Hot Take Review based on Shadowra tests

I was the one debating him in that, plus another thread. The fact that he claims that Emsisoft was the only product to block his samples while VIPRE, ESET, Kaspersky, Windows Defender, G-Data and Trend Micro all failed, I find very hard to believe.
It's not hard to believe at all.

I can come up with samples that will bypass Emsisoft, but not any of the others you mention here.

This is the world of security software and its reality.

¯\_(ツ)_/¯
 
fml
Kaspersky also includes a proactive defence module:
The proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the “PDM:” prefix.
 
Kaspersky also includes a proactive defence module:
The proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the “PDM:” prefix.
Isn't that the System Watcher?
 
In general I am against the writing of custom malware, there is no malware deficiency. It is way smarter to harvest.
I agree, because then nobody can point the finger at the custom malware writer (which is usually just modification of harvested malware) and state "You are not using malware found in-the-wild." However, just to prove a point or POC, there's nothing wrong in my estimation with using custom written malware (from square one - completely freshly written from a blank IDE page using no source code from anywhere).
 


I thought I'd mention, the Reddit user in question has an updated post. Seems his findings have changed, Emsisoft has failed his latest experiment and now only Bitdefender blocked whatever he built.

Eset is heavily reliant on user-mode components; he didn't need to waste time writing tools and testing, he could have asked me and I would have told him 🤣

Eset doesn’t keep it a secret that the behavioural monitoring is HIPS with heuristics. They further disclose that it operates in user mode.

So he is testing whatever Eset clearly wrote in a whitepaper…
Very useful!

Anyway, again there are a few faults:
First of all, the author is mentioning “these are the same techniques”. Yes, they are. But in home AVs, often single techniques are not blocked as vigorously as they are in business products.

“They should block in kernel mode”….
They would, but the sample is not malicious enough.

Also, additional protection layers like reputation and so on haven’t been accounted for.

This doesn’t come down to the “true infection source”, even executables on the desktop have their reputation inspected.

It comes down to configuration. I am also getting the sense that his sample may have been excluded and some products may have been tweaked a little bit to allow the sample to run.

The author is not biased but is expecting very aggressive response just from one isolated module (behavioural blocking). But this is not how things work.

I dare him to sit down and try to build 20 malware detection behavioural profiles. Then let him test on 20 trusted executables (perhaps base the profiles on sandbox reports) and let him see how many false positives he will get. His profiles will flag at least 10/20.

Then he will change his mind.

Bottom line is we know very well what’s malicious but it often intersects with poorly written. Hence, single techniques cannot be an accurate point to block samples.

In the case of “stealing your discord token”, there will be more indicators: the discord tokens will be accessed (handles will be opened to files), probably an archive will be created in the temp folder, domains will be contacted, eventually persistence hooks will be created… these are the high-confidence indicators that can produce a block (though these can be iffy as well).

It’s ok, he’s a newbie and will learn.

@KnownStormChaser you can send him this post.
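An added illustration of the point made in this post (example code, not from the thread or any vendor's product): a small scoring profile over constructed sandbox-style events, with assumed indicator weights and threshold, showing why a single-technique rule flags a benign installer while a combined-indicator profile only blocks the token-stealer-like trace.

```python
from dataclasses import dataclass

# Assumed weights and threshold for illustration only, not any vendor's real profile.
INDICATORS = {
    "open_token_store": 3,  # handle opened to a Discord token store (leveldb)
    "archive_in_temp": 1,   # archive created under %TEMP%
    "external_domain": 1,   # outbound contact to a non-local domain
    "persistence_hook": 2,  # Run key written
}
BLOCK_THRESHOLD = 5


@dataclass
class Event:
    kind: str    # "file_open", "file_create", "dns", "reg_set"
    target: str  # path, domain or registry value (constructed)


def indicators_for(events):
    """Map raw events to the named indicators, ignoring everything else."""
    hits = set()
    for e in events:
        t = e.target.lower()
        if e.kind == "file_open" and "discord" in t and "leveldb" in t:
            hits.add("open_token_store")
        elif e.kind == "file_create" and "\\temp\\" in t and t.endswith((".zip", ".7z")):
            hits.add("archive_in_temp")
        elif e.kind == "dns" and not t.endswith(".local"):
            hits.add("external_domain")
        elif e.kind == "reg_set" and "currentversion\\run" in t:
            hits.add("persistence_hook")
    return hits


def score(events):
    return sum(INDICATORS[h] for h in indicators_for(events))


def verdict(events):
    """Combined profile: block only when enough indicators stack up."""
    return "block" if score(events) >= BLOCK_THRESHOLD else "allow"


def single_technique_verdict(events, technique):
    """The naive rule the post argues against: block on one technique alone."""
    return "block" if technique in indicators_for(events) else "allow"


# Constructed traces: a benign installer and a stealer-like sample.
INSTALLER = [Event("file_create", r"C:\Users\u\AppData\Local\Temp\setup.zip"),
             Event("dns", "updates.example-vendor.com"),
             Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater")]
STEALER = INSTALLER + [Event("file_open", r"C:\Users\u\AppData\Roaming\discord\Local Storage\leveldb\000003.log")]
```

Running `verdict` on both traces allows the installer (score 4) and blocks the stealer-like trace (score 7), while `single_technique_verdict(INSTALLER, "persistence_hook")` is a false positive on the installer.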
 


I thought I'd mention, the Reddit user in question has an updated post. Seems his findings have changed, Emsisoft has failed his latest experiment and now only Bitdefender blocked whatever he built.

and the trophy goes to ........ Bugdefender
 
I thought I'd mention, the Reddit user in question has an updated post. Seems his findings have changed, Emsisoft has failed his latest experiment and now only Bitdefender blocked whatever he built.
The person is a "security researcher."

I've never known or met any "security researcher" who:
  1. Was NOT a PITA in one manner or another; and
  2. Had any skills at articulating what they wanted to say and eliminate any perceptions of bias or were willing to be thorough and complete - by providing all detail needed for the layperson; and
  3. Most important of all - that the typical online reader (layperson) was capable of truly understanding what the researcher was really saying
Two part problem.

Security Researcher + Readers (and their interpretations) = Problems.
 
and the trophy goes to ........ Bugdefender
Bugdefender quality has improved greatly over the past 5 to 10 years. It has reached a quality standard where even I can live with it. But my recommendation is add default deny protections to the system to supplement Bugdefender's weaknesses - which are the abuse of LOLBins and exploitation of various areas of the operating system (OS). Hard_Configurator is a good supplement. Very solid.

Can get legitimate Bugdefender-direct licenses at dirt poor 3rd world prices too. Which is a +1.
 