Advice Request Any real-time software that uses non-traditional ways to find malware?


roger_m

Level 42
Verified
Top Poster
Content Creator
Dec 4, 2014
3,189
I did some scans with a number of antiviruses and this was the number of files left after scanning.

360 Total Security 24
Bitdefender AntiVirus Plus 26
ESET Internet Security 12
Huorong Internet Security 31
IObit Malware Fighter Pro 13
K7 Antivirus Premium 13
Max Internet Security 16
McAfee Internet Security 13
Norton AntiVirus 18
Panda Dome 27
Tencent PC Manager 24
Symantec Endpoint Protection 19
Webroot SecureAnywhere 7

While Webroot did the best, it's worth noting that while it performs poorly at detecting new malware, it seems to have very good signatures for older malware, which explains the result. The Bitdefender-powered IObit Malware Fighter did a lot better than Bitdefender itself, presumably because of its own signatures. Tencent, which also uses Bitdefender signatures alongside its own, did slightly better than Bitdefender. I scanned with Tencent while it was still updating its signatures, as it takes a long time to update them.

The results don't mean too much, as it's only a static scan, with none of the samples being executed. Also, some of the missed files may have been harmless PUPs or corrupt files which won't actually launch.
 

ForgottenSeer 89360

I did some scans with a number of antiviruses and this was the number of files left after scanning.

360 Total Security 24
Bitdefender AntiVirus Plus 26
ESET Internet Security 12
Huorong Internet Security 31
IObit Malware Fighter Pro 13
K7 Antivirus Premium 13
Max Internet Security 16
McAfee Internet Security 13
Norton AntiVirus 18
Panda Dome 27
Tencent PC Manager 24
Symantec Endpoint Protection 19
Webroot SecureAnywhere 7

While Webroot did the best, it's worth noting that while it performs poorly at detecting new malware, it seems to have very good signatures for older malware, which explains the result. The Bitdefender-powered IObit Malware Fighter did a lot better than Bitdefender itself, presumably because of its own signatures. Tencent, which also uses Bitdefender signatures alongside its own, did slightly better than Bitdefender. I scanned with Tencent while it was still updating its signatures, as it takes a long time to update them.

The results don't mean too much, as it's only a static scan, with none of the samples being executed. Also, some of the missed files may have been harmless PUPs or corrupt files which won't actually launch.
What’s Max Internet Security?
 

roger_m

What’s Max Internet Security?
It's not a product I recommend. It has its own signatures, but I have a feeling it once used Bitdefender's.
 

ForgottenSeer 89360

It's not a product I recommend. It has its own signatures, but I have a feeling it once used Bitdefender's.
Their interface looks like a hybrid of Dr. Web and Trend Micro :D
 

Nagisa

Level 7
Thread author
Verified
Jul 19, 2018
342
McAfee ATP detected one more sample post-execution, though a few samples were able to run and install (PCMedik, Reimage Repair). It also hadn't detected a PowerShell ransomware (on-access and ATP) when I tested it a few days ago, and some files were encrypted. I got the impression that its protection is not that great, maybe.
 

ForgottenSeer 89360

McAfee ATP detected one more sample post-execution, though a few samples were able to run and install (PCMedik, Reimage Repair). It also hadn't detected a PowerShell ransomware (on-access and ATP) when I tested it a few days ago, and some files were encrypted. I got the impression that its protection is not that great, maybe.
It's great, if you configure it properly :)
 

Nagisa

It's great, if you configure it properly :)
I had maxed out all possible settings: GTI heuristics very high, DAC set to block those that might be malicious and clean those that are most likely malicious. Exploit prevention: all high, medium and low signatures are enabled, as well as the ones that contain 'fileless' or 'suspicious' in them. Unless I enable this option too, but this doesn't change the fact that ENS hasn't been able to catch the malware by either signatures or the ATP module, am I right?

Screenshot_4.png
 

ForgottenSeer 89360

I had maxed out all possible settings: GTI heuristics very high, DAC set to block those that might be malicious and clean those that are most likely malicious. Exploit prevention: all high, medium and low signatures are enabled, as well as the ones that contain 'fileless' or 'suspicious' in them. Unless I enable this option too, but this doesn't change the fact that ENS hasn't been able to catch the malware by either signatures or the ATP module, am I right?

View attachment 249601
Execution Policy Bypass in PowerShell is something that I don't see as necessary for any home user, even less for a business environment. There is a reason for this policy to be in place. So even though it might not have caught the malware with signatures, this doesn't change the outcome, which would have been <no files encrypted>. If you are looking for software to block the high majority of malware pre-execution, you should have a look at Kaspersky/ESET.
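The point made above is that the way PowerShell is launched is itself a signal, independent of whether the AV has a signature for the script. The following is an added example, not code from this thread or from any of the products discussed: it triages a handful of constructed process-creation records in a simplified Sysmon-like layout, flags launches that disable the execution policy, hide the window, pass an encoded command or are spawned by an Office application, and decodes the encoded payload so an analyst can read it. The record format, the host and parent process names, the indicator patterns and the sample records are all assumptions made for this example.

```python
import base64
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed process-creation records in a simplified Sysmon-like layout; not real telemetry.
# The encoded command in the third record is the UTF-16LE/base64 form of the word "Placeholder".
SAMPLE_LOGS = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -NoProfile -File C:\Scripts\backup.ps1" ParentImage=C:\Windows\System32\taskeng.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1" ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
    r'Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -ep bypass -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt" ParentImage=C:\Windows\explorer.exe',
]

RECORD_RE = re.compile(r'^Image=(?P<image>\S+) CommandLine="(?P<cmd>[^"]*)" ParentImage=(?P<parent>.+)$')

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Indicator name and the pattern matched against the command line. powershell.exe accepts
# unambiguous parameter prefixes, so the patterns cover the documented short forms as well.
INDICATORS = [
    ("execution_policy_bypass", re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+(?:bypass|unrestricted)\b", re.I)),
    ("hidden_window", re.compile(r"-(?:windowstyle|w)\s+hidden\b", re.I)),
    ("encoded_command", re.compile(r"-(?:encodedcommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.I)),
]


@dataclass
class Finding:
    image: str
    parent: str
    command_line: str
    indicators: list = field(default_factory=list)
    decoded_command: Optional[str] = None


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as base64 over UTF-16LE; decode it for review."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_record(line: str) -> Optional[Finding]:
    """Return a Finding for a PowerShell launch that carries at least one indicator, else None."""
    m = RECORD_RE.match(line)
    if not m:
        return None  # malformed record; a production parser would count and report these
    image, cmd, parent = m.group("image"), m.group("cmd"), m.group("parent")
    if ntpath.basename(image).lower() not in POWERSHELL_HOSTS:
        return None
    finding = Finding(image, parent, cmd)
    for name, pattern in INDICATORS:
        hit = pattern.search(cmd)
        if not hit:
            continue
        finding.indicators.append(name)
        if name == "encoded_command":
            finding.decoded_command = decode_encoded_command(hit.group("b64"))
    # An Office application spawning PowerShell is unusual for ordinary document work.
    if ntpath.basename(parent).lower() in OFFICE_HOSTS:
        finding.indicators.append("office_parent")
    return finding if finding.indicators else None


def triage(lines) -> list:
    """Run triage_record over every line and keep only the launches worth a look."""
    return [f for f in map(triage_record, lines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f.indicators, "parent:", ntpath.basename(f.parent))
        if f.decoded_command is not None:
            print("  decoded:", f.decoded_command)
```

A scheduled backup script launched normally produces no finding, while the two launches that switch the execution policy off are reported with every indicator that applies, which is the kind of signal a behavioural or exploit-prevention rule can act on before any file is encrypted.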
 

WiseVector

From WiseVector
Verified
Top Poster
Developer
Well-known
Dec 14, 2018
643
@danb
Thanks for your time and testing.
1) We also tested and ran all the samples you posted. The samples are old, some of them even more than 6 years old. Most of the samples missed by our static scanning are too old to perform malicious actions because their C&C server has died. Only two of the samples had obvious malicious behavior. One of them deleted itself immediately after starting without further action; the other released a Trojan, which is blocked by our behavior detection. Anyway, we have added detection for the missed samples, thank you for sharing.

2) Old samples like you posted play an unimportant role in our deep learning process, since they can hardly infect computers nowadays. WV performs better to detect recent PUPs.
Yes, scan for Safe files instead ;).

It is the only way I know of to reliably detect FUD's.
I have a few questions about your point of view.
1) There are numerous different files in the world and even the largest whitelist appears not to be enough. How do users know if a file is safe or not? Upload it to VT to see the results before making a decision? I don't think this approach is very reliable. If the user thinks a program is safe to run, does that mean the program is allowed to do everything on the computer? For example, encrypting the user's files or stealing the user's data?

2) How do you block DLL side-loading attacks by running only safe files? Malware often utilizes apps which are released by well-known companies (including Microsoft) to perform malicious behavior. It is a disturbing fact.

3) I think AI based Events Analysis is the trend and multi-layer defenses are very necessary. Default Deny works well in most cases, but once there is a wrong selection, defenses would be completely ineffective.
 

ForgottenSeer 89360

@danb
Thanks for your time and testing.
1) We also tested and ran all the samples you posted. The samples are old, some of them even more than 6 years old. Most of the samples missed by our static scanning are too old to perform malicious actions because their C&C server has died. Only two of the samples had obvious malicious behavior. One of them deleted itself immediately after starting without further action; the other released a Trojan, which is blocked by our behavior detection. Anyway, we have added detection for the missed samples, thank you for sharing.

2) Old samples like you posted play an unimportant role in our deep learning process, since they can hardly infect computers nowadays. WV performs better to detect recent PUPs.

I have a few questions about your point of view.
1) There are numerous different files in the world and even the largest whitelist appears not to be enough. How do users know if a file is safe or not? Upload it to VT to see the results before making a decision? I don't think this approach is very reliable. If the user thinks a program is safe to run, does that mean the program is allowed to do everything on the computer? For example, encrypting the user's files or stealing the user's data?

2) How do you block DLL side-loading attacks by running only safe files? Malware often utilizes apps which are released by well-known companies (including Microsoft) to perform malicious behavior. It is a disturbing fact.

3) I think AI based Events Analysis is the trend and multi-layer defenses are very necessary. Default Deny works well in most cases, but once there is a wrong selection, defenses would be completely ineffective.
I tested WiseVector against malware I created myself (obfuscated PowerShell loader) and WV did great.
“Scan for safe files instead” is nothing new and nothing original/next-gen. These are tricks that “old mice”, such as Symantec/Norton, Trend Micro and many others, learned a long time ago. These “tricks” are not bad, but you can’t rely solely on them; they have to be combined with other approaches as well.

What’s your opinion on using a set of clean files as a training set and then using this both for anomaly detection and as a way to reduce FPs?

What techniques does WV currently support to exclude safe files from constant scans and reduce FPs?
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb
Thanks for your time and testing.
1) We also tested and ran all the samples you posted. The samples are old, some of them even more than 6 years old. Most of the samples missed by our static scanning are too old to perform malicious actions because their C&C server has died. Only two of the samples had obvious malicious behavior. One of them deleted itself immediately after starting without further action; the other released a Trojan, which is blocked by our behavior detection. Anyway, we have added detection for the missed samples, thank you for sharing.

2) Old samples like you posted play an unimportant role in our deep learning process, since they can hardly infect computers nowadays. WV performs better to detect recent PUPs.

I have a few questions about your point of view.
1) There are numerous different files in the world and even the largest whitelist appears not to be enough. How do users know if a file is safe or not? Upload it to VT to see the results before making a decision? I don't think this approach is very reliable. If the user thinks a program is safe to run, does that mean the program is allowed to do everything on the computer? For example, encrypting the user's files or stealing the user's data?

2) How do you block DLL side-loading attacks by running only safe files? Malware often utilizes apps which are released by well-known companies (including Microsoft) to perform malicious behavior. It is a disturbing fact.

3) I think AI based Events Analysis is the trend and multi-layer defenses are very necessary. Default Deny works well in most cases, but once there is a wrong selection, defenses would be completely ineffective.
1. Sure, I chose those samples because they were 3 years old. They were not new 1 day old samples and were not old 5 year old samples. They were middle of the road and arguably the fairest way to test.

2. That’s your call.

1. I absolutely agree with you… scanning a file with VT is not a good way to determine if it is Safe or not. But scanning a file with WhitelistCloud certainly is. VT and WLC are polar opposites. VT detects malicious files and WLC detects Safe files.

You said “I don't think this approach is very reliable. If the user think a program is safe to run, means the program is allowed to do everything on the computer? For example, encrypting the user's files or steal user's data?”

Yes, this is how VS works… VS is a toggling computer lock. It does not try to compete with AV’s. VS is designed to be paired with your favorite AV, and the last thing we want is for VS to be blocking behaviors in real time when that is the AV’s job.

2. If you can find a way to bypass VS, please post it publicly.

3. Webroot has been using something like “AI based Events Analysis” for a very long time. Either way, enough said ;).

Yes, I believe multi-layer defenses are very necessary too. The computer should be locked when it is at risk. Mitigating incorrect selections is the AV’s job. If it is a concern, there are several ways to block the user from allowing new items in VS… either locally or in the Web Management Console (which the admins can review and allow as required). Either way, at least VS gives the user pause, and does not automatically execute new, unknown and arbitrary code… especially when a web app is running.

BTW, maybe you could describe what features and mechanisms differentiate WV from the other products already on the market. Here is a short list of what I have contributed to the security industry so far. 1) Toggling computer lock 2) Dynamic levels of protection / Security postures 3) Anti Exploit mechanism that many others have now cloned 4) Realtime whitelist scanning
 

ForgottenSeer 89360

3. Webroot has been using something like “AI based Events Analysis” for a very long time. Either way, enough said ;).
Unfortunately, Webroot continues to rely on dated mechanisms and last time I tested it, didn’t even have an AMSI integration...
Webroot seems to be trained only with *.exe files and throwing it *whatever* non-exe, it fails.
 

danb

I tested WiseVector against malware I created myself (obfuscated PowerShell loader) and WV did great.
“Scan for safe files instead” is nothing new and nothing original/next-gen. These are tricks that “old mice”, such as Symantec/Norton, Trend Micro and many others, learned a long time ago. These “tricks” are not bad, but you can’t rely solely on them; they have to be combined with other approaches as well.

What’s your opinion on using a set of clean files as a training set and then using this both for anomaly detection and as a way to reduce FPs?

What techniques does WV currently support to exclude safe files from constant scans and reduce FPs?
As far as I know, scanning realtime for safe files is new. If there is already a realtime whitelist scanner, please let me know... it will save me around 50-100k.
 

ForgottenSeer 89360

As far as I know, scanning realtime for safe files is new. If there is already a realtime whitelist scanner, please let me know... it will save me around 50-100k.
It’s something that Trend Micro came up with maybe about 8 years ago (I remember it was the same year they killed the “Update” button). They use a multi-layered approach that scans for trusted files, and everything *not trusted* is deemed suspicious. They advise the user not to execute such files. If the user goes ahead, there are other components that come into play, which you can read about in various Trend Micro white papers.
Everything gets topped off with Aegis Behavioural Blocker.

This is reflected in their results on independent tests, which normally prove TM very effective in protection but mediocre in terms of accuracy (protection vs. number of FPs).
There are many others that throughout the years have integrated this approach to some extent.

Norton/Symantec started working on this approach in 2006 and released it in June 2008. Their approach is not too different: they check whether a file is “trusted”, as we say, and if it’s not on the list, they either delete it or make behavioural blocking (SONAR) far more suspicious, and eventually the file ends up removed/remediated again.
This has caused millions of complaints from small software developers, who don’t have enough money to get their software signed.
 

danb

It’s something that Trend Micro came up with maybe about 8 years ago (I remember it was the same year they killed the “Update” button). They use a multi-layered approach that scans for trusted files, and everything *not trusted* is deemed suspicious. They advise the user not to execute such files. If the user goes ahead, there are other components that come into play, which you can read about in various Trend Micro white papers.
Everything gets topped off with Aegis Behavioural Blocker.

This is reflected in their results on independent tests, which normally prove TM very effective in protection but mediocre in terms of accuracy (protection vs. number of FPs).
There are many others that throughout the years have integrated this approach to some extent.
Several products have global whitelist lookups (this is nothing new), but are you saying that Trend Micro also has a product that continuously notifies the user and admins that only safe files are currently executing on the endpoints in realtime?
 

ForgottenSeer 89360

Several products have global whitelist lookups (this is nothing new), but are you saying that Trend Micro also has a product that continuously notifies the user and admins that only safe files are currently executing on the endpoints in realtime?
By design, their product won’t let you execute certain file types (supported by whitelisting) unless the file has been whitelisted. And yes, it works exclusively in real time; if you do a scan, it won’t detect a threat.
It’s not a separate product, it’s how all of their products (home and endpoint) have been designed for ages.

This is different from ESET for example, that only uses the cloud lookup as a minor detection enhancement.

Unfortunately the issue that many face with that is that their whitelisting/reputation technologies don’t feature broad filetype support, and they can easily be bypassed with any form of non-process threat (*.jar, *.ps1 and *.dll are good examples). They all try to mitigate that with other technologies.

It’s not *several products* that have global whitelisting lookup; the only mainstream product that currently doesn’t have it is MalwareBytes, which relies on anomaly detection. All others implemented it ages ago.
 

danb

By design, their product won’t let you execute certain file types (supported by whitelisting) unless the file has been whitelisted. And yes, it works exclusively in real time; if you do a scan, it won’t detect a threat.
It’s not a separate product, it’s how all of their products (home and endpoint) have been designed for ages.
What you are describing is how application whitelisting works pre-execution. WLC works post-execution. For the longest time people always asked me "Dan, application whitelisting is great and all, but how do you know there is not pre-existing malware, or if something inadvertently snuck in."

So are you saying that users and admins can determine at a glance and are continuously aware that only known safe files are executing on the endpoints at any given time with Trend Micro?
 
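The exchange above turns on the difference between whitelisting that decides before a file runs and a check, made afterwards and continuously, that only known-safe code is executing, and it also circles back to WiseVector's earlier question about DLL side-loading through trusted applications. The following is an added example, not code from VoodooShield, WiseVector, Trend Micro or anyone in this thread: it audits a constructed snapshot of running processes by hashing each process image and every loaded module against an allowlist of known-good hashes, reports any process that is not made entirely of known files, and flags the side-loading pattern where a library outside the system directories shadows a known-safe system library of the same name. The file contents, paths, allowlist and snapshot are all constructed for the example; on a real endpoint the snapshot would come from process and module enumeration and the allowlist from a vendor or enterprise reputation service.

```python
import hashlib
import ntpath
from dataclasses import dataclass, field

# Constructed stand-ins for on-disk binaries (path -> content); none of these are real executables.
FILES = {
    r"C:\Program Files\TrustedApp\TrustedApp.exe": b"trusted vendor application build 1.2.3",
    r"C:\Program Files\TrustedApp\helper.dll": b"look-alike library planted next to the application",
    r"C:\Windows\System32\helper.dll": b"operating system helper library",
    r"C:\Windows\System32\ui.dll": b"operating system ui library",
    r"C:\Windows\System32\ui_host.exe": b"operating system ui host process",
    r"C:\Users\alice\Downloads\setup_tool.exe": b"never-seen-before installer",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist standing in for a "known safe" reputation lookup: only the vendor
# application and the genuine system files are known good.
ALLOWLIST = {
    sha256_hex(FILES[p])
    for p in (
        r"C:\Program Files\TrustedApp\TrustedApp.exe",
        r"C:\Windows\System32\helper.dll",
        r"C:\Windows\System32\ui.dll",
        r"C:\Windows\System32\ui_host.exe",
    )
}

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed snapshot of running processes and the modules mapped into each of them.
SNAPSHOT = [
    {"pid": 4120, "image": r"C:\Program Files\TrustedApp\TrustedApp.exe",
     "modules": [r"C:\Program Files\TrustedApp\helper.dll", r"C:\Windows\System32\ui.dll"]},
    {"pid": 5032, "image": r"C:\Users\alice\Downloads\setup_tool.exe",
     "modules": [r"C:\Windows\System32\ui.dll"]},
    {"pid": 6100, "image": r"C:\Windows\System32\ui_host.exe",
     "modules": [r"C:\Windows\System32\ui.dll"]},
]


@dataclass
class Verdict:
    pid: int
    image: str
    status: str                       # "safe", "unknown_image" or "unknown_module"
    unknown_files: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def is_known_safe(path: str, allowlist: set, files: dict) -> bool:
    return sha256_hex(files[path]) in allowlist


def in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def side_load_note(module: str, allowlist: set, files: dict):
    """An unknown module outside the system directories that shares its name with a known-safe
    system library suggests the loader resolved that name to the planted copy."""
    if in_system_dir(module):
        return None
    name = ntpath.basename(module).lower()
    for other in files:
        if (other != module and in_system_dir(other)
                and ntpath.basename(other).lower() == name
                and is_known_safe(other, allowlist, files)):
            return f"possible DLL side-load: {name} loaded from {ntpath.dirname(module)} shadows {other}"
    return None


def audit_process(proc: dict, allowlist: set, files: dict) -> Verdict:
    """A process is 'safe' only when its image and every loaded module are known-good."""
    verdict = Verdict(proc["pid"], proc["image"], "safe")
    if not is_known_safe(proc["image"], allowlist, files):
        verdict.status = "unknown_image"
        verdict.unknown_files.append(proc["image"])
    for module in proc["modules"]:
        if is_known_safe(module, allowlist, files):
            continue
        verdict.unknown_files.append(module)
        if verdict.status == "safe":
            verdict.status = "unknown_module"
        note = side_load_note(module, allowlist, files)
        if note:
            verdict.notes.append(note)
    return verdict


def audit_snapshot(snapshot: list, allowlist: set, files: dict):
    """Return (only_known_safe_code_running, per-process verdicts)."""
    verdicts = [audit_process(p, allowlist, files) for p in snapshot]
    return all(v.status == "safe" for v in verdicts), verdicts


if __name__ == "__main__":
    all_safe, verdicts = audit_snapshot(SNAPSHOT, ALLOWLIST, FILES)
    print("only known-safe code executing:", all_safe)
    for v in verdicts:
        print(v.pid, v.status, v.unknown_files, v.notes)
```

The report is a positive statement about what is running rather than a malware verdict: a process made entirely of known files is reported as safe and everything else as unknown and worth a look. Because modules are checked and not just the process image, a trusted host executable that has picked up an unknown look-alike library is surfaced even though the host itself passes the allowlist, which is the case a pre-execution check on the executable alone does not see.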

ForgottenSeer 89360

What you are describing is how application whitelisting works pre-execution. WLC works post-execution. For the longest time people always asked me "Dan, application whitelisting is great and all, but how do you know there is not pre-existing malware, or if something inadvertently snuck in."

So are you saying that users and admins can determine at a glance and are continuously aware that only known safe files are executing on the endpoints at any given time with Trend Micro?
Unfortunately whitelisting won’t help against, to put it mildly, nasty documents with embedded OLEs and others. It also won’t protect against Java malware or any other malware that abuses trusted processes.
These can be prevented with various behavioural blocker policies, but Java is an offender that typically gets overlooked.

So if user only downloads *.exe files, yes, they run only *known safe* files. If you broaden the scope of what a user downloads and works with, then no. Some files would be unknown.
 

danb

By design, their product won’t let you execute certain file types (supported by whitelisting) unless the file has been whitelisted. And yes, it works exclusively in real time; if you do a scan, it won’t detect a threat.
It’s not a separate product, it’s how all of their products (home and endpoint) have been designed for ages.

This is different from ESET for example, that only uses the cloud lookup as a minor detection enhancement.

Unfortunately the issue that many face with that is that their whitelisting/reputation technologies don’t feature broad filetype support, and they can easily be bypassed with any form of non-process threat (*.jar, *.ps1 and *.dll are good examples). They all try to mitigate that with other technologies.

It’s not *several products* that have global whitelisting lookup; the only mainstream product that currently doesn’t have it is MalwareBytes, which relies on anomaly detection. All others implemented it ages ago.
If that were the case, then all mainstream products (besides MalwareBytes) would utilize deny-by-default instead of allow-by-default ;). Even BAFS is a simple 20 second sandbox analysis, which ultimately is a pre-analyzed blacklist.
 
