Advice Request I am very disappointed by some antivirus solutions [copycats]


Deleted member 178

I don't have to even test the file, and I clearly understand the thread.

"Generic" means the file is classified as suspicious but not (yet) flagged as a threat.

> Typically, generic detections are a type of detection used by anti-virus and anti-malware programs to identify files with malicious characteristics... meaning they have features or behaviors similar to known malware or possible new malware. A generic detection does not necessarily mean the file is malicious.

generic malware

which is clearly what your test file is doing!

Your statement has no grounds; you didn't do a bit of research and you state accusations out of nowhere... come on...

Nightwalker

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
> I don't have to even test the file, and I clearly understand the thread.
>
> "Generic" means the file is classified as suspicious but not (yet) flagged as a threat.
>
> generic malware
>
> which is clearly what your test file is doing!
>
> Your statement has no grounds; you didn't do a bit of research and you state accusations out of nowhere... come on...

Not necessarily; some antivirus vendors just use the nomenclature "generic" for everything.

And anyway, why is this file suspicious? It doesn't do anything at all!

What about those detections below, are they generic?

Win32.Trojan.Agent.SI3Z8S
Trj/GdSda.A
Win32/Trojan.b2b
Msil.Trojan.Msilperseus.Fhz
Trojan.Skeeyah
Win32/Trojan.b2b
W32/Trojan.OHCY-0429

Should an executable file that just shows a skull be considered a Trojan? If they aren't just adding signatures because of VirusTotal reputation, they really have bad heuristics and a potentially dangerous false-positive-prone engine.
 
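The detection names listed above come from different vendors with different naming conventions, and whether a name is "generic" or names a specific family is not obvious at a glance. As an added illustration (not code from this thread or from any vendor), the Python below splits such names into platform, threat type, family and variant and flags the ones that are generic or type-only. The platform/type lookup tables, the set of catch-all "generic" family markers (Agent, Generic, Heur, ...) and the family-versus-variant split are assumptions drawn from common vendor conventions, so treat the output as a triage hint, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed lookup tables covering the conventions seen in the thread
# ("Win32"/"W32" for platform, "Trojan"/"Trj" for the threat type).
PLATFORMS = {"win32": "Win32", "w32": "Win32", "win64": "Win64",
             "msil": "MSIL", "android": "Android", "js": "JS", "vbs": "VBS"}
TYPES = {"trojan": "Trojan", "trj": "Trojan", "troj": "Trojan",
         "ransom": "Ransomware", "backdoor": "Backdoor", "worm": "Worm",
         "virus": "Virus", "adware": "Adware", "pup": "PUP"}
# Family names vendors use as catch-all buckets (assumption: a detection
# carrying one of these is heuristic/generic rather than a named family).
GENERIC_MARKERS = {"generic", "gen", "heur", "heuristic", "suspicious",
                   "agent", "malware", "unknown", "variant"}


@dataclass
class Detection:
    raw: str
    platform: Optional[str]
    kind: Optional[str]
    family: Optional[str]
    variant: Optional[str]
    is_generic: bool


def _looks_like_variant(token: str) -> bool:
    # Heuristic: variant suffixes are short or contain digits ("A", "Fhz",
    # "SI3Z8S"); family names are longer alphabetic words ("Skeeyah").
    return any(ch.isdigit() for ch in token) or len(token) <= 4


def parse_detection(name: str) -> Detection:
    """Split a vendor detection name into its conventional parts."""
    tokens = [t for t in re.split(r"[./:!\s]+", name.strip()) if t]
    platform = kind = None
    rest: List[str] = []
    for tok in tokens:
        low = tok.lower()
        if platform is None and kind is None and low in PLATFORMS:
            platform = PLATFORMS[low]
        elif kind is None and low in TYPES:
            kind = TYPES[low]
        else:
            rest.append(tok)
    family = variant = None
    if len(rest) == 1:
        if _looks_like_variant(rest[0]):
            variant = rest[0]          # type-only detection, e.g. Win32/Trojan.b2b
        else:
            family = rest[0]
    elif len(rest) >= 2:
        family, variant = rest[0], ".".join(rest[1:])
    # Generic if a catch-all marker appears anywhere or no family is named.
    is_generic = any(t.lower() in GENERIC_MARKERS for t in tokens) or family is None
    return Detection(name, platform, kind, family, variant, is_generic)


def summarize(names: List[str]) -> Dict[str, object]:
    """Count generic detections and collect the distinct named families."""
    parsed = [parse_detection(n) for n in names]
    families = sorted({d.family for d in parsed if d.family and not d.is_generic})
    return {"total": len(parsed),
            "generic": sum(d.is_generic for d in parsed),
            "named_families": families}


# Constructed input: the detection names quoted in the thread.
SAMPLE_NAMES = [
    "Win32.Trojan.Agent.SI3Z8S",
    "Trj/GdSda.A",
    "Win32/Trojan.b2b",
    "Msil.Trojan.Msilperseus.Fhz",
    "Trojan.Skeeyah",
    "Win32/Trojan.b2b",
    "W32/Trojan.OHCY-0429",
]

if __name__ == "__main__":
    for d in (parse_detection(n) for n in SAMPLE_NAMES):
        print(f"{d.raw:30} platform={d.platform} type={d.kind} "
              f"family={d.family} variant={d.variant} generic={d.is_generic}")
    print(summarize(SAMPLE_NAMES))
```

On the seven names above this yields three distinct named families (GdSda, Msilperseus, Skeeyah) and four generic or type-only entries, which is the kind of spread you see when independent engines each flag a file on their own heuristics; identical names across vendors would be a stronger hint of shared signatures than this list gives.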

Nightwalker
> I could, but this is a forum where people look for serious info, not baseless assumptions/statements...
> If at least he had shown valid proof that they "copied" the signature (like IObit did with Malwarebytes Anti-Malware), I wouldn't say anything.

Kaspersky Labs has proved my point before.

Ex-Kaspersky Lab employees say security firm created fake malware | Daily Mail Online

> The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.
>
> Their main task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.
>
> The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said.
>
> They licensed each other's virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc's VirusTotal.

I don't have the link anymore to the Kaspersky blog post where they demonstrated this, but it was a very interesting read at the time.

Baseless assumptions? Anyone can see, try and judge for themselves whether an executable that just shows an interface similar to ransomware should be considered a Trojan by most antivirus vendors.
 
Deleted member 178

> And anyway, why is this file suspicious? It doesn't do anything at all!

Did you analyze the code?
Probably the code loading the GUI is similar to ransomware?

> What about those detections below, are they generic?

Did you contact those vendors to ask them why they flagged it?

> Should an executable file that just shows a skull be considered a Trojan?

When a cop sees from afar a guy pointing a fake gun at people, should he ignore him because he is not sure if it is a serious threat?

> If they aren't just adding signatures because of VirusTotal reputation, they really have bad heuristics

Maybe their heuristics are too high, and it is the issue most small vendors have, because they don't have the resources or network like the big ones to do better filtering. They are more often subject to FPs.

I am aware of the Kaspersky statement; to me this is more marketing to look awesome: "hey guys, they copy us, we are so awesome"...
Most vendors often share their results with each other, and most of them use VT. So Kaspersky's statement is quite funny.

To me the problem in this thread is not whether the file was flagged as malicious or not, it is your "copy" statement without any valid investigation.
 
Nightwalker
> Did you analyze the code?
> Probably the code loading the GUI is similar to ransomware?
>
> Did you contact those vendors to ask them why they flagged it?

Yes, I tried to do some reverse engineering, I ran the file in a specialized sandbox and I used some forensic tools on it (I will post it later).

I will contact some vendors, and Microsoft of course.

Code to launch the GUI similar to ransomware? Are you serious?
You really should run the file and stop making assumptions.

It seems that you got personally aggravated because of your work at Emsisoft, but I am a very long-time user of Emsisoft Anti-Malware and I know it is the "real deal"; why don't you share this question with Emsisoft lab experts and let me know if this file should be considered a Trojan.
 
Deleted member 178

> Code to launch the GUI similar to ransomware? Are you serious?
> You really should run the file and stop making assumptions.

I told you I don't care about the file itself being flagged or not; my issue was your accusation.
Beginners may be wrongly influenced by it and take your words as truth.
You are a lawyer, right? So you know that baseless accusations are invalid.
 

Nightwalker
> I told you I don't care about the file itself being flagged or not; my issue was your accusation.
> Beginners may be wrongly influenced by it. You are a lawyer, right? So you know that baseless accusations are invalid.

You don't need definitive proof for a trial; substantial evidence (like in this case) is enough.

I don't have an agenda, so I don't care if they are influenced or not; all I wanted was to share my feelings about this situation.
If someone stops a discussion because they are afraid to influence another person, they are not living in a democracy, that's for sure.
 
Deleted member 178

> substantial evidence (like in this case) is enough.

I don't see any evidence, just a test file being flagged as suspicious by some; it doesn't mean they copied MS.
Like EICAR is a test file flagged as malicious by some and not by others, do they copy each other?

You need to know how vendors categorize files as suspicious/malicious, which takes time.
That is why I said, before accusing, do your research.
 

Nightwalker
> I don't see any evidence, just a test file being flagged as suspicious by some; it doesn't mean they copied MS.
> Like EICAR is a test file flagged as malicious by some and not by others, do they copy each other?

Not really. EICAR is a convention and it is clearly detected as not a virus or as a virus test; anyway, because it is a convention of the industry it makes sense that everyone detects it. That isn't the case with Microsoft CloudBlock.
 
Deleted member 178

> Not really. EICAR is a convention and it is clearly detected as not a virus or as a virus test; anyway, because it is a convention of the industry it makes sense that everyone detects it. That isn't the case with Microsoft CloudBlock.

Which leads again to the same question for you: "did you ask those labs how they handled this MS test file?"

To me, all the labs detecting it is more about their engine flagging something in it, rather than copying MS. Honestly, I don't see ESET or others needing to copy MS...
 

Mahesh Sudula

Level 17
Verified
Top Poster
Well-known
Sep 3, 2017
825
As I said in the past, only a handful of vendors have their own labs and technologies and the rest depend on VT..it's the truth..
Dr.Web, G Data, Symantec, Kaspersky, eScan, Bitdefender, Sophos, Trend Micro...These are the only vendors I trust...same would be in future too..
Only the above vendors try mostly to DISINFECT a file, which is a heavy task and needs a lot of basics and expertise in their own field...
Emsisoft is an overrated product but still belongs to the same category..I have the proof:- A few weeks ago I got a link from OpenPhish -- vms.drweb.com (Dr.Web website);
to my surprise Emsi and F-Secure gave it a stink eye, blocking it through their web shields..F-Secure allowed the same after 1 week (HIT!)..but Emsisoft was still blocking it
till I tested..Regarding the same I posted an article in MT..but till now it is not approved and posted publicly..What a PITY!!..They may have corrected it now..
LESSON LEARNT:- Trust those who have expertise and patents at their back with advanced capabilities like rollback and disinfect (a symbol for a true vendor)..with their own R&D..Ditch all the other vendors except the above (I STAND BY WHAT I SAY)...

That's the reason I always oppose those vendors who simply integrate all third-party components and run their day..without their own technologies
NEVER RELY ON VT RESULTS..SINCE IT DIFFERS IN THE REAL WORLD..
they may be generic detections and may/may not be added into databases after scrutinizing..
Engines differ between VirusTotal and user installs...They are not all the FINAL VERDICT
 
Mahesh Sudula
> @Mahesh Sudula At Emsisoft we have our own lab since we develop our own engine while complementing it with the Bitdefender one.

Sorry to say, because if my ARTICLE had been posted then we would have reached a verdict..I LIKE EMSI..I have used it for 3 yrs continuously..I love its BB..
But facts should be facts..ROLLBACK and DISINFECTION are the basic features but still most of the competing AVs lack them....
 

Mahesh Sudula
> Rollback has nothing to do with AVs; AVs are supposed to detect and prevent and possibly offer basic remediation.
> Deep disinfection requires more than tools and needs serious expertise, which is out of the scope of any AV.

ROLLBACK is a very important feature..because if the file is highly malicious and does its work immediately after execution..then rollback is the only rescue...where BB may not be that fast...BB + Rollback go hand in hand according to me..You know why Kaspersky's BB never gives false alarms..because it comes in only after a few seconds of file execution along with its ROLLBACK..Hit!
Do you think experts like Kaspersky and G Data would give an immediate rollback if the verdict can't be so fast with only BB...it has its importance....Especially in reducing FPs and giving a true verdict
 

Mahesh Sudula
> You forget about Symantec?! Even ESET, Avast (AVG) have their own labs. Every AV has some labs.

There is no need to mention SYMANTEC..they are always the best..and they even participate in most of the lab tests I follow (Hit)..they continuously participate in MRG Effitas and Virus Bulletin, which is in favour of my tastes..
The only thing is its FPs (not from BB) but from their cloud signatures..this is the only thing that concerns me..
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
> Guys, today I was just doing some tests with the Windows Defender Testground website and I realized how mediocre some antivirus solutions actually are; let me explain below.
>
> On this website there are some files to test if Windows Defender protection is working correctly. So I tried the CloudBlock file and noticed after execution that it shows a GUI similar to that of ransomware, but of course without any functionality. (It just tests if cloud protection of WD is working.)
>
> I uploaded the sample to VirusTotal just for the lolz and noticed that many antivirus solutions detected it as if it were real malware.
>
> See here:
> Cloud-delivered protection - Windows Defender Testground
> Antivirus scan for cb49bb09669c7a55fe1963c73aefa940f7775ec4eb17f0044e0bdd68889c69ac at 2018-02-26 21:05:36 UTC - VirusTotal 28/66
>
> So what's the problem with this?
>
> The problem is that many antivirus players just copy Microsoft or Kaspersky signatures (Microsoft in this case) and that's it; no real research or advanced heuristics at play. I remember that some years ago Eugene Kaspersky complained about this and it seems that this situation still remains.
>
> Seriously guys, don't waste your money on those copycats; just use Comodo with @cruelsister settings or buy a real antimalware solution like Kaspersky or Emsisoft.
>
> PS: I am especially disappointed with ESET.
> PS 2: Pardon my English, I was in a hurry and it isn't my native language.

One of the reasons I respect Kaspersky so much. It's not just that they have excellent products across the board; well, in my opinion Kaspersky is and has been top dog for a very long time. It just used to slow your system down, but they've even sorted that out now. But I respect the amount of research they do; they don't just copy people, they innovate. And Windows Defender is going to be a force to be reckoned with in a year or two. Just imagine all that cloud data Microsoft is getting on malicious files: because WD is built into every system, even if the user uses a third-party solution MS is still getting a LOT of cloud data. I think it's nothing short of fantastic what MS has done with Windows Defender and integrated exploit and folder protection.

Great thread. Thanks.
 
Deleted member 65228

I did actually take a look at the test sample regardless of it being a test one, and it does show a deceiving GUI. It also lacks PE details, isn't digitally signed, has no icon, etc... It checks many boxes for being at least "suspicious", so I'd hope it'd get flagged by an AV product, even if it truly isn't "ransomware".

The interface for the sample will claim that your files are/will be encrypted and request payment, which of course is a non-functional feature as it's a test sample. While nothing is actually going to be encrypted (there is not even support for enumeration of files; it's not even a fake simulation, it's literally just a UI with a timer), you could in theory claim that it should be marked as "malicious software" due to its deceiving form. Obviously the intent was not malicious, because the intent was for it to be a test sample which would do absolutely no harm, but if someone were to share it around regardless, how would an average user feel being confronted by it?

To be precise, it's an MSIL executable which has a UI that meets the criteria to appear like in-the-wild ransomware would. It has a timer, dark background, a payment button, etc. There's no functionality other than the timer, but that's not the point. It could still scare an average user and put them into distress if they really believed it.

Advanced users will know that it's a test sample and where it came from, but if someone starts trying to prank people and shares it around, an average unknowing user might not feel so good about the joke. It's anti-virus vendors' job to protect people from malicious software as much as they can, therefore it only makes sense for them to flag it, even if no encryption capabilities are present; you could argue that there's no genuine use for the sample in a real-world environment because of its interface, and that is a reason to justify blocking it. It's also worth a mention that generic detections are used to detect new malware which has not yet been seen (the actual sample; the variant may be known but the sample may be different) and there are many different forms of static heuristic analysis.

On that note, the same detection names do not equal stealing detections. Stealing detections is when a vendor blatantly flags a sample because another vendor did, but there's actually no evidence whatsoever here that any vendor which flags the sample did this, even if the detection name is similar/the same. As I've already noted, the interface of the sample looks like what you could expect from ransomware in the home user market despite the lack of actual malicious code, and this could justify a detection.
 
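The post above lists the static "boxes" a generic detection can tick on a file like this one: an MSIL binary with no digital signature, no icon or version resources, no real PE details. As an added example (not code from this thread, from Microsoft or from any AV vendor), the Python below reads just the PE headers with the standard library and reports those properties from the data directories: a CLR runtime header means MSIL, a non-empty Security directory means an Authenticode certificate is attached, and a missing Resource directory means there can be no icon or version info. The scoring rule is an assumption chosen to mirror the post's checklist, and `build_pe` constructs minimal header-only images so the example runs offline; a real triage would also walk the resource tree and validate the signature rather than only noting that one is present.

```python
import struct
from typing import Dict, List, Tuple

# Data-directory indices from the PE/COFF specification.
DIR_IMPORT, DIR_RESOURCE, DIR_SECURITY, DIR_DEBUG, DIR_CLR = 1, 2, 4, 6, 14
IMAGE_FILE_DLL = 0x2000


def parse_headers(data: bytes) -> Tuple[int, int, List[Tuple[int, int]]]:
    """Return (Characteristics, optional-header Magic, 16 data directories)."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _sym, _nsym, _optsize, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))
    return characteristics, magic, dirs


def triage(data: bytes) -> Dict[str, object]:
    """Static header checks in the spirit of the post's 'suspicious' checklist."""
    characteristics, magic, dirs = parse_headers(data)

    def present(i: int) -> bool:
        return dirs[i][0] != 0 or dirs[i][1] != 0

    findings: Dict[str, object] = {
        "pe32plus": magic == 0x20B,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_managed": present(DIR_CLR),          # CLR header => MSIL executable
        "is_signed": present(DIR_SECURITY),      # Authenticode certificate table attached
        "has_resources": present(DIR_RESOURCE),  # icon and version info live in .rsrc
        "has_imports": present(DIR_IMPORT),
        "has_debug": present(DIR_DEBUG),
    }
    # Assumed scoring: one point per missing property a legitimate release
    # build normally has; two or more points marks the file for a closer look.
    reasons = []
    if not findings["is_signed"]:
        reasons.append("unsigned")
    if not findings["has_resources"]:
        reasons.append("no resources (no icon / version info)")
    if not findings["has_debug"]:
        reasons.append("no debug directory")
    if not findings["has_imports"]:
        reasons.append("no import table")
    findings["reasons"] = reasons
    findings["score"] = len(reasons)
    findings["verdict"] = "suspicious" if len(reasons) >= 2 else "benign-looking"
    return findings


def triage_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_pe(pe32plus: bool = False, clr: bool = False, signed: bool = False,
             resources: bool = False, debug: bool = False, imports: bool = True) -> bytes:
    """Constructed header-only PE image for testing; the RVAs are placeholders."""
    dirs = [(0, 0)] * 16
    if imports:
        dirs[DIR_IMPORT] = (0x2000, 0x28)
    if resources:
        dirs[DIR_RESOURCE] = (0x3000, 0x400)
    if signed:
        dirs[DIR_SECURITY] = (0x4000, 0x800)  # file offset + size of certificate table
    if debug:
        dirs[DIR_DEBUG] = (0x2100, 0x1C)
    if clr:
        dirs[DIR_CLR] = (0x2008, 0x48)
    dir_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    if pe32plus:
        optional = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + dir_bytes
        machine = 0x8664
    else:
        optional = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + dir_bytes
        machine = 0x14C
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(optional), 0x0102)
    return dos_header + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    # A managed, unsigned, resource-less image like the test sample described above.
    print(triage(build_pe(clr=True)))
    # A signed native build with resources and debug info for comparison.
    print(triage(build_pe(signed=True, resources=True, debug=True)))
```

The first run reports `is_managed` true and three reasons (unsigned, no resources, no debug directory), the second reports none. None of these properties is malicious by itself, which is the point: a generic verdict built from such checks says "this looks unlike a normal release build", not "this is the same file another vendor flagged".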
