Real-World Protection Test Feb-Mar 2020
<blockquote data-quote="MacDefender" data-source="post: 905094" data-attributes="member: 83059"><p>I’m certainly not downplaying the importance of low false positives and accurate signature detections, especially for things like PUPs and software piracy tools, which a lot of AVs struggle with accurately identifying (even Windows Defender and BitDefender frequently label such tools under generic trojan or generic machine learning signatures)... But whether it’s signature detection or heuristics, it’s hard to achieve this.</p><p>For example, a lot of Windows activation bypass tools will automate disabling SFR so they can replace a DLL with a doctored one to fool Windows into activating against the wrong server. Rufus (the USB stick tool) modifies group policy settings and has code for installing bootloaders. All of these behaviors can easily be rootkit-like behaviors used by malware, and it’s really easy to accidentally write signatures that flag these binaries. I did a test by just hex-editing a few inconsequential strings in a Rufus release, and it was picked up as malware by at least a dozen engines. We just had a recent thread about Kaspersky misidentifying a Firefox password backup tool as a password stealer.</p><p>In reality, most AVs maintain some sort of cloud or offline whitelist of popular applications, and those get to simply skip signature detections and sometimes even behavior blocking. That’s where I worry a bit about the accuracy of these formal false positive tests. How sure are we that they are truly low false positive engines, instead of knowing (either via experience or partnerships with the testing firms) what binaries to whitelist or what set of default settings to use to minimize FPs in the tests?</p><p>EDIT: <a href="https://malwaretips.com/threads/rufus-3-8-infected-with-malware.95772/post-840682" target="_blank">Rufus 3.8 | Infected with malware?</a></p><p><a href="https://www.virustotal.com/gui/file/0732dfa7bee7c4867688cd6e697a6497832def294bf14a4b1d94fe93cfeb86d6/detection" target="_blank">https://www.virustotal.com/gui/file/0732dfa7bee7c4867688cd6e697a6497832def294bf14a4b1d94fe93cfeb86d6/detection</a></p><p>Look at that. F-Secure (via Avira), Avira, BitDefender, and a few others all think this is malware. All I did was UPX unpack the stock Rufus binary and repack it at a different compression level. They don’t detect the stock UPX-packed binary. There is clearly some sort of whitelisting going on, and if you run a dynamic test against behavior blockers, you’ll find that many behavior blockers will flag that repacked binary too as soon as it requests UAC elevation to write to group policies.</p></blockquote>