Advice Request: Any real-time software that uses non-traditional ways to find malware?



ForgottenSeer 89360

What do you consider a non-traditional way?
I've tested many so-called "next-gen" and the results have never been brilliant.
An infusion of standard methods + cloud (which is now standard as well) + machine learning (now standard as well) is always better.
@danb, this is sales opportunity :D
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
I assumed he meant a malware detection mechanism that is "outside the box". You know, not traditional and not next-gen ML/Ai. Something that is not simply just another clone.

WLC is free (and so is VS) ;).
 

danb

The term "next-gen" is meaningless, which is why we have never and will never use that term in our marketing ;). I think he means something outside the box.

The OP proposed a great question. A tough question. Also, I think it is important to exclude anything that is a clone of another tech.

BTW, I read the other day that some company was trying to implement blockchain into their engine. I could be completely wrong about this, but I do not see how blockchain is going to help in any meaningful way... I guess we will see.
 

ForgottenSeer 89360

The term "next-gen" is meaningless, which is why we have never and will never use that term in our marketing ;). I think he means something outside the box.

The OP proposed a great question. A tough question. Also, I think it is important to exclude anything that is a clone of another tech.

BTW, I read the other day that some company was trying to implement blockchain into their engine. I could be completely wrong about this, but I do not see how blockchain is going to help in any meaningful way... I guess we will see.
I honestly can't even see that applied in practice. What benefit are they seeing in that?
 

danb

I honestly can't even see that applied in practice. What benefit are they seeing in that?
I don't get it either... perhaps we have overlooked something ;).

BTW, one reason I think it is such a great question is because the scope is specifically narrowed to Detection.

Honestly, I think detection is currently about as good as it is ever going to get, with sigs, BB, ML/Ai, etc. It might get a little better in 20-40 years when Ai reaches Artificial General Intelligence... but then the malcoders will be utilizing the same tools, so it will be a wash.
 

danb

WiseVector StopX
Yeah, I have heard a lot of great things about WV recently and have considered pairing VS with WV because WD is quite slow and not at all user-friendly, so I ran a test (unlisted on youtube)…



WV did pretty well with the really bad malware, but as you can see, they probably need to add some more PUPs to their training data sets.
 

ForgottenSeer 89360

WV did pretty well with the really bad malware, but as you can see, they probably need to add some more PUPs to their training data sets.
Adding PUPs to their training set might increase false positives, and this is already a product, not coupled with a whitelist. PUPs are just a step away from a fully legit program.
 

danb

Adding PUPs to their training set might increase false positives, and this is already a product, not coupled with a whitelist. PUPs are just a step away from a fully legit program.
Very true, but they could create a completely different algo and training data set just for PUPs, then make PUP detection optional.

Most of these PUPs are pretty bad PUPs... most of them are much closer to real malware. You would not want any of them on your machine, but on the other hand, they are not nearly as bad as a lot of stuff that is out there.
 

ForgottenSeer 89360

Very true, but they could create a completely different algo and training data set just for PUPs, then make PUP detection optional.

Most of these PUPs are pretty bad PUPs... most of them are much closer to real malware. You would not want any of them on your machine, but on the other hand, they are not nearly as bad as a lot of stuff that is out there.
Anomaly detection would be better in this case, if trained properly, with a large set of trusted programs and installers. And still, identifying them manually and creating simple, generic heuristics would be the best.
 

danb

Yeah, I have played around with anomaly detection machine learning algos and it makes sense that would be the way to go, but I personally never had much luck with these. Same with deep learning and neural networks... they certainly work, but not much better than binary classification algos.

No matter what detection mechanism you use, it is going to fail. Turing taught us this 80 or so years ago. To me, it is best to cut your losses and only allow known safe items ;).
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,015
Most of these PUPs are pretty bad PUPs... most of them are much closer to real malware. You would not want any of them on your machine, but on the other hand, they are not nearly as bad as a lot of stuff that is out there.
I've spent many years testing every PUP I've been able to find. In my opinion anything that is actually malicious can be classified malware, whereas actual PUPs are not malicious and can usually be easily uninstalled. They certainly can be an annoyance, particularly when they come bundled as unwanted with other software and in some cases can cause problems. For example, a cleaning app which has an unsafe registry cleaner, that mistakenly deletes important registry keys. But in that example, any problems caused are not intentional, but rather due to a poorly coded registry cleaner.

While it is good to be able to remove PUPs, from the point of view that they can be an annoyance, on the other hand, if they're not actually doing anything malicious and can be uninstalled, then I don't think the ability to have an excellent detect rate for PUPs is too critical, particularly when it could possibly increase false positives.

Can you give some examples of PUPs which, as you said, are closer to real malware? I'm just curious.
 

ForgottenSeer 89360

In my opinion only misleading apps, apps with no clear privacy policy and apps with no proper uninstall routine should be covered by PUP detection. Some of these can't be detected with machine learning algos, behavioural blocker or any other automated classification system. They have to be manually detected and then signatures/heuristics can be created/tweaked.
Everything else might be removed at the user's discretion.
 

danb

I've spent many years testing every PUP I've been able to find. In my opinion anything that is actually malicious can be classified malware, whereas actual PUPs are not malicious and can usually be easily uninstalled. They certainly can be an annoyance, particularly when they come bundled as unwanted with other software and in some cases can cause problems. For example, a cleaning app which has an unsafe registry cleaner, that mistakenly deletes important registry keys. But in that example, any problems caused are not intentional, but rather due to a poorly coded registry cleaner.

While it is good to be able to remove PUPs, from the point of view that they can be an annoyance, on the other hand, if they're not actually doing anything malicious and can be uninstalled, then I don't think the ability to have an excellent detect rate for PUPs is too critical, particularly when it could possibly increase false positives.

Can you give some examples of PUPs which, as you said, are closer to real malware? I'm just curious.
Here is an example... SAP has been labeled by reputable AVs as a PUP for a very long time, even though it is not.

SAP VT.PNG


When a PUP trashes your computer, spies on you, corrupts your files or OS, etc... then that is a bad PUP.

Here are the samples used in the WV PUP test, feel free to install them on your computer.

hxxps://drive.google.com/file/d/1-jCMgNjCMPk2RypMnunZ49mQWEmNE8SN/view?usp=sharing

Please let me know if you understand the distinction.
 

danb

In my opinion only misleading apps, apps with no clear privacy policy and apps with no proper uninstall routine should be covered by PUP detection. Some of these can't be detected with machine learning algos, behavioural blocker or any other automated classification system. They have to be manually detected and then signatures/heuristics can be created/tweaked.
Everything else might be removed at the user's discretion.
Please see above ;).
 
