Q&A Any real-time software that uses non-traditional ways to find malware?

Nagisa

Level 6
Verified
Jul 19, 2018
286
Screenshot_17.png
Screenshot_2.png

Screenshot_1.png
Screenshot_2.png

Screenshot_1.png
Screenshot_2.png

Need somebody else to test VirusCope's abilities. Had no time to run hundreds of files one by one.
 

McMcbrad

Level 20
Oct 16, 2020
960
I am extracting the archive at the moment and browsing the folder "Clean". With my intuition as a malware hunter, I can tell you much of the stuff there is far away from "clean". Anyway, just out of curiosity, I'll do a scan with F-Secure.

The files I've highlighted are very suspicious before I've started any analysis.

1606481460644.png


F-Secure results:
Folder "Clean" that is not so clean: 248 detections
Folder "Malware": 943 detections
Folder "PUP": 1048 detections

Folder NameTotal Files Before ScanTotal Files After ScanDetection rate in %
Clean2202195411.26
Malware104910689.89
PUP10651798.40
 
Last edited:

Nagisa

Level 6
Verified
Jul 19, 2018
286
Screenshot_2.png
Screenshot_1.png
Screenshot_2.png
Screenshot_2.png
Screenshot_1.png
Screenshot_2.png
Screenshot_1.png
Screenshot_2.png
Screenshot_1.png

SensitivityLowMediumHigh
Clean%2.4%21.75%45.77
PUP%64.3%97.37%99.34
Malicious%33.71%87.52%97.14
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
828
Thank you guys for testing, the result are extremely interesting for a lot of reasons. To make a very long story short, these samples were sent to me all in one folder, and the well-known vendor had me analyze the entire folder with VoodooAi and to send the results back to them. It was not until the other night when I found the samples that I wrote a little code that sorted the files into the three folders, based on the results they returned to me. I have not manually inspected any of the files at all, but as I was saying, I trust their verdicts.

I should also mention that the vendor and I disagreed on one point for sure. The vendor believed that cracks, keygens, trainers, etc. should only be considered malware if they exhibit malicious behaviors on the actual endpoint. I personally believed, and still believe today that if a file contains any malicious code, it cannot be considered Safe, simply because we have no idea what else it might contain. So that would explain why there will probably be some greyware in the Clean samples. Who knows, we might even find a bunch of malware in the clean samples, and vice-versa ;).

Either way, as McMcbrad previously mentioned, the results are going to be fuzzy at best, along with malware detection in general. It is scary to me that in this day and age new, non-whitelisted code is executing all over the world as people are carelessly browsing the web and checking email, especially with highly variable and inconsistent malware results.

And we wonder why cybercrime and malware infections increase year after year. Malware infections are no different from human virus infections... If everyone did their part and made it a point to not be so careless, we could make the malcoder’s “job” difficult enough that we might actually see a drop in malware infections. We are on a very dangerous path, as illustrated by the breaches that continue to occur on a daily basis.
 

McMcbrad

Level 20
Oct 16, 2020
960
AVG Internet Security Detection Results:

Folder NameTotal Files Before ScanTotal Files After ScanDetection Rate in %
Clean2202182517.12
Malware10493896.37
PUP10652997.27

Disclaimer: These are only scan results and do not show the effectiveness of other components, such as IDP, CyberCapture or Web Blocker.
All samples are not pre-analysed and false positives, as well as false negatives are not guaranteed to be real.

I found a game in folder "Malware": VT 1/72 VirusTotal
Due to this reason I've reduced malware number from 1050 to 1049.
1606487295630.png
 
Last edited:

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,335
I tried to test Windows Defender's detection rate but it was taking too long and also the UI crashed every time I clicked Protection history which is a known bug. I also made the mistake of extracting it into my HDD instead of SSD. I waited more than 2 hours and only 20% threats were removed by that time so it would have taken 6-7 hours more maybe. Lol. Couldn't afford to wait that long. Anyway, scanning and deleting over 4000 malwares all at a time is not ideal in any universe so I'll not blame WD too much for taking time.
 
Last edited:

SecurityNightmares

Level 31
Verified
Jan 9, 2020
2,058
I tried to test Windows Defender's detection rate but it was taking too long and also the UI crashed every time I clicked Protection history which is a known bug
This is fixable:
  1. Launch the command prompt via Safe Mode
  2. Enter the following command in the prompt:
  3. del "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
  4. reboot
The db file will be regenerated at the next start.
For me that fix the UI crash (y)

Source:
 

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,335
This is fixable:
  1. Launch the command prompt via Safe Mode
  2. Enter the following command in the prompt:
  3. del "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
  4. reboot
The db file will be regenerated at the next start.
For me that fix the UI crash (y)

Source:
There's another easier way. Disable Tamper Protection then delete everything inside this folder "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" and then enable Tamper Protection again.
Anyway, this bug has been known for a long time. I'm disappointed that it hasn't been fixed yet. The UI needs some change. The Protection History UI management is awful.
 

roger_m

Level 31
Verified
Content Creator
Dec 4, 2014
2,086
The vendor believed that cracks, keygens, trainers, etc. should only be considered malware if they exhibit malicious behaviors on the actual endpoint. I personally believed, and still believe today that if a file contains any malicious code, it cannot be considered Safe, simply because we have no idea what else it might contain.
I agree with the vendor. I think it's reasonable to classify cracks which do nothing malicious, as safe, or as is sometimes the case, identify them as a cracks. I do however understand that antiviruses often identify cracks as malware due to their heuristics, rather than intentionally identifying cracks with signatures.

I've tried downloading from your Google Drive link, but I had issues downloading yesterday and as of now Google has temporarily suspended downloading due to the number of times its been downloaded. Anyway, I'll try again later.
 

