App Review Voodooshield - Test simulation of potential MBR Malware (bypass)

[SHvFl]

Content source

https://streamable.com/rjm00

Voodooshield not doing so well with test simulation of potential mbr malware. The developer needs to look about it in his VAi thing.
Test is in always on mode to show % of VAi. In the automatic modes, the malware just runs without an alert.

Malware is not made by me and I can't share it as the malware can be used for criminal usage. Sorry for the long video but the vm is rather slow and I had to wait a few times.

mbr bypass vs - Streamable

EDIT: Because some people can't fathom an aspect of a test lets see how VS does on autopilot mode and uac off.
mbr encrypt test short - Streamable

EDIT2: Because some have an even less ability to understand concepts I edited the post and title to show that this is not a malware running on thousands of machines with many detections. It's a simulated test of an mbr NEW and never seen before malware.
In such cases you don't hate on the messenger but instead try to improve on the issue through the developer if he wants to do something and you report it.

 

[stefanos]

Voodooshield not doing so well with mbr malware. The developer needs to look about it in his VAi thing.
Test is in always on mode to show % of VAi. In the automatic modes, the malware just runs without an alert.

Malware is not made by me and I can't share it as the malware can be used for criminal usage. Sorry for the long video but the vm is rather slow and I had to wait a few times.

mbr bypass vs - Streamable

Thanks for the test. Good information for Voodooshield

 

[davisd]

I feel sad for those who believed in VS "Ai". People would be clicking "allow" on the prompt believing the file is safe.

 

[ForgottenSeer 72227]

Good test!

I think it goes to show and reinforce the point that there is no such thing as a perfect product. Every product, no matter how good will fail at some point.

 

[Arequire]

I'd like to see Dan tweak the behaviour of VS so that anything unsigned triggers a prompt regardless of what mode it's in.

 

[Threadripper]

Not a big deal, VoodooShield isn't a standalone solution for starters and would (or should, at least) be combined with a solid AV solution. Regardless of the AI and VT results, if the user presses allow and presses yes on a UAC prompt, who's fault is the infection?

 

[SHvFl]

Not a big deal, VoodooShield isn't a standalone solution for starters and would (or should, at least) be combined with a solid AV solution. Regardless of the AI and VT results, if the user presses allow and presses yes on a UAC prompt, who's fault is the infection?

Use your brain and read the first post which explains that in the automatic modes, which you can see it was on until I changed it, the malware bypasses Vs because of the 0 VT detection and 0 VAi detection.
Also we are not talking about uac protection but yes I agree with you that users should uninstall Voodooshield and just use uac which is why I let uac enabled in this test.

 

[Andy Ful]

The "0 VT detection and 0 VAi detection" will be extremely rare in the wild. It can happen in targeted attacks on organizations and Enterprises. So no worry.
I would not put too much faith in Ai detection - it is only another security layer.

 

[shmu26]

Use your brain and read the first post which explains that in the automatic modes, which you can see it was on until I changed it, the malware bypasses Vs because of the 0 VT detection and 0 VAi detection.
Also we are not talking about uac protection but yes I agree with you that users should uninstall Voodooshield and just use uac which is why I let uac enabled in this test.

Thanks for the vid.

In automatic mode, it will toggle to "On" when a web app is running or a flash drive is inserted, and that's usually when the user is running a crack or opening an email attachment.

On the other hand, you proved that VS file rating is fallible. I think most users rely on a "safe" rating from VS, so when it fails, we are all gonna get infected...

 

[LDogg]

App Whitelisting software has it's Pros & Cons like many others however computing experience is essential as this type of software ois very user dependent compared to other solutions.

~LDogg

 

[SHvFl]

Because some people can't fathom an aspect of a test lets see how VS does on autopilot mode and uac off.
mbr encrypt test short - Streamable

 

[shmu26]

Because some people can't phantom an aspect of a test lets see how VS does on autopilot mode and uac off.
mbr encrypt test short - Streamable

@SHvFl please note that Autopilot is not the recommended mode. Dan has repeatedly warned against the weaknesses of autopilot mode, for exactly this reason. The recommended, default mode will block the execution, if it is toggled "On" by a web app. (I think it will block execution in typical user-space locations even when toggled "Off", but I don't remember for sure.)
Don't misunderstand me -- I do think VS failed the test, but for the reason that most users will rely on the VS file rating when it says a file is clean. VS has so many false positives, you tend to say to yourself, "If even VS says it's clean, it MUST be clean!"

