AV Detection


Deleted member 2913

Thread author
In PCMAG tests, sometimes the tester tests the detected samples by modifying them. And most of the AVs couldn't detect all modified samples. Guess this means those AVs are not flexible.

Some AVs could detect all the modified samples. Guess those AVs are flexible & good.

I read the Bitdefender Free review & it detected all the modified samples.
F-Secure couldn't detect all the modified samples.

He doesn't perform the modified samples test in all the reviews, don't know why.

Which are the AVs that are flexible & detect the modified samples the same as the original?

Deleted member 21043

Thread author
Hello,

The reason a security product may not have detected a sample after modification is because it may have detected the sample via a hash checksum like MD5, SHA1 or SHA256. When the bytes in the executable are changed, the hash checksum will also change. Therefore, the vendor may have a signature for a sample, but then the sample modification will cause the hash checksum to change. If the vendor does not have that new hash checksum in their database for the modified copy, then it will not detect the sample.

BitDefender (as an example) may have detected the sample after modification because they had generic detections for those samples. For example, HEX. HEX detection (included for generic detection/heuristics) is where the bytes in the executable (or file, not just executable) are scanned. The product will look for a pattern in the bytes which it can detect and classify as a certain threat.

For generic detection, if the pattern is in any sample with the HEX then it will be detected. This means a change in the bytes won't stop the product from detecting it, unless they removed the bytes from the application which consisted of the pattern of bytes the AV product had been picking up.

Hope that helped.

Cheers. ;)
 

jamescv7

Mar 15, 2011
That's a typical problem of AV: signatures are being enforced; however, modified samples make everything altered, therefore Heuristics/Generic detection (as mentioned) will be the basis for matching any similar behavior.

Speaking of behavior, Behavior Blocking can be another option as it will check for any suspicious criteria for infection. Usually they train that component to be a quicker immediate response if signatures are bypassed.

Modified samples can be equivalent to polymorphic viruses, which change their hash to bypass any scanners.

Atlas147

Jul 28, 2014
I think most of the modifications you are talking about are mostly done by packers? If so then yes the AVs can't detect the files when they have been packed differently, however when they are executed they all have to return to their normal state that they were originally in, which means they will be in fact unpacked. This would reveal the hashes to the AV again and then the sample would get picked up as malicious.

If however the modifications were to the specific parts of the code that the AV uses for detection of the sample and the file doesn't need that code, then the malware would probably run just fine even if the AV is supposed to detect that type of malware.

Deleted member 2913

Thread author
PCMAG tester modifies the samples as "I renamed each file, appended nulls to change the size, and tweaked a few non-executable bytes".
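An added illustration (not code from any poster or from a real AV product) of the point made in the second post, applied to the exact modifications the reviewer describes above: a whole-file hash signature stops matching as soon as nulls are appended or a padding byte is tweaked, while a HEX/generic byte-pattern signature keeps matching until the pattern itself is removed. The "sample" is a constructed benign byte string and the signature databases are hypothetical.

```python
import hashlib

# Constructed stand-in for a sample (benign bytes, not a real file). The
# middle region plays the role of the code an analyst writes a HEX signature for.
ORIGINAL_SAMPLE = (
    b"MZ" + b"\x00" * 6              # header-like prefix (constructed)
    + b"DEMO-MALICIOUS-ROUTINE"      # region a generic signature targets
    + b"\x00" * 16                   # non-executable padding
)

# Database 1: exact-file signatures, one SHA-256 per known sample (hypothetical).
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Database 2: HEX/generic signatures, byte pattern -> detection name (hypothetical).
HEX_SIGNATURES = {b"DEMO-MALICIOUS-ROUTINE": "Trojan.Generic.Demo"}


def detect_by_hash(data: bytes) -> bool:
    """Whole-file hash lookup: any single changed byte yields a different hash."""
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES


def detect_by_hex(data: bytes):
    """Byte-pattern scan: unaffected by changes outside the matched pattern."""
    for pattern, name in HEX_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def reviewer_style_modify(data: bytes) -> bytes:
    """Reproduce the reviewer's edits: append nulls (size change) and tweak a
    byte that lies in the appended, non-executable padding."""
    modified = bytearray(data + b"\x00" * 64)
    modified[-40] ^= 0x41            # inside the appended nulls, not the code
    return bytes(modified)


def rewrite_signature_region(data: bytes) -> bytes:
    """The caveat from the post: only altering the bytes the HEX signature
    covers defeats it (constructed replacement, no real meaning)."""
    return data.replace(b"DEMO-MALICIOUS-ROUTINE", b"DEMO-REWRITTEN-ROUTINE")


def scan_report(data: bytes) -> dict:
    """Run both detection methods and return the outcome for comparison."""
    return {"hash": detect_by_hash(data), "hex": detect_by_hex(data)}
```

Running `scan_report` on the original, the reviewer-modified copy, and the rewritten copy shows hash detection surviving only the first, HEX detection surviving the first two.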
