Yeah, AutoPilot, while effective in most cases, has a weakness. WhitelistCloud is really, really good. When VS gets it integrated it should be quite interesting. Dan's response below:
Yes, VS has a vulnerability in AutoPilot mode where, if all 72 engines and VoodooAi initially return an Undetected / Safe verdict, it will bypass VS in AutoPilot mode.
This vulnerability was first disclosed by a competitor here:
mbr encrypt test short - Streamable, which is what started the wheels in my head turning for WhitelistCloud, which turned out amazing, and will be implemented into VS soon. I sincerely thank the people responsible for the streamable video, you only made VS stronger… as you have done many, many, many times in the past.
Keep in mind that it only takes minutes or hours for the Detected verdicts to appear, at which time VS will block the file. I just wish that our competitor and Juan would have explained this to everyone so they could see the “sleight of hand” they had to utilize to actually get something to bypass VS. Instead they opted for dramatic effect.
If you want to bypass VS this way, simply...
1. Create an executable that encrypts files and has a 0 / 72 detection ratio
2. Make sure you upload it to VT first though, because otherwise VS will block the file
3. Change VS to AutoPilot mode and launch the file.
4. You better hurry up and make the video though because within minutes or hours the detection ratio will no longer be 0 / 72, and VS will block it.
If that is not sleight of hand, I do not know what is.
Juan, can you please recompile the executable, then scan the file with WC, then repeat and post the test again, assuming a Safe verdict is returned from WC?
Attention everyone using VS in AutoPilot mode!!! Please do not execute targeted malware that you create and modify on your machine that initially returns an Undetected verdict for all 72 engines… because it will bypass VS. Or you could always wait a few minutes or an hour, and VS will block it.
The really funny thing is that I demonstrated a true in-the-wild bypass of VS on AutoPilot and posted it here 4 years ago:
Which was simply to demonstrate that the computer should be locked when it is at risk.
So if you are going to create a bypass for VS, at least make it as impressive as the one I posted 4 years ago. Hehehe.
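As an added illustration (not VoodooShield's code, and not how VS, VoodooAi or WhitelistCloud actually decide), here is a small Python model of the AutoPilot weakness Dan describes beside a hardened policy that treats a freshly uploaded 0 / 72 result as unknown rather than safe. The `ScanSnapshot` fields, the quarantine window and the timeline values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical scan snapshot (constructed for this example); not VS's data model.
@dataclass
class ScanSnapshot:
    detected: int                  # engines returning a Detected verdict
    total: int                     # engines consulted (72 in the thread)
    ai_safe: bool                  # VoodooAi-style verdict: True = Safe
    minutes_since_first_seen: int  # how long the scanning service has known the sample
    whitelist_safe: bool           # hypothetical WhitelistCloud-style verdict

QUARANTINE_MINUTES = 120  # assumed window in which late Detected verdicts tend to appear

def autopilot_weak(s: ScanSnapshot) -> str:
    """The weakness in the thread: clean everywhere right now => allow."""
    if s.detected == 0 and s.ai_safe:
        return "allow"
    return "block"

def autopilot_hardened(s: ScanSnapshot) -> str:
    """A fresh clean scan is absence of evidence, not evidence of safety."""
    if s.detected > 0:
        return "block"
    if s.whitelist_safe:            # positively known-good, independent of detections
        return "allow"
    if s.minutes_since_first_seen < QUARANTINE_MINUTES:
        return "prompt"             # lock / ask the user while the sample is too new
    return "allow" if s.ai_safe else "prompt"

def timeline(decide, snapshots):
    """Re-evaluate the same file as verdicts change over minutes or hours."""
    return [decide(s) for s in snapshots]

# Constructed timeline: a freshly uploaded encryptor that starts at 0 / 72
# and picks up detections about an hour and a half later.
FRESH_ENCRYPTOR = [
    ScanSnapshot(0, 72, True, 0, False),
    ScanSnapshot(0, 72, True, 30, False),
    ScanSnapshot(5, 72, False, 90, False),
]
# Constructed control case: a brand-new build of a known-good tool.
FRESH_WHITELISTED = ScanSnapshot(0, 72, True, 1, True)

if __name__ == "__main__":
    print("weak:    ", timeline(autopilot_weak, FRESH_ENCRYPTOR))
    print("hardened:", timeline(autopilot_hardened, FRESH_ENCRYPTOR))
```

The weak policy allows the sample during the window the thread describes and only blocks once detections arrive; the hardened one never allows it, while still allowing the whitelisted control case.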