New Update FS Protection PC 18.4 releases (beta)

Anthony Qian

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
struppigel said:
I know. That's why I wonder why you feel the need to discuss this with me.
It was MacDefender who said it, but corrected it later.


That is a complex topic because how would this simple check look like? If you are interested to learn more about FPs in antivirus software, you will find some answers here: The real reason why malware detection is hard—and underestimated
Click to expand...
When it comes to antivirus products, false positives must be manageable and a corresponding tolerance rate definitely has to be lower than 0.001%.
Click to expand...
Totally agree with the above statement!
According to this article, F-Secure's FP control is really bad.
 
  • Like
Reactions: roger_m, Miyagi and SeriousHoax
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Click to expand...
I said it before elsewhere on this forum. This specific disclaimer been around too long and is impossible to miss, unless one deliberate ignore it. Btw, MalwareBazaar since day one it opened always had a mix of non malicious and broken and dead samples. It's also completely normal on any malware repository when for example C&C ( command and control ) servers goes down or gets changed etc. Many samples is also poorly coded and simply not compatible enough etc etc. Time is a normal well known super important key factor for malware hunters, testers and re-searchers. That non malicious samples also gets submitted to that repository and others is neither a surprise or anything new under the sun, as the exact same occur on VirusTotal. It is after all a platform open for anyone to submit.

A very important factor that clearly is missing in this thread is that big AV companies like F-Secure handle a extreme amount of samples. Around 400k samples per day ( official numbers from 2021 ). Those are impossible for any human hands to handle all and everything correct 24/7. Claim otherwise is just, plain. :rolleyes:
 
  • Like
  • HaHa
Reactions: Zartarra, struppigel, roger_m and 4 others
Shadowra

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,641
Hello,

To answer quickly about MalwareBazaar, I use this site when I have to sample my packs.
Only, as @upnorth says, many of them are broken or not malicious (they can say it's a RAT when it's a Putty clean...)

Personally, I ALWAYS test and analyze my samples before use. I use VirusTotal, AnyRun and a dedicated VM.
If the file does nothing, it goes in the trash. If vice versa, I integrate it.
It takes me 1 hour of sampling, but at least I have quality samples.

For F-Secure, I had already noticed this new detection during my video test.
I've also seen detection in Kwala during JS, either via DeepGuard or in the Cloud.

I think they need to give it time. I don't think F-Secure only uses abuse.ch, I think they must have a network of Honeypot or others to fish for malware and improve detection.
And I think @struppigel 's detailed it well 😉
 
  • Like
Reactions: Zartarra, struppigel, roger_m and 2 others
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Shadowra said:
I think they need to give it time. I don't think F-Secure only uses abuse.ch, I think they must have a network of Honeypot or others to fish for malware and improve detection.
And I think @struppigel 's detailed it well 😉
Click to expand...
Very true, as they use many different sources and that basic information is actually even available in some of their whitepapers. It's not any hidden or secret information and I'm pretty sure they are very happy chappie if someone would just reach out and ask them. What can be better then themselves? But here, it's automatic a bit of a dead end.
 
  • Like
  • +Reputation
Reactions: roger_m, MacDefender and Shadowra
M

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Shadowra said:
Hello,

To answer quickly about MalwareBazaar, I use this site when I have to sample my packs.
Only, as @upnorth says, many of them are broken or not malicious (they can say it's a RAT when it's a Putty clean...)

Personally, I ALWAYS test and analyze my samples before use. I use VirusTotal, AnyRun and a dedicated VM.
If the file does nothing, it goes in the trash. If vice versa, I integrate it.
It takes me 1 hour of sampling, but at least I have quality samples.

For F-Secure, I had already noticed this new detection during my video test.
I've also seen detection in Kwala during JS, either via DeepGuard or in the Cloud.

I think they need to give it time. I don't think F-Secure only uses abuse.ch, I think they must have a network of Honeypot or others to fish for malware and improve detection.
And I think @struppigel 's detailed it well 😉
Click to expand...

With unsigned samples I’ve had good luck making slight modifications or packing the executable to change the hash to get around the abch style rules.

For me, from an end user perspective, this kind of early zero day blacklisting is a good automatic defense against emerging threats before a human analysis can get around to it. It’s a good thing.

As a tester? I guess it’s uninteresting to me that F-Secure tells me “oh I found it in MalwareBazaar”. Guess what, I did too! I kind of want to see how the other engines respond to this threat. In my opinion it’s basically made MB a useless source of PE samples for F-Secure testing. Pretty much within an hour or two of the sandbox returning a negative verdict, the hash is blocked. Even trivially changing the hash bypasses that protection and results in the old behavior I wanted to test.
 
  • Like
  • +Reputation
Reactions: roger_m, Shadowra and SeriousHoax
Shadowra

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,641
MacDefender said:
As a tester? I guess it’s uninteresting to me that F-Secure tells me “oh I found it in MalwareBazaar”. Guess what, I did too! I kind of want to see how the other engines respond to this threat. In my opinion it’s basically made MB a useless source of PE samples for F-Secure testing. Pretty much within an hour or two of the sandbox returning a negative verdict, the hash is blocked. Even trivially changing the hash bypasses that protection and results in the old behavior I wanted to test.
Click to expand...

I was talking about myself for my videos, not the F-Secure lab...
Anyway, if you know how to modify an executable, you destroy all detections, except if Hexa detection
 
  • Like
Reactions: MacDefender
M

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Shadowra said:
I was talking about myself for my videos, not the F-Secure lab...
Anyway, if you know how to modify an executable, you destroy all detections, except if Hexa detection
Click to expand...
Not always. ESET signatures are often written in a way that makes it hard to lose the detection altogether with modifying and sometimes even repacking the binary with an off the shelf packer. It mostly defeats cloud based hash lookups as a first line of defense.

Kaspersky also does a great job with heuristic detections for both PE and MSIL malware, just the presence of certain win32 API calls alone will get you a heuristic detection.
 
  • Like
Reactions: Gandalf_The_Grey, roger_m, Anthony Qian and 1 other person

Similar threads

Lord Ami
    • Like
    • +Reputation
    • Applause
New Update FS Protection PC 19.3 releases (beta)
Replies
18
Views
2,155
F-Secure
Jonny Quest
Jonny Quest
Lord Ami
    • Like
    • +Reputation
    • Sad
New Update F-Secure beta version updates
Replies
81
Views
5,047
F-Secure
bazang
bazang
Lord Ami
    • Like
    • +Reputation
    • Thanks
New Update FS Protection PC 19.2 releases (beta)
Replies
20
Views
3,093
F-Secure
Moonhorse
Moonhorse

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top