Video Voodooshield - Test simulation of potential MBR Malware (bypass)

Status
Not open for further replies.

SHvFl

Voodooshield not doing so well with a test simulation of potential MBR malware. The developer needs to look into it in his VAi thing.
The test is in always-on mode to show the VAi %. In the automatic modes, the malware just runs without an alert.

The malware is not made by me and I can't share it, as it could be used for criminal purposes. Sorry for the long video, but the VM is rather slow and I had to wait a few times.

mbr bypass vs - Streamable

EDIT: Because some people can't fathom an aspect of a test, let's see how VS does in autopilot mode with UAC off.
mbr encrypt test short - Streamable

EDIT2: Because some have even less ability to understand concepts, I edited the post and title to show that this is not malware running on thousands of machines with many detections. It's a simulated test of a NEW, never-before-seen MBR malware.
In such cases you don't hate on the messenger; instead you try to improve on the issue through the developer, if he wants to do something, and you report it.
 

stefanos

> Voodooshield not doing so well with MBR malware. The developer needs to look into it in his VAi thing.
> The test is in always-on mode to show the VAi %. In the automatic modes, the malware just runs without an alert.
>
> The malware is not made by me and I can't share it, as it could be used for criminal purposes. Sorry for the long video, but the VM is rather slow and I had to wait a few times.
>
> mbr bypass vs - Streamable

Thanks for the test. Good information for Voodooshield.
 

Threadripper

Not a big deal. VoodooShield isn't a standalone solution for starters and would (or should, at least) be combined with a solid AV solution. Regardless of the AI and VT results, if the user presses Allow and presses Yes on a UAC prompt, whose fault is the infection?
 

SHvFl

> Not a big deal. VoodooShield isn't a standalone solution for starters and would (or should, at least) be combined with a solid AV solution. Regardless of the AI and VT results, if the user presses Allow and presses Yes on a UAC prompt, whose fault is the infection?

Use your brain and read the first post, which explains that in the automatic modes (which you can see it was in until I changed it), the malware bypasses VS because of the 0 VT detections and 0 VAi detection.
Also, we are not talking about UAC protection, but yes, I agree with you that users should uninstall Voodooshield and just use UAC, which is why I left UAC enabled in this test.
 

Andy Ful

The "0 VT detection and 0 VAi detection" case will be extremely rare in the wild. It can happen in targeted attacks on organizations and enterprises. So no worries.
I would not put too much faith in AI detection - it is only another security layer.
 

shmu26

> Use your brain and read the first post, which explains that in the automatic modes (which you can see it was in until I changed it), the malware bypasses VS because of the 0 VT detections and 0 VAi detection.
> Also, we are not talking about UAC protection, but yes, I agree with you that users should uninstall Voodooshield and just use UAC, which is why I left UAC enabled in this test.

Thanks for the vid.

In automatic mode, it will toggle to "On" when a web app is running or a flash drive is inserted, and that's usually when the user is running a crack or opening an email attachment.

On the other hand, you proved that VS file rating is fallible. I think most users rely on a "safe" rating from VS, so when it fails, we are all gonna get infected...
 

shmu26

> Because some people can't fathom an aspect of a test, let's see how VS does in autopilot mode with UAC off.
> mbr encrypt test short - Streamable

@SHvFl please note that Autopilot is not the recommended mode. Dan has repeatedly warned against the weaknesses of autopilot mode, for exactly this reason. The recommended, default mode will block the execution, if it is toggled "On" by a web app. (I think it will block execution in typical user-space locations even when toggled "Off", but I don't remember for sure.)
Don't misunderstand me -- I do think VS failed the test, but for the reason that most users will rely on the VS file rating when it says a file is clean. VS has so many false positives, you tend to say to yourself, "If even VS says it's clean, it MUST be clean!"
 

SHvFl

> @SHvFl please note that Autopilot is not the recommended mode. Dan has repeatedly warned against the weaknesses of autopilot mode, for exactly this reason. The recommended, default mode will block the execution, if it is toggled "On" by a web app. (I think it will block execution in typical user-space locations even when toggled "Off", but I don't remember for sure.)
> Don't misunderstand me -- I do think VS failed the test, but for the reason that most users will rely on the VS file rating when it says a file is clean. VS has so many false positives, you tend to say to yourself, "If even VS says it's clean, it MUST be clean!"

I could show you, but it defeats the purpose of the test. The test shows VAi is not doing well with MBR malware. I don't know what more to say than that. VT will pick up the samples after a bit of time, but that has nothing to do with my test. I assumed my first post made it clear, but I guess not.
The developer needs to look into it in his VAi thing.
 

shmu26

> I could show you, but it defeats the purpose of the test. The test shows VAi is not doing well with MBR malware. I don't know what more to say than that. VT will pick up the samples after a bit of time, but that has nothing to do with my test. I assumed my first post made it clear, but I guess not.

So Dan needs to train his AI better for MBR malware. And that is indeed what you said in your first post.
 

shmu26

Dan has always recommended smart-aggressive mode. I wish he would remove autopilot mode altogether. I am not sure if both autopilot and always on were tested. Dan did comment on this @ COU and is releasing a new version later today.
Always on was tested in the first vid. The file was blocked. If you leave it at that, you are safe.
The problem is that lots of us "advanced" users run Voodooshield with prompts, instead of with automatic blocking. I don't have Voodooshield installed, but when I did, I set it to prompt for me, and to automatically block for the other users. So a "smart" guy like me would be likely to shoot himself in the foot when he sees that the prompt declares the file to be clean.
 

ticklemefeet

> Always on was tested in the first vid. The file was blocked. If you leave it at that, you are safe.
> The problem is that lots of us "advanced" users run Voodooshield with prompts, instead of with automatic blocking. I don't have Voodooshield installed, but when I did, I set it to prompt for me, and to automatically block for the other users. So a "smart" guy like me would be likely to shoot himself in the foot when he sees that the prompt declares the file to be clean.

I have always run in smart-aggressive mode and always get prompts, unless I am away and it times out. So far 4 engines on VT are tagging CylanceSuxx.exe on VT. And so it would not pass VS if run again.
 

oldschool

> Malware is not made by me and I can't share it as the malware can be used for criminal usage.

If you have malware that can be used with criminal intent, why can you not share it with Dan, who, I think it is safe to assume, has no criminal intent? Have you even contacted Dan to report your findings? I am unable to follow your logic.
 

SHvFl

> If you have malware that can be used with criminal intent, why can you not share it with Dan, who, I think it is safe to assume, has no criminal intent? Have you even contacted Dan to report your findings? I am unable to follow your logic.

I am not a paid employee of VS, so I don't have to do anything. Users of VS can report it if they want.
About giving it to him, I don't get why I need to do it. He has the file in his VAi. I am not sending malware to someone just because he is a developer. Regardless, having the sample does nothing, as he can find malware built on the same principle, block VT or change the malware, and then do as many tests as he wishes.
I really don't get how I am the bad guy for showing an issue and you are all so upset about it. All software has issues, and people should aim for software to improve and not complain each time someone posts something.
 