Advice Request I am very disappointed by some antivirus solutions [copycats]

[Nightwalker]

Guys, today I was just doing some tests with Windows Defender Testground website and I realized how mediocre some antivirus solutions actually are; let me explain below.

In this website there are some files to test if Windows Defender protection is working correctly. So I tried the CloudBlock file and noticed after execution that it shows a GUI similar of a Ransomware, but ofcourse without any functionality. (it just tests if cloud protection of WD is working)

I uploaded the sample at VirusTotal just for the lolz and noticed that many antivirus solutions detected it as if it was a real malware.

See here:
Cloud-delivered protection - Windows Defender Testground
Antivirus scan for cb49bb09669c7a55fe1963c73aefa940f7775ec4eb17f0044e0bdd68889c69ac at 2018-02-26 21:05:36 UTC - VirusTotal 28/66

So whats the problem with this?

The problem is that many antivirus players just copy Microsoft or Kaspersky signatures (Microsoft in this case) and it is done, no real research or advanced heuristics at play. I remember that some years ago Eugene Kaspersky complained about this and it seems that this situation still remains.

Serious guys, dont waste your money with those copycats, just use Comodo with @cruelsister settings or buy a real antimalware solution like Kaspersky or Emsisoft.

Ps: I am especially disappointed with ESET.
Ps 2: Pardon me for my english, I was at a hurry and it isnt my native language.

 

[Sunshine-boy]

I also don't pay for any av but what is the problem with Eset?the VT don't show the Eset(or other Avs) copy pasted smth Microsoft.

no real research or advanced heuristics at play

Ps: I am especially disappointed with ESET.

ESET DNA Detection:
Detection types range from very specific hashes (useful, for example, in targeting specific malicious binaries or specific versions of malware, for statistical purposes or simply to give a more precise detection name to malware that we have previously detected heuristically) to ESET DNA Detections, which are complex definitions of malicious behavior and malware characteristics. The pattern matching used by old-school antivirus products can be bypassed easily by simple modification of the code or use of obfuscation techniques. However, the behavior of objects cannot be changed so easily. ESET DNA Detections are precisely designed to take advantage of this principle. We perform deep analysis of code, extracting the “genes” that are responsible for its behavior. Such behavioral genes contain much more information than the indicators of compromise (IOCs) that some so called “next-gen” solutions claim to be ”the better alternative” to signature detection. ESET behavioral genes are used to construct DNA Detections, which are used to assess potentially suspect code, whether it’s found on the disk or in the running process memory. Additionally, our scanning engine extracts many discriminator genes, which are used for anomaly detection: anything which does not look legitimate is potentially malicious. Depending on the adjustable threshold level and matching conditions, DNA Detections can identify specific known malware samples, new variants of a known malware family or even previously unseen or unknown malware which contains genes that indicate malicious behavior. In other words, a single well-crafted DNA behavioral description can detect tens of thousands of related malware variants and enable our antivirus software not only to detect malware that we already know about, or have seen before, but also new, previously unknown variants.
https://cdn1.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology-2017.pdf
And also:Advanced heuristics/DNA/Smart signatures – Advanced Heuristics is one of the technologies used by ESET Smart Security to provide proactive threat detection. It provides the ability to detect unknown malware based on its functionality through emulation. This new binary translator helps bypass anti-emulation tricks used by malware writers. Its latest version introduces a completely new way of code emulation based on binary translation. This new binary translator helps to bypass anti-emulation tricks used by malware writers. In addition to these improvements, DNA-based scanning has been significantly updated to allow for better generic detections and address current malware more accurately.
Eset detected it as a variant of Generik.EVOWXVD while Microsoft detected it as Trojan:Win32/Skeeyah.A!rfn! the name is also different.I believe the Generik name is smth related to Eset DNA Detection.so?:notworthy:

 

[Deleted member 65228]

Eset detected it as a variant of Generik.EVOWXVD while Microsoft detected it as Trojan:Win32/Skeeyah.A!rfn! the name is also different.I believe the Generik name is smth related to Eset DNA Detection.so?

Initially I wondered the same thing and thus pursued to quickly put it to the test.

