Question Scanner find malware hidden in file with several functions?

Oblivion99

Thread author

Dear all

If a malicious file has several functions, for example the malicious file contains malware and the malware will be activated after a given time.
Part A - timer activation
Part B - malware

Would a scanner still find the malware / threat in the file?

I assume the malware would be the same, whether it was alone or included in a malicious file?
The bits / code would be the same.

Thank you
 
ForgottenSeer 114834

It depends.


Understanding the Challenge:

Malicious files often employ sophisticated techniques to evade detection.

Obfuscation: Malware can be hidden or disguised to look like legitimate code, making it difficult for scanners to identify.

Polymorphism: Malicious code can change its form to avoid detection, requiring constant updates for scanners.

Metamorphism: Malware can modify its structure while maintaining functionality, making it even harder to detect.

Packing: Malware can be compressed or encrypted, requiring unpacking before analysis.

Time-based Activation: As you mentioned, malware can be designed to activate after a specific time, making it harder to detect before execution.

While modern scanners are capable of detecting many types of malware, including time-based ones, there's no guarantee of complete protection.


A couple of forms of possible detection:

Signature-Based Detection: This traditional method relies on identifying known malware patterns, but it's less effective against new threats.

Static Analysis: Scanners examine the file's structure and code without executing it to identify potential threats.

The likelihood of a scanner detecting the malware depends on several factors:

Scanner's Capabilities: Advanced scanners with multiple detection methods are more likely to identify the threat.

Malware Sophistication: Highly complex malware with strong anti-detection features is harder to detect.
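
Added example (not part of any post in this thread, and not how any particular product works): a toy signature scanner showing that putting a timer in front of a payload leaves the payload bytes matchable, while packing hides them until the scanner unpacks. `TIMER_STUB`, `SIGNATURE` and the sample files are constructed, harmless placeholders.

```python
import zlib

# Constructed, harmless byte strings standing in for the thread's "Part A" and "Part B".
TIMER_STUB = b"TIMER-STUB:wait=9000s;"            # Part A (hypothetical)
SIGNATURE = b"HARMLESS-DEMO-PAYLOAD-MARKER-v1"    # Part B pattern the scanner knows
ZLIB_SECOND_BYTES = (0x01, 0x5E, 0x9C, 0xDA)      # common bytes after the 0x78 zlib header

def signature_scan(data: bytes) -> bool:
    """Signature-based detection: look for the known byte pattern anywhere in the file."""
    return SIGNATURE in data

def unpack_candidates(data: bytes, max_out: int = 1 << 20):
    """Static unpacking: try to inflate from every offset that looks like a zlib header."""
    for off in range(len(data) - 1):
        if data[off] == 0x78 and data[off + 1] in ZLIB_SECOND_BYTES:
            try:
                # max_out caps the output so a decompression bomb cannot exhaust memory.
                yield zlib.decompressobj().decompress(data[off:], max_out)
            except zlib.error:
                continue  # not a real stream, keep looking

def scan(data: bytes, depth: int = 2) -> str:
    """Return 'raw-match', 'match-after-unpack' or 'clean'."""
    if signature_scan(data):
        return "raw-match"
    if depth > 0:
        for body in unpack_candidates(data):
            if scan(body, depth - 1) != "clean":
                return "match-after-unpack"
    return "clean"

ALONE = SIGNATURE * 4
BUNDLED = TIMER_STUB + ALONE                  # timer in front, payload bytes unchanged
PACKED = TIMER_STUB + zlib.compress(ALONE)    # payload bytes transformed by packing

if __name__ == "__main__":
    for name, sample in (("alone", ALONE), ("bundled", BUNDLED), ("packed", PACKED)):
        print(f"{name:8} raw={signature_scan(sample)!s:5} verdict={scan(sample)}")
```
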
 

Trident

> Would a scanner still find the malware / threat in the file?

Time-based malware can potentially fool dynamic analysis (where portions of the file are executed in memory), or full-blown emulation, where the whole file is executed and monitored.

Although vendors take care to “trick” the malware and perform the so-called push-forward emulation, some attackers may be more clever than others. For example, instead of checking the local system time, they can query a server.

Time-based tactics don’t affect other detection technologies.

Whether or not the malware will be detected would ultimately depend on what other tactics the malware authors have employed, such as packaging.

Certain products also use much more aggressive heuristics on files originating from the web and/or age + popularity (reputation heuristics). Some products use aggressive yara rules and/or memory content checks, where evasion tactics may be detected. There are loads of variables.
 

Oblivion99

Thread author

> Obfuscation: Malware can be hidden or disguised to look like legitimate code, making it difficult for scanners to identify.
> Polymorphism: Malicious code can change its form to avoid detection, requiring constant updates for scanners.
> Metamorphism: Malware can modify its structure while maintaining functionality, making it even harder to detect.
> Packing: Malware can be compressed or encrypted, requiring unpacking before analysis.
> Time-based Activation: As you mentioned, malware can be designed to activate after a specific time, making it harder to detect before execution.

I use Windows Defender as scanner.

1.
Would you trust that Windows Defender scanner will detect malicious files that use one or more of the above methods?

> While modern scanners are capable of detecting many types of malware, including time-based ones, there's no guarantee of complete protection.

2.
Is Windows Defender scanner what you would categorize as a "modern scanner"?

> Signature-Based Detection: This traditional method relies on identifying known malware patterns, but it's less effective against new threats.
> Static Analysis: Scanners examine the file's structure and code without executing it to identify potential threats.

3.
What type is Windows Defender scanner?
Both?

> Scanner's Capabilities: Advanced scanners with multiple detection methods are more likely to identify the threat.

4.
Is Windows Defender scanner an advanced scanner?

Thank you
 

Oblivion99

Thread author

> Time-based malware can potentially fool dynamic analysis (where portions of the file are executed in memory), or full-blown emulation, where the whole file is executed and monitored.

1.
If the malware part is executed in memory as well, why can it then fool the dynamic analysis?

> Although vendors take care to “trick” the malware and perform the so-called push-forward emulation, some attackers may be more clever than others. For example, instead of checking the local system time, they can query a server.

2.
I assume this requires an internet connection?

> Time-based tactics don’t affect other detection technologies.

3.
Meaning that a scanner will still find the threat / malware?

> Whether or not the malware will be detected would ultimately depend on what other tactics the malware authors have employed, such as packaging.
>
> Certain products also use much more aggressive heuristics on files originating from the web and/or age + popularity (reputation heuristics). Some products use aggressive yara rules and/or memory content checks, where evasion tactics may be detected. There are loads of variables.

4.
I use Windows Defender scanner.
Would you trust that Windows Defender scanner would detect the malware / threat?

Thank you
 

Trident

> If the malware part is executed in memory as well, why can it then fool the dynamic analysis?

Because the dynamic analysis and/or emulator may (the keyword is may, not guaranteed that it will) simply look for malicious behaviour. If this behaviour is scheduled for current time + 2.5 hrs, the malicious behaviour is not delivered, observed and classified. Hence, there is no detection.
It is important to note that foul play with time is not new and vendors have many tricks up their sleeve to handle time-based malware. The majority of time-based malware will not evade dynamic analysis and emulation.

> I assume this requires an internet connection?

Not always, for example, malware may create a scheduled task for next reboot. The emulator can run the task right away. Dynamic analysis (local in-memory emulation) is not internet-connected. Cloud detonation sandboxes are.

> Meaning that a scanner will still find the threat / malware?

Yes, the scanner has many other tactics. Just time-based tricks are not enough to escape from the scanner. Attackers will have to study your specific scanner, how it works, what it covers or doesn't cover. Only then can they deliver a specific bypass. This is very time-consuming, scanners frequently change their patterns and coverage, and the attacker will have to be really dedicated and sophisticated, assuming that you are using one of the top quality products. Not something like Webroot, Protegent, etc.

> I use Windows Defender scanner.
> Would you trust that Windows Defender scanner would detect the malware / threat?

Microsoft Defender is one of the quality solutions.
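
Added example (not part of the post above and not any vendor's implementation): a toy emulator contrasting a sandbox that really waits with one that pushes its virtual clock forward, covering the three cases the post mentions (a 2.5-hour delay, a task deferred to next reboot, and a server-side time check). The trace format, operation names and the "inconclusive" verdict are assumptions of this sketch.

```python
# Constructed trace format: a sample is a list of (op, arg) steps; nothing is executed for real.
SUSPICIOUS = {"modify_autostart_key", "overwrite_user_files"}

def emulate(steps, budget_s=60, push_forward=True):
    """Toy emulator: returns (verdict, clock), where clock is the time the sample was shown."""
    spent, clock = 0, 0           # real analysis seconds used / virtual seconds elapsed
    queue, observed, gated = list(steps), [], False
    while queue and spent <= budget_s:
        op, arg = queue.pop(0)
        if op == "sleep":
            clock += arg          # the sample always sees time pass
            if not push_forward:
                spent += arg      # a naive sandbox really waits, burning its budget
        elif op == "schedule_task":
            if push_forward:
                queue = list(arg) + queue   # run the deferred task right away
        elif op == "wait_for_server_time":
            gated = True          # a remote time check cannot be skipped with the local clock
            break
        elif op == "action":
            spent += 1
            observed.append(arg)
    if SUSPICIOUS & set(observed):
        return "malicious", clock
    return ("inconclusive" if gated else "clean"), clock

# Constructed samples: 9000 s is the "current time + 2.5 hrs" delay from the post.
DELAYED = [("action", "read_config"), ("sleep", 9000), ("action", "modify_autostart_key")]
NEXT_BOOT = [("schedule_task", [("action", "overwrite_user_files")])]
SERVER_GATED = [("wait_for_server_time", None), ("action", "modify_autostart_key")]
BENIGN = [("sleep", 5), ("action", "read_config")]

if __name__ == "__main__":
    samples = [("delayed", DELAYED), ("next_boot", NEXT_BOOT),
               ("server_gated", SERVER_GATED), ("benign", BENIGN)]
    for name, s in samples:
        print(name, "naive:", emulate(s, push_forward=False), "push-forward:", emulate(s))
```
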
 

Oblivion99

Thread author

> The majority of time-based malware will not evade dynamic analysis and emulation.

1.
Does Microsoft Defender Antivirus have both dynamic analysis and emulation?

If yes, when are they used? During Full scan or real-time protection scan?

> The emulator can run the task right away. Dynamic analysis (local in-memory emulation) is not internet-connected. Cloud detonation sandboxes are.

2.
So if the antivirus scanner has both dynamic analysis and emulator, it will detect the malware?

> Would you trust that Windows Defender scanner would detect the malware / threat?
> Microsoft Defender is one of the quality solutions.

3.
So yes?

Thank you!
 

lokamoka820

> In regard of my above follow-up questions Aug 21
>
> Would anyone kindly try to answer them?
>
> Thank you

1. Yes, Microsoft Defender has both dynamic analysis and emulation, and they are used in real-time protection.

2. Yes, Microsoft Defender will mostly detect the malware / threat; it has a cloud scan and implements AI in its cloud for new 0-day malware.

3. Here is the latest test for Microsoft Defender on default settings if you want to be more sure:
 

oldschool

> In regard of my above follow-up questions Aug 21
>
> Would anyone kindly try to answer them?
>
> Thank you

Maybe this will answer some of your questions.
Behavior monitoring is a critical detection and protection functionality of Microsoft Defender Antivirus.

Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. Here's what it entails:

Real-Time Threat Detection:

  • Continuously observe processes, file system activities, and interactions within the system.
  • Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.

Dynamic Approach:

Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.

Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesn't fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.

If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.

Behavior monitoring enhances Defender Antivirus's ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.

The following features depend on behavior monitoring.

Anti-malware:

  • Indicators, File hash, allow/block

Network Protection:

  • Indicators, IP address/URL, allow/block
  • Web Content Filtering, allow/block

Note: Behavior monitoring is protected by tamper protection.

Source: Behavior monitoring in Microsoft Defender Antivirus - Microsoft Defender for Endpoint
 

oldschool

> Does Microsoft Defender Antivirus have both dynamic analysis and emulation?

Generally, yes.

> If yes, when are they used? During Full scan or real-time protection scan?

Defender is heavily dependent on the cloud for its full capabilities.

> So if the antivirus scanner has both dynamic analysis and emulator, it will detect the malware?

Yes.

Yes. It's a quality anti-malware solution.
 

Oblivion99

Thread author

Thank you for all the answers so far

I hope some of you might help with answering the rest

Thank you

> Obfuscation: Malware can be hidden or disguised to look like legitimate code, making it difficult for scanners to identify.
> Polymorphism: Malicious code can change its form to avoid detection, requiring constant updates for scanners.
> Metamorphism: Malware can modify its structure while maintaining functionality, making it even harder to detect.
> Packing: Malware can be compressed or encrypted, requiring unpacking before analysis.
> Time-based Activation: As you mentioned, malware can be designed to activate after a specific time, making it harder to detect before execution.

I use Windows Defender as scanner.

1.
Would you trust that Windows Defender scanner will detect malicious files that use one or more of the above methods?

> Although vendors take care to “trick” the malware and perform the so-called push-forward emulation, some attackers may be more clever than others. For example, instead of checking the local system time, they can query a server.

Does Microsoft Defender Antivirus have "push-forward emulation"?
 

Oblivion99

Thread author

> Signature-Based Detection: This traditional method relies on identifying known malware patterns, but it's less effective against new threats.
> Static Analysis: Scanners examine the file's structure and code without executing it to identify potential threats.

3.
What type is Windows Defender scanner?
Both
-
Yes?

> Scanner's Capabilities: Advanced scanners with multiple detection methods are more likely to identify the threat.

4.
Is Windows Defender scanner an advanced scanner?
-
Yes?
 

Oblivion99

Thread author

> 2.
> So if the antivirus scanner has both dynamic analysis and emulator, it will detect the malware?
>
> 2. Yes, Microsoft Defender will mostly detect the malware / threat; it has a cloud scan and implements AI in its cloud for new 0-day malware.

"So if the antivirus scanner has both dynamic analysis and emulator"
It only works with cloud / online scan?
Not with offline scan?
 

Jonny Quest

> 2.
> So if the antivirus scanner has both dynamic analysis and emulator, it will detect the malware?
>
> "So if the antivirus scanner has both dynamic analysis and emulator"
> It only works with cloud / online scan?
> Not with offline scan?

Its online scanner is much better than offline.

Yes, especially according to AV-Comparatives March report.

 

lokamoka820

> I agree.
>
> But I am trying to understand if Microsoft Defender scanner uses both dynamic analysis and emulator during online and offline detection, or only during online detection?
>
> Thank you

Microsoft Defender Antivirus can provide protection in offline scenarios by regularly provisioning the latest dynamic intelligence to the endpoint throughout the day. However, specific features like behavioral blocking and containment primarily function when the device is connected to the cloud for real-time intelligence.
 
