Update VoodooShield 7.0

Thread tag: Developer is currently beta testing this product.

danb (VoodooShield developer, thread author)
Same here.
I spent some time on this and there are several ways to fix this issue.

1) The best option is for devs to not have their apps throw PowerShell command lines from a randomly named C:\Windows\Temp\ folder. If this can be fixed in CD by possibly moving the binary from Windows Temp to Program Files, that is by far the best option.

2) Another option would be for VS to add special rules to the contextual engine for CD. There are currently only around 20 or so special rules in our contextual engine, and they all are related to Microsoft, and most to MD ;). This is not the best option, but if all else fails we might consider this.

3) Another great option is to simply put VS in training mode, then click around in CD for 1-2 minutes. VS will quickly learn the command lines so it will not block them in the future. Or just keep VS on Smart or Always ON and allow the 5-6 blocks it creates. I tested this 2 different times, once while in Training Mode (no blocks) and once in Smart ON Mode (5-6 blocks). The command line algos in VS are pretty smart… the command lines do not have to match exactly in order to auto allow a slightly different command line. So 5-6 blocks is about all you will experience.

BTW, the training on the new VoodooAi is going really well and should be ready in 3-5 days!
 

danb (VoodooShield developer, thread author)
Hey Guys!

Here is VS 7.22, it should be ready for public release.

There were a couple of small changes from the last version, but by far the biggest change is the new ML/Ai models. I created an app to completely automate the process of preparing the training data set by sorting the samples, removing duplicates, and basically just making sure we are only using high quality samples. So now if you guys have any really great malware packs, please let me know and I can add them to the training dataset. Now that the process is completely automated, we are going to be adding even more high quality samples over the next few months, so our models will just keep getting better and better.

Also, if you have any malware packs that need to be cleaned and sorted so that you are only using high quality samples for testing, I would be happy to do that as well.

I also created a portable app to test the new VoodooAi. I have not spent a lot of time on it so it is a little rough around the edges (but very stable), and it is kinda fun to play around with. You can test hundreds or thousands of files very quickly. At some point we will probably make this a full-blown desktop app, but I still have a few things we need to finish up with VS like the Rules feature.

Here is the portable VoodooAi Desktop app…


And here is VS 7.22

VS 7.22
SHA-256: be9ac38c96a561408bd8b910d25bf7651467363b4bef0611266b4aae226a4d42


Thank you guys!

Dan

[Image: VoodooAiDesktop.PNG]
 

kC77
Thanks for the updates, just took the AI tool for a spin. I didn't expect to see quite so many items classified as safe or invalid.

Also, not sure if it's a bug, but you need to wait for analysis of the entire folder to complete before you can click on a sample to open up VirusTotal. This worked OK in the example below.

If I then click a different sample in the safe list, the VirusTotal page loads but says "404 page cannot be found".
It appears only one VirusTotal submission can be viewed per analysis.

[Image: voodooai.png]
 

danb (VoodooShield developer, thread author)
> Thanks for the updates, just took the AI tool for a spin. I didn't expect to see quite so many items classified as safe or invalid.
>
> Also, not sure if it's a bug, but you need to wait for analysis of the entire folder to complete before you can click on a sample to open up VirusTotal. This worked OK in the example below.
>
> If I then click a different sample in the safe list, the VirusTotal page loads but says "404 page cannot be found".
> It appears only one VirusTotal submission can be viewed per analysis.

Yeah, depending on which malware repository it comes from, there are usually tons of invalid, duplicate and safe files mixed in with the real malware. This skews the results in a very big way. The invalid files will never execute, so they need to be excluded completely. The duplicates should be removed because if, for example, you have a malware pack with 100 samples, and 10 of them are dups, then the results are skewed by 10%... especially if the dup is a safe file ;). And the safe files need to be removed as well, for obvious reasons. I think what I will do is add some features in VoodooAi Desktop to remove the duplicates. The invalid files are already sorted automatically if your malware pack is located on your desktop. The reason the sorting is limited to the desktop is because we did not want a user to analyze the Windows directory and have VoodooAi Desktop move the Windows files to the sorted directories.

As they say, that is not a bug, it is a feature ;). I actually added that feature and I cannot remember why at the moment, but I will play around with it and if it is possible to click on the item before the analysis is complete then I will remove that feature ;).

Yeah, if you see a 404 error that means the sample has not been uploaded to VT yet. What we might do is make it so when the user right clicks on an item, it will take them directly to the file so they can manually upload the file to VT and to WLC. If WLC says the file is safe, you can be almost 100% certain that it is safe, especially if the VT results are safe as well.

There is a limit to how many files can be analyzed with VT without having to respond to Captchas, so I just made it do one at a time. Thank you!
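The sample-pack cleanup Dan describes above (exclude files that will never execute, drop byte-identical duplicates, then measure detection against what is left), as an added Python example; this is not VoodooAi Desktop's code, and the sample bytes, the scanner verdicts and the minimal PE check are constructed assumptions for illustration:

```python
import hashlib

# Constructed stand-ins for files in a malware pack (name -> bytes); a real run
# would read them from disk. MZ_STUB is a minimal DOS header whose e_lfanew
# field (offset 0x3C) points at a "PE\0\0" signature at offset 0x40.
MZ_STUB = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLES = {
    "a.exe": MZ_STUB + b"sample-A",
    "b.exe": MZ_STUB + b"sample-B",
    "b_copy.exe": MZ_STUB + b"sample-B",   # byte-identical duplicate of b.exe
    "notes.txt": b"plain text, will never execute",
    "truncated.exe": b"MZ\x90\x00",        # MZ magic but no PE header
}
# Constructed per-file verdicts from some scanner (True = flagged as malware).
VERDICTS = {"a.exe": True, "b.exe": True, "b_copy.exe": True,
            "notes.txt": False, "truncated.exe": False}


def is_valid_pe(data: bytes) -> bool:
    """Cheap executability check: MZ magic, e_lfanew in range, PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(samples: dict) -> dict:
    """Sort a pack into valid, invalid and duplicate buckets (dedup by SHA-256)."""
    seen, valid, invalid, dups = {}, [], [], []
    for name, data in sorted(samples.items()):
        if not is_valid_pe(data):
            invalid.append(name)
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            dups.append((name, seen[digest]))   # (copy, first-seen original)
        else:
            seen[digest] = name
            valid.append(name)
    return {"valid": valid, "invalid": invalid, "duplicates": dups}


def detection_rates(samples: dict, verdicts: dict) -> tuple:
    """Detection rate over the raw pack vs. over unique, valid samples only."""
    raw = sum(verdicts[n] for n in samples) / len(samples)
    clean_names = triage(samples)["valid"]
    clean = sum(verdicts[n] for n in clean_names) / len(clean_names)
    return raw, clean
```

On the constructed pack the raw rate is dragged down by the two non-executable files while the duplicate pads the hit count; counting unique valid samples only gives the figure that actually describes the scanner.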
 

danb (VoodooShield developer, thread author)
BTW, if anyone finds actual malware samples that VoodooAi Desktop misses, please send them to me and I will add them to the training data set, thank you!
 

Digmor Crusher
Just a couple of comments.

Every time I install VS I go through all my installed programs and saved programs, open them and then see if VS reacts. I have 3 versions of Shadow Defender saved; I open them and every time VS throws up a block, so I click on Report a False Positive and Allow (my wording may be off from the actual wording). So I've done this numerous times with Shadow Defender and a couple of other programs; why do I have to do it every time, does reporting a False Positive not do anything?

And, VS is supposed to be a "simple" computer lock. Well, the idea and execution are superb, but it's not so simple once you open the GUI, way too many options and settings IMO. I think that 98% of computer users would be lost trying to figure them out. Not sure if this is even possible to fix, doubt it.
My idea of a perfect, simple program has 5 buttons: On, Off, Update, Block, Allow. You want everyone and anyone to use/like a program, then use these 5 buttons. Just some thoughts and questions Dan, your program is probably one of the best for computer security.
 

kC77
> Yeah, depending on which malware repository it comes from, there are usually tons of invalid, duplicate and safe files mixed in with the real malware. This skews the results in a very big way. The invalid files will never execute, so they need to be excluded completely. The duplicates should be removed because if, for example, you have a malware pack with 100 samples, and 10 of them are dups, then the results are skewed by 10%... especially if the dup is a safe file ;). And the safe files need to be removed as well, for obvious reasons. I think what I will do is add some features in VoodooAi Desktop to remove the duplicates. The invalid files are already sorted automatically if your malware pack is located on your desktop. The reason the sorting is limited to the desktop is because we did not want a user to analyze the Windows directory and have VoodooAi Desktop move the Windows files to the sorted directories.
>
> As they say, that is not a bug, it is a feature ;). I actually added that feature and I cannot remember why at the moment, but I will play around with it and if it is possible to click on the item before the analysis is complete then I will remove that feature ;).
>
> Yeah, if you see a 404 error that means the sample has not been uploaded to VT yet. What we might do is make it so when the user right clicks on an item, it will take them directly to the file so they can manually upload the file to VT and to WLC. If WLC says the file is safe, you can be almost 100% certain that it is safe, especially if the VT results are safe as well.
>
> There is a limit to how many files can be analyzed with VT without having to respond to Captchas, so I just made it do one at a time. Thank you!

Excellent, thanks for this!!
 

Freki123
> So I've done this numerous times with Shadow Defender and a couple of other programs; why do I have to do it every time, does reporting a False Positive not do anything?

Afaik the option just creates an entry on Dan's FP list or so. He then has to check them. And when he does that every now and then you may get lucky with your FP. So whenever I have a really annoying FP I use the email support, because I had that every now and then.
I like VS, I just also hope for a better FP solution for it.
 

danb (VoodooShield developer, thread author)
> Just a couple of comments.
>
> Every time I install VS I go through all my installed programs and saved programs, open them and then see if VS reacts. I have 3 versions of Shadow Defender saved; I open them and every time VS throws up a block, so I click on Report a False Positive and Allow (my wording may be off from the actual wording). So I've done this numerous times with Shadow Defender and a couple of other programs; why do I have to do it every time, does reporting a False Positive not do anything?
>
> And, VS is supposed to be a "simple" computer lock. Well, the idea and execution are superb, but it's not so simple once you open the GUI, way too many options and settings IMO. I think that 98% of computer users would be lost trying to figure them out. Not sure if this is even possible to fix, doubt it.
> My idea of a perfect, simple program has 5 buttons: On, Off, Update, Block, Allow. You want everyone and anyone to use/like a program, then use these 5 buttons. Just some thoughts and questions Dan, your program is probably one of the best for computer security.

Thank you, I appreciate that!

Yeah, I have a custom app that I use to manage VS and to automate certain tedious tasks. For example, I can automatically add a digital signature signer to our list very quickly, and the app allows me to quickly perform the necessary research before adding the signer. The last few weeks I have been working on all kinds of ways to fully automate VS, because making little changes manually takes tons of time. I have not automated the false positive procedure yet, but I am going to do it right now ;). So hopefully by this afternoon it will only take a few seconds to correct false positives, compared to 5-10 minutes for each one the manual way.

I totally agree that the VS settings can be overwhelming, especially for users who are trying VS for the first time. The last couple of years we have eliminated a few options, but it would be great if we could eliminate even more, or somehow organize them better. If anyone has any suggestions on how we might be able to do this, please let me know. I think this is a common problem with cybersecurity software and software in general. That is, once the user starts to explore the advanced settings, there are so many different settings that it is quite overwhelming. If anyone has seen a great implementation of advanced settings in any software that would be a great example to work from, please let me know. The good thing is that most users do not need to adjust any of the settings, but it would be really cool if we could somehow optimize this either way.
 

danb (VoodooShield developer, thread author)
> Afaik the option just creates an entry on Dan's FP list or so. He then has to check them. And when he does that every now and then you may get lucky with your FP. So whenever I have a really annoying FP I use the email support, because I had that every now and then.
> I like VS, I just also hope for a better FP solution for it.

Yeah, sorry I keep forgetting about this, I am going to fix this right now, thank you!
 

Digmor Crusher
> Afaik the option just creates an entry on Dan's FP list or so. He then has to check them. And when he does that every now and then you may get lucky with your FP. So whenever I have a really annoying FP I use the email support, because I had that every now and then.
> I like VS, I just also hope for a better FP solution for it.

I sort of thought that.
 

Digmor Crusher
> Thank you, I appreciate that!
>
> Yeah, I have a custom app that I use to manage VS and to automate certain tedious tasks. For example, I can automatically add a digital signature signer to our list very quickly, and the app allows me to quickly perform the necessary research before adding the signer. The last few weeks I have been working on all kinds of ways to fully automate VS, because making little changes manually takes tons of time. I have not automated the false positive procedure yet, but I am going to do it right now ;). So hopefully by this afternoon it will only take a few seconds to correct false positives, compared to 5-10 minutes for each one the manual way.
>
> I totally agree that the VS settings can be overwhelming, especially for users who are trying VS for the first time. The last couple of years we have eliminated a few options, but it would be great if we could eliminate even more, or somehow organize them better. If anyone has any suggestions on how we might be able to do this, please let me know. I think this is a common problem with cybersecurity software and software in general. That is, once the user starts to explore the advanced settings, there are so many different settings that it is quite overwhelming. If anyone has seen a great implementation of advanced settings in any software that would be a great example to work from, please let me know. The good thing is that most users do not need to adjust any of the settings, but it would be really cool if we could somehow optimize this either way.

Thanks Dan, don't envy you if you have to do the false positive procedure manually.
 

cruelsister
> I can automatically add a digital signature signer to our list very quickly, and the app allows me to quickly perform the necessary research before adding the signer

Hi Dan! Your product is great, but I despair at the thought of the amount of headaches involved in maintaining it. Lately I've noticed a few types of malware that on first glance (and a VERY quick glance at that) seem to have legitimate certificates. For instance:

[Image: Signed.png]

Although the lack of a counter-signature is sort of a giveaway that something is amiss, I wonder if something like this one, if just released into the Wild, would be flagged immediately due to the improper certificate pathway.