I appended some random bytes to the end of the Portable Executable, meaningless bytes to be precise (0 and 1). This isn't just a file pumping technique, but can be used to force the hash checksum of the Portable Executable to change. The reason for this is because the hash checksum (e.g. MD5, SHA-1 and SHA-256) are calculated based on the bytes (which represents the data for the PE), so if you add/change bytes, the hash checksum will be different on the next re-calculation.

I re-uploaded the sample afterwards to VirusTotal: VirusTotal

ESET no longer flags the sample. Bear in mind that all the bytes from the original sample which triggered a flag by ESET are still present, there's just a few additional 0s and 1s at the end of the bytes for the PE which is pretty meaningless in terms of difference - this did cause a hash checksum change though.

At the same time, you may notice how Avast and AVG still flag the sample. They could have still relied on hash checksum detection for the record, despite the overall hash checksum having changed and the detection still being caused... you can actually hash sections of the Portable Executable.

Personally it means nothing to me, I still think the same of the vendors. It's just a test sample so why care?

 

[Faybert]

If you take this path, then all AV programs are copies of G Data, since it was the first company to create an AV program. G Data uses two engines, Bitdefender and its (Close Gap) with its own signatures, without copying anything from anyone, as well as several other AVs have their own searches on signatures and engines (eset, avast, panda, and etc - just a few examples) and you commented "The problem is that many antivirus companies only copy the signatures of Microsoft or Kaspersky," which ones?

 

[Nightwalker]

I also don't pay for any av but what is the problem with Eset?the VT don't show the Eset(or other Avs) copy pasted smth Microsoft.


Eset detected it as a variant of Generik.EVOWXVD while Microsoft detected it as Trojan:Win32/Skeeyah.A!rfn! the name is also different.I believe the Generik name is smth related to Eset DNA Detection.so?:notworthy:

I know about ESET heuristics, thats why I am disappointed, there isnt anything in that file that is malicious whatsoever, nothing at all. (the detection name is irrelevant).

So why Eset or any other antivirus flagged it? Why those next gen solutions flagged it?

More info about this stealing database situation:
On the way to better testing
Kaspersky tipped to be sabotaging rival anti-virus software

What we did pretty much replicated what the German computer magazine did last year, only with more samples. We created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to VirusTotal to see what would happen. After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies – in some cases the false detection was probably the result of aggressive heuristics, but multi-scanning obviously influenced some of the results. We handed out all the samples used to the journalists so they could test it for themselves. We were aware this might be a risky step: since our presentation also covered the question of intellectual property, there was a risk that journalists might focus on who copies from whom, rather than on the main issue (multi-scanning being the symptom, not the root cause) But at the end of the day, it’s the journalists who have it in their power to order better tests, so we had to start somewhere.

 

[Nightwalker]

Initially I wondered the same thing and thus pursued to quickly put it to the test.

I appended some random bytes to the end of the Portable Executable, meaningless bytes to be precise (0 and 1). This isn't just a file pumping technique, but can be used to force the hash checksum of the Portable Executable to change. The reason for this is because the hash checksum (e.g. MD5, SHA-1 and SHA-256) are calculated based on the bytes (which represents the data for the PE), so if you add/change bytes, the hash checksum will be different on the next re-calculation.

I re-uploaded the sample afterwards to VirusTotal: VirusTotal

ESET no longer flags the sample. Bear in mind that all the bytes from the original sample which triggered a flag by ESET are still present, there's just a few additional 0s and 1s at the end of the bytes for the PE which is pretty meaningless in terms of difference - this did cause a hash checksum change though.

At the same time, you may notice how Avast and AVG still flag the sample. They could have still relied on hash checksum detection for the record, despite the overall hash checksum having changed and the detection still being caused... you can actually hash sections of the Portable Executable.

Personally it means nothing to me, I still think the same of the vendors. It's just a test sample so why care?

I personally care, because it shows how mediocre some antivirus heuristics and database actually are, they are just flagging everything that some players detect.


Edit: Now it is 31/67, lets see how the number will grow after more uploads to VirusTotal.

