how good is a2?

Discussion in 'other anti-trojan software' started by bunnyhorse, Jan 21, 2004.

Thread Status:
Not open for further replies.
  1. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Coming back to the original question raised: how good is a²? The freeware version can, for the moment, be considered as nearly useless as all the other products that don't provide any unpacking/mem scanning feature.

    So looking at the commercial version: it's not finished, and therefore to test and rate it would be unfair to the programmer.

    This gives a rather simple conclusion: unless the commercial version is finished, it's better to go with an established product if you are looking for protection now. The free version is not enough for protection and might only be useful for the "I have 200 different security tools on just one PC" type of people.

    wizard
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    <g> I must be doing something wrong here (or looking at the wrong page).

    I'm looking at this page: http://www.emsisoft.com/en/software/personal/ .

    I closed the tab in Mozilla, then re-clicked on that link - it's either not there, or it's not in the body of the main page. Same with IE 6.0.

    Can anyone else see it? I'll check back later - gotta get to work. Pete
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    wizard - OUCH! lol! Pete

    *But you know, come to think of it - how else am I supposed to be able to keep up with everybody else's stuff?? Let them know about false positives, or problems that new components may cause?

    Now, if I could just find someone that would buy me an additional five or so high-end computers..... :D
     
  4. Andreas Haak

    Andreas Haak Guest

    >Coming back to the original question raised: how good is a²? The freeware version can, for the moment, be considered as
    >nearly useless as all the other products that don't provide any unpacking/mem scanning feature.

    a² free and personal both provide process memory scan and process module memory scan :).
     
  5. Andreas Haak

    Andreas Haak Guest

    It's on the download and the purchase page ... .
     
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Yes, you are right. I remember the process memory scan was there, but the memory signatures were missing - that's why I could not test it. Are all the missing (memory) signatures included now? Then I will redownload the program and redo my tests. :)

    wizard
     
  7. Andreas Haak

    Andreas Haak Guest

    Not all, but we started adding them ...
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Redo testing...o_O
    :) Glad to see someone is still testing. How are you going to test this a2, and against what?

    This is now the third test mentioned in this thread, and no one has yet even qualified how they are going to be doing it or the test bench... but rather just a Sunday drive after they state they have "done it before and were not happy" or "they are going to do it again cause their NAV found some trojans but they just can't seem to remember which ones."


    Which ones are you going to be using... or is it an empirical-type test?
     
  9. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Tests for my personal interest are rather simple. I take some samples out of my private collection and do some functional tests, like how the program performs against runtime packing or how easy it is to avoid detection by patching.

    My findings so far on a² freeware: of course no unpacking capabilities; mem scan was not working, or rather, for the trojan I tried a signature was not available yet. I also tried some easy tests with patching. Overall I must say that I was not really impressed.

    wizard
     
  10. Andreas Haak

    Andreas Haak Guest

    Well ... a² free only uses fingerprints. It's quite easy to patch them. But well ... that will change, too ... .
     
  11. noname5

    noname5 Guest

    It seems to me that the process & module memory scanner is currently the main benefit which a2 can offer to the user.

    Therefore, adding signatures for the memory scanner should have priority. The file scanner does not need any signatures for trojans until it is supported by a generic unpacking engine (see, for example, BOClean, which does not have a file scanner at all). Consequently, the trojan fingerprints should be removed. The file scanner could still be responsible for detecting dialers etc.
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Well, that is an honest answer and much appreciated in this silly thread, so thank you ;) That is a type of empirical testing - based on experience or observational information and not necessarily on proven scientific data.

    The a2 free is not much at this point, and all know Andreas well enough that if you just ask him point-blank questions on what anything he has developed will and/or will not do at that point, and how it works technically... he will tell you. He has never tried to tell me, at least, anything that was not true... even at his own site.

    So anyway, if you could help him with explanations of the different products that you think would be more understandable, in English or German, to the majority of people who read his forum... or with the write-ups... I am sure it would be appreciated.
     
  13. Andreas Haak

    Andreas Haak Guest

    >Therefore, adding signatures for the memory scanner should have priority.

    In fact it has not. a² has a time problem while loading signatures. So the next release of the engine has priority.

    >The filescanner does not need any signatures for trojans until it is supported by a generic unpacking engine

    Well ... generic unpacking has weaknesses and is exploitable. Emulators are quite slow. So you can simply fool them by adding useless loops to the code at the entry point of the file. They will simply stand still or will stop emulation. And generic unpacking has a second weakness: The scanner has to detect that a file is packed using a kind of heuristic that can be easily fooled sometimes.

    Not to mention that it's in my opinion simply impossible to unpack/decrypt modern protectors like XtremeProtector or Armadillo that reassemble their own code into the binary code of the application or that use kernel mode decryption/protection/unpacking. So generic unpacking helps only if the script kiddies are "outdated" and still use "normal" EXE packers like UPX or ASPack ... .

    >Consequently, the trojan fingerprints should be removed.

    Consequently, not. For unpacked files and memory images it would use strong code based signatures. You can not add code based signatures of a packed file cause the only code inside is the unpacking/decrypting stub. So you would detect every packed/crypted file. In these cases a² will use a checksum over the packed code as done in the current version.
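    The "second weakness" Andreas mentions above (the scanner first has to guess that a file is packed at all, and that guess is a heuristic) is usually implemented as a byte-entropy check. The Python below is an added example for this thread, not code from a² or from Emsisoft: it scores three constructed byte blobs (a plain code-like section, a uniformly random "packed" section, and the same packed bytes diluted with zero padding) with a whole-section entropy check, shows how the padding drags the score under the threshold, and shows a windowed variant that does not have that blind spot. The 7.0 bits/byte threshold and the 1024-byte window are assumed tuning values, not published ones.

```python
import math
import random
from collections import Counter

# Constructed sample data (not real binaries): a "plain" code section drawn from a
# small alphabet of bytes, a "packed" section that is uniformly random (compressed
# or encrypted data looks random), and the same packed payload diluted with zero
# padding to show the blind spot of a single whole-section score.
_rng = random.Random(1234)
PLAIN_CODE = bytes(_rng.choice(b"\x55\x8b\xec\x83\xc4\x00\x90\xc3") for _ in range(4096))
PACKED_CODE = bytes(_rng.getrandbits(8) for _ in range(4096))
PADDED_PACKED = PACKED_CODE + b"\x00" * (3 * 4096)

# Assumed tuning value for this example; real engines tune this per section type.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data` (0.0 for empty or constant input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed_whole(section: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Naive heuristic: one entropy value over the whole section."""
    return shannon_entropy(section) >= threshold


def max_window_entropy(section: bytes, window: int = 1024) -> float:
    """Highest entropy of any non-overlapping `window`-byte slice of the section."""
    return max(
        shannon_entropy(section[off:off + window])
        for off in range(0, max(len(section) - window + 1, 1), window)
    )


def looks_packed_windowed(section: bytes, threshold: float = PACKED_THRESHOLD,
                         window: int = 1024) -> bool:
    """Windowed heuristic: padding elsewhere cannot dilute a dense region."""
    return max_window_entropy(section, window) >= threshold


def report(name: str, section: bytes) -> dict:
    """Both verdicts side by side for one section."""
    return {
        "name": name,
        "whole_entropy": round(shannon_entropy(section), 2),
        "whole_says_packed": looks_packed_whole(section),
        "windowed_says_packed": looks_packed_windowed(section),
    }


if __name__ == "__main__":
    for label, data in [("plain", PLAIN_CODE), ("packed", PACKED_CODE),
                        ("packed+padding", PADDED_PACKED)]:
        print(report(label, data))
```

    The padded blob carries exactly the same random payload as the packed one, yet its whole-section entropy lands near 2.8 bits/byte, so the naive check says "not packed" and an engine that gates its unpacker on that check would never try. The windowed score still sees a 1024-byte slice above 7.8 bits/byte, which is the practical fix.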
     
  14. noname5

    noname5 Guest

    "Why? Its good to have a fall back detection method and in fact it doesn't cost that much time to scan a file using the simple fingerprint ... "

    O.k. ... I assumed the removal of the fingerprints would help you to solve the speed problem so that additional mem signatures can be added. If this does not work ... no reason to remove the fingerprints.

    "in my opinion simply impossible to unpack/decrypt modern protectors like XtremeProtector or Armadillo"

    You are possibly right. Against this background it may be worth considering the use of backup signatures taken from a file's resource section (like McAfee does).

    The mem scanner of course should be able to decrypt Armadillo. But it seems that you have already found a solution for this problem.

    Looking forward to testing the mem scanner with at least one trojan ... ;-)
     
  15. noname5

    noname5 Guest

    Seltsam, you have tricked me. :D

    Since your post has been edited my post does not fit anymore. I cannot edit my own post. That's unfair ;-)
     
  16. Andreas Haak

    Andreas Haak Guest

    Register and login ... quite easy ...
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yes, play fair, Andreas... now edit your post back... guests are at a disadvantage when you move so fast. :(
     
  18. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    nautilus should remember the password and just use the login button to post here :rolleyes:
    OK, you can 'fool' each scanner... also the best of the best bla etc. mem scanners; it depends on the signature. So if a scanner has a real... I mean real mem scanner - and not a fake one which only catches the PID and re-scans the file locally on the hard drive or something like that - you can also make a malware undetected if you know which kind of signature the scanner uses to detect the malware. So a mem scanner is nice but useless if the scanner uses weak signatures.
    And I think an unpacking engine is nice and useful; I like the one from Kaspersky. OK, it also has some weak points, but again it can be useful... see the evolution of AV programs: KAV was one of the first programs with this (or not?)... and Symantec... lol, they just added such kind of unpacking stuff in their latest version; also other AV vendors try to or have just added such a useful function into their product.
     
  19. noname5

    noname5 Guest

    "now edit your post back...guest are in a disadvantage when you move so fast."

    No problem. I won't give up ;-)

    @Seltsam


    "Well ... generic unpacking has weaknesses and is exploitable. Emulators are quite slow. So you can simply fool them by adding useless loops to the code at the entry point of the file. They will simply stand still or will stop emulation. And generic unpacking has a second weakness: The scanner has to detect that a file is packed using a kind of heuristic that can be easyly fooled sometimes."

    Agreed. I have already planned to patch a loop (using CPU time) into a UPX packed sample in order to test ewido's and TDS-4's emulation.

    "Consequently, not. For unpacked files ... "

    I believe there are almost no unpacked trojans. Only stupid testers may require a2 to have signatures for unpacked trojans.


    "... and memory images it would use strong code based signatures."

    This makes indeed a whole lot of sense.

    "You can not add code based signatures of a packed file cause the only code inside is the unpacking/decrypting stub. So you would detect every packed/crypted file. In this cases a² will use a checksum over the packed code as done in the current version."

    If possible, the checksum should not cover the entire file because this will make it easier to patch a trojan. In many cases it will suffice to take a signature from the resource section (see Armadillo). If this is not possible, however, you can still use a big fingerprint.
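    Posts 13 and 19 between them lay out three ways to identify a packed sample: a code-based signature (which only works once the body is decrypted, i.e. on the memory image), a checksum scoped to the packed code, and a checksum scoped to the resource section rather than the whole file. The Python below is an added example for this thread, not a²'s engine or file format: it builds a toy on-disk layout (placeholder header, constructed stub bytes, a body "packed" with a one-byte XOR standing in for a real packer, and a version-info-style resource blob) plus the corresponding memory image, then reports which method still identifies the sample in each situation, including after an overlay is appended to the file. The signature text, stub bytes and resource strings are all constructed for the example.

```python
import hashlib
import re


def compile_signature(pattern: str) -> "re.Pattern[bytes]":
    """Turn 'E8 ?? ?? 00 00 8B 45' style text into a byte regex ('??' matches any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


# --- constructed layout of a "packed" sample (toy, not any real packer's format) ---
HEADER = b"MZ" + b"\x00" * 62                                      # 64-byte placeholder header
STUB = bytes.fromhex("60 BE 00 10 00 00 8D BE 00 F0 FF FF 57")       # constructed stub bytes
RESOURCES = b"FileDescription\x00Example Tool\x00FileVersion\x001.0.0.0\x00".ljust(128, b"\x00")

# Hypothetical body: the bytes a code-based signature would target once decrypted.
TROJAN_CODE = bytes.fromhex("55 8B EC 83 EC 10 E8 12 34 00 00 8B 45 FC C9 C3") + b"\xcc" * 48
XOR_KEY = 0x5A
PACKED_BODY = bytes(b ^ XOR_KEY for b in TROJAN_CODE)              # toy "packing": one-byte XOR

PACKED_CODE_OFFSET = len(HEADER) + len(STUB)
PACKED_CODE_SIZE = len(PACKED_BODY)
RESOURCE_OFFSET = PACKED_CODE_OFFSET + PACKED_CODE_SIZE
RESOURCE_SIZE = len(RESOURCES)

# Code-based signature over the decrypted body; the call displacement is wildcarded.
CODE_SIG = compile_signature("55 8B EC 83 EC 10 E8 ?? ?? ?? ?? 8B 45 FC C9 C3")


def build_packed_file(overlay: bytes = b"") -> bytes:
    """On-disk layout: header | stub | packed body | resources | optional overlay."""
    return HEADER + STUB + PACKED_BODY + RESOURCES + overlay


def build_memory_image() -> bytes:
    """What the process looks like after the stub has run: the body is decrypted."""
    return HEADER + STUB + TROJAN_CODE + RESOURCES


def code_signature_hits(image: bytes) -> bool:
    return CODE_SIG.search(image) is not None


def region_checksum(image: bytes, offset: int, size: int) -> str:
    """SHA-256 over one region only, so bytes outside it do not affect the result."""
    return hashlib.sha256(image[offset:offset + size]).hexdigest()


def whole_file_checksum(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def compare_methods() -> dict:
    """Which method still identifies the sample on disk, in memory, and after an overlay?"""
    on_disk = build_packed_file()
    in_memory = build_memory_image()
    with_overlay = build_packed_file(overlay=b"\x00" * 16)
    ref_packed = region_checksum(on_disk, PACKED_CODE_OFFSET, PACKED_CODE_SIZE)
    ref_res = region_checksum(on_disk, RESOURCE_OFFSET, RESOURCE_SIZE)
    ref_whole = whole_file_checksum(on_disk)
    return {
        "code_sig_on_disk": code_signature_hits(on_disk),          # only the stub is plain code
        "code_sig_in_memory": code_signature_hits(in_memory),      # decrypted body is visible
        "packed_region_checksum_after_overlay":
            region_checksum(with_overlay, PACKED_CODE_OFFSET, PACKED_CODE_SIZE) == ref_packed,
        "resource_checksum_after_overlay":
            region_checksum(with_overlay, RESOURCE_OFFSET, RESOURCE_SIZE) == ref_res,
        "whole_file_checksum_after_overlay": whole_file_checksum(with_overlay) == ref_whole,
    }


if __name__ == "__main__":
    for method, verdict in compare_methods().items():
        print(f"{method:40s} {verdict}")
```

    The run shows Andreas' point and noname5's point in one table: the code signature misses the file on disk (only the XOR stub is in the clear) but hits the memory image, while the two region-scoped checksums survive the appended overlay that changes the whole-file hash. In a real engine the region offsets come from the PE section table rather than from constants, but the scoping decision is the same.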
     
  20. Andreas Haak

    Andreas Haak Guest

    >Agreed. I have already planned to patch a loop (using CPU time) into a UPX packed sample in order to test
    >ewido's and TDS-4's emulation.

    Would be interesting :).

    >I believe there are almost no unpacked trojans. Only stupid testers may require a2 to have signatures for
    >unpacked trojans.

    But if I add the a² emulator or some other kind of unpacking I don't have to add new signatures ;).

    >If possible, the checksum should not cover the entire file because this will make it easier to patch a trojan.
    >In many cases it will suffice to take a signature from the resource section (see Armadillo). If this is not
    >possible, however, you can still use a big fingerprint.

    As I said: "In this cases a² will use a checksum over the packed code as done in the current version."

    Signatures caught from the resