Topic: VoodooShield v5 STABLE Thread

Offline HempOil
Re: VoodooShield v5 STABLE Thread
« Reply #75 on: June 09, 2019, 07:36:28 pm »
Hi Dan,

I'm excited to hear about all the updates you are contemplating. Using an established mechanism (SS) to lower the number of false positives in an algorithm (VoodooAi) that tries to maximize the number of true positives sounds like a win-win to me.

Edit: Unless Shmu26 is correct  :-\
Windows 10 Home 64-bit, version 1809, build 17763.529
Comodo Internet Security Premium 12.0.0.6818
VoodooShield 5.01
HMP.A 3.8.0 Build 839 CTP 1 & HMP 3.8.14 b304 (64-bit)
Google Chrome 75.0.3770.80 (Official Build) (64-bit) run in Comodo sandbox

Offline oldschool
Re: VoodooShield v5 STABLE Thread
« Reply #76 on: June 09, 2019, 08:01:56 pm »
@VoodooShield @shmu26

Andy's opinion is this:

"Forced SS can be easily introduced to VS as on-demand feature (my italics) for making installations (like in Hard_Configurator). I think that this would be a very good idea.:giggle:"
"... still trying to find the answers to life's persistent questions..." - Guy Noir, Private Eye

W10 1903 Kaspersky Free AV + VoodooShield Pro

Offline Shmu26
Re: VoodooShield v5 STABLE Thread
« Reply #77 on: June 09, 2019, 09:05:46 pm »
Smartscreen could be useful if the algorithm works something like this:
Smartscreen allowed + unsigned = whitelist. 
This could significantly decrease FPs in Voodooshield.

Offline VoodooShield

  • VoodooShield Developer
  • VoodooShield Support
Re: VoodooShield v5 STABLE Thread
« Reply #78 on: June 09, 2019, 10:32:41 pm »
> Yea...ironically  ;D
> It is sad that SS doesn't have additional info when it blocks something  :-\
>
> SmartScreen in Windows 10 is system-wide, but I have it turned off.
Hey TH!  Either way this will be an optional feature.  I am thinking more along the lines of a cloud based API anyway so that it will work with all versions of Windows.  At a minimum, it would be nice to at least be able to offer the end user the SS results as file insight.  SS has come a very, very long way the last year or two... it is an amazing feature now.

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #79 on: June 09, 2019, 10:33:25 pm »
> This version took a pile of messing around (to put it mildly) on both systems, with errors, retries and double-checking settings in the AV I'm running, to get it installed.
> Finally got it done.....too much messing around for my liking. :-\

Edit
Very cool, thank you for letting me know!

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #80 on: June 09, 2019, 10:34:20 pm »
> This version took a pile of messing around (to put it mildly) on both systems, with errors, retries and double-checking settings in the AV I'm running, to get it installed.
> Finally got it done.....too much messing around for my liking. :-\

Edit
Sorry, I should have mentioned that since the digital signature changed, it is best to exit out of VS before upgrading to this version.

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #81 on: June 09, 2019, 10:40:19 pm »
> SmartScreen can be fooled by relatively new malware that bears a valid digital sig, in certain cases. It is rare, but it happens.
>
> Here is a relevant quote from Andy Ful that explains the issue more in depth:
> "if the never-seen-malware uses Extended Validation Certificate (requires verification of the requesting entity's identity by a certificate authority) or digital certificate stolen from a very popular application, then it can usually bypass SmartScreen. That happened twice in @askalan tests (one malware cannot infect the testing system anyway)."
> https://malwaretips.com/threads/do-you-consider-this-a-block-or-a-fail.91621/page-2#post-807932
Very true!  But this also applies to the traditional and next-gen engines which rely on the digital signature.  If a file is signed and the signature is valid and verified, it makes it extremely difficult for any engine (traditional or next-gen) to correctly identify malware, mainly because the signature is one of the most important features that engines use to detect malware.  This is actually why VS pretty much ignores the digital signature, however, VoodooAi is quite dependent on it... but since VS is going to block the file anyway, it kind of all works out in the end ;).

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #82 on: June 09, 2019, 10:49:31 pm »
> Hi Dan,
>
> I'm excited to hear about all the updates you are contemplating. Using an established mechanism (SS) to lower the number of false positives in an algorithm (VoodooAi) that tries to maximize the number of true positives sounds like a win-win to me.
>
> Edit: Unless Shmu26 is correct  :-\
Well, if a digital signature is stolen and used to sign malware, especially an EV sig, not much can be done until that signature is revoked.  But like I was saying, this will be an issue for pretty much any engine that I can think of.  If anything, since VS ignores the signature and blocks the file anyway, this should not be an issue either way, except for the fact that pretty much all of VS's file insight will render a safe verdict.  Then again, that is why VS shows the mini prompt, and blocks the file and basically says "VS blocked a file, if it happened to block an item you are wanting to allow, then click the mini prompt to see the full prompt."  If you ask me, one of the most dangerous elements for any given security product is having an affirmative user prompt.  In other words, the user should never be forced to make a decision then and there on any particular item.  Doing so will essentially ensure that they are going to click yes ;).  I bet more infections have occurred because of this than all other infections combined.

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #83 on: June 09, 2019, 10:51:15 pm »
> @VoodooShield @shmu26
>
> Andy's opinion is this:
>
> "Forced SS can be easily introduced to VS as on-demand feature (my italics) for making installations (like in Hard_Configurator). I think that this would be a very good idea.:giggle:"
Very cool, thank you Andy and OS!  I am still thinking more along the lines of a cloud based API, but we will see how it all plays out... assuming we get approval in the first place ;).

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #84 on: June 09, 2019, 11:04:29 pm »
> Smartscreen could be useful if the algorithm works something like this:
> Smartscreen allowed + unsigned = whitelist.
> This could significantly decrease FPs in Voodooshield.
Yeah, something like that would certainly be one of the rules, but there will need to be several other rules as well.
This is completely off the top of my head, but something like this maybe...

Safe verdict
Smartscreen Safe + Unsigned + VoodooAi < 50 = Safe
Smartscreen Safe + Signed (Verified and Valid) + VoodooAi < 75 = Safe
Smartscreen Safe +  Signed (NOT Verified and Valid) + VoodooAi < 90 =  Safe
Smartscreen Unsafe + Signed (Verified and Valid) + VoodooAi < 90 = Safe

Unsafe verdict
Smartscreen Unsafe + Unsigned = Unsafe
Smartscreen Unsafe +  Signed (NOT Verified and Valid) = Unsafe

Offline Shmu26
Re: VoodooShield v5 STABLE Thread
« Reply #85 on: June 10, 2019, 06:29:19 am »
> Safe verdict
> Smartscreen Safe + Unsigned + VoodooAi < 50 = Safe
> Smartscreen Safe + Signed (Verified and Valid) + VoodooAi < 75 = Safe
If I understand this right, you are giving more trust to Smartscreen Safe + Signed.
IMHO, Smartscreen Safe + Unsigned should get more trust. Why? Because we know that the file has a good prevalence and age rating. So as long as it has a low rating on Virus Total, it should be clean. Whereas Smartscreen Safe + Signed is not a guarantee of prevalence and age. It might be relying on the signature, which can be stolen or purchased illegally. And if the file is new enough, it will have a low VT rating, too.   
« Last Edit: June 10, 2019, 08:00:34 am by Shmu26 »

Offline VoodooShield
Re: VoodooShield v5 STABLE Thread
« Reply #86 on: June 10, 2019, 08:10:30 am »
> Safe verdict
> Smartscreen Safe + Unsigned + VoodooAi < 50 = Safe
> Smartscreen Safe + Signed (Verified and Valid) + VoodooAi < 75 = Safe
> If I understand this right, you are giving more trust to Smartscreen Safe + Signed.
> IMHO, Smartscreen Safe + Unsigned should get more trust. Why? Because we know that the file has a good prevalence and age rating. So as long as it has a low rating on Virus Total, it should be clean. Whereas Smartscreen Safe + Signed is not a guarantee of prevalence and age. It might be relying on the signature, which can be stolen or purchased illegally. And if the file is new enough, it will have a low VT rating, too.
Ooops, yeah, I totally agree... that was basically what I was trying to do but I had it backwards.  Does something like this look right to you?

Safe verdict
Smartscreen Safe + Unsigned + VoodooAi < 90 = Safe
Smartscreen Safe + Signed (Verified and Valid) + VoodooAi < 75 = Safe
Smartscreen Safe +  Signed (NOT Verified and Valid) + VoodooAi < 50 =  Safe
Smartscreen Unsafe + Signed (Verified and Valid) + VoodooAi < 25 = Safe

Unsafe verdict
Smartscreen Unsafe + Unsigned = Unsafe
Smartscreen Unsafe +  Signed (NOT Verified and Valid) = Unsafe
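
The corrected decision table above, as an added worked example (this is not VoodooShield's code, and the product's actual logic is not published here). It assumes a VoodooAi score on a 0-100 scale where higher means more suspicious, adds an "unknown" SmartScreen answer for files with no reputation data, and treats every combination the table does not mention as the ordinary VS outcome (block plus mini prompt) rather than an allow. The `uncovered_combinations()` helper is a review check for a hand-written table like this one: it lists the input pairs that no rule mentions.

```python
"""Decision table combining SmartScreen, Authenticode status and a VoodooAi
score, after the corrected draft in the thread.  Added illustration, not
VoodooShield code.  Assumptions: VoodooAi score is an int 0-100, higher =
more suspicious; SmartScreen may also answer "unknown"; anything the table
does not cover falls through to "Block" (default deny), never to an allow.
"""
from enum import Enum


class SmartScreen(Enum):
    SAFE = "safe"
    UNSAFE = "unsafe"
    UNKNOWN = "unknown"  # assumed: no reputation data for this file


class Signature(Enum):
    UNSIGNED = "unsigned"
    VALID = "valid"      # signed, chain verifies, not revoked
    INVALID = "invalid"  # signed but not verifiable: bad chain, revoked, hash mismatch


# "Safe verdict" rows: (SmartScreen, Signature) -> VoodooAi score must be BELOW this
SAFE_CEILING = {
    (SmartScreen.SAFE, Signature.UNSIGNED): 90,
    (SmartScreen.SAFE, Signature.VALID): 75,
    (SmartScreen.SAFE, Signature.INVALID): 50,
    (SmartScreen.UNSAFE, Signature.VALID): 25,
}

# "Unsafe verdict" rows: unconditional, VoodooAi score is not consulted
ALWAYS_UNSAFE = {
    (SmartScreen.UNSAFE, Signature.UNSIGNED),
    (SmartScreen.UNSAFE, Signature.INVALID),
}


def verdict(ss: SmartScreen, sig: Signature, ai_score: int) -> str:
    """Return "Safe", "Unsafe" or "Block" for one file.

    "Block" is the fall-through: the table gives no verdict, so the file gets
    the normal VS treatment (blocked; the user may open the prompt).  A missing
    rule must never turn into an auto-allow.
    """
    if not 0 <= ai_score <= 100:
        raise ValueError(f"VoodooAi score out of range: {ai_score}")
    key = (ss, sig)
    if key in ALWAYS_UNSAFE:
        return "Unsafe"
    ceiling = SAFE_CEILING.get(key)
    if ceiling is not None and ai_score < ceiling:
        return "Safe"
    return "Block"


def uncovered_combinations():
    """(SmartScreen, Signature) pairs that neither rule set mentions.

    Every pair returned here can only ever yield "Block", which is the safe
    outcome, but the table's author should know the gaps exist.
    """
    covered = set(SAFE_CEILING) | ALWAYS_UNSAFE
    return [(ss, sig) for ss in SmartScreen for sig in Signature
            if (ss, sig) not in covered]


if __name__ == "__main__":
    # Constructed sample inputs, one per interesting row
    samples = [
        (SmartScreen.SAFE, Signature.UNSIGNED, 40),   # old, prevalent, unsigned tool
        (SmartScreen.SAFE, Signature.VALID, 80),      # valid sig, but AI score too high
        (SmartScreen.UNSAFE, Signature.VALID, 10),    # SS unsafe + valid cert + low AI: table says Safe
        (SmartScreen.UNSAFE, Signature.UNSIGNED, 0),  # unconditional Unsafe
        (SmartScreen.UNKNOWN, Signature.VALID, 0),    # no reputation yet: falls through to Block
    ]
    for ss, sig, score in samples:
        print(f"{ss.value:8} {sig.value:9} ai={score:3} -> {verdict(ss, sig, score)}")
    print("uncovered:", [(a.value, b.value) for a, b in uncovered_combinations()])
```

The third sample is the case the rest of the thread worries about: SmartScreen says unsafe, the certificate checks out, and a signature-dependent scorer returns a low number, so the draft table allows it. Whether a SmartScreen "unsafe" should ever be overridden by a signature is a policy question for the table's author; the code only makes the consequence visible.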

Offline Shmu26
Re: VoodooShield v5 STABLE Thread
« Reply #87 on: June 10, 2019, 08:25:15 am »
>> Safe verdict
>> Smartscreen Safe + Unsigned + VoodooAi < 50 = Safe
>> Smartscreen Safe + Signed (Verified and Valid) + VoodooAi < 75 = Safe
>> If I understand this right, you are giving more trust to Smartscreen Safe + Signed.
>> IMHO, Smartscreen Safe + Unsigned should get more trust. Why? Because we know that the file has a good prevalence and age rating. So as long as it has a low rating on Virus Total, it should be clean. Whereas Smartscreen Safe + Signed is not a guarantee of prevalence and age. It might be relying on the signature, which can be stolen or purchased illegally. And if the file is new enough, it will have a low VT rating, too.
> Ooops, yeah, I totally agree... that was basically what I was trying to do but I had it backwards.  Does something like this look right to you?
>
> Safe verdict
> Smartscreen Safe + Unsigned + VoodooAi < 90 = Safe
> Smartscreen Safe + Signed (Verified and Valid) + VoodooAi < 75 = Safe
> Smartscreen Safe + Signed (NOT Verified and Valid) + VoodooAi < 50 = Safe
> Smartscreen Unsafe + Signed (Verified and Valid) + VoodooAi < 25 = Safe
>
> Unsafe verdict
> Smartscreen Unsafe + Unsigned = Unsafe
> Smartscreen Unsafe + Signed (NOT Verified and Valid) = Unsafe
Looks great to me.

On a totally unrelated subject, I got a block today for mpcmdrun.exe; it was signed by Microsoft. Running VS 5.01 on Windows 10 1809, with Windows Defender as active AV.

I just noticed in the log that I also got a few blocks for dismhost.
« Last Edit: June 10, 2019, 08:40:40 am by Shmu26 »

Offline oldschool
Re: VoodooShield v5 STABLE Thread
« Reply #88 on: June 10, 2019, 05:27:49 pm »
> Thank you, I totally agree with all of your points.  I am thinking more along the lines of outbound firewall monitoring and maybe some more advanced behavior monitoring mechanisms.

This feature could be useful, especially if it maintains VS's light weight.  8)
"... still trying to find the answers to life's persistent questions..." - Guy Noir, Private Eye

W10 1903 Kaspersky Free AV + VoodooShield Pro

Offline gorblimey
Re: VoodooShield v5 STABLE Thread
« Reply #89 on: June 13, 2019, 04:29:48 am »
> ... It might be relying on the signature, which can be stolen or purchased illegally. And if the file is new enough, it will have a low VT rating, too.
> ...

Why so much reliance on signatures?  When will people wake up to the concept that malware devs can do everything that bonware devs can do?  It is not hard to get a genuine, legitimate Certificate, even an Extended Certificate.

AND, we know that the entire Certificate system is at best rickety, completely dodgy at worst.

Much better to rely on the author's hash...  Although, wasn't there a security house that had its download repository invaded and compromised?  The one that Avast was purchasing?

This is where it pays to run an on-demand scanner over the suspect.
____________________
Win7 HPx64 SP1, VoodooShield, WFC