 

[Nightwalker]

If you take this path, then all AV programs are copies of G Data, since it was the first company to create an AV program. G Data uses two engines, Bitdefender and its (Close Gap) with its own signatures, without copying anything from anyone, as well as several other AVs have their own searches on signatures and engines (eset, avast, panda, and etc - just a few examples) and you commented "The problem is that many antivirus companies only copy the signatures of Microsoft or Kaspersky," which ones?

Como você é brasileiro irei responder em português pois é mais fácil para mim, já que a questão é bem técnica.

Sua linha de raciocínio difere e muito do que eu quis mostrar neste tópico; o que eu quis demostrar é que a maioria dos antivírus não fazem o seu "dever de casa", eles simplesmente automatizam a detecção usando o VirusTotal sem fazer uma analise real do arquivo em questão, ou seja, se alguns players detectam um arquivo como malicioso eles simplesmente criam uma detecção automática e pronto.

Sobre o G-Data, o conceito é diferente, só porque eles foram os pioneiros no setor não significa que empresas como Kaspersky Lab, Emsisoft, Bitdefender e Microsoft copiaram a sua base de dados e assinaturas (como muitos fazem).

 

[Sunshine-boy]

DNA sig detection is smth that is disabled by default(see the photo I uploaded)also vt only access Eset cloud blacklist. I meant it will not analyze the file inside the Eset cloud(at least we are not sure about it and we also know VT results Doesn't Prove Anything)
does VT use Eset cloud technology?

The ESET Cloud Malware Protection System
is one of several technologies based on ESET’s
cloud-based system, ESET LiveGrid. Unknown,
potentially malicious applications and other
possible threats are monitored and submitted
to the ESET cloud via the ESET LiveGrid
Feedback System. The samples collected
are subjected to automatic sandboxing and
behavioral analysis, which results in the
creation of automated detections if malicious
characteristics are confirmed

The DNA sig detection isn't available in VirusTotal but only in ESET AV and Eset IS same for cloud analyze (probably?)
Eset works like this(from someone who is close to Eset):
With default real-time scan settings, Eset will first scan the file on download. Besides sig. detection, it will also perform heuristic scanning on it running the file in its local sandbox. So any default HIPS rules and DNA behavior sig. will be deployed.
At this point, things get "murky." If heuristics detect anything suspicious, Eset will submit the file to the cloud for additional detailed analysis on its cloud servers. Whether it will actually blacklist the file while awaiting confirmation from the cloud servers is debatable. Everything Eset has stated publically to date states the file is not blacklisted or blocked from execution at this point. If the cloud server analysis confirms the file is malicious, it, it will then be blacklisted.
Opcode thanks for the test and your time. I also don't completely understand your comments becuase they are too techy for me XD but as an avergae user i think your Test Results Aren't Accurate

 

[Nightwalker]

DNA sig detection is smth that is disabled by default(see the photo I uploaded)also vt only access Eset cloud blacklist. I meant it will not analyze the file inside the Eset cloud(at least we are not sure about it and we also know VT results Doesn't Prove Anything)

ESET Advanced heuristics/DNA signatures are enabled by defaut for newly created or modified files as well as for executed files.

I know about ESET, but I didnt understand your post, could you please clarify?

 

[Sunshine-boy]

I know about ESET, but I didnt understand your post, could you please clarify

It's not enabled but you can ask @Daniel Hidalgo who tested the Eset:notworthy:
https://malwaretips.com/threads/19-12-2017-20.78264/#post-698671(Check Spoiler: Custom Settings)
P.S Enable or disable is not the point( I just wanted to mention it) because the DNA detection only works if you have Eset Av! Virustotal doesn't use this technology.

 

[vtqhtr413]

Sunshine-boy, I think Nightwalker said he was disappointed in Eset is because he probably holds it in high regard, to a higher standard, Node 32 is my favorite security software ever. To me, it was a compliment to Eset. Also, you didn't finish your thought in post 8.

If the cloud server analysis confirms the file is malicious, it

 

[ForgottenSeer 58943]

It's not enabled but you can ask @Daniel Hidalgo who tested the Eset:notworthy:
https://malwaretips.com/threads/19-12-2017-20.78264/#post-698671(Check Spoiler: Custom Settings)
P.S Enable or disable is not the point( I just wanted to mention it) because the DNA detection only works if you have Eset Av! Virustotal doesn't use this technology.