McMcbrad

Level 20
Oct 16, 2020
960
There's another easier way. Disable Tamper Protection then delete everything inside this folder "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" and then enable Tamper Protection again.
Anyway, this bug has been known for a long time. I'm disappointed that it hasn't been fixed yet. The UI needs some change. The Protection History UI management is awful.
These large packs are a bit overwhelming for both testers and antiviruses. That’s why in my opinion, it’s better to do a test with 30-40 samples, that you’ve analysed and know are actively working, scan them quickly, and execute the rest.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
828
I tried to test Windows Defender's detection rate but it was taking too long and also the UI crashed every time I clicked Protection history which is a known bug. I also made the mistake of extracting it into my HDD instead of SSD. I waited more than 2 hours and only 20% threats were removed by that time so it would have taken 6-7 hours more maybe. Lol. Couldn't afford to wait that long. Anyway, scanning and deleting over 4000 malwares all at a time is not ideal in any universe so I'll not blame WD too much for taking time.
Yeah, it would be extremely interesting how WD does with these samples... especially the PUP samples with PUP detection ON vs OFF. But it will probably be a chore though with WD, it is not the easiest to test. I might fire up a VM and work on it a little each day. We should have the results by Christmas ;).
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
828
I agree with the vendor. I think it's reasonable to classify cracks which do nothing malicious, as safe, or as is sometimes the case, identify them as a cracks. I do however understand that antiviruses often identify cracks as malware due to their heuristics, rather than intentionally identifying cracks with signatures.

I've tried downloading from your Google Drive link, but I had issues downloading yesterday and as of now Google has temporarily suspended downloading due to the number of times its been downloaded. Anyway, I'll try again later.
Yeah, I can certainly see both sides.

Thank you for letting me know... I checked it and tried to reshare it but it looks like we just have to wait 24 hours before they make it available again.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
828
These large packs are a bit overwhelming for both testers and antiviruses. That’s why in my opinion, it’s better to do a test with 30-40 samples, that you’ve analysed and know are actively working, scan them quickly, and execute the rest.
Yeah, malware testing is not as easy as it looks. And when youtube testers download massive email attacks to test, and do not remove the duplicates or check to see if each file is in fact real malware then the results may not be all that accurate. Supposedly these samples are highly vetted and classified correctly which is one reason they are interesting.
 

cruelsister

Level 38
Verified
Trusted
Content Creator
Apr 13, 2013
2,702
Hi Guys! One thing that could be noticed on a quick perusal of the files contained in the Malware directory is that all of the files are exe's. As there are just oodles of malicious files that exist in other formats this should be kept in mind for anyone testing.

Product X may be the Cat's Meow against PE32 malware, but may be wretched against vbs worms.
 

McMcbrad

Level 20
Oct 16, 2020
960
Hi Guys! One thing that could be noticed on a quick perusal of the files contained in the Malware directory is that all of the files are exe's. As there are just oodles of malicious files that exist in other formats this should be kept in mind for anyone testing.

Product X may be the Cat's Meow against PE32 malware, but may be wretched against vbs worms.
Thanks!
That's why I've made scripts, java malware and PowerShell code standard on all my tests :)
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
828
Hi Guys! One thing that could be noticed on a quick perusal of the files contained in the Malware directory is that all of the files are exe's. As there are just oodles of malicious files that exist in other formats this should be kept in mind for anyone testing.

Product X may be the Cat's Meow against PE32 malware, but may be wretched against vbs worms.
Very true, and I hear that WV does quite well with non PE32 malware. But this sample set was created to test ML/Ai efficacy, so it only contains exe binaries. Finding tens of thousands non PE32 malware to build training data sets has always proved to be challenging, which is probably why most ML/Ai products focus on PE32 malware. If you happen to have a good source for non PE32 malware I would love to know about it!
 

McMcbrad

Level 20
Oct 16, 2020
960
Very true, and I hear that WV does quite well with non PE32 malware. But this sample set was created to test ML/Ai efficacy, so it only contains exe binaries. Finding tens of thousands non PE32 malware to build training data sets has always proved to be challenging, which is probably why most ML/Ai products focus on PE32 malware. If you happen to have a good source for non PE32 malware I would love to know about it!
I author it myself sometimes, when I’m lazy I use any.run and hybrid analysis. Non-pe malware is centred around 2 concepts: concealed downloading and concealed dropping. It’s not too rich in functionality, but the form varies. With one obfuscator you can create thousands of forms that can be used to train ML, but they are easiest to block in real-time.
Java is an exception.
 
Last edited:

danb

From VoodooShield
Verified
Developer
May 31, 2017
828
I author it myself sometimes, when I’m lazy I use any.run and hybrid analysis. Non-pe malware is centred around 2 concepts: concealed downloading and concealed dropping. It’s not too rich in functionality, but the form varies. With one obfuscator you can create thousands of forms that can be used to train ML, but they are easiest to block in real-time.
Java is an exception.
Hmmm, very interesting. What obfuscator do you recommend? I would love to play around with this. My initial thought is that is that it would not produce a diverse enough (or even realistic / effective) training data set, but I would like to play around with it out of curiosity.

Scripts and fileless malware in general are odd compared to PE32. I have read from various sources that ROUGHLY 33% of all PE32 files are malicious.


Whereas both malious and Safe scripts are far less common, and the ratio of malicious scripts to Safe scripts that an end user will encounter is likely higher. In other words, I believe the best practice is to auto allow the obviously safe scripts (high file rep, spawned from a Safe process, etc.), and block the rest, especially if they are located in a common malware hiding spot.
 
Top