Advice Request I am head of research at Emsisoft. Ask me anything! :)


Status
Not open for further replies.

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Talking about signature tools. I almost forgot. This is, for example, one of the tools we developed internally. It's called "Signature Maker". It's a clever name, I know. It's kind of like an IDE, except for creating detection signatures for our scan engine:

View attachment 210180

In general, signatures for the Emsisoft engine are essentially functions that are called by the scan engine depending on certain filter flags, like the file type for example. The signature flags you can see on the right are pretty much functions that perform certain tests. We can match signatures against certain version information fields, for example, or based on specific PE header fields, things like imported APIs or exported APIs, but also more advanced information. Programming languages like .NET or Delphi, for example, leave a bunch of meta information behind that our scan engine is capable of parsing and using as flags and information to feed into the actual detection functions (which is what signatures for our engine actually are).

Fields can be matched using a variety of methods. The most obvious one is literal matching, so checking whether the value of the file to be scanned is exactly like a given value. But it's also possible to use wildcards or regular expressions to create more complex strings to match against. This applies to binary strings as well, by the way.

One way we apply machine learning, for example, is by automatically suggesting our analysts flags and fields that are high-quality candidates for an actual signature, depending on which samples they are currently working on. You can see those red pins in front of some of the signature flags, which indicate attributes that are anomalies and therefore likely flags that would make a good signature.

But we aren't limited to just these flags. Signatures can also be made up of or contain more complex patterns:

View attachment 210182

You can simply highlight the areas of the file that should be used for detection and how to locate that area. Whether it should be relative to certain points of interest for example. Patterns can have ranges. So even if they move around in the file, they still can be found. Obviously doing those by hand is a bit tedious. So you can also, once again using machine learning techniques, let the tool figure out good candidates for you:

View attachment 210181

This one, for example, parses all the functions inside the code of the file and extracts the code blocks and fragments that are most unique and don't appear in other good files. But it also works for normal strings:

View attachment 210183

At the very end of all of this, whether you decided to create the signature manually or let all the machine learning stuff help you, you end up with a small function in our own domain-specific programming language that is used by our scan engine:

View attachment 210184

This function will then be compiled into native machine code. The code of hundreds of thousands of these signatures is then combined into signature files that are being shipped to our users.

This is just a very small portion of what Signature Maker can do, but it outlines roughly how we would go about adding detection of a new malicious file. Ultimately there are a whole bunch of additional features, especially for clustering vast amounts of samples to find all the samples that are related to each other for example, so we can extract a single signature that matches all of them (often tens of thousands of variations).

It also signifies something that I don't think a lot of people realise: for a lot of AVs, there is no difference between the engine and the signatures. In many cases, the "engine" is just a loader or a virtual machine that loads and executes the actual logic and functionality that is part of the signature files. I only showed you a very small amount of what we can do, but in general it can get a lot crazier, and "signatures", which are really just normal code running on your system, can end up being entire algorithms and perform complex operations (for unpacking, for example) and can interact with the entire Windows API.

I hope that little excursion was interesting. :)
This is fab insight into how you make signatures for EAM et al. Such a great and open little company you are, may need to make a future purchase. :p

~LDogg
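A toy model of the "signatures are functions" idea from the post above, added here as an illustration; it is not Emsisoft's DSL and not anything Signature Maker emits. Each signature is a Python function gated by a file-type filter flag, and the two constructed signatures show the matching methods the post lists: literal matching on import names, a regular expression on a version-info field, and a wildcard byte pattern that is allowed to drift within a range relative to a point of interest (the entry point). `FileFacts`, the signature names, the byte pattern and the two sample files are all constructed for the example; a real engine would fill the facts from its PE parser.

```python
"""Toy 'signatures as functions' engine (constructed example, not Emsisoft code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class FileFacts:
    """What the engine's parsers would hand to a signature function. Filled in by
    hand here instead of by a real PE parser."""
    file_type: str                      # filter flag: decides which signatures run at all
    data: bytes                         # raw file contents
    imports: Set[str] = field(default_factory=set)
    exports: Set[str] = field(default_factory=set)
    version_info: Dict[str, str] = field(default_factory=dict)
    entry_point: int = 0                # file offset of the entry point ("point of interest")


def compile_hex_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with wildcards into a byte regex.
    Tokens: 'E8' literal byte, '??' any single byte, '[lo-hi]' a run of lo..hi bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(data: bytes, pattern: str, anchor: int = 0,
                 window: Optional[int] = None) -> Optional[int]:
    """Search for `pattern` starting at `anchor`. With `window`, only the next `window`
    bytes are searched, so the pattern may move around a little but not anywhere."""
    region = data[anchor:] if window is None else data[anchor:anchor + window]
    m = compile_hex_pattern(pattern).search(region)
    return anchor + m.start() if m else None


@dataclass
class Signature:
    name: str
    file_types: Set[str]                # filter flags: `test` only runs for these types
    test: Callable[[FileFacts], bool]   # the "function" the engine calls


def scan(facts: FileFacts, signatures: List[Signature]) -> List[str]:
    """Run every signature whose filter flags match; return the names that hit."""
    return [s.name for s in signatures
            if facts.file_type in s.file_types and s.test(facts)]


# --- constructed signatures ---------------------------------------------------
def _injector_imports(f: FileFacts) -> bool:
    # literal matching on import names plus a regex on a version-info field
    needed = {"kernel32.dll!WriteProcessMemory", "kernel32.dll!CreateRemoteThread"}
    company = f.version_info.get("CompanyName", "")
    return needed <= f.imports and re.fullmatch(r"\s*", company) is not None


def _stub_near_entry(f: FileFacts) -> bool:
    # pushad / call $+5 / pop ebp / ... / sub ebp, imm32: a generic self-relocating
    # prologue, searched for within 32 bytes of the entry point (constructed pattern)
    return find_pattern(f.data, "60 E8 ?? ?? ?? ?? 5D [0-4] 81 ED",
                        anchor=f.entry_point, window=32) is not None


SIGNATURES = [
    Signature("Gen.Injector.Imports", {"pe32", "pe64"}, _injector_imports),
    Signature("Gen.Packer.StubAtEP", {"pe32"}, _stub_near_entry),
]

# --- constructed sample files ---------------------------------------------------
_STUB = bytes.fromhex("60 E8 00 00 00 00 5D 90 90 81 ED 0A 10 40 00")
SUSPICIOUS = FileFacts(
    file_type="pe32",
    data=b"MZ" + b"\x00" * 62 + _STUB + b"\x00" * 32,   # stub sits exactly at offset 64
    imports={"kernel32.dll!VirtualAlloc", "kernel32.dll!WriteProcessMemory",
             "kernel32.dll!CreateRemoteThread"},
    version_info={"CompanyName": "", "ProductName": "Update Helper"},
    entry_point=64,
)
BENIGN = FileFacts(
    file_type="pe32",
    data=b"MZ" + b"\x00" * 128,
    imports={"kernel32.dll!CreateFileW", "kernel32.dll!WriteProcessMemory"},
    version_info={"CompanyName": "Example Corp"},
    entry_point=64,
)

if __name__ == "__main__":
    print(scan(SUSPICIOUS, SIGNATURES))   # ['Gen.Injector.Imports', 'Gen.Packer.StubAtEP']
    print(scan(BENIGN, SIGNATURES))       # []
```

The filter flag does the cheap work first (a `.ps1` never reaches either function), and `find_pattern` with a window is the "pattern with a range relative to a point of interest" from the post: the two `90 90` filler bytes in the sample are absorbed by `[0-4]`, but the same stub placed far from the entry point would not match. The byte pattern and the import combination are illustrative heuristics, not production detections.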
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
A brief break from Emsisoft stuff: you know how you piece together an online picture to go with several avatars of someone and you appear as no-nonsense, and occasionally harsh. Is your change of physical environment starting to fundamentally change and dilute you? I used to read some of your replies to people who seriously annoyed you, one could only silently thank the powers above one wasn't on the receiving end.
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
Thanks for taking the time to make it clear. Sorry if I am making you repeat yourself, I am still learning, so sometimes understanding how things are done does take a few goes at it. ;)
Don't worry about it. Everyone has to start somewhere and I prefer asking questions and making sure you got it right over making incorrect assumptions.

This is fab insight into how you make signatures for EAM et al.
A lot of people have like really wrong impressions of how signatures are generated and what they actually are. So glad to give you some insights.

What about Non-PE direct detection. Is it doable? Is it needed?
It's doable and it is needed. Especially for stuff like VBS, VBA, JScript and Powershell. It's actually quite interesting, as a lot of "Next-Gen AV" handle these vectors poorly, if at all. Especially when it comes to attacking company networks, you often see that attackers don't use classic malware at all. Everything is done through Powershell.
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
A brief break from Emsisoft stuff: you know how you piece together an online picture to go with several avatars of someone and you appear as no-nonsense, and occasionally harsh.
Most people would call it being German, but yes. ;)

Is your change of physical environment starting to fundamentally change and dilute you? I used to read some of your replies to people who seriously annoyed you, one could only silently thank the powers above one wasn't on the receiving end.
That has little to do with it. The fact that I seriously worked on reducing my stress levels and my blood pressure, which at one point was at 230/110 resting despite being on every blood pressure medication on the planet, over the past 2 years probably helped a lot though.
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
It's doable and it is needed. Especially for stuff like VBS, VBA, JScript and Powershell. It's actually quite interesting, as a lot of "Next-Gen AV" handle these vectors poorly, if at all. Especially when it comes to attacking company networks, you often see that attackers don't use classic malware at all. Everything is done through Powershell.

With this being said about Powershell at the latter half of your sentence, would this mean that if Powershell was restricted or blocked completely, this would mitigate malware executing via Powershell?

~LDogg
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
Have you plans to launch a free av for example ?
That question already popped up a few times. We do not at the moment, as we would be required to turn our users into a product we sell to advertisers or other third-party companies. If we ever find a way to monetise a completely free product without compromising our principles, we will likely do it.
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
With this being said about Powershell at the latter half of your sentence, would this mean that if Powershell was restricted or blocked completely, this would mitigate malware executing via Powershell?
You can just uninstall it if you don't use it (and most users won't). That being said, Powershell is a tricky beast. Even if you block the Powershell executable or uninstall it, it is still there in the form of System.Management.Automation.dll for example. There are multiple other applications that parse command lines or configuration using Powershell for whatever reason. Those can be used to run Powershell code even though they have nothing to do with Powershell at all. MsBuild is one of those for example.
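A detection-side check for the point above, added here as an example and not Emsisoft code. Whichever executable hosts it, the Windows PowerShell engine writes event ID 400 ("Engine state is changed from None to Available") to the Windows PowerShell log, and the event's details carry `HostName` and `HostApplication`; so a host that is not powershell.exe shows up there even if powershell.exe itself is blocked. The two records below are constructed in that shape with made-up values; the allowlist, the function names and the MSBuild command line are the example's own assumptions.

```python
"""Flag PowerShell engine starts inside unexpected host processes (constructed example)."""
import re
from typing import Dict, List, Optional

# Executables expected to host the engine. Anything else reporting an engine start
# has loaded System.Management.Automation.dll by some other route.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

_KV = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)


def parse_event_400(message: str) -> Dict[str, str]:
    """Pull the Key=Value detail lines out of an event 400 message body."""
    return {k: v.strip() for k, v in _KV.findall(message)}


def host_executable(host_application: str) -> str:
    """HostApplication is a full command line; return the lowercase basename of its
    program. Handles a quoted program path and both path separators."""
    if host_application.startswith('"'):
        end = host_application.find('"', 1)
        program = host_application[1:end] if end > 0 else host_application[1:]
    else:
        program = host_application.split(" ", 1)[0]
    return re.split(r"[\\/]", program)[-1].lower()


def unexpected_engine_host(message: str) -> Optional[Dict[str, str]]:
    """Return an alert dict if this event 400 shows the engine inside an unexpected
    host, else None."""
    d = parse_event_400(message)
    if d.get("NewEngineState") != "Available":
        return None
    exe = host_executable(d.get("HostApplication", ""))
    if exe in EXPECTED_HOSTS:
        return None
    return {"host_exe": exe, "host_name": d.get("HostName", ""),
            "engine_version": d.get("EngineVersion", "")}


def scan_events(messages: List[str]) -> List[Dict[str, str]]:
    return [a for a in (unexpected_engine_host(m) for m in messages) if a]


# --- constructed sample records, shaped like event 400 (values made up) ------------
NORMAL = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None
\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile
\tEngineVersion=5.1.19041.1
"""

HOSTED = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None
\tHostName=Default Host
\tHostVersion=5.1.19041.1
\tHostApplication="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe" build.proj
\tEngineVersion=5.1.19041.1
"""

if __name__ == "__main__":
    for alert in scan_events([NORMAL, HOSTED]):
        print("PowerShell engine started by unexpected host:", alert)
```

On a real system the messages come from the "Windows PowerShell" event log filtered to event ID 400. Expect legitimate non-console hosts in the results (management consoles and admin tools embed the engine too), so the allowlist is a per-environment decision rather than a fixed list; the point of the check is that blocking the executable name alone leaves the engine itself reachable, and this log entry is one place that shows it.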
 

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
Fascinating reading although the majority of it is beyond my comprehension unfortunately but my burning question is (sorry if it's too personal) :emoji_flushed: But i need to know if you take your Panda suit off before you go to bed ? Think carefully because this is important stuff.

And just for the record, try the pineapple, there's something wonderful about sweet and savoury together :)
 

BigWrench

Level 19
Verified
Top Poster
Well-known
Apr 13, 2014
946
Fabian, Hope all is well with you. I have spoken with a couple of your fellow developers in the past concerning adding an antispam “module” , if you will, into EAM. As most of us now are seeing, new ways to hide malware. Any chance of such an addition being incorporated into EAM in the foreseeable future?
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,250
Some of them do pretty good work. But especially once they try to tell you, that all "legacy AVs" do are signatures, they are blatantly lying to your face.


Thanks. :)


Well, we discontinued our firewall precisely because we don't see much benefit compared to the firewall in Windows 7 even. The biggest issue with the Windows firewall is tamper protection. Meaning: Everything running on your system can create rules and allow itself. EAM actually blocks that. So only applications you allow can interact with the Windows firewall.


It's funny because for 2019 we decided to drop out of AV Comparatives.


Their slogan used to be: "CVS done right." There is no way you can do CVS right, hence why it was doomed to failure from the get-go.


Thanks. :)


Honest question: Why did you stop? :)


I unfortunately no longer do. But my first stuff were small anti-virus tools that detected one specific virus and cleaned infected files. I then quickly moved to heuristic stuff, because I thought it was stupid to create new signatures and detections for every new virus. Back then there were literally only like a hundred or so of them in the first place though.


As I showed in the tool we use, we already do that. There is no way we can keep up with the number of samples we get otherwise. We obtain more than 450,000 new malicious files every single day. What I showed you there was pretty much the "manual" mode.


That's already the case for the behaviour blocker. If we see a malicious file on a single system and it is being picked up by the behaviour blocker there, automatic blocks are issued for all other users using EAM already.


Ah, sorry. They do use SSL. But they send the entire URL to their servers, while most browsers or our extension for example, only send hashes and non-specific information that can't be turned back into URLs.


Both are fine.


Windows doesn't get a list of all the websites you look at. Unlike Traffic Light:

View attachment 210195
MS Edge syncs the browsing history with my Phone/PC as well, so it becomes cumbersome.
 

Mahesh Sudula

Level 17
Verified
Top Poster
Well-known
Sep 3, 2017
825
Hi Fabian,
Good to see you here engaging actively regarding your product ..
However just consider my opinion (if) found legit :
Drop the Bitdefender engine if possible, since their signatures are overrated, meaning cracks, keygens, PUA etc. are flagged as Trojans.
Trust me, even now more than 80% of normal users still use pirated software. So at least if you don't support them, do not make them believe the cracks are viruses.
Bitdefender is not that speedy in reacting to newer threats. Maybe ESET and Avira are much better in responding faster than BD.
If possible, kindly get your company onto Wikipedia. Almost nil information exists.
Thank you !
 

pesus

New Member
Dec 4, 2018
3
We may. The problem is, that ultimately with these free AVs you as a user pay with your data. That's generally speaking something we don't feel very comfortable with. Especially given that not a lot of people are even aware of it.

Recently I was kind of surprised to see that an otherwise super privacy conscious user had Traffic Light installed for example. It doesn't seem to be common knowledge that Traffic Light and a bunch of other browser extensions (Comodo Online Security Pro, Norton Safe Web, Avira Browser Safety, Avast Online Security being the biggest ones) like it will literally send every single URL you visit in clear text off to the vendor's server. The privacy policies aren't always clear and kinda sketchy at times. I am sure that some people don't mind. But I am also sure that a lot of people do mind, but simply don't know.


A REAL EYE OPENER!

I personally don't use that kind of extension (only uMatrix in block-all mode), but I have recommended and installed those extensions for friends.

I did quick test:
  • avast online security, avira browser safety, bitdefender trafficlight,... all report complete url address, with private things like your search, bank info,...
  • windows defender browser protection strips url
  • malwarebytes browser extension with disabled telemetry, downloads "virus definition", use only local database, no cloud checks...
  • emsisoft: url hash > Thank you!

Testing chrome extensions(!) I found out that avira and bitdefender are the quickest at detecting new things, followed by windows defender.
Avast, comodo, norton,mcafee ... are slow at detecting new things.
Emsisoft isn't as quick at adding detection for new URLs, but it shines at detecting PUP-serving sites and other sites scamming you into installing chrome extensions,...

The warning of the Emsisoft extension should look more scary, like the warnings of Chrome, Windows Defender and Google Safe Browsing, and not be skippable with just one click.


Emsisoft looks like good privacy oriented company. I will recommend buying your antivirus to my friends, but in the age of "free"(even if it cost your soul) it is hard sell.
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
Is lifetime license available ?
Lifetime licenses are an unsustainable business model for a product that requires hourly or even minutely updates. If you see someone offering lifetime licenses, run. Because chances are they already know that the lifetime of the product will be rather limited. I have seen quite a few companies that knew they were going to sell their business offer lifetime licenses to squeeze some last-minute cash out of their userbase, knowing that actually honoring those lifetime licenses will be none of their concern, or knowing that the product will be renamed/rebranded/merged anyway so that lifetime licenses become useless.

Fascinating reading although the majority of it is beyond my comprehension unfortunately but my burning question is (sorry if it's too personal) :emoji_flushed: But i need to know if you take your Panda suit off before you go to bed ?
It's a polar bear onesie and of course not!

Fabian, Hope all is well with you. I have spoken with a couple of your fellow developers in the past concerning adding an antispam “module” , if you will, into EAM. As most of us now are seeing, new ways to hide malware. Any chance of such an addition being incorporated into EAM in the foreseeable future?
We don't scan or touch your email. The only effective way of doing that would be to decrypt your traffic through a MITM attack, which is something we don't want to do at the moment.

Drop the Bitdefender engine if possible, since their signatures are overrated, meaning cracks, keygens, PUA etc. are flagged as Trojans.
That is because a majority of these cracks are using the same kind of packers and obfuscators that malware does. Bitdefender (or we, for that matter, because we detect quite a few as well) doesn't target the crack specifically but the obfuscators and packers used, as only malware and arguably shady applications use them.

Does Emsisoft have plans to develop a VPN service?
That was asked before and no. Not at the moment. :)

avast online security, avira browser safety, bitdefender trafficlight,... all report complete url address, with private things like your search, bank info,...
Yeah. Some of them even include a unique per-installation ID, so they can group all URLs together and know that they are all the same user/system.

emsisoft: url hash > Thank you!
It's technically not even a URL hash but bits and pieces of the hostname. Like when you visit https://malwaretips.com/threads/i-am-head-of-research-at-emsisoft-ask-me-anything.90999/page-5#post-802453 for example, we will send two hashes for "malwaretips.com" and "com" to the server. The server can use those hashes to quickly eliminate 99.99% of all the patterns of malicious URLs so there are either no patterns at all left that could match or only a few handfuls, which are small enough to just return to the extension so it can do the actual matching.

Emsisoft isnt as quick at adding detection for new urls, but it shines at detecting pup serving sites and other site scamming you to install chrome extensions,...
We are hoping to improve the reaction time in the future. The main focus of the extension is phishing, as phishing is a big issue for our surf protection at the moment and the extension is mostly intended to be an additional layer of protection for EAM users. We just found it silly not to make it available for everyone as it doesn't cost us anything.

The warning of the Emsisoft extension should look more scary, like the warnings of Chrome, Windows Defender and Google Safe Browsing, and not be skippable with just one click.
We are considering a few additional changes to the extension at the moment. We got a lot of requests from people asking for markers in search results for example.
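The lookup shape described two answers up ("bits and pieces of the hostname" go to the server, the real matching happens in the extension), written out as an added example with both sides in one file; this is not Emsisoft's code or protocol. The client hashes the suffixes of the hostname, the server answers with the handful of URL patterns indexed under those hashes, and the client matches the full URL locally, so the path and query string never leave the browser. The post describes sending the registrable domain and the TLD; this example sends every suffix of the hostname, which needs no public-suffix list and still reveals nothing beyond the hostname. The hash truncation, the pattern format and all domains and patterns below are constructed.

```python
"""Suffix-hash URL lookup: client and server halves (constructed example)."""
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse


def host_suffixes(url: str) -> List[str]:
    """'https://a.b.example.com/x' -> ['a.b.example.com', 'b.example.com', 'example.com', 'com']."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def suffix_hash(suffix: str) -> str:
    """What leaves the client: a truncated SHA-256 of one suffix (16 hex digits here)."""
    return hashlib.sha256(suffix.encode("utf-8")).hexdigest()[:16]


class PatternServer:
    """Server side. Patterns are indexed by the hash of the suffix they belong to;
    the server only ever receives suffix hashes, never a URL."""

    def __init__(self, patterns: Dict[str, List[str]]):
        self.index = {suffix_hash(s): rxs for s, rxs in patterns.items()}
        self.seen: List[str] = []          # everything a curious operator could log

    def lookup(self, hashes: List[str]) -> List[str]:
        self.seen.extend(hashes)
        return [rx for h in hashes for rx in self.index.get(h, [])]


def check_url(url: str, server: PatternServer) -> List[str]:
    """Client side: fetch candidate patterns by suffix hash, then match locally."""
    candidates = server.lookup([suffix_hash(s) for s in host_suffixes(url)])
    return [rx for rx in candidates if re.search(rx, url)]


# constructed pattern set on reserved example domains
SERVER = PatternServer({
    "example.com": [r"^https?://secure-login\.example\.com/verify"],
    "example.net": [r"^https?://[^/]+\.example\.net/wp-content/.*\.exe$"],
})

if __name__ == "__main__":
    print(check_url("https://secure-login.example.com/verify?acct=1", SERVER))  # one hit
    print(check_url("https://www.example.com/", SERVER))                         # candidates, no hit
    print(check_url("https://malwaretips.com/threads/x.90999/", SERVER))        # no candidates
    print(SERVER.seen)                                                          # hashes only
```

The privacy property is visible in `SERVER.seen`: the operator learns which hashed suffixes a client asked about, and with a short, unsalted hash over a small set of popular domains that is reversible by dictionary, so the scheme hides paths and query strings rather than the site itself. The trade-off the post mentions follows from the same design: a new malicious URL is only caught once a pattern for its suffix is on the server.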
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
I see that Emsisoft Anti-Malware currently supports Windows 7, 8 and 10.
  1. How long will Emsisoft support Windows 7 and 8/8.1 after they become unsupported by Microsoft?
  2. What are your (or Emsisoft's) views on supporting outdated operating systems?
  3. And what advice would you recommend to anyone still running Windows XP or Vista?
Thank you for your time to answer these.
 

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,041
Hi, Fabian!
Some more from me:

1. There will always be patient zero, right?
What I mean by that is that somebody's gotta get infected in order for cloud to get the sample/behavior etc data?

2. What is your take on cloud reputation? Shouldn't it be easy to block all unknown files (first encounters) to at least verify file's maliciousness? Or is whitelisting (Digital signatures) too limited for that and they require constant updating, as is with other databases?
My guess is that day by day the count of new files rises and there is no server park that could handle it - am I right? Or even if we get all these files stopped (what Avast tries to do with CyberCapture), we still can not make 99% detection ratio out of it as lot of files require human interference?

Thanks again!
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
How long will Emsisoft support Windows 7 and 8/8.1 after they become unsupported by Microsoft?
We make it mostly dependent on our own userbase. As long as there is a good enough share of EAM users using those systems, we will keep supporting them. We kept supporting Windows XP for two more years past the official Microsoft support period, for example. Vista, on the other hand, we cancelled even before Microsoft stopped supporting it. The critical threshold is about 5%. Below that, having extensive QA tests or additional development efforts because features available on more recent versions of Windows are unavailable on those old versions becomes infeasible.

What are your (or Emsisoft's) views on supporting outdated operating systems?
We are a small company. So we can't throw a lot of resources at problems and maintain or implement things in many different ways for different OSes. So whenever we implement new features, for example, we have to implement them with the lowest available feature set in mind. There are a lot of cool things that we would love to take advantage of in Windows 10, but we can't because we would have to split the development for that specific feature into pre- and post-Windows 10. So chances are we will go with a solution that may not be as clean, but works on all supported Windows versions.

And what advice would you recommend to anyone still running Windows XP or Vista?
Upgrade. I understand that you may not be able to buy new hardware, but there are various Linux distributions that will run just fine on your old hardware. If you don't want to do that either, unplug the ethernet cable or rip out the wifi card.
 
