Not all companies adore the deny-by-default that Comodo has advertised heavily again, ages ago. Every vendor has a different understanding and concept of how their product should behave. ESET and McAfee for example focus solely on accuracy, performance and false positives reduction in their home products.If that were the case, then all mainstream products (besides MalwareBytes) would utilize deny-by-default instead of allow-by-default. Even BAFS is a simple 20 second sandbox analysis, which ultimately is a pre-analyzed blacklist.
Any real-time software that uses non-traditional ways to find malware?
- Thread starter Nagisa
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- May 31, 2017
- 1,650
I agree, currently WLC only detects .exe files, but that does not mean we cannot add other file types in the future. WLC is only about a year old and there are a lot of really cool things we can do with it. Give it time
.I was referring to Panda, NortonLifeLock and Trend Micro that rely heavily on a whitelist, didn’t comment on WLC.I agree, currently WLC only detects .exe files, but that does not mean we cannot add other file types in the future. WLC is only about a year old and there are a lot of really cool things we can do with it. Give it time
- May 31, 2017
- 1,650
I see. The items you mentioned are best handled pre-execution anyway, right?
I’m sorry, I don’t understand what you mean. In theory, pre-execution handling is always best. In practice, it’s not always possible with some products.
i'm not sure what non-traditional wouldn't really encompass, but suppose you are pointing to non-signature detection. that would leave behavioural detection: but behavioural detection isn't a new concept (i mean, threatfire/cyberhawk was for XPs), in truth, much of the hoopla and hype about AI leaning detection is likely only behavioural detection with a new marketing angle. there does seem to be a newer form of behavioural detection, where they upload the file to a cloud sandbox and execute it, and then analyze it, but truth be told, this analysis is still just the old sigs and behavioural triggers of old, but performed in a safer environment. most AVs have all these aspects integrated now and it is hard to find a dedicated behavioural detection program. off the top of my head ... there is still winpatrol WAR. it hasn't been updated for a while, but it isn't sig based, so it likely still has some merit for what you're after (?).
how about this, take daily system snapshots and compare them over a regular time frame. if you get infected, it will be visible and can be rolled back ... but what a cumbersome headache that would be, heheh.
edit: yes, I see someone mentioned comodo above. execution control and user permissions can alert you to malware as well. so a good two-way firewall that asks you questions might be what you're looking for.
how about this, take daily system snapshots and compare them over a regular time frame. if you get infected, it will be visible and can be rolled back ... but what a cumbersome headache that would be, heheh.
edit: yes, I see someone mentioned comodo above. execution control and user permissions can alert you to malware as well. so a good two-way firewall that asks you questions might be what you're looking for.
Behavioural detection dates back to 2003 (Whole Security, later acquired by Symantec and the backbone of SONAR) and in official documentation, which I have already pointed to in my ESET review, reveals ESET has been using Machine Learning since 1995.
Cloud emulation/detonation has been around in various enterprise products for ages and Avast/AVG have been offering it for the past 5 years, if not more. So either way, nothing new
- May 31, 2017
- 1,650
I am saying that the items you mentioned are not properly handled pre-execution when the security product is allow-by-default and the item is not determined to be malicious. In other words, pre-execution works best with deny-by-default.
The items I mentioned might not be handled both by deny-by-default and allow-by-default products, other approaches are needed there. For example on my test with obfuscated PowerShell loaders (reputation is not applied on documents, bat and ps1 files) relying on BITS and benign website, I saw Kaspersky, ESET and QuickHeal were able to detect my malware using static heuristics.
ESET was easy to bypass, by removing -windowstyle hidden and other attributes.
Avast/AVG and WiseVector were able to intercept the PowerShell invocation through CMD and the WMI calls. AVG were quick to blacklist the links I generated specially for the download (2-3 minutes after behavioural blocker kicked in). Others, like Dr. Web failed.
You can have a look at my thread “How well are you protected against Emotet” for more details.
Last edited by a moderator:
- May 31, 2017
- 1,650
Call me crazy, but I personally believe that all vulnerable processes should be blocked when the user is browsing the web and checking email, especially when spawned from a web app.
There are various approaches how this can be done, applied in various products (mainly enterprise). McAfee ENS features extensive set of rules that can completely deactivate many vulnerable parts of the OS (to an extent where its critical components are not broken). AVG/Avast IDP contains many profiles and policies that reduce the attack surface without any intervention.
Defender ATP and even the home version might be tweaked to reduce the attack surface as well.
- May 31, 2017
- 1,650
I am happy to see that someone else recognizes that critical components can be broken
.Here is some info on McAfee ENS, released in 2017. Certainly cool stuff they are working on...
"With the latest McAfee Endpoint Security, you don’t have to wait for a signature. If an executable has never been seen before, your endpoints automatically classify it as “greyware” and treat it with appropriate suspicion. Your endpoints first conduct pre-execution scanning of its code base—essentially a static look at the code (before it runs). Then, they perform dynamic analysis of the behavior during execution. All of these capabilities, and others, are part of protection at each endpoint that limits the damage and spread of greyware to other endpoints. And they’re designed and integrated to close that window of vulnerability—to stop malware even before security systems know exactly what it is."
Stories | Trellix
The latest cybersecurity trends, best practices, security vulnerabilities, and more.
I just find our approach a little easier, and if the user happens to allow something they should not, then McAfee would probably block it.
Fun conversation, but I have a lot to do, thank you!
