The peculiarity of EXE malware testing.
<blockquote data-quote="Andy Ful" data-source="post: 979407" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">The peculiarity of EXE malware testing.</span></strong></p><p></p><p>Let's look at the distribution of malware in the wild by file types:</p><p></p><p>[ATTACH=full]265013[/ATTACH]</p><p></p><p>[URL unfurl="false"]https://static.poder360.com.br/2021/07/relatorio.pdf[/URL]</p><p></p><p>We know that archives contain mostly EXE files, documents, and scripts. So, we can conclude that roughly 1/3 of initial malware are EXE files, 1/3 documents (PDF, Office), and 1/3 scripts. Attacks that start with documents or scripts can often include EXE files at a later infection stage. <span style="color: rgb(0, 168, 133)"><strong>So, most EXE malware will not be initial malware but EXE payloads that appear later in the infection chain.</strong></span></p><p></p><p>Let's inspect the protection of two AVs ("A" and "B") which have got identical capabilities for detecting unknown EXE files, but "A" has got additional strong protection against documents and scripts. It is obvious that:</p><p><strong><span style="color: rgb(41, 105, 176)">Protection of "A" > Protection of "B"</span></strong></p><p></p><p>"A" can detect/block the document or script before the payload could be executed. So, there can be many 0-day EXE payloads in attacks in the wild that will compromise "B" and will be prevented by "A".</p><p>After being compromised, "B" quickly creates a signature or behavior detection, while for "A" the payload is invisible.</p><p></p><p>If we make a test on AVs "A" and "B" the next day, the results will be strange:</p><p>"B" will properly detect these payloads and "A" will miss them.</p><p>The result of the test:</p><p><span style="color: rgb(184, 49, 47)"><strong>Protection of "A" < Protection of "B"</strong></span></p><p></p><p><strong>The above false result holds despite the fact that "A" and "B" have got identical capabilities for detecting EXE files, and despite the fact that in the wild "A" protects better.</strong></p><p><span style="color: rgb(0, 168, 133)"><strong>The error follows from the fact that the AV cloud backend can quickly react when it is compromised, and much more slowly if it is not.</strong></span></p><p>There are many people involved in threat hunting, so after some time most of these invisible (for "A") EXE payloads are added to detections (even if they did not compromise "A" in the wild).</p><p><em><strong>Anyway, this reasoning does not apply to AVs that use file reputation lookup for EXE files. Such AVs will block almost all EXE samples, both in the wild and in the tests.</strong></em></p><p></p><p>How to minimize this error?</p><ol> <li data-xf-list-type="ol">Using initial attack samples (like in the Real-World tests).</li> <li data-xf-list-type="ol">Using many 0-day unknown samples. The more unknown samples, the smaller the error will be.</li> <li data-xf-list-type="ol">Using prevalent samples (like in the Malware Protection tests made by AV-Comparatives and AV-Test). "A" has more chances to quickly add detections for prevalent samples.</li> </ol><p>For a less technical explanation, please look here:</p><p>[URL unfurl="false"]https://malwaretips.com/threads/pecuriality-of-exe-malware-testing.112854/post-979714[/URL]</p></blockquote><p></p>