 

[SHvFl]

@SHvFl please note that Autopilot is not the recommended mode. Dan has repeatedly warned against the weaknesses of autopilot mode, for exactly this reason. The recommended, default mode will block the execution, if it is toggled "On" by a web app. (I think it will block execution in typical user-space locations even when toggled "Off", but I don't remember for sure.)
Don't misunderstand me -- I do think VS failed the test, but for the reason that most users will rely on the VS file rating when it says a file is clean. VS has so many false positives, you tend to say to yourself, "If even VS says it's clean, it MUST be clean!"

I could show you but it defeats the purpose of the test. The test shows VAi is not doing well with mbr malware. I don't know what more to say than that. VT will pick the samples after a bit of time but nothing to do with my test. I assumed my first post made it clear but I guess not.

The developer needs to look about it in his VAi thing.

 

[shmu26]

I could show you but it defeats the purpose of the test. The test shows VAi is not doing well with mbr malware. I don't know what more to say than that. VT will pick the samples after a bit of time but nothing to do with my test. I assumed my first post made it clear but I guess not.

So Dan needs to train his Ai better for MBR malware. And that is indeed what you said in your first post.

 

[SHvFl]

So Dan needs to train his Ai better for MBR malware. And that is indeed what you said in your first post.

He can do whatever he wished as it's his product. If his users report it to him, as he is not here, he can decide to act or it or not.

 

[ForgottenSeer 69673]

Dan has always recommended smart-aggressive mode. I wish he would remove autopilot mode altogether. I am not sure if both autopilot and always on were tested. Dan did comment on this @ COU and is releasing a new version later today.

 

[shmu26]

Dan has always recommended smart-aggressive mode. I wish he would remove autopilot mode altogether. I am not sure if both autopilot and always on were tested. Dan did comment on this @ COU and is releasing a new version later today.

Always on was tested in the first vid. The file was blocked. If you leave it at that, you are safe.
The problem is that lots of us "advanced" users run Voodooshield with prompts, instead of with automatic blocking. I don't have Voodooshield installed, but when I did, I set it to prompt for me, and to automatically block for the other users. So a "smart" guy like me would be likely to shoot himself in the foot when he sees that the prompt declares the file to be clean.

 

[ForgottenSeer 69673]

Always on was tested in the first vid. The file was blocked. If you leave it at that, you are safe.
The problem is that lots of us "advanced" users run Voodooshield with prompts, instead of with automatic blocking. I don't have Voodooshield installed, but when I did, I set it to prompt for me, and to automatically block for the other users. So a "smart" guy like me would be likely to shoot himself in the foot when he sees that the prompt declares the file to be clean.

I have always run in smart-aggressive mode and always get prompts, unless I am away and it times out. So far 4 engines on VT are tagging CylanceSuxx.exe on VT. And so it would not pass VS if run again.

VirusTotal

VirusTotal

www.virustotal.com

 

[oldschool]

Malware is not made by me and I can't share it as the malware can be used for criminal usage.

If you have malware that can be used with criminal intent, why can you not share it with Dan? - who I think it is safe to assume, has no criminal intent. Have you even contacted Dan to report your findings? I am unable to follow your logic.

 

[SHvFl]

If you have malware that can be used with criminal intent, why can you not share it with Dan? - who I think it is safe to assume, has no criminal intent. Have you even contacted Dan to report your findings? I am unable to follow your logic.

I am not a paid employee of VS to have to do anything. Users of Vs can report it if they want.
About giving it to him I don't get why it is needed for me to do it. He has the file on his VAi. I am not sending malware to someone just because he is a developer. Regardless, having the sample does nothing as he can find the same principal malware, block VT or change the malware and then do as many tests as he wishes.
I really don't get how I am the bad guy about showing an issue and you are all so upset about it. All software have issues and people should aim for software to improve and not complain each time someone posts something.