Can a rule be auto revoked?


  • Post
    pkillpeers
    Participant
    PT
    Hey there.

    I was thinking about that issue where CCleaner got injected with malware, and also the torrent client (Transmission). In what ways could it be avoided with VoodooShield?

    Since those apps are already whitelisted, in those cases what would happen? Would VoodooShield revoke the whitelist rules? I guess this is more of an antivirus job, but I was wondering.

    cheers

Viewing 2 replies - 1 through 2 (of 2 total)
  • Replies
    Dan
    Keymaster
    US
    Yes, the hash of the compromised file would be changed to Not Safe, but since the analysis result is stored in the database for quick lookups, this would still be an issue.  The only way to fix this issue, for any security product (traditional signatures, next-gen, reputation based), is to reanalyze the file, manually or automatically.  As an example, when you visit virustotal.com to upload files, it does not analyze the file from scratch each and every time.  It will do a quick database lookup of the previous result.  You can click the Reanalyze File button at the top right to manually reanalyze the file.

    So we basically have a choice… we can either have quick database lookups, or we can upload and analyze the file each and every time it is encountered on an endpoint.  Obviously, uploading and analyzing the file each and every time would never work, so we have to find the right balance.  WLC is set to automatically reanalyze the file if the result is older than 1 week, which is probably about the right balance.

    Having said that, supply chain attacks are quite rare.  I mean, there are up to 1 million new malware files each day, and you and I have only heard of 3-4 supply chain attacks ever.

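The cached-verdict trade-off described in the reply above, as an added example that is not part of the original thread and is not VoodooShield or WLC code: a hash-to-verdict cache that re-analyzes entries older than one week, run over a constructed timeline in which the backend flips the hash to Not Safe on day 3. The class, the function names and the `analyze` callback are hypothetical.

```python
import hashlib
from datetime import datetime, timedelta

REANALYZE_AFTER = timedelta(weeks=1)  # re-analysis age quoted in the reply above


class VerdictCache:
    """Hash -> (verdict, analyzed_at) store that re-analyzes stale entries."""

    def __init__(self, analyze, max_age=REANALYZE_AFTER):
        self._analyze = analyze  # hypothetical slow path: (sha256, now) -> verdict
        self._max_age = max_age
        self._entries = {}

    def lookup(self, sha256, now):
        """Return (verdict, served_from_cache) for one encounter of the file."""
        cached = self._entries.get(sha256)
        if cached is not None and now - cached[1] <= self._max_age:
            return cached[0], True  # quick database lookup
        verdict = self._analyze(sha256, now)  # full re-analysis
        self._entries[sha256] = (verdict, now)
        return verdict, False


def simulate(flagged_on_day, days=10):
    """Look the same hash up once a day; the backend flips it on flagged_on_day."""
    start = datetime(2024, 1, 1)  # constructed timeline
    sha256 = hashlib.sha256(b"constructed sample installer").hexdigest()

    def analyze(_sha256, now):
        return "Not Safe" if now - start >= timedelta(days=flagged_on_day) else "Safe"

    cache = VerdictCache(analyze)
    return [cache.lookup(sha256, start + timedelta(days=d)) for d in range(days)]


def stale_days(timeline, flagged_on_day):
    """Days the cache still answered Safe after the backend flagged the hash."""
    return [d for d, (verdict, _) in enumerate(timeline)
            if d >= flagged_on_day and verdict == "Safe"]


if __name__ == "__main__":
    timeline = simulate(flagged_on_day=3)
    for day, (verdict, cached) in enumerate(timeline):
        print(f"day {day}: {verdict:8} ({'cache' if cached else 'analyzed'})")
    print("stale Safe answers on days:", stale_days(timeline, 3))
```

Passing a smaller `max_age` to `VerdictCache` narrows the stale window at the cost of more full analyses.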
    pkillpeers
    Participant
    PT
    I got it. Thanks for the explanation Dan!