Author Topic: Questions (Read 5082 times)

hozewm · « **on:** December 10, 2021, 07:22:14 AM »

Same file , but avast engine in virustotal doesn't detect it.
https://www.virustotal.com/gui/file/5ee4d962d00340fe06ca92435cffbc95011c3420348ecbacb8723eb58b22db7d

https://virusscan.jotti.org/en-US/filescanjob/b9s0qewhob

hozewm · « **Reply #1 on:** December 10, 2021, 07:29:58 AM »

And I also wondering what is the meaning of the X in the detection name.

Pondus · « **Reply #2 on:** December 10, 2021, 08:28:30 AM »

Quote from: hozewm on December 10, 2021, 07:29:58 AM

And I also wondering what is the meaning of the X in the detection name.

variant letter

(CARO) Malware naming scheme, this is how it works
https://cyberwarzone.com/caro-malware-naming-scheme-this-is-how-it-works/

RejZoR · « **Reply #3 on:** December 10, 2021, 08:51:06 AM »

Jotti runs Linux version, VT runs Windows version. Might be problem there as engine itself should be the same.

hozewm · « **Reply #4 on:** December 10, 2021, 09:22:22 AM »

after rescan the file, it seems now the engine on VT is also detected the sample now !

Pondus · « **Reply #5 on:** December 10, 2021, 12:59:23 PM »

More fore those who want to read about malware naming ......

Malware Naming Hell
https://www.gdatasoftware.com/blog/2019/08/35146-taming-the-mess-of-av-detection-names

Malware family naming hell is our own fault
https://www.gdatasoftware.com/blog/malware-family-naming-hell

CARO http://www.caro.org/articles/naming.html

It is relatively tempting to want to name malicious code based on its date of activation, this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like "March6", "January Friday 13th" or "CrashWindows" the fictional exchange illustrated below could become commonplace:

(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)

A1: "Hey A2, have you seen that new beast, the 'Newyork' virus?"
A2: "You mean the one which fills all the files on disk with 'New York'?"
A1: "No, that's the 'NYFiller' virus, I mean the one which shows a message box with the text 'New York New York'"
A2: "Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files"
A1: "Hm, the 'Newyork' I was thinking of actually infects Windows PE files"
A2: "Ah, but I think I know what you mean, however, the one I've seen shows a message box stating 'New Orleans New Orleans'. We are calling it 'NewOrleans', of course."
A1: "Hm, that must be a new version of our 'NewYork' virus with a modified message. I think you should rename your 'NewOrleans' virus to something like 'NewYork(version:Orleans)'."
A2: "Hey, wait a minute, why not rename _your_ virus to 'NewOrleans(York)'?"
A3: "Hey guys, have you seen the new virus which fills all the files on disk with 'New Delhi'? We're calling it 'NewDelhi', of course."
A1: "Arghhh..."
A2: "Who designed this stupid payload-based naming scheme anyway...?"

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=78995af3-e961-46da-ad80-f6547bbce3b7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Asyn · « **Reply #6 on:** December 10, 2021, 01:08:05 PM »

Quote from: Pondus on December 10, 2021, 12:59:23 PM

It is relatively tempting to want to name malicious code based on its date of activation, this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like "March6", "January Friday 13th" or "CrashWindows" the fictional exchange illustrated below could become commonplace:

(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)

A1: "Hey A2, have you seen that new beast, the 'Newyork' virus?"
A2: "You mean the one which fills all the files on disk with 'New York'?"
A1: "No, that's the 'NYFiller' virus, I mean the one which shows a message box with the text 'New York New York'"
A2: "Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files"
A1: "Hm, the 'Newyork' I was thinking of actually infects Windows PE files"
A2: "Ah, but I think I know what you mean, however, the one I've seen shows a message box stating 'New Orleans New Orleans'. We are calling it 'NewOrleans', of course."
A1: "Hm, that must be a new version of our 'NewYork' virus with a modified message. I think you should rename your 'NewOrleans' virus to something like 'NewYork(version:Orleans)'."
A2: "Hey, wait a minute, why not rename _your_ virus to 'NewOrleans(York)'?"
A3: "Hey guys, have you seen the new virus which fills all the files on disk with 'New Delhi'? We're calling it 'NewDelhi', of course."
A1: "Arghhh..."
A2: "Who designed this stupid payload-based naming scheme anyway...?"

hozewm · « **Reply #7 on:** December 10, 2021, 02:16:42 PM »

Another question , do avast automated system identify the malware type for those sample that don't require human to check ? (such as trojan or ransomeware and what if it is a trojan and ransome at same time ?)
And do avast automated system auto unzip the zip file ?

Asyn · « **Reply #8 on:** December 10, 2021, 02:38:15 PM »

-> https://www.avast.com/technology/ai-and-machine-learning

hozewm · « **Reply #9 on:** December 10, 2021, 02:50:21 PM »

I mean classify the type of new malware , not detect the new malware .

DavidR · « **Reply #10 on:** December 10, 2021, 03:01:01 PM »

Quote from: Pondus on December 10, 2021, 12:59:23 PM

More fore those who want to read about malware naming ......

Malware Naming Hell
https://www.gdatasoftware.com/blog/2019/08/35146-taming-the-mess-of-av-detection-names

Malware family naming hell is our own fault
https://www.gdatasoftware.com/blog/malware-family-naming-hell

CARO http://www.caro.org/articles/naming.html
<snip>

Isn't this a bit of a joke, doesn't GData use two other companies virus engine/database ?

Even then there really is no way there is ever going to be standardisation in malware naming when the method of detection is in many cases are different.

When you are talking of heuristic, generic, artificial, machine learning methods of detection when one signature detects multiple variants of the same/similar malware.

As Asyn's link shows.

Quote from: Asyn on December 10, 2021, 02:38:15 PM

-> https://www.avast.com/technology/ai-and-machine-learning

So I rather doubt that Avast is alone in this development it would make it near impossible for any standardisation on malware naming.

hozewm · « **Reply #11 on:** December 10, 2021, 03:06:44 PM »

so , can anyone tell avast team to add a option to disable the local sandbox analysis ? since it is pretty useless , and will allow the malware run on the user computer.
https://forum.avast.com/index.php?topic=273698.0
or they can make the analysis longer (such as 1 minute or 30 seconds so it can actually detect malicious software)

Asyn · « **Reply #12 on:** December 10, 2021, 03:41:00 PM »

You can adjust/disable it in the settings.

hozewm · « **Reply #13 on:** December 10, 2021, 03:42:43 PM »

if i disable it , will avast detect the sample as suspicious ?

Asyn · « **Reply #14 on:** December 10, 2021, 04:05:56 PM »

-> https://support.avast.com/en-ww/article/150/

Author Topic: Questions (Read 5082 times)

hozewm

Questions

hozewm

Re: Virustotal engine

Pondus

Re: Virustotal engine

RejZoR

Re: Virustotal engine

hozewm

Re: Virustotal engine

Pondus

Re: Virustotal engine

Asyn

Re: Virustotal engine

hozewm

Re: Virustotal engine

Asyn

Re: Virustotal engine

hozewm

Re: Virustotal engine

DavidR

Re: Virustotal engine

hozewm

Re: Virustotal engine

Asyn

Re: Virustotal engine

hozewm

Re: Virustotal engine

Asyn

Re: Questions