Malware Hub Report VoodooShield 6 - December 2020 Report

[harlan4096]

VoodooShield 6 - December 2020 Report

Due to the small number of samples used in this tests, you should take results with a grain of salt. We encourage you to compare these results with others and take informed decisions on what security products to use.

__

C: Clean / P: Protected / P - NC: Protected - Not Clean / I: Infected / E: Encrypted

* Dynamic BB Bonus Test (Resident Protection Disabled)
* Partially Blocked
BSR: Before System Reboot
ASR: After System Reboot

December 2020​	Samples Pack​	Static Detection​	Dynamic Detection​	Total Detection​	System Files Encrypted​	2nd Opinion Scanners​	System Final Status​	Thread Link​
​	​	​	FREE​	AUTOPILOT​		​	​	​
01/12/2020​	1​	0 / 1​	0 / 1*​	1 / 1 0 / 1*​	Yes*​	N/A​	P E*​	Post#3​
02/12/2020​	2​	1 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#3​
02/12/2020​	2​	0 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#2​
03/12/2020​	2​	0 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#2​
04/12/2020​	2​	0 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#2​
05/12/2020​	1​	1 / 1​	1 / 1​	1 / 1​	No​	C​	C​	Post#2​
06/12/2020​	2​	1 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#2​
07/12/2020​	1​	0 / 1​	1 / 1​	1 / 1​	No​	C​	P​	Post#3​
			REGISTERED​	AUTOPILOT​	(RELAXED)​
08/12/2020​	3​	1 / 3​	2 + 1* / 3​	2 + 1* / 3​	No​	C​	BSR: I ASR: P​	Post#2​
10/12/2020​	1​	0 / 1​	1 / 1​	1 / 1​	No​	C: HMP NPE F-S I: WV​	P - NC​	Post#2​
11/12/2020​	6​	1 / 6​	1* + 4 / 6​	1* + 5 / 6​	Yes​	C​	BSR: I ASR: E​	Post#2​
12/12/2020​	1​	0 / 1​	1 / 1​	1 / 1​	No​	C​	P​	Post#4​
13/12/2020​	1​	1 / 1​	0 / 1​	1 / 1​	No​	C​	P​	Post#2​
14/12/2020​	4​	0 / 4​	4 / 4​	4 / 4​	No​	C: HMP NPE F-S I: WV​	P - NC​	Post#2​
15/12/2020​	3​	1 / 3​	1 / 3​	1 / 3​	Yes (Twice)​	C​	E​	Post#2​
16/12/2020​	1​	0 / 1​	1 / 1​	1 / 1​	No​	C​	P​	Post#2​
17/12/2020​	4​	4 / 4​	4 / 4​	4 / 4​	No​	C​	C​	Post#3​
18/12/2020​	1​	0 / 1​	1 / 1 ​	1 / 1​	No​	C​	P​	Post#2​
19/12/2020​	8​	3 / 8​	8 / 8​	8 / 8​	No​	C​	P​	Post#2​
20/12/2020​	4​	4 / 4​	4 / 4​	4 / 4​	No​	C​	C​	Post#3​
22/12/2020​	3​	0 / 3​	3 / 3​	3 / 3​	No​	C​	P​	Post#2​
23/12/2020​	2​	0 / 2​	2 / 2​	2 / 2​	No​	C: HMP F-S I: WV NPE​	P - NC​	Post#3​
23/12/2020​	4​	4 / 4​	4 / 4​	4 / 4​	No​	C​	P​	Post#2​
27/12/2020​	3​	1 / 3​	3 / 3​	3 / 3​	No​	C​	P​	Post#3​
27/12/2020​	4​	4 / 4​	3 / 4​	4 / 4 3 / 4​	Yes​	C: WV HMP F-S I: NPE​	E​	Post#3​
28/12/2020​	2​	0 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#3​
29/12/2020​	2​	1 / 2​	2 / 2​	2 / 2​	No​	C​	P​	Post#2​
29/12/2020​	6​	5 / 6​	4 / 6​	5 / 6 4 / 6​	Yes (Twice)​	C​	E​	Post#3​
/12/2020​	​	/ ​	/ ​	/​	No Yes​	C I​	C P - NC I E​	Post#​
/12/2020​	​	/ ​	/ ​	/​	No Yes​	C I​	C P - NC I E​	Post#​
/12/2020​	​	/ ​	/ ​	/​	No Yes​	C I​	C P - NC I E​	Post#​
/12/2020​	​	/ ​	/ ​	/​	No Yes​	C I​	C P - NC I E​	Post#​

 

[Lenny_Fox]

Why post an empty report for a test date in the future?

 

[harlan4096]

Today 01/12/2020, VS testing starting from today

Also I usually create the full table structure to save time, later in every malware test I only have to fill in...

 

[danb]

Why post an empty report for a test date in the future?

He loves VS soooooo much that he just could not wait to get started .

But seriously, @harlan4096, thank you for testing... VS can be difficult to test so if you have any questions please let me know. One hint, you MIGHT want to reset the whitelist in VS often... depending on how you are testing.

