Someone said it was. UDS is a cloud signature. Not behavioural.
> Someone said it was. UDS is a cloud signature. Not behavioural.

Wrong file as well, the Nulloy.zip is a UDS detection.
I'm taking a look at this sample in more detail tonight on my workstation/lab. Maybe you're right about the UDS.
> UDS is a behavior based detection.

It's not actually. It's mainly used for cloud-based early blacklisting, which can be both automated and manual. It can be automatically derived from behavior blocking and ML model metadata, or big data analysis, but can be totally unrelated also. There were cases when even a Kaspersky analyst manually created UDS signatures for samples I sent to them.
> It's not actually. It's mainly used for cloud-based early blacklisting, which can be both automated and manual. It can be automatically derived from behavior blocking and ML model metadata, or big data analysis, but can be totally unrelated also. There were cases when even a Kaspersky analyst manually created UDS signatures for samples I sent to them.

PDFs always have weird detections; I see them get heuristic detections when it's a signature. Anyway, the object was detected via automatic methods, as OpenTip says it's a Behavioral Stream Signature detection.
> I've seen a PDF trigger PDM.Exploit, but that's their ML catching an Adobe exploit.

Yes, completely possible for that to happen. I've never seen a signature have a UDS detection besides documents and the one that they sent. The majority of the time it's an automatic system in which PDM systems pick up an object, send it to processing in KSN, then create a preventative cloud detection for the file.
> Well, in that case, it definitely is evasive, bypassing OpenTip, Intellix, and a lot of human researchers.

Because no human actually took a look?
I myself don't know how to code, nor really know how malware works, but how could it bypass human researchers?

Also, which file was it? I checked the OpenTip link someone sent and it's currently listed as clean on OpenTip with 1,000 users.
> Because no human actually took a look?

Ahh, didn't know that's how it works.
> Ahh, didn't know that's how it works.

Maybe that company runs a triaged system?

If only a single file is received, then direct it to an internal sandbox that's more sensitive than the public one. If the sandbox says Clean, then inform the user that it's clean. Meanwhile, flag the file for review with importance Low.

If more than 1 user but fewer than x report it, then perform the same as above but set importance to Normal.

If a major IT corporation or more than x users report it, then inform the users to stand by while the file is analyzed, then flag the file with High importance: Requires Human in the Loop.

We think we are the most important people and our submissions should take priority. But the person receiving your file doesn't know you from a panicking old lady who saw a naked dude suddenly jump onto her screen and, being a good US Bible Belt evangelist, could not stand for such lewd behavior from her computer! So she sent her whole download folder to the antivirus company for them to analyze.
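The triage scheme sketched in the post above, written out as an added example (not code from any vendor, and not part of the original thread). It aggregates constructed submissions per file hash, applies the single-user / several-users / mass-report-or-major-corporation rules, and returns a priority plus whether a human must look before the user gets an answer. The threshold `x` is the post's unnamed number and is a hypothetical constant here; the internal sandbox is a stand-in lookup table of constructed verdicts.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Priority(Enum):
    LOW = "low"
    NORMAL = "normal"
    HIGH = "high"


@dataclass(frozen=True)
class Submission:
    sha256: str              # hash of the submitted file
    submitter: str           # account or tenant that uploaded it
    major_corporation: bool  # submitter is a major IT corporation


@dataclass
class TriageDecision:
    sha256: str
    priority: Priority
    human_in_loop: bool      # True: answer withheld until an analyst reviews
    user_message: str        # what the submitter is told right away


# Hypothetical value for the post's "x": distinct users above which a
# file is treated as a mass report. Tune for real submission volume.
MASS_REPORT_THRESHOLD = 5


def internal_sandbox_verdict(sha256: str, sandbox_results: dict) -> str:
    """Stand-in for the more sensitive internal sandbox (constructed table)."""
    return sandbox_results.get(sha256, "unknown")


def triage(submissions, sandbox_results):
    """Apply the three-tier policy from the post to a batch of submissions."""
    by_hash = {}
    for s in submissions:
        by_hash.setdefault(s.sha256, []).append(s)

    decisions = {}
    for sha, subs in by_hash.items():
        distinct_users = len({s.submitter for s in subs})
        from_major_corp = any(s.major_corporation for s in subs)

        # Tier 3: major corporation or mass report -> human required,
        # users told to stand by, no automated verdict released.
        if from_major_corp or distinct_users > MASS_REPORT_THRESHOLD:
            decisions[sha] = TriageDecision(
                sha, Priority.HIGH, True, "please stand by, file under analysis")
            continue

        # Tiers 1 and 2: automated verdict released, file queued for review
        # at Low (one user) or Normal (several users) importance.
        priority = Priority.LOW if distinct_users == 1 else Priority.NORMAL
        verdict = internal_sandbox_verdict(sha, sandbox_results)
        if verdict == "clean":
            msg = "clean (automated verdict; queued for analyst review)"
        else:
            msg = f"detected: {verdict} (automated verdict; queued for analyst review)"
        decisions[sha] = TriageDecision(sha, priority, False, msg)
    return decisions


def sha(label: str) -> str:
    """Deterministic constructed hash for sample data."""
    return hashlib.sha256(label.encode()).hexdigest()


def demo():
    """Constructed batch: one lone report, a few reports, a corporate report, a mass report."""
    subs = [
        Submission(sha("lone-pdf"), "user-1", False),
        Submission(sha("popular-zip"), "user-2", False),
        Submission(sha("popular-zip"), "user-3", False),
        Submission(sha("popular-zip"), "user-2", False),  # same user twice, counts once
        Submission(sha("corp-doc"), "bigcorp-soc", True),
    ] + [Submission(sha("mass-exe"), f"user-{i}", False) for i in range(10, 17)]
    sandbox = {sha("lone-pdf"): "clean", sha("popular-zip"): "Trojan.Generic"}
    return triage(subs, sandbox)


if __name__ == "__main__":
    for d in demo().values():
        print(d.priority.value, d.human_in_loop, d.user_message)
```

The point of the split is that only the High tier withholds an answer: everything else gets an automated reply immediately and a place in a review queue, which is why a lone submission can be reported "clean" without any analyst having seen it yet.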