Please provide comments and solutions that are helpful to the author of this topic.
People often accuse us of doing decisions without reason. The opposite is the case actually. Our decisions are incredibly data-driven. Whenever something changes on the website, it is usually the result of months of A/B testing. A/B testing means, that for a time, we have multiple versions of the same webpage online. Users visiting the website get one of those different versions randomly assigned. We have multiple goals defined for each test run and measure which of those versions is more successful.
In real-time. It's actually one of the reasons why submitting samples to VT before you test it at the Malware Hub is kind of a bad idea. There are a lot of AVs out there that will blindly copy VT results without further thoughts, so you hand them all your samples before you test them pretty much, guaranteeing 100% detection.
There are different piles of samples. Submitting them to us directly will get human attention and may lead to a more high quality detection/signature while submitting through VT will get it processed automatically by our automated systems.
They use the command line scanner that is also available on our website. They do use their own update mechanism though, which sometimes causes issues. Essentially what they do is they have one server they run the different vendor updates on and then replicate those using their own mechanism to all their scan slaves.
Depends on what kind of rules. At the moment there are two bits and pieces to the rules. There are local rules, which are part of a2core.dll and a2hooks.dll, which are updated about once a month and then there are rules in the backend, which are updated constantly (usually multiple times per second).
Sure, I will show you in a moment.
We use statistical methods to figure out and detect compromised certificates. That means, there may be some "patient zeroes" until the model collected enough data to blacklist the certificate. Especially recently there has been a surge in signed malware, so we are considering switching the model to distrust any certificate until proven trustworthy instead of the other way around.
Binary planting is an issue, yes. In the current trust model, it may be trusted until the certificate was revoked automatically by our backend systems.
That's a good habit actually. My bank offers the same and so do a lot of different payment services like Paypal for example, where you can cancel the authorisation unilaterally.
Unless you are a lifestyle brand, brand awareness doesn't pay rent or put food on our developer's tables.
You can check out our job listings here:
www.emsisoft.com
malwaretips.com
What do you think about an option to restrict or block Windows scripts (VBS, VBA, JScript/JavaScript, and Powershell) when run by the user (with medium integrity level). Some MT members would prefer this in the home environment. There are not many applications which use Windows scripts.
May work for you guys, but not for home users. You have to keep in mind: The user already decided they want to open the script at that point because they decided that file was legit and it contains an important invoice, delivery notification, celebrity nudes or whatever. So they won't be stopped by an application asking them if they REALLY want to open it.
That is true for motivated home users (I know some personally), but most of home users open scripts by an accident, because they are fooled by the embedded icon, or another trick. Many home users do not touch AV settings, at all. Such option would be especially useful for children or computer illiterate users. There are many families where one person has above average knowledge about computers. Such a person could configure restricting/blocking scripts in AV.
Started when I was 11. I didn't start with comp sci though. Just started with programming and being interested in computers in general.
I am definitely not a king. There are plenty of much more talented people out there. There is a lot of practice involved, yes. But it never felt like work since I loved doing it. It helps that I have kind of an obsessive personality. I get really into things and don't stop pursuing them no matter how boring people find it.
First time I saw a PC was at 7. My dad did some educational courses as he was unemployed and at least in Germany when there is little chance for you to get a job in what you previously did your apprenticeship/education in, they try to teach you new stuff to get you into other jobs. I visited him a few times at his school and they had PCs there. It was clear that I wanted one, but my family was incredibly poor. Plus I grew up in the GDR. So PCs weren't that common, to begin with. I spent the next 4 years with saving money. Like I collected bottles on the street, saved my allowance, did anything a small kid can do really to get a bit of money.
At 10/11 I bought my first PC. I was so happy. It was a pretty decent one as well for the time and served me well for the next 6 years or so. It didn't take long until I was infected by a virus though (Tequila.B). I got it from a game I copied from a school friend most likely. Back then it was normal to just trade floppies on the school campus.
I didn't know what to do so my first reaction was to just go to the local library and look up computer viruses. To my surprise, they actually had a couple of books there for me to read. So I did that. It became obvious quickly that I would need to learn assembly to truly understand what was going on. So I did that. Bought a book about assembly and wrote my first little tool to clean up my messed up files.
Assembly was nice, but it was kind of tedious to write programs in. So I asked my school's computer science teacher what he would suggest. I literally dumped all kinds of questions on him actually, none of which he could answer. I really struggled with pointer arithmetic for example, but I really wanted to write a memory scanner. But he recommended Pascal to me. So when I was 12 I started to learn Pascal.