BTW, what mode are you using to test? AlwaysON, Smart or AutoPilot?

This should be interesting .

 

[harlan4096]

Thanks!

For now I'm on Free Mode and AutoPilot, but will be changing modes after some days or every 1 or 2 weeks to check the differences, will be add a note about the settings used in this stats Table...

 

[danb]

Sounds great... let me set you up with a VS Pro license, I will pm you one right now.

 

[harlan4096]

Sounds great... let me set you up with a VS Pro license, I will pm you one right now.

Thanks, that would be great and welcome

 

[harlan4096]

One more thing, I disabled Windows Defender but left SmartScreen enabled (used WPS tool + Defender Control):



Update: also Defender Control

 

[danb]

Thanks, that would be great and welcome

Sure, thank you as well... I just sent you a license. If for some reason it does not work please let me know.

Yeah, it probably is easiest to test on AutoPilot because if VS is ON (Smart or Always ON), and the malware is within the scope of VS's protection, I promise you, it is going to block it. Whereas with AutoPilot, there might be a small chance you can get something through, especially if you have an innocent looking sample that is signed with a valid EV cert, that is probably your best chance.

 

[danb]

One more thing, I disabled Windows Defender but left SmartScreen enabled (used WPS tool):

View attachment 250160

Sounds great... that will work either way, but if it were me I would just disable all other protections, including UAC and SS.

 

[harlan4096]

Sounds great... that will work either way, but if it were me I would just disable all other protections, including UAC and SS.

Done, creating clean snap-shot...

 

[danb]

Very cool. BTW, you might want to use the latest version of VS below. It should not make a difference in testing, but just in case.

VS 6.06b

https://voodooshield.com/Download/InstallVoodooShield606b.exe

SHA-256: a1df08121a0beb6309af6994e122f07a0d55a1ea70470c71bb2cb068ba179251

Also, in the interest of full disclosure, I wanted to let you guys know what I can see on my end. A while back I wrote a little app that lets me monitor all of the new samples that VS / WLC encounters. So I can open this app and tell at a glance how well VS is doing, mainly because the Safe samples are highlighted in Green and the Not Safe samples are highlighted in red. And there are several little features in this app that gives me detailed file insight about a sample, with just a simple click.

It is interesting because it is super easy to see when people are testing VS / WLC, and I know at a glance if they are doing well or not (with both positives and negatives), and I can optimize our algos if necessary.

Anyway, I just thought it was fair that I mention this to @harlan4096, so he has an idea of what what we see on our end.

 

[harlan4096]

Yes, I downloaded/installed that version 6.0.6b that @Gandalf_The_Grey posted not so long here in on thread of the forum

 

[Zerion]

Great to see this tested @harlan4096, also very nice to see you back here @danb

 

[danb]

Great to see this tested @harlan4096, also very nice to see you back here @danb

Very cool, thank you, I appreciate that!

 

[danb]

@harlan4096, thank you for the first test... great catch! I tested and confirmed that there is indeed a bug in AutoPilot mode for .jar files. In my quick and dirty test, VS properly blocked the file in Smart ON mode, but missed the file when it was on AutoPilot (so I am sure it would miss the file in Smart OFF mode as well). Is that what your test reflects as well?

I was actually thinking about removing .jar support in VS because this type of malware was not so common for a while, requires JRE (which the user install base is dwindling) and is disabled by default in similar products because this block does produce false positives, especially for business users.

But .jar has made a comeback recently, so we will be keeping .jar support and ensure that it works properly in all VS modes.

Thanks again, great catch, I appreciate your help!

 

[danb]

Here is a version that should fix the AutoPilot bug that @harlan4096 found, and actually it probably affected other file types than just .jar. The bug was related to when I recently replace VT with WLC in VS's Rules (similar to the bug that @Lenny_Fox recently encountered). It's funny, you can actually disable the one default rule in VS then the .jar file is blocked, so if we would not have had the one default rule, it probably would have been a very long time before we discovered this bug.

I did not have the same .jar file that @harlan4096 tested with, so I used a different sample, but if it is okay with @harlan4096, it might be a good idea to test the first .jar sample again... because if for some reason the bug is not fixed then I would probably need to debug with the actual sample to make sure the bug is completely fixed before we continue testing. Thanks again!

VS 6.06c

https://voodooshield.com/Download/InstallVoodooShield606c.exe

SHA-256: 083dd2ac20fa6fb6bed29969fabcdfbdb9caf4094ced85b70563911e85d8545c

 

[harlan4096]

Ok, just downloaded! will install the new VS version and perform again the test with the same jar

 

[harlan4096]

I can confirm in new version 6.06c bug is fixed, this time jar file blocked, will post results of both tests with b & c versions soon...

Also I have to test the new 2 small pack from today (a new jar file )

 

[danb]

Very cool, thank you for letting me know! Luckily this bug appeared after the current public 6.06 release, otherwise I would be scrambling to release a fixed version to the public since this is a pretty big bug (probably the biggest, most significant bug we have ever had), and it was all due to one line of code... "Exit For" . So anyone running the public version 6.06 or the beta version 6.06c is safe.