App Review Ransomware Test: Cylance, Sophos, VoodooShield | by VoodooShield

[danb]

@danb so I finally got around to the test.

Scan 1 (completely offline): 35 files, ranging from not-so-malicious malware to ransomware, were missed of the 147.

Scan 2 (with internet connectivity): all but 8 of the 147 files were quarantined (incl. the ransomware). See attachment.

Very cool, thank you for letting me know! Pretty close to my results. Just curious... they probably have new algos / models that were used in the test, right? Pretty impressive efficacy increase if you ask me... that was an extremely bad malpack that had been passed around MT users. It was quite popular, so I figured I would run the test.

BTW, I never test with internet connectivity for Cylance, because they always recommend people test without it. But it is extremely interesting to compare the two results. What makes the result significantly better for the connected test? If you cannot answer publicly, but still are able to tell me privately, please email me. Thanks again!

 

[danb]

Dan emailed me that he had replaced the allow by whitlisted parent process with the allow by whitlisted vendor signature. Can anyone onfirm?

Hey Kees... I want other people to rely too, but I just wanted to mention that we still have the parent process feature as well.

 

[David R]

Very cool, thank you for letting me know! Pretty close to my results. Just curious... they probably have new algos / models that were used in the test, right? Pretty impressive efficacy increase if you ask me... that was an extremely bad malpack that had been passed around MT users. It was quite popular, so I figured I would run the test.

BTW, I never test with internet connectivity for Cylance, because they always recommend people test without it. But it is extremely interesting to compare the two results. What makes the result significantly better for the connected test? If you cannot answer publicly, but still are able to tell me privately, please email me. Thanks again!

This was the latest version, so yes, it would have been newer than your original test. That said, I still have my doubts about the configuration by Malware Managed team.

As with any AV product, it's an ongoing process. There is a constant need for further development and fine tuning, so my guess would be that with internet connectivity, the agent is able to lookup an updated "cloud" signature or version and block those additional files it may have missed by the "offline" version.

Yes, it works well offline and without signatures (like a legacy AV product would use), but even better while connected to the internet, which to your point in a previous point, is how most users would get malware in the first place...browsing around and clicking on malicious email attachments for Flash Player update pop ups, etc....

 

[danb]

This was the latest version, so yes, it would have been newer than your original test. That said, I still have my doubts about the configuration by Malware Managed team.

As with any AV product, it's an ongoing process. There is a constant need for further development and fine tuning, so my guess would be that with internet connectivity, the agent is able to lookup an updated "cloud" signature or version and block those additional files it may have missed by the "offline" version.

Yes, it works well offline and without signatures (like a legacy AV product would use), but even better while connected to the internet, which to your point in a previous point, is how most users would get malware in the first place...browsing around and clicking on malicious email attachments for Flash Player update pop ups, etc....

Cool, I was attributing the increased efficacy to updated algos / models, but it might have something to do with the config as well, but either way the results were pretty close though, so that is great to see. Thank you!

 

[simmerskool]

I tried downloading the Home version, but it requires a corporate email... how'd you get the home version?

for deep armor, well if you email them and say the "magic words," they give you access. I have a corp address, but I think I used a private email, and they were ok. I think if you are active at MT they (may) give you access. They may not want you doing a test since it is considered beta.
my current hardware is pretty strong, still DA seems to slow it some, so far only app where I've noticed a slowdown. Other folks here know more about DA.

 

[Windows_Security]

Hey Kees... I want other people to rely too, but I just wanted to mention that we still have the parent process feature as well.

When they are both available, I would disable the allow by parent process. Only reason to keep allow by parent process is when you use a lot of unsigned software.

 

[David R]

When they are both available, I would disable the allow by parent process. Only reason to keep allow by parent process is when you use a lot of unsigned software.

Wouldn't this allow malware that injects itself into legitimate processes get by, such as Poweliks or Kovter?

 

[danb]

Wouldn't this allow malware that injects itself into legitimate processes get by, such as Poweliks or Kovter?

Potentially, but please keep in mind that this rule / setting does not apply to everything. As a silly example, we have to exclude explorer.exe from this rule / setting, hehehe for obvious reasons . It would allow pretty much everything .

So there are several checks in this rule, otherwise, yeah, we could accidentally allow something we did not want to. I have spent a very long time refining these rules, in an effort to automatically allow as much good stuff as possible, while blocking as much bad stuff as possible, simply to enhance our usability.

As you and I have discussed... application control is a very robust and secure technology, but no one uses it because it is too much of a PITA. That is where VS comes in... we are the only user-friendly computer lock. The way we see it... just because traditional application whitelisting is not user-friendly enough for people adopt, that does not mean that the endpoint should not be locked when it is at risk .

Having said that... if you can find a way around this, please let me know! As I always say... there is not a chance that I thought of everything.

 

[danb]

When they are both available, I would disable the allow by parent process. Only reason to keep allow by parent process is when you use a lot of unsigned software.

Yeah, probably so, but it is nice to have them both as options. Thanks again for the recommendation!

 

[Windows_Security]

Yeah, probably so, but it is nice to have them both as options. Thanks again for the recommendation!

Hi Dan, good to see you around here also. Allow by parent process is implemented smartly, also VS does not allow Internet facing processes to lauch other programs and offers risky command protection (to prevent bypassing the whitelist), so the hijacking of credentials through (DLL) injection or (hollow) process spawning is not as easy as it sounds.