From Pascal the natural transition was to Delphi which I used almost exclusively and still do from time to time. On the road, I picked up C (which I thought was stupid in the beginning, as I had an irrational hatred for curly braces), then later C++. Then came the transition to Windows 95 and my interest in that.
Stubbornness. The same kind of attributes that get me regularly into trouble with people in real life.
For malware research there are a lot of great resources now, that didn't exist before. OpenSecurityTraining is a good one. MalwareUnicorn has a nice tutorial for basics as well. There are some amazing books as well. I can recommend these:
Amazon.com: Low-Level Programming: C, Assembly, and Program Execution on Intel® 64 Architecture eBook : Zhirkov, Igor: Books
Buy Low-Level Programming: C, Assembly, and Program Execution on Intel® 64 Architecture: Read Books Reviews - Amazon.comwww.amazon.comPretty much everything related to C++ written by Bjarne Stroustrup, Herb Sutter, Scott Moyer and Andrei Alexandrescu.Amazon.com: C++ Primer (5th Edition): 9780321714114: Lippman, Stanley, Lajoie, Josée, Moo, Barbara: Books
Amazon.com: C++ Primer (5th Edition): 9780321714114: Lippman, Stanley, Lajoie, Josée, Moo, Barbara: Bookswww.amazon.com
Malware and reverse engineering specifically:
Art of Computer Virus Research and Defense, The: Szor, Peter: 9780321304544: Amazon.com: Books
Buy Art of Computer Virus Research and Defense, The on Amazon.com ✓ FREE SHIPPING on qualified orderswww.amazon.comPractical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation: 9781118787311: Computer Science Books @ Amazon.com
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation: 9781118787311: Computer Science Books @ Amazon.comwww.amazon.comPractical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software: Sikorski, Michael, Honig, Andrew: 8601400885581: Amazon.com: Books
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software [Sikorski, Michael, Honig, Andrew] on Amazon.com. *FREE* shipping on qualifying offers. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Softwarewww.amazon.com
I would start with C. From there transition to C++. Don't bother learning old C or C++ standards. They will only teach you bad habits. If your book/material starts to tell you to use new and delete for memory management, toss it and get a better one. Modern C++ (starting with the C++11 standard) is one of the most beautiful and expressive languages there is. Also Python is incredibly useful as well.
I wouldn't rule it out, but probably not for a while.
Can't talk about it yet. But it is a valuable feature.
You will see.
They require certain groundwork that isn't in yet, because it is specific to Windows 8/10 only and we still need to support Windows 7.
Security theatre. Only reliable way is sticker or some kind of cap to put over your webcam.
Download wrappers
A download wrapper is an installation program that is wrapped around the actual program a user wants to install. It often contains sponsor offers which are optional, but often presented in such a way that a user is persuaded to install these additional features.
Download wrappers will be detected when one or more of the following conditions are true:
Toolbars/Browser Helper Objects/Browser Extesions
- There is no (clear) link to, or description of the EULA and/or Privacy Policy of the product(s) presented before the installation starts.
- There is no (clear) option to decline the installation of sponsor applications/features present or the way this option is presented is misleading or third-party options are prechecked.
- During installation the browser settings (e.g. homepage, search settings) are modified without user consent and/or notification.
- Sponsor applications/settings are installed/changed without user consent.
- The included application(s) does not have an uninstall option.
A toolbar/BHO/Extension is an addition to an internet browser that can have a variety of functions. They will be detected when one or more of the following conditions are true:
PC Optimizers
- (One of) the objective(s) of the toolbar/BHO/extension is to track personal data and/or transmit this to third parties without sufficiently informing the computer user about this.
- There is no (clear) link to, or description of the EULA and/or Privacy Policy of the toolbar/BHO presented before the installation starts.
- During installation the browser settings (e.g. homepage, search settings) are modified without user consent and/or notification outside the scope of the toolbar/BHO.
- The toolbar/BHO/extension is installed silently (without asking for user consent).
- The toolbar/BHO/extension does not have an uninstall option.
PC Optimizers are applications that pretend to scan for problems on a computer (this can be malicious content, outdated drivers, performance issues and so on). This type of program will be detected when one or more of the following conditions are true:
Risktools
- The application presents fake or non-existent threat detections and removal or does not present details about found objects.
