Malware Hub Report VoodooShield 6 - December 2020 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,405
VoodooShield 6 - December 2020 Report
Due to the small number of samples used in this test, you should take results with a grain of salt. We encourage you to compare these results with others and take informed decisions on what security products to use.

C: Clean / P: Protected / P - NC: Protected - Not Clean / I: Infected / E: Encrypted


* Dynamic BB Bonus Test (Resident Protection Disabled)
* Partially Blocked
BSR: Before System Reboot

ASR: After System Reboot

| December 2020 | Samples Pack | Static Detection | Dynamic Detection | Total Detection | System Files Encrypted | 2nd Opinion Scanners | System Final Status |
|---|---|---|---|---|---|---|---|
| FREE AUTOPILOT | | | | | | | |
| 01/12/2020 | 1 | 0 / 1 | 0 / 1* | 1 / 1; 0 / 1* | Yes* | N/A | P; E* |
| 02/12/2020 | 2 | 1 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 02/12/2020 | 2 | 0 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 03/12/2020 | 2 | 0 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 04/12/2020 | 2 | 0 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 05/12/2020 | 1 | 1 / 1 | 1 / 1 | 1 / 1 | No | C | C |
| 06/12/2020 | 2 | 1 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 07/12/2020 | 1 | 0 / 1 | 1 / 1 | 1 / 1 | No | C | P |
| REGISTERED AUTOPILOT (RELAXED) | | | | | | | |
| 08/12/2020 | 3 | 1 / 3 | 2 + 1* / 3 | 2 + 1* / 3 | No | C | BSR: I; ASR: P |
| 10/12/2020 | 1 | 0 / 1 | 1 / 1 | 1 / 1 | No | C: HMP NPE F-S; I: WV | P - NC |
| 11/12/2020 | 6 | 1 / 6 | 1* + 4 / 6 | 1* + 5 / 6 | Yes | C | BSR: I; ASR: E |
| 12/12/2020 | 1 | 0 / 1 | 1 / 1 | 1 / 1 | No | C | P |
| 13/12/2020 | 1 | 1 / 1 | 0 / 1 | 1 / 1 | No | C | P |
| 14/12/2020 | 4 | 0 / 4 | 4 / 4 | 4 / 4 | No | C: HMP NPE F-S; I: WV | P - NC |
| 15/12/2020 | 3 | 1 / 3 | 1 / 3 | 1 / 3 | Yes (Twice) | C | E |
| 16/12/2020 | 1 | 0 / 1 | 1 / 1 | 1 / 1 | No | C | P |
| 17/12/2020 | 4 | 4 / 4 | 4 / 4 | 4 / 4 | No | C | C |
| 18/12/2020 | 1 | 0 / 1 | 1 / 1 | 1 / 1 | No | C | P |
| 19/12/2020 | 8 | 3 / 8 | 8 / 8 | 8 / 8 | No | C | P |
| 20/12/2020 | 4 | 4 / 4 | 4 / 4 | 4 / 4 | No | C | C |
| 22/12/2020 | 3 | 0 / 3 | 3 / 3 | 3 / 3 | No | C | P |
| 23/12/2020 | 2 | 0 / 2 | 2 / 2 | 2 / 2 | No | C: HMP F-S; I: WV NPE | P - NC |
| 23/12/2020 | 4 | 4 / 4 | 4 / 4 | 4 / 4 | No | C | P |
| 27/12/2020 | 3 | 1 / 3 | 3 / 3 | 3 / 3 | No | C | P |
| 27/12/2020 | 4 | 4 / 4 | 3 / 4 | 4 / 4; 3 / 4 | Yes | C: WV HMP F-S; I: NPE | E |
| 28/12/2020 | 2 | 0 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 29/12/2020 | 2 | 1 / 2 | 2 / 2 | 2 / 2 | No | C | P |
| 29/12/2020 | 6 | 5 / 6 | 4 / 6 | 5 / 6; 4 / 6 | Yes (Twice) | C | E |

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,031
Why post an empty report for a test date in the future?
He loves VS soooooo much that he just could not wait to get started ;).

But seriously, @harlan4096, thank you for testing... VS can be difficult to test so if you have any questions please let me know. One hint, you MIGHT want to reset the whitelist in VS often... depending on how you are testing.

BTW, what mode are you using to test? AlwaysON, Smart or AutoPilot?

This should be interesting ;).
 

danb

Thanks, that would be great and welcome ;) 😅
Sure, thank you as well... I just sent you a license. If for some reason it does not work please let me know.

Yeah, it probably is easiest to test on AutoPilot because if VS is ON (Smart or Always ON), and the malware is within the scope of VS's protection, I promise you, it is going to block it. Whereas with AutoPilot, there might be a small chance you can get something through, especially if you have an innocent looking sample that is signed with a valid EV cert, that is probably your best chance.
 

danb

Very cool. BTW, you might want to use the latest version of VS below. It should not make a difference in testing, but just in case.

VS 6.06b
SHA-256: a1df08121a0beb6309af6994e122f07a0d55a1ea70470c71bb2cb068ba179251

Also, in the interest of full disclosure, I wanted to let you guys know what I can see on my end. A while back I wrote a little app that lets me monitor all of the new samples that VS / WLC encounters. So I can open this app and tell at a glance how well VS is doing, mainly because the Safe samples are highlighted in green and the Not Safe samples are highlighted in red. And there are several little features in this app that give me detailed file insight about a sample, with just a simple click.

It is interesting because it is super easy to see when people are testing VS / WLC, and I know at a glance if they are doing well or not (with both positives and negatives), and I can optimize our algos if necessary.


Anyway, I just thought it was fair that I mention this to @harlan4096, so he has an idea of what we see on our end.
 

danb

@harlan4096, thank you for the first test... great catch! I tested and confirmed that there is indeed a bug in AutoPilot mode for .jar files. In my quick and dirty test, VS properly blocked the file in Smart ON mode, but missed the file when it was on AutoPilot (so I am sure it would miss the file in Smart OFF mode as well). Is that what your test reflects as well?

I was actually thinking about removing .jar support in VS because this type of malware was not so common for a while, requires JRE (which the user install base is dwindling) and is disabled by default in similar products because this block does produce false positives, especially for business users.

But .jar has made a comeback recently, so we will be keeping .jar support and ensure that it works properly in all VS modes.

Thanks again, great catch, I appreciate your help!
 

danb

Here is a version that should fix the AutoPilot bug that @harlan4096 found, and actually it probably affected other file types than just .jar. The bug was related to when I recently replaced VT with WLC in VS's Rules (similar to the bug that @Lenny_Fox recently encountered). It's funny, you can actually disable the one default rule in VS then the .jar file is blocked, so if we would not have had the one default rule, it probably would have been a very long time before we discovered this bug.

I did not have the same .jar file that @harlan4096 tested with, so I used a different sample, but if it is okay with @harlan4096, it might be a good idea to test the first .jar sample again... because if for some reason the bug is not fixed then I would probably need to debug with the actual sample to make sure the bug is completely fixed before we continue testing. Thanks again!

VS 6.06c
SHA-256: 083dd2ac20fa6fb6bed29969fabcdfbdb9caf4094ced85b70563911e85d8545c
 

danb

Very cool, thank you for letting me know! Luckily this bug appeared after the current public 6.06 release, otherwise I would be scrambling to release a fixed version to the public since this is a pretty big bug (probably the biggest, most significant bug we have ever had), and it was all due to one line of code... "Exit For" ;). So anyone running the public version 6.06 or the beta version 6.06c is safe.
 