New Update FS Protection PC 18.4 releases (beta)

Anthony Qian

Level 9
Verified
Well-known
Apr 17, 2021
448
I know. That's why I wonder why you feel the need to discuss this with me.
It was MacDefender who said it, but corrected it later.


That is a complex topic because how would this simple check look like? If you are interested to learn more about FPs in antivirus software, you will find some answers here: The real reason why malware detection is hard—and underestimated
When it comes to antivirus products, false positives must be manageable and a corresponding tolerance rate definitely has to be lower than 0.001%.
Totally agree with the above statement!
According to this article, F-Secure's FP control is really bad.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
I said it before elsewhere on this forum. This specific disclaimer been around too long and is impossible to miss, unless one deliberate ignore it. Btw, MalwareBazaar since day one it opened always had a mix of non malicious and broken and dead samples. It's also completely normal on any malware repository when for example C&C ( command and control ) servers goes down or gets changed etc. Many samples is also poorly coded and simply not compatible enough etc etc. Time is a normal well known super important key factor for malware hunters, testers and re-searchers. That non malicious samples also gets submitted to that repository and others is neither a surprise or anything new under the sun, as the exact same occur on VirusTotal. It is after all a platform open for anyone to submit.

A very important factor that clearly is missing in this thread is that big AV companies like F-Secure handle a extreme amount of samples. Around 400k samples per day ( official numbers from 2021 ). Those are impossible for any human hands to handle all and everything correct 24/7. Claim otherwise is just, plain. :rolleyes:
 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,246
Hello,

To answer quickly about MalwareBazaar, I use this site when I have to sample my packs.
Only, as @upnorth says, many of them are broken or not malicious (they can say it's a RAT when it's a Putty clean...)

Personally, I ALWAYS test and analyze my samples before use. I use VirusTotal, AnyRun and a dedicated VM.
If the file does nothing, it goes in the trash. If vice versa, I integrate it.
It takes me 1 hour of sampling, but at least I have quality samples.

For F-Secure, I had already noticed this new detection during my video test.
I've also seen detection in Kwala during JS, either via DeepGuard or in the Cloud.

I think they need to give it time. I don't think F-Secure only uses abuse.ch, I think they must have a network of Honeypot or others to fish for malware and improve detection.
And I think @struppigel 's detailed it well 😉
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
I think they need to give it time. I don't think F-Secure only uses abuse.ch, I think they must have a network of Honeypot or others to fish for malware and improve detection.
And I think @struppigel 's detailed it well 😉
Very true, as they use many different sources and that basic information is actually even available in some of their whitepapers. It's not any hidden or secret information and I'm pretty sure they are very happy chappie if someone would just reach out and ask them. What can be better then themselves? But here, it's automatic a bit of a dead end.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Hello,

To answer quickly about MalwareBazaar, I use this site when I have to sample my packs.
Only, as @upnorth says, many of them are broken or not malicious (they can say it's a RAT when it's a Putty clean...)

Personally, I ALWAYS test and analyze my samples before use. I use VirusTotal, AnyRun and a dedicated VM.
If the file does nothing, it goes in the trash. If vice versa, I integrate it.
It takes me 1 hour of sampling, but at least I have quality samples.

For F-Secure, I had already noticed this new detection during my video test.
I've also seen detection in Kwala during JS, either via DeepGuard or in the Cloud.

I think they need to give it time. I don't think F-Secure only uses abuse.ch, I think they must have a network of Honeypot or others to fish for malware and improve detection.
And I think @struppigel 's detailed it well 😉

With unsigned samples I’ve had good luck making slight modifications or packing the executable to change the hash to get around the abch style rules.

For me, from an end user perspective, this kind of early zero day blacklisting is a good automatic defense against emerging threats before a human analysis can get around to it. It’s a good thing.

As a tester? I guess it’s uninteresting to me that F-Secure tells me “oh I found it in MalwareBazaar”. Guess what, I did too! I kind of want to see how the other engines respond to this threat. In my opinion it’s basically made MB a useless source of PE samples for F-Secure testing. Pretty much within an hour or two of the sandbox returning a negative verdict, the hash is blocked. Even trivially changing the hash bypasses that protection and results in the old behavior I wanted to test.
 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,246
As a tester? I guess it’s uninteresting to me that F-Secure tells me “oh I found it in MalwareBazaar”. Guess what, I did too! I kind of want to see how the other engines respond to this threat. In my opinion it’s basically made MB a useless source of PE samples for F-Secure testing. Pretty much within an hour or two of the sandbox returning a negative verdict, the hash is blocked. Even trivially changing the hash bypasses that protection and results in the old behavior I wanted to test.

I was talking about myself for my videos, not the F-Secure lab...
Anyway, if you know how to modify an executable, you destroy all detections, except if Hexa detection
 
  • Like
Reactions: MacDefender

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I was talking about myself for my videos, not the F-Secure lab...
Anyway, if you know how to modify an executable, you destroy all detections, except if Hexa detection
Not always. ESET signatures are often written in a way that makes it hard to lose the detection altogether with modifying and sometimes even repacking the binary with an off the shelf packer. It mostly defeats cloud based hash lookups as a first line of defense.

Kaspersky also does a great job with heuristic detections for both PE and MSIL malware, just the presence of certain win32 API calls alone will get you a heuristic detection.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top