- The application is installed without user consent.
- The application does not have an uninstall possibility.
- The application presents alerts/pop ups meant to scare the user into purchasing the product without such alerts being warranted by the severity of the found issue(s).
- The program is not able to address detected problems but requests payment to unlock this feature nonetheless even though no form of trial is available.
Risktools are applications that provide a functionality that in itself is non-malicious but can be used by third-parties to conduct malicious activities. Applications will be detected when one or more of the following conditions are true:
Remote administration tools
- The application facilitates the monitoring/capture of networks or network traffic.
- The application facilitates the monitoring/capture of text input.
- The application facilitates modification of access levels/policies on a computer in an insecure manner.
In general, we allow our analysts certain freedoms and to use their common sense though. These standards are also regularly updated.
- Remote administration tools are applications that can be used to access a computer from a remote location. This type of application is detected when one or more of the following conditions are true:
- The application allows a connection from/to a remote computer insecurely and/or without requiring consent/authentication from the (remote) user.
- The application is installed silently (without asking for user consent).
The behaviour blocker is able to detect a whole bunch of them. But especially removal is heavily driven by signatures.
Mostly because especially enterprises don't want their users to use cracks/pirated software.
You probably noticed a loophole in such reasoning.
Modern C and C++ standards, yes.
It's the reason why we changed most of the defaults.
If you ever tried to contact Microsoft looking for help for literally anything, you will be able to answer that question yourself. Despite that, I was always wondering: Literally like half the time Smart Screen, for example, seems to be down for me. I get messages "Oh, we can't reach the cloud. Do you want to run this anyway?". Not sure if that's a thing with my internet connection or a general observation. Since I did have that behaviour with different internet connections, I am leaning towards the later.
Obviously. But there is a difference between an alert: "Do you really want to run this?" and "Listen, this thing is a virus. I put it in quarantine.".You probably noticed a loophole in such reasoning.
All points mentioned by you are valid also for any file - for EXE files, too.
How do you think so many people catch ransomware, even ancient well detected ones, that are spread through pirated software? Is it particularly sophisticated? No. Is it using some ultra-secret obfuscation technique that prevents the ransomware from staying undetected for months? No. It's the user who throws caution out of the window because they really want to play Call of Duty right now!
AVs usually don't ask "Do you want to run this?". They just take care of it. Big difference.
I think you greatly underestimate the prevalence of scripts in a home environment. In fact, Windows ships quite a few scripts that are enabled by default to run for maintenance tasks. A lot of installers and updaters will run scripts automatically in the background to do things. Some developers are just outright stupid and run cmd.exe just to copy files because using the CopyFile API would be too easy.Furthermore, in the case of scripts, the issue can be solved easier than in the case of EXEs, because the scripts in the home environment can be restricted/blocked silently.
There are always customers and users who see it differently. We do these test runs to see what the general consensus is.
We already see Emsisoft Anti-Malware as a service. Moving to a subscription and therefore a true software-as-a-service concept is a very logical step in that context. I wouldn't be surprised if we offered monthly subscriptions at one point that you can cancel whenever you want.
And the other way around the customer who wants a subscription must take at least one more step than the customer who doesn't. Which of those two customer groups is right? The way to quantify that is to test and figure out what the majority of your customers want. Again, we did the research on this using extensive A/B testing over 3+ months.
So why do not care about scripts? Oh, wait! AVs cannot do it properly, so let's allow scripts to run, and block an EXE payload. Hmm, but the payload is often fresh malware and the detection of such malware is poor, even with a good BB.
I do not think so. I could say the same about AV vendors, but in fact such a statement would be hard to prove, because the people can have very different home environments. For example, in the home environments known by me, the scripts can be restricted/blocked without any issues. There are probably many similar home environments, and probably some which will require scripts.
The scripts in the home environment can be blocked with medium integrity level, and then there will be no problem with Windows maintenance tasks.
'A lot' means probably 1% or fewer. Let's allow home users to block scripts when they install 99% of the other applications. There is a thread about OSArmor, and after reading all posts, I can say that people had problems with scripts rarely.
None of them has an HP Printer? Lucky you. Their install packages are literally held together by a bunch of batch and VBS scripts.
It's a lot less than 1% who use scripts. The problem is that it is high profile software packages that do it. VMware, Office, HP driver installers. In fact, a single installer doing it is enough to make it a blocker (no pun intended) for a general purpose product if that single installer has a large installation base.