They have a lot more than that.I am happy to see that someone else recognizes that critical components can be broken
Here is some info on McAfee ENS, released in 2017. Certainly cool stuff they are working on...
"With the latest McAfee Endpoint Security, you don’t have to wait for a signature. If an executable has never been seen before, your endpoints automatically classify it as “greyware” and treat it with appropriate suspicion. Your endpoints first conduct pre-execution scanning of its code base—essentially a static look at the code (before it runs). Then, they perform dynamic analysis of the behavior during execution. All of these capabilities, and others, are part of protection at each endpoint that limits the damage and spread of greyware to other endpoints. And they’re designed and integrated to close that window of vulnerability—to stop malware even before security systems know exactly what it is."
Stories | Trellix
The latest cybersecurity trends, best practices, security vulnerabilities, and more.www.mcafee.com
I just find our approach a little easier, and if the user happens to allow something they should not, then McAfee would probably block it.
Fun conversation, but I have a lot to do, thank you!
Glad you enjoyed our conversation, have a great and productive week ahead!
- May 31, 2017
- 1,650
This obviously can also happen with dynamic analysis if a necessary dependency cannot be located and the sample fails to execute and exhibit malicious behaviors. So if a malware engine returns a not detected verdict for a file that was unable to execute based on dynamic analysis, this poses a serious issue when the malware is executed in the real world and the dependency is available, and the malware executes. In other words, both static and dynamic analysis are important, for different reasons, especially when it comes to building training data sets.
WV did very well and no one expects for any malware detection to be perfect... it never will be. Just look at all of the variation in the results that people posted on this thread.
BTW, I have a REALLY interesting malware pack that I am going to look for and if I can find it, post it somewhere on MT. It is probably 3-4 years old as well, but the results would be extremely interesting for all tested products.
Well unfortunately if we go and get a whole pack of malware, we won’t know if it has a dependancy, dead C&C server, or is just corrupt.
It’s a way of testing I personally don’t promote, but nevertheless, interesting to see.
My preferred type of test:
It’s a way of testing I personally don’t promote, but nevertheless, interesting to see.
My preferred type of test:
Last edited by a moderator:
- May 31, 2017
- 1,650
Interesting... that is a great guide. Do you have a different procedure for deny-by-default products who may or may not have malware detection?
BTW, I found the extremely interesting sample set I was talking about. It is basically an efficacy benchmark that was created by a well-known security company to benchmark VoodooAi three or so years ago. It was intended to test VoodooAi for malware detection efficacy along with false positives. I do not necessarily believe that every sample is classified correctly, but according to the people who chose the samples, each sample was carefully classified 100% correctly, and I trust them, so it is probably a REALLY good benchmark for malware and false positive detection. The samples are 3 or so years old, but that should make zero difference for static ML/Ai analysis.
These files are quite obscure, so WLC should classify most of them as Not Safe (even the clean files). I tested a handful of samples with WLC and sure enough, all were classified as Not Safe. I also ran a static test with WV.
There are 4,317 samples that are divided into 3 category folders… 2,202 clean, 1,065 pup and 1,050 malware. The file is a 15 gig renamed .zip file with the standard password. I tried to upload the file to google drive but it was too big, so if anyone has any ideas where I can store that file please let me know. I could put it on one of our servers, but the last time I did that we ran into some issues. I know that is a large file, but this would be a SUPER interesting test to perform on all products, especially Next-Gen ML/Ai.
I found this:
www.myairbridge.com
I haven't come up with any other procedures at the moment.
Again, downloading a whole malware pack means we don't know what we are dealing with, so results will be fuzzy.
MyAirBridge.com | Send or share big files up to 20 GiB for free
We will transfer your files easily, safely and rapidly from one place to another. You can send them directly to an email address or share files using a unique link.
www.myairbridge.com
I haven't come up with any other procedures at the moment.
Again, downloading a whole malware pack means we don't know what we are dealing with, so results will be fuzzy.
Last edited by a moderator:
@danb Did you try splitting it with archivers(WinRAR, 7-Zip) and upload one by one?
- May 31, 2017
- 1,650
Thank you for the suggestion, but the upload finished on google drive, here is a link...
drive.google.com
As I was saying, the archive is a 15 gig renamed .zip file with the standard password.
It will be really interesting to see the results for various products, especially the static "Next-Gen" ML/Ai results, since that is what this sample set was specifically designed for. If you guys think it is a good idea to move this to a new thread, please do.
Malware Benchmark.zi7
drive.google.com
As I was saying, the archive is a 15 gig renamed .zip file with the standard password.
It will be really interesting to see the results for various products, especially the static "Next-Gen" ML/Ai results, since that is what this sample set was specifically designed for. If you guys think it is a good idea to move this to a new thread, please do.
- May 31, 2017
- 1,650
Results are always fuzzy and highly variable with malware analysisI found this:
MyAirBridge.com | Send or share big files up to 20 GiB for free
We will transfer your files easily, safely and rapidly from one place to another. You can send them directly to an email address or share files using a unique link.
I haven't come up with any other procedures at the moment.
Again, downloading a whole malware pack means we don't know what we are dealing with, so results will be fuzzy.
. Which is why it will never be perfect, or really even close to perfect.I have not looked at this malpak in a while, but this is just not a random group of samples just thrown together. The samples were vetted and chosen for a very specific reason... to benchmark the efficacy of static ML/Ai analysis. Which is why I figured it would be such an interesting malpak... I am just happy I found it
.Similar threads
