Avira new heuristics

Discussion in 'other anti-virus software' started by MalwareDie, Jan 12, 2007.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    But if you already have a (free) HIPS installed in your PC, do you need a HTTP scanner at all?

    Best regards,
    Firefighter!
     
  2. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    No HIPS here.

    I'm interested in Avira because I'm helping someone out with their PC who

    1) Doesn't want to pay for any software, that's definitely out of the question.

    2) Is a high risk surfer & a hard headed newbie :p (this is why I asked about the http scanner)

    Also just trying to stay on topic with Avira ;)
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    F-Prot doesn't have an HTTP scanner. It's a fine AV. It didn't get along well on my computer; otherwise I'd still be using it.

    To me, it comes down to how comfortable you are with having viruses on your computer that are harmless because they are not executed. I used to be terrified of such a thing and even found testing with eicar to be scary. That was a number of years ago. I had the good fortune of becoming friends with someone here who taught me how to handle virus samples safely. That was empowering and I learned not to fear the simple presence of a virus. The concern is if you have no AV and it executes or if your AV does not detect it when it tries to execute. The concern is NOT IMO that the virus should under no circumstances get onto your computer. That, I believe to be a mislaid concern growing out of fear that is unnecessary in this instance.
    I have over 300 viruses in a test file on my computer. That doesn't worry me. I won't ever execute them! No one else uses my computer. If they did, I would keep the file zipped and password protected so that another user couldn't accidentally execute any of them. Besides, aVira detected all but six of them (said the six were corrupted) which is the best detection I've seen of all AVs I've tested. So, even if I, or someone else, accidentally executed one of them...no worry...aVira would stop the execution.

    So, to me, what is important is how good the AV real time scanner is not whether or not it catches the virus before it gets on your computer. I am not a high risk surfer though and perhaps for them having the http scanner is good.
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    It is good to have HTTP scanning. I think, though, that it is not so much needed with my system since I run Firefox inside Sandboxie.
    Email scanning would be nice too. I had allowed Sandboxie 2.64 access to my local mail.

    But email programs like Thunderbird o_O
    Lost my profile yesterday, when playing with SSM free on my not so stable system. It is hardware problems for sure. Anyway, it was a refreshing, not so nice time to find the old posts. Got them back.
    Same problem as with Firefox, losing bookmarks because of a corrupted profile. I do keep them for safekeeping, but for that I run Sandboxie, not to need to make a new profile, and NOT sharing bookmark access.
    But it was SSM free and my unstable system, possible conflict with it and maybe sandboxie too.

    So from now on I am mostly on Gmail for email.
    And happy with AntiVir. I don't suspect it has anything to do with my above problems. No viruses involved etc. :p
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    But HTTP scanners also block dangerous scripts.
    But if you use either Firefox with NoScript or Opera with JavaScript off globally and only allow JavaScript on known safe sites you will be fine.
    Also a sandbox in IE should be fine as well.
    lodore
     
  6. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    When the new heuristics are released, I wonder if the dreaded update problems that plague many Avira users will occur. Not me though I am lucky.
     
  7. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    So how does AntiVir use its heuristics now if they don't use emulation, and how will they change when they are updated?
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Heuristics = code analysis = low-level analysis.
    Emulation = behaviour-based analysis = higher-level analysis.
    So, using the heuristics only requires a bit of unpacking and, after that, comparing the unpacked file with the heuristic rule. Emulation requires running the file in a virtual machine and seeing how it behaves. Some malware fools detection by emulation because it won't run if a virtual machine is detected.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    It really isn't complicated: HTTP scanners can catch malicious content before they reach your browser, whereas standard real-time monitors can only catch them after the fact. This can help prevent (1) Malicious code from being saved to your system; and (2) Browser exploits from being effective.

    Whether or not this seems worthwhile to you is your own decision, but the good HTTP scanners available these days are quite unobtrusive. FWIW, I've only seen one case where an HTTP scanner would have prevented a browser exploit from taking place, and NOD32's IMON component missed it anyway (and still would today, because detection for it has still not been added).

    I am not monitoring this thread for replies.
     
  10. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    I also think it's quite easy to understand why the HTTP scanner is needed to protect against some kind of malware, but of course, all depends on individual needs, knowledge (how stuff works), personal experience, etc.

    Here's the AV expert's description about why HTTP scanner is needed...

    https://www.wilderssecurity.com/showpost.php?p=720580&postcount=29
     
  11. expertsec

    expertsec Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    8
    Emulation is much more than that. You can use an emulator for unpacking or to decrypt some code; it can help in signature detection or in behaviour analysis.
    Maybe you have read something about a method to detect if a program runs inside a virtual machine (VMWare, VPC) but don't be confused, a VM is not really an emulator. It is very hard to detect if your program is emulated or not. One way would be to use some very obscure APIs or to use external DLLs that were made by you and that are not loaded by the emulator.
    Also a VM will run the application code on the CPU, but an emulator will not.
     
  12. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yeah sure, whatever you say. :rolleyes: Can you enlighten me what makes you think it is "difficult" to detect if something is emulated or runs on a real machine?
     
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    :D you're the man Mike
    lodore
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  15. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Lucas, the antivirus programs don't use virtual machines such as VMWare. Those actually execute the code inside the VM and virtualize access to some devices. The antivirus programs completely emulate the execution - which is much slower than a VM but much safer. However, it is easy to detect both things.
    There were actually a few antivirus programs that performed unpacking by execution and placing debug breakpoints, though. Not reliable and safe at all. Same as performing hooking in user mode only.
     
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That's exactly the point.
     
  17. expertsec

    expertsec Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    8
    For example you can use the SIDT (Store Interrupt Descriptor Table Register) to see if you are running inside a virtual machine. A good emulator should not be caught with this trick.
     
  18. expertsec

    expertsec Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    8
    Because it's much slower, some AV companies have implemented only a partial emulator and others are thinking/trying to implement Dynamic Translation.
     
  19. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    So what's your point with this? That is not the only method to determine if you're running inside an emulator. Have you ever heard about speed profiling? (And your possible answer that you can skip this or just return emulator suitable results doesn't apply) I cannot go into details here, since this would reveal ideas how to "prevent emulating" but you can trust me on this it is pretty easy to determine if you're running emulated...
     
  20. expertsec

    expertsec Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    8
    My point is that an emulator is different than a Virtual Machine and is harder to detect.
    By the way, speed profiling is good for old emulators. Like I have said in a previous post, modern emulators should concentrate on Dynamic Translation.
    Here is a definition of DT.

    http://wiki.cs.uiuc.edu/cs427/Bochs Dynamic Translation Framework

    So the execution time inside an emulator should be very close to the execution time in real environment.
    I don't argue the fact that it's not possible to detect that you are running inside an emulator, just the fact that it is much easier to see if you are running inside a VM.
     
    Last edited by a moderator: Jan 19, 2007
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    LOL. Don't you think that an emulator is MUCH MORE limited in functionality than a Virtual System? Do you handle nanomites (inter-process calling with so called jump tables) there or process communication between kernel mode and user mode? There we go AGAIN... Or ever thought of the fact that you have on real systems always other programs running? Something like explorer.exe for example. Did you know that you can check that in at least 1000 different ways if something runs beside yourself in the same "operating system"?
     
  22. expertsec

    expertsec Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    8
    You are right :) ... if you are referring to an old generation of emulators :p .

    But new ones are being developed to be more closely related to the way the OS works.
    If you are talking about an emulator that can't handle threads or can't handle FPU instructions, etc. (and such kinds of emulators are currently used by some AVs) then you are totally right.
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I know :) Each AV company has developed their own emulation engines which are quite different from VMware/Virtual PC.
    I've read (mental note: it's time to reorganize the bookmarks :p) that it is easy to detect virtual execution using timers (?) which determine the delay between instructions.
    BTW, this thread has evolved into a good discussion :) It's nice to read the posts made by AV experts.
     
  24. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    It looks like, after a very superficial overview of its code, that the open source emulator Bochs can handle the cpuid/rdtsc trick (maybe somebody more knowledgeable can confirm?). It looks like most of the tricks relying on GetTickCount, GetSystemTime or msvcrt.time that are actually used for anti-debugging purposes only check if the returned value is lower than a given threshold (which would make it easy to bypass). Moreover, it might be possible to handle these by linking system time to pseudo-tick count.

    Moreover, there are some emulators that log the use of known anti-debug tricks and that use this as a criterion for heuristic detection (see e.g. outputs of the Norman sandbox).

    IMHO, a more efficient and much easier approach to detect emulation is - as evoked by Inspector Clouseau - to check if the environment (simulated OS, with processes running, file system, registry, etc.) in which the malware runs is realistic enough or if it is emulated. The easiest way I can imagine would be to query the existence of a file with a random name in the Windows directory (a real OS would answer that it does not exist) and then to query the existence of a real - but quite insignificant, e.g. jdbgmgr.exe - file of Windows (a real OS should answer that it exists). A wrong answer means that the malware is running inside the matrix.

    Since simulating the whole OS isn't really an option, the only solution would be to forward all the "read only" (safe) queries to the real OS, eventually "caching" the answer (i.e. creating a new jdbgmgr.exe in the virtual file table for our example, and copying its content if the malware attempts to read/write to that file, a kind of generic "delay loading" for files, processes, etc.), when it is obvious that the emulator cannot have the answer. But I suspect the overhead would be excessive. However, I would be curious to know if this approach has already been tried somewhere.
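A toy model of the emulator-side "delay loading" file table that Tweakie's post sketches, added here as an illustration (it is not code from the thread or from any AV product): read-only existence queries are answered from a constructed snapshot of the real Windows directory and cached into the virtual file table on first use, writes never leave the emulator, and the query log doubles as the heuristic signal mentioned in the Norman sandbox remark. The snapshot contents, class and method names are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed snapshot of a real %WINDIR%: names and sizes only, no content.
# jdbgmgr.exe is the obscure-but-real file used as the probe in the post.
REAL_WINDIR_SNAPSHOT = {
    "explorer.exe": 1_032_192,
    "notepad.exe": 69_120,
    "jdbgmgr.exe": 17_408,
}


@dataclass
class EmulatedFileSystem:
    """Hypothetical emulator file-system layer backed by a real-OS snapshot."""
    snapshot: dict
    vft: dict = field(default_factory=dict)   # virtual file table (lazy cache)
    log: list = field(default_factory=list)   # (name, found) for every query

    def exists(self, name: str) -> bool:
        """Answer as the real OS would; materialise a real file on demand."""
        key = name.lower()
        if key not in self.vft and key in self.snapshot:
            # "delay loading": only metadata now, content copied on first I/O
            self.vft[key] = {"size": self.snapshot[key], "data": None}
        found = key in self.vft
        self.log.append((key, found))
        return found

    def write(self, name: str, data: bytes) -> None:
        """Writes stay in the virtual table; the real file is never touched."""
        key = name.lower()
        self.exists(key)  # materialise first if it is a real file
        entry = self.vft.setdefault(key, {"size": 0, "data": None})
        entry["data"], entry["size"] = data, len(data)

    def probe_score(self) -> int:
        """Heuristic: a miss on a random name followed by a hit on a real file
        is the 'am I inside the matrix' pattern; count such pairs."""
        pairs = zip(self.log, self.log[1:])
        return sum(1 for (_, prev), (_, cur) in pairs if not prev and cur)


def run_probe_sequence() -> tuple:
    """Replay the two-query check from the post against the emulated FS."""
    fs = EmulatedFileSystem(REAL_WINDIR_SNAPSHOT)
    random_missing = fs.exists("qz8f1k3.dll")     # constructed random name
    real_obscure = fs.exists("JDBGMGR.EXE")       # case-insensitive like NTFS
    return random_missing, real_obscure, fs.probe_score(), fs
```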
     
  25. expertsec

    expertsec Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    8
    Very interesting idea :) , but fortunately I have seen some emulators (some used by AV companies) that can handle this trick ;-)
     
    Last edited by a moderator: Jan 20, 2007