Also note, some of these online scanners also use their command line scanners and/or Linux scanners. Most of them don't reflect accurate detection levels in products. I'd take all online scanner results with a grain of salt to be honest.

 

[Nightwalker]

Sunshine-boy, I think Nightwalker said he was disappointed in Eset is because he probably holds it in high regard, to a higher standard, Node 32 is my favorite security software ever. To me, it was a compliment to Eset. Also, you didn't finish your thought in post 8.

Yes, exactly!

ESET is a favorite of mine, its a security vendor that do some serious research, always had low false positive and great zero day protection (emulation/generic signatures and so on).

 

[Nightwalker]

"Machine Learning" they said, next generation they said.

Spoiler

Its more like VirusTotal sample sharing reputation score with a fancy name ...


Ps: Look at VBA32 and CAT-QuickHeal detection name (Skeeyah), Microsoft probably used this name at this particular file because of the cloud (sky) feature testing.

 

[ForgottenSeer 58943]

FortiClient does source one aspect of it's product (Cloud) from VT. This is reflected in the CONF file on FortiClient (Cloud Scanning) in the paid and free offering. But it's not used in the most absolute sense for detection or naming conventions. Those come from FortiGuard Labs themselves on manual analysis.

Untangle also sources VT for it's ScoutIQ gateway VT scanning. Which is real-time scanning of inbound files via VT. But it's only one aspect of many used to determine malicious files and isn't used for absolute flagging.

 

[Nightwalker]

Now it is 37/67, most antivirus vendors are detecting this harmless file as malware and as expected, Kaspersky (that actually does malware research properly) does not detect it at all.

 

[Deleted member 178]

@Nightwalker So basically you submitted a test file and you are disappointed because many AVs detected it...?

1- do you even know how to read the VT results? did you notice the "generic" term used by the vendors?
2- Do you know how each of the vendors operate submitted files? did you contacted them before stating they "copy" MS?

Also:

Virus Bulletin :: VB2017 paper: VirusTotal tips, tricks and myths

 

[vtqhtr413]

@Nightwalker So basically you submitted a test file and you are disappointed because many AVs detected it...?

1- do you even know how to read the VT results? did you notice the "generic" term used by the vendors?
2- Do you know how each of the vendors operate submitted files? did you contacted them before stating they "copy" MS?

Also:

Virus Bulletin :: VB2017 paper: VirusTotal tips, tricks and myths

Jesus Umbra, even if he's wrong or out of place just go to another thread. You don't have to comment.

 

[Nightwalker]

@Nightwalker So basically you submitted a test file and you are disappointed because many AVs detected it...?

1- do you even know how to read the VT results? did you notice the "generic" term used by the vendors?
2- Do you know how each of the vendors operate submitted files? did you contacted them before stating they "copy" MS?

Also:

Virus Bulletin :: VB2017 paper: VirusTotal tips, tricks and myths

You clearly didnt understand the topic, please read it again and take a look at the Windows Defender Testground Website (official from Microsoft ofcourse).

Cloud-delivered protection - Windows Defender Testground

These "great" generic detections are from a totally harmless file that doesnt do anything at all, NOTHING, NADA, please read it again before you make assumptions.

Please run the file yourself and you will understand (or maybe not).

Does the file try to set persistance? Does the file try to modify user files? Does the file try to access the hard disk directly? Does it inject its code in any process? The answer is a big NO, it just shows a GUI pretending to be a Ransomware.

Why any security vendor should add detection (generic or anything) to a Microsoft cloud test? Only if they dont do their work properly, just adding detection from files that others players detect as such.
Really, I would be okay if they had detected the file as something like "Not-a-virus:WDcloud", "Not-a-virus:FakeRansomware Simulator".

And Im done here ...

 

[Nightwalker]

Also:

Virus Bulletin :: VB2017 paper: VirusTotal tips, tricks and myths

Are you kidding me?

You serious think that I dont know how virus naming convention or VirusTotal works? Give me a break, you are better than this.