Andy Ful

Level 48
Verified
Trusted
Content Creator
I have already commented on Juan Diaz's videos:
https://malwaretips.com/threads/wisevector-stopx-vs-ransomware.95058/#post-835181
But this one requires some additional notes, because OSArmor is not an AV. It is not designed to detect PE malware (EXE, DLL, etc.), but it can harden the system in many ways to avoid suspicious files/actions.
  1. It is easy to compile signed malware that could bypass OSArmor if one knows how the system is hardened. Similarly, it is easy to get out of a labyrinth if one knows the right way. But most widespread malware in the wild will be blocked anyway.
  2. Most EXE malware in the wild is not delivered as a direct download. Usually, it is delivered by using scripts (directly or embedded in spam, documents, etc.), ZIP archives, or LOLBins. This delivery method is blocked well by OSArmor, as can be seen in the video.
For example, the delivery method of the Ordinypt Wiper malware from the post:
Security Alert - Fake résumé emails attempt to spread Ordinypt Wiper to German recipients,
uses a ZIP archive (spam attachment) with a malicious EXE file (Lebenslauf.pdf.exe) that pretends to be a PDF document. This will also be blocked by OSArmor.

If the author wanted to show that OSArmor can be bypassed, then this is nothing new.
If the author wanted to show how effective OSArmor is, then he failed, as I commented in the post about his test on WiseVector.
If the author wanted to show how OSArmor works by using some malware examples, then the video is probably OK.
 
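The delivery method discussed in the post above (a PE named Lebenslauf.pdf.exe inside a ZIP spam attachment, plus script droppers) is the kind of thing a mail-gateway or endpoint triage check can flag without any AV signature. The Python below is an added example written for this page; it is not OSArmor's code and not the thread author's. The archive, its member names, the findings vocabulary and the quarantine rule are all constructed for illustration.

```python
"""Triage a ZIP attachment for executables disguised as documents.

Added example, not part of the original thread. The sample archive and the
findings labels are constructed here for illustration only.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs directly on double-click (PE and similar).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "dll", "cpl"}
# Extensions handed to a script host or shell (the "scripts" delivery method).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "bat", "cmd", "lnk"}
# Extensions a user expects to open as a harmless document; used as decoys.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_member(name: str, head: bytes) -> List[str]:
    """Return findings for one archive member given its name and first bytes."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]      # strip any directory part
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    runnable = EXECUTABLE_EXTS | SCRIPT_EXTS

    if ext in runnable:
        findings.append("executable_extension:" + ext)
    # Decoy document extension immediately before a runnable one (x.pdf.exe).
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in runnable:
        findings.append("double_extension:%s.%s" % (parts[-2], ext))
    # Content check: a PE starts with the 'MZ' DOS header regardless of name.
    if head[:2] == b"MZ":
        findings.append("pe_magic")
        if ext in DOCUMENT_EXTS:
            findings.append("content_type_mismatch:pe_with_document_extension")
    return findings


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Map member name -> findings; members with no findings are omitted."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Encrypted members cannot be inspected; attackers use password-
            # protected ZIPs for exactly that reason, so report it explicitly.
            if info.flag_bits & 0x1:
                report[info.filename] = ["encrypted_member"]
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            findings = classify_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def should_quarantine(report: Dict[str, List[str]]) -> bool:
    """Policy (assumed here): any runnable, disguised, or encrypted member."""
    blocking = ("executable_extension", "double_extension", "pe_magic",
                "content_type_mismatch", "encrypted_member")
    return any(f.startswith(blocking) for fs in report.values() for f in fs)


def build_sample_attachment() -> bytes:
    """Constructed sample: a fake PE named like a PDF plus a harmless text file."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Lebenslauf.pdf.exe", fake_pe)
        zf.writestr("Anschreiben.txt", b"Sehr geehrte Damen und Herren, ...")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_attachment())
    for member, findings in result.items():
        print(member, "->", ", ".join(findings))
    print("quarantine:", should_quarantine(result))
```

The name-based checks catch the double-extension trick even when Explorer hides known extensions, and the `MZ` check catches the reverse case (a real PE renamed to `.pdf`), which a name-only rule would miss. Scripts (`.js`, `.vbs`, `.hta`, ...) are flagged by extension alone because they have no reliable magic bytes.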

Andy Ful

> Conclusion: Don't use security software at all, because it will fail anyway

> I don't know how you arrived at that conclusion, and especially the bit about no security software at all. What I got out of it was don't rely on NVT OSA to be your complete security apparatus.

@ebocious,
I think that his conclusion was justified irony. ;)
 

93803123

> (quoting Andy Ful's post above in full)
That person uses malware grabbed off of Hybrid-Analysis and other online malware repos. They aren't making custom, targeted malware.
 

Andy Ful

> That person uses malware grabbed off of Hybrid-Analysis and other online malware repos. They aren't making custom, targeted malware.

> Wow, impressive results. Certainly something worth considering as an addition if I move away from Comodo at any point. I'll have a look into it.

The samples in the test are not random samples, but specially selected samples. The last sample had to be digitally signed to bypass OSArmor. The guy knows how OSArmor works and selected the last sample to bypass OSArmor. Generally, such a test alone is worthless for showing the efficiency of the tested security.

It would be more interesting if the malware in the test could bypass one of the OSArmor features.
 

93803123

> The samples in the test are not random samples, but specially selected samples. The last sample had to be digitally signed to bypass OSArmor. The guy knows how OSArmor works and selected the last sample to bypass OSArmor.

I did not say they are using random samples. They are getting the samples from the usual online sources. They aren't making their own malware.

Of course one would make a video of a sample that knowingly bypasses the protections. The whole point of the video is to show what can happen. Otherwise, there is no point in making the bypass video.
 

Andy Ful

> I did not say they are using random samples. They are getting the samples from the usual online sources. They aren't making their own malware.

Yes, I know. I also did not say that the author uses custom-made malware. Anyway, selecting samples to bypass something has the same effect as preparing custom malware to bypass something.

> Of course one would make a video of a sample that knowingly bypasses the protections. The whole point of the video is to show what can happen. Otherwise, there is no point in making the bypass video.

That is also my opinion. The video uses selected samples to show how OSArmor can block malware, and that it is not 100% efficient. It cannot show anything interesting about the effectiveness of the tested software. I do not think that the author's intention was to show this.
 

93803123

> Yes, I know. I also did not say that the author uses custom-made malware. Anyway, selecting samples to bypass something has the same effect as preparing custom malware to bypass something.

> That is also my opinion. The video uses selected samples to show how OSArmor can block malware, and that it is not 100% efficient. It cannot show anything interesting about the effectiveness of the tested software. I do not think that the author's intention was to show this.

People don't care about "1000 random samples selected and tested, result 100% protection." When it comes down to it, they only care about bypass videos and failed protections. That is what the video author feeds: that demand. This person's videos are just as legitimate as anyone else's.

Most people measure security by the number of failures, not the number of successes. So they don't care if there is a single fail in 1000. To them, a single fail is significant. A fail is a fail, no matter the context or statistics. That's just how the average human mind works, and the industry cannot do anything about this psychology. It is what it is.
 