- May 31, 2017
- 1,725
I should explain a little better... the raw VoodooAi result for ransomware.exe was 66, even though the user prompt reported 100, and since it was below the former threshold of 75, it was allowed. The user prompt has some algos / decision trees that increase the VoodooAi result if other indicators are detected, simply as a precaution to discourage the user from allowing something potentially malicious... but this is LONG after the relaxed security posture would have allowed a bypass. So I was thinking... we might be able to move these other algos / decision trees to an early part of the code so they can be included in the security posture / autopilot decision to auto allow something. I will play around with it and see... it will be a few months before the VoodooAi / WLC is fully optimized (after replacing VT with WLC). And as I was saying, the tests you guys have performed have made HUGE steps in optimizing the new WLC integration, and I think we are getting close, but there might be a little tweak or two in the next few months.
I was not able to find a sample for ransomware.exe, but the version below has a raw VoodooAi threshold of 50 for unsigned files that bypasses SS (when on the Relaxed security posture), so it should block it... but if not please let me know.
VS 6.11
SHA-256: 89bf0b3c7e5fad4b55866b7d2b4c65c4e42a2024f2bfb01a0f6b8fe9cb97a840
BTW, the code conversion is going amazing. I was always reluctant to do it because I knew it would be a total mess. But I have to say, it is funny seeing squeaky clean VS code. The conversion streamlines and corrects the code in a very big way. And actually, a lot of the VS 6.0 code has already been streamlined and fixed while I have been playing around with converting the code the last few months... it found a lot of small bugs and made a lot of small optimizations.
Thanks again you guys, I really appreciate all of your help!
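The ordering problem described in the post above (the autopilot auto-allow check runs on the raw score, while the precautionary boosts are only applied later when the user prompt is built) can be modelled in a few lines. The following is an added example, not VoodooShield's code: the boost rules, the `OLD_RELAXED` / `NEW_RELAXED` threshold tables, the `FileVerdict` fields and the sample files are all assumptions chosen so the numbers match the post (raw 66, prompt 100, old cutoff 75, new unsigned cutoff 50). It shows why a 66 slips past a 75 cutoff when the boosts run late, why folding the boosts into the autopilot decision blocks the same file, and why the separate 50 threshold for unsigned files also blocks it without any reordering.

```python
from dataclasses import dataclass, field

# Assumed boost rules for illustration: points added to a raw score when an
# indicator is present. These are not VoodooShield's actual rules.
INDICATOR_BOOST = {
    "ransom_note_strings": 20,
    "dropped_to_temp": 10,
}
UNSIGNED_BOOST = 10

# Assumed Relaxed-posture thresholds: a file whose score is below the threshold
# is auto-allowed without a prompt. "OLD" mirrors the single 75 cutoff in the
# post; "NEW" mirrors the separate 50 cutoff for unsigned files.
OLD_RELAXED = {"signed": 75, "unsigned": 75}
NEW_RELAXED = {"signed": 75, "unsigned": 50}


@dataclass
class FileVerdict:
    name: str
    raw_score: int               # raw ML score, 0..100 (hypothetical scale)
    signed: bool
    indicators: set = field(default_factory=set)


def boosted_score(v: FileVerdict) -> int:
    """Raw score plus the precautionary boosts the user prompt applies."""
    score = v.raw_score + sum(INDICATOR_BOOST.get(i, 0) for i in v.indicators)
    if not v.signed:
        score += UNSIGNED_BOOST
    return min(score, 100)


def decide(v: FileVerdict, policy: dict, boost_early: bool) -> tuple:
    """Return (auto_allowed, prompt_score).

    boost_early=False: autopilot compares the RAW score to the threshold and
    the boosts are only applied afterwards, when the prompt is built (the
    ordering the post describes as the bypass).
    boost_early=True: the boosts are folded into the score before the
    autopilot check, so the same heuristics that warn the user also gate
    the auto-allow decision.
    """
    threshold = policy["signed"] if v.signed else policy["unsigned"]
    score = boosted_score(v) if boost_early else v.raw_score
    if score < threshold:
        return True, None            # auto-allowed; the prompt never runs
    return False, boosted_score(v)   # held for the prompt, which shows the boosted score


# Constructed samples, not real detections.
SAMPLE = FileVerdict("ransomware.exe", 66, signed=False,
                     indicators={"ransom_note_strings", "dropped_to_temp"})
BENIGN = FileVerdict("installer.exe", 40, signed=True)


def run_scenarios() -> dict:
    """Each scenario returns the (auto_allowed, prompt_score) pair for a file/policy combination."""
    return {
        "old_threshold_late_boost": decide(SAMPLE, OLD_RELAXED, boost_early=False),
        "old_threshold_early_boost": decide(SAMPLE, OLD_RELAXED, boost_early=True),
        "unsigned_threshold_50": decide(SAMPLE, NEW_RELAXED, boost_early=False),
        "benign_early_boost": decide(BENIGN, NEW_RELAXED, boost_early=True),
    }


if __name__ == "__main__":
    for name, (allowed, prompt) in run_scenarios().items():
        print(f"{name:28s} auto_allowed={allowed} prompt_score={prompt}")
```

With the late-boost ordering and the old 75 cutoff, `ransomware.exe` is auto-allowed on its raw 66 even though the prompt would have displayed 100; moving the boosts ahead of the autopilot check, or lowering the unsigned cutoff to 50, both turn that into a block. The benign signed sample stays auto-allowed in every configuration, which is the check worth keeping in mind when boosts are moved earlier: the goal is to close the gap, not to start prompting on everything.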