Malcore: Simple File Analysis
<blockquote data-quote="struppigel" data-source="post: 1076689" data-attributes="member: 86910"><p>I haven't tried this yet because I did not want to provide my email without seeing what the advantage is over other sandboxes. So I watched the promotion video by Hammond, which is 3 days old, but the things shown in that video do not look good to me.</p><p></p><p>First he advertises that the site can be used for free. I do not see any possibility to use this for free on the website. The price listing has no such plan. There is a demo button, but that's not the same as free usage.</p><p></p><p>Second point raised is private submissions -- all the other automatic analysis systems provide that too, just not for free accounts, which does not seem to exist here.</p><p></p><p>The rest of the promotion is doing it a disservice:</p><p></p><ul> <li data-xf-list-type="ul">There is misaligned text in several places. In a promotion video.</li> <li data-xf-list-type="ul">It claims UPX0 is an "Unknown Section" and lists it as Risk Factor / Suspicious. For reference, UPX is a compressor and standard for many language implementations, e.g. PyInstaller, AutoIt, Go executables. For the same reasons high entropy is also not suspicious at all.</li> <li data-xf-list-type="ul">Another risk factor mentioned is a Rich Header Anomaly - while the Rich Header is explained correctly, the sandbox assumes an anomaly if the Rich Header is not present, which makes no sense to me. It must be added by Visual Studio compilers, so not being present is actually normal and putting it in yellow warning colors is rather a misrepresentation. Not everyone uses Visual Studio for compilation. Also, this is still the UPX file, of course it has no Rich Header.</li> <li data-xf-list-type="ul">The automatic Yara rule creator is promoted as being the best feature here, but the rule that it creates in the video looks for "!This program cannot be run in DOS mode." which is in 98% of all PE files.</li> </ul><p>The whole thing looks unfinished like the results haven't been looked at by anyone. In a promotion video.</p></blockquote><p></p>
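The three indicators the post criticises (UPX0/UPX1 section names, a missing Rich header, and a YARA rule keyed on the DOS stub string) can be checked mechanically. The Python below is an added example, not Malcore's code and not struppigel's: it builds a constructed, minimal PE-shaped byte string with the standard library, parses the section table and the region between the DOS header and the PE signature, and rates those indicators as expected rather than suspicious. The section-name table and the "generic strings" set are assumptions for the demonstration, not an exhaustive list.

```python
import struct

DOS_STUB_STRING = b"!This program cannot be run in DOS mode."
# Section names emitted by well-known packers/toolchains; calling UPX0 "unknown" is wrong.
KNOWN_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
                  b".text": "generic", b".data": "generic", b".rsrc": "generic"}
# Strings present in nearly every PE file; a YARA rule keyed on them has no detection value.
GENERIC_PE_STRINGS = {DOS_STUB_STRING, b"MZ", b"PE\x00\x00"}

def build_sample_pe(section_names, with_rich_header):
    """Constructed test data: DOS header + DOS stub + optional Rich header + COFF header
    + section table. It has no optional header and is not a loadable binary."""
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB_STRING + b"\r\r\n$\x00"
    rich = (b"DanS" + b"\x00" * 12 + b"Rich" + b"\x11\x22\x33\x44") if with_rich_header else b""
    e_lfanew = 64 + len(stub) + len(rich)          # offset of the "PE\0\0" signature
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos_header + stub + rich + b"PE\x00\x00" + coff + table

def parse_pe(data):
    """Return section names and whether the DOS stub string and Rich header are present."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size               # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00") for i in range(num_sections)]
    between = data[64:e_lfanew]                    # DOS stub and (if any) Rich header live here
    return {"sections": names, "dos_stub": DOS_STUB_STRING in between, "rich_header": b"Rich" in between}

def assess(data):
    """Rate each indicator: 'info' for expected findings, 'review' only for unrecognised names."""
    info = parse_pe(data)
    findings = []
    for name in info["sections"]:
        origin = KNOWN_SECTIONS.get(name)
        if origin:
            findings.append((name.decode(), "info", f"known {origin} section"))
        else:
            findings.append((name.decode(errors="replace"), "review", "unrecognised section name"))
    if not info["rich_header"]:
        findings.append(("rich_header", "info", "absent: normal for non-MSVC toolchains and for UPX-packed files"))
    return findings

def weak_yara_strings(rule_strings):
    """Return the rule strings that match nearly every PE and so add no detection value."""
    return [s for s in rule_strings if s in GENERIC_PE_STRINGS]
```

Running `assess(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], False))` yields only "info" findings, and `weak_yara_strings` flags the DOS stub string that the post's example rule relied on.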