the first Alpha Go which was "programmed" by us humans analyzing lots of human Go games, was beaten by later version of Alpha Go, that was only told the rules of Go and it learned by playing itself. The AI/ML version got smarter by learning on its own than by analyzing human games. The Smithsonian mentioned the same thing in a different context. I only mention The Smithsonian because that's more of a cultural perspective than a tech_geek discussion. "...the sound of inevitability."

 

[simmerskool]

I was running Cylance for a few years and if I remember right in your web console, you can submit files to VT as well and flag them as safe if you actually want to run them.
I plan on giving MAX a try once in English.

I think it can depend on how much control "they" give the user. I must be doing safe hex because almost never anything to flag
& interested in MAX too.

 

[cruelsister]

Atlbo- The Comodo sandbox handles worms quite well. Note that when initially run the Worm will drop something somewhere for persistence, then run itself through wscript (or cscript) for Network spread. With the sandbox, all of these things will be contained. Of course the blocking of sandboxed apps from connecting out is a must.

As far as how a worm can get on the system- either from exploits (rare), emails, infected Flash Drives, or over the Network for connected systems. Essentially any way you can imagine.

Fun Fact- after major Retail Breaches on systems protected by Symantec, they have gotten Scriptor-serious and actually detect these things now (guess they got tired of being sued). This protection extends to the Home Norton versions

BYW- about Max- I tried a legitimate application- but this one was a signed Private Beta that some Dev sent me. Max took 5 minutes thinking about it; I got bored and rebooted as I couldn't use the system while this was taking place.

 

[AtlBo]

Atlbo- The Comodo sandbox handles worms quite well. Note that when initially run the Worm will drop something somewhere for persistence, then run itself through wscript (or cscript) for Network spread. With the sandbox, all of these things will be contained. Of course the blocking of sandboxed apps from connecting out is a must.

Anyway, even if MAX would have had a first chance before the initial breach, if the actual worm type of payload is run, MAX is not effective at stopping this if I understand correctly. So it would be certain types of activity more associated with the droppers of worms or worm type activity that MAX has a hard time with .

It's like sometimes we forget with tests that the malware is sitting there on the desktop. The presumption is it will run for a test obviously, but in real life it must be activated somehow for the malware to have a chance. At any rate, if MAX has a weakness with worm type activity, I think I might say it is moreso that it just doesn't block some types of scripts very well. I am basing this purely on what Kaspersky has to say about worms here:

A Malware Classification -Kaspersky Daily

Spoiler: Worm

Worm: Worms are considered to be a subdivision of viruses since they are also self-replicating programs; however unlike viruses, they do not infect existing files. Instead, worms are installed directly onto their victims� computers in a single instance of �self standing� code, before finding opportunities to spread or tunnel themselves into other systems through things like the manipulation of vulnerable computer networks. Worms, as with viruses, can also be defined further by breaking down the methods in which they infect, like through email, instant messaging or file sharing. Some worms exist as standalone files, while others reside in computer memory only.

Don't know if this would line up 1 for 1 with the @cruelsister definition of a worm. Feel free o/c to correct me as your knowledge base dictates...

 

[cruelsister]

A fine definition, but a bit vague. A typical way a system can get infected is by connecting infected removable storage (Flash Drive) to a system- the worm will activate immediately and do whatever nastiness it is programmed to do. If the newly infected system is on a network it will connect out and spread that way quite easily. Some place too much emphasis on how a file is run in tests. The emphasis instead should be placed on whether or not a Security application can detect an initial run, or at least remediate infection on an already compromised system.

To that end my next 2 videos will speak to both points- this weekend will be remediation of an infected system by 2nd opinion scanners, and the second (around April 13th) will be how an application the developers of that product asked me never to test will deal with it.

 

[cruelsister]

Atlbo- regarding how a worm can get on a system, check out this:

Malware Alert - jRAT Leverages Crypter Service to Stay Undetected

It doesn't add a worm per se, but it easily could. It is just Loads O' Fun with multiple vb downloads running via cscript and various Task Kill commands.

 

[ForgottenSeer 69673]

Is the English Beta out yet?

 

[mekelek]

v1 is out in English
it seems to have gotten a serious UI overhaul, going to give it a spin in a minute
malwares.com

 

[mekelek]

for everyone that used the Beta, there is no uninstallation entry at the usual place, go to C:/Program Files/MAX and run the uninst.exe

MAX v1 won't uninstall or stop MAX Beta but after a restart only the newest runs, so first uninstall the old then install the new.

 

[ZeroDay]

v1 is out in English
it seems to have gotten a serious UI overhaul, going to give it a spin in a minute
malwares.com

Great share, Thank you.

 

[ZeroDay]

Can this be installed alongside Windows defender or is it a standalone AV?

 

[Deleted member 65228]

Can this be installed alongside Windows defender or is it a standalone AV?

It looks like it is supposed to be stand-alone but I am only guessing. However even if it were to install fine with Windows Defender enabled and if it doesn't disable Windows Defender, I doubt it will conflict.

I doubt they are known enough for Microsoft to accept them in partnership and allow them access to Security Center integration just yet anyway. Maybe the vendor hasn't even thought about that yet.

 

[Mikesierra]

Can this be installed alongside Windows defender or is it a standalone AV?

I tried it along with F-Secure AV in a VM and didn´t notice any serious issues. However, this was just a quick test and chances are high that MAX isn´t compatible with other AVs.

 

[mekelek]

Can this be installed alongside Windows defender or is it a standalone AV?

It looks like it is supposed to be stand-alone but I am only guessing. However even if it were to install fine with Windows Defender enabled and if it doesn't disable Windows Defender, I doubt it will conflict.

I doubt they are known enough for Microsoft to accept them in partnership and allow them access to Security Center integration just yet anyway. Maybe the vendor hasn't even thought about that yet.

I tried it along with F-Secure AV in a VM and didn´t notice any serious issues. However, this was just a quick test and chances are high that MAX isn´t compatible with other AVs.

after spending some time with MAX, i don't see a reason for conflict with any AV.

 

[Deleted member 65228]

after spending some time with MAX, i don't see a reason for conflict with any AV.

I don't distrust them as much either. The only reason I said I wouldn't wasn't because I *assumed* they would be bad it was because I never trust a new vendor off the bat, but they don't seem non-trustworthy. Only time will tell - in a few months we'll see what happens with them to get more of a better image of how they work, etc.

Interesting concept and approach IMO

 

[mekelek]

I don't distrust them as much either. The only reason I said I wouldn't wasn't because I *assumed* they would be bad it was because I never trust a new vendor off the bat, but they don't seem non-trustworthy. Only time will tell - in a few months we'll see what happens with them to get more of a better image of how they work, etc.

Interesting concept and approach IMO

they seem to want to become the Asian Virustotal with malwares.com, they just added a URL section there too.
their way of throwing out a product like this for free to test for everyone is a good sign.
the amount of time i spent to try to get my hands on other AI/ML based product, it's almost like they're hiding.

 

[ZeroDay]

Does Max AV run light on the system? This could be a perfect partner for CF.

 

[mekelek]

Does Max AV run light on the system? This could be a perfect partner for CF.

it's only doing anything heavy when a sample is unkown to malwares.com so it uploads said sample and waits for results.
it feels light but i only tried it in VM.