Random Musing
cruelsister said:

Don't know if this will be of interest to anyone, but will post it anyway.

As there are always questions about which AV product to pick and whether a given test should be trusted, I was just curious and tried a few things for giggles.

To begin, let's consider Windows Firewall. As one may or may not want it enabled, one can either disable it manually through the GUI or instead enter a command (running as Administrator) to do so. But if instead we would rather create an executable to accomplish our goal (of disabling WF), how would a typical AV react?

The test:
A script to disable WF was written. It was converted to an executable in different ways (I don't really know if one would actually consider any of these truly malicious, but that's not really the point):

1) A baseline version with the option to show the command box (visible) on run, or to hide the command box (invisible). These will be the baseline.
2) Add "run as Administrator" to the above baseline programs.
3) Add an icon to the baseline programs.
4) Compress the baseline thingies with something like UPX.

(Please note that ONLY the exes that would be run with Admin privilege will actually disable the Firewall.)

Results: when run against various AV applications, it was seen that stuff like Microsoft, Kaspersky and Emsisoft would not find issue with any of the above, while Symantec and McAfee flagged them all.

G-Data found adding an icon to the Invisible FW baseline exe to be fine, as was the Visible form, but flagged as malicious the Invisible form without an icon (Win32.Trojan.PSE.DR6CWW).

Avira didn't have an issue with any except it hated the compressed versions, both of which were blocked.

Avast found all fine except the Invisible Icon exe, which was blocked.

Conclusion: obviously I have much too much time on my hands this morning.
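The post does not show the script it converted, so the following is an added example, not cruelsister's code. It illustrates the two practical points the post makes: the firewall change only takes effect when the process is elevated, and the change itself is a one-liner that no signature can sensibly call "malicious" on its own. It assumes Windows 8 / Server 2012 or later (the NetSecurity module that provides Get-NetFirewallProfile and Set-NetFirewallProfile) and Windows PowerShell 5.1 or PowerShell 7; the -Disable switch is this example's own parameter, and the script only reports state unless that switch is given.

```powershell
# Added example (not from the original post). Reports the firewall state per profile,
# optionally disables all profiles (what the post's exes do), and then looks for the
# log record a defender would use to spot that change.
param([switch]$Disable)

function Test-IsElevated {
    # The post's caveat: only an elevated process can change the firewall state.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallState {
    # One row per profile: Domain, Private, Public.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

"Before:"
Get-FirewallState | Format-Table -AutoSize

if ($Disable) {
    if (-not (Test-IsElevated)) {
        # A non-elevated run is what the post's "baseline" (no run-as-Administrator) exes do:
        # the command is rejected and the firewall stays on.
        Write-Warning "Not elevated; Set-NetFirewallProfile will be rejected with Access is denied."
    }
    # Equivalent to the classic:  netsh advfirewall set allprofiles state off
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False -ErrorAction Stop

    "After:"
    Get-FirewallState | Format-Table -AutoSize
}

# Defender-side check. The firewall operational log records a profile setting change as
# event 2003 ("A Windows Firewall setting ... has changed"); with the audit subcategory
# "MPSSVC Rule-Level Policy Change" enabled it also appears as Security event 4950.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2003
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it from an elevated prompt with `.\Check-Firewall.ps1 -Disable` to reproduce the post's admin case, and from a normal prompt to see the rejection the post refers to (the state table will be unchanged). When a script like this is wrapped into an exe, the "run as Administrator" option the post mentions corresponds to an embedded manifest with requestedExecutionLevel set to requireAdministrator, which is what triggers the UAC prompt; the hidden-console and UPX variants change nothing about what the code does, only how it is packaged, which is why the detections in the post track packaging rather than behaviour.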