Malware Hub Report VoodooShield 6 - December 2020 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I should explain a little better... the raw VoodooAi result for ransomware.exe was 66, even though the user prompt reported 100, and since it was below the former threshold of 75, it was allowed. The user prompt has some algos / decision trees that increase the VoodooAi result if other indicators are detected, simply as a precaution to discourage the user from allowing something potentially malicious... but this is LONG after the relaxed security posture would have allowed a bypass. So I was thinking... we might be able to move these other algos / decision trees to an early part of the code so they can be included in the security posture / autopilot decision to auto allow something. I will play around with it and see... it will be a few months before the VoodooAi / WLC is fully optimized (after replacing VT with WLC). And as I was saying, the tests you guys have performed has made HUGE steps in optimizing the new WLC integration, and I think we are getting close, but there might be a little tweak or two in the next few months.

I was not able to find a sample for ransomware.exe, but the version below has a raw VoodooAi threshold of 50 for unsigned files that bypasses SS (when on the Relaxed security posture), so it should block it... but if not please let me know ;).

VS 6.11
SHA-256: 89bf0b3c7e5fad4b55866b7d2b4c65c4e42a2024f2bfb01a0f6b8fe9cb97a840

BTW, the code conversion is going amazing. I was always reluctant to do it because I knew it would be a total mess. But I have to say, it is funny seeing squeaky clean VS code ;). The conversion streamlines and corrects the code in a very big way. And actually, a lot of the VS 6.0 code has already been streamlined and fixed while I have been playing around with converting the code the last few months... it found a lot of small bugs and made a lot of small optimizations.

Thanks again you guys, I really appreciate all of your help!
 

harlan4096

Super Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,922
With this new build sample ransomware.exe is blocked in Auto Pilot -> Relaxed:

1609268244929.png

Also sample darkside.exe from the last pack:

1609268376267.png

But still sample Sett4545.exe is missed without any warning, encrypting only 1 rar file in Desktop...
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
With this new build sample ransomware.exe is blocked in Auto Pilot -> Relaxed:

View attachment 252147

Also sample darkside.exe from the last pack:

View attachment 252148

But still sample Sett4545.exe is missed without any warning, encrypting only 1 rar file in Desktop...
Cool, thank you for letting me know! Yeah, there is not much that can be done about Sett4545.exe... except to lock the computer ;).
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,345
Well, finally month testing has just finished, We will revisit VS malware testing in some months :)

Thanks @danb for the support :)
I think that @danb must thank you.
A lot of bugs were found by your testing and he resolved them all very quickly.
It was great to see such interaction (y)
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Well, finally VS month testing has just finished, We will revisit VS malware testing in some months :)

Thanks @danb for the support :)
Thank you very much, I truly appreciate your help! You guys helped to harden the heck out of VS's AutoPilot and Relaxed security posture. I have always been focused on the locked modes, so I am happy that we spent time hardening the other modes. Thanks again!!!
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I think that @danb must thank you.
A lot of bugs were found by your testing and he resolved them all very quickly.
It was great to see such interaction (y)
I have to say, it was a rather productive month ;). I really did not expect for things to go as they did (as far as releasing a hundred new versions in a month), but I am happy that things turned out as they did.

@harlan4096 and I do not seem to agree whether the computer should be locked when it is at risk or not, but more importantly, we figured out that we work very well together ;). If I could just get him to understand and imagine how cool it would be for Kaspersky to utilize something like VS instead of their TAM, then we would be 100% on the same page ;). Most people forgo traditional application whitelisting because it is a huge pain. VS has always been about making application whitelisting user-friendly for the masses.
 

mazskolnieces

Level 3
Well-known
Jul 25, 2020
117
It's not clear... maybe due to performance issues, maybe for not being very used by users... 🤔
Kaspersky stated that they removed TAM because very, very few home consumers used this default deny feature. Plus, Kaspersky support got tired of all the home user support requests because they don't read the manual, don't follow security advice and cannot handle security alerts. That's why Interactive Mode was removed as well. Based upon some discussions there was mention of reducing and optimizing code across Kaspersky products as well. If you look at what Kaspersky is doing, it is obvious that they are moving in the direction of as much automation for consumers as makes security sense, but sticking to the traditional multi-layered approach for enterprise.

Actually, Application Control is already pretty much default deny with optimal configuration for the typical user. You're already aware of those optimizations.

You can ask Dmitry, Yury or any of the other mods on the Kaspersky forums. If you ask the right questions, they'll get you the same answers from product management as above.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
To be honest and I'm a Kaspersky user I did not find TAM to be user friendly.
Yeah, making a deny-by-default product user-friendly enough for the masses is not an easy thing to do... I should know since that has been my primary focus for 9 years now ;). It takes time, patients, dedication, testing tons of beta versions, etc..

I have a few clients in KC who combo Kaspersky Small Office with VS, and have always left TAM disabled. It really is an amazing combo. What a lot people do not understand is that there are endpoints that have to be protected at all costs. For example, I have a lot of clients in the medical space who do not mind putting in the required extra effort to follow sound security practices, basically so they can sleep at night. I wish our banks, government, other medical facilities, etc. would do they same. We need to start holding companies and governments accountable for not sufficiently protecting endpoints that personally affect individuals when they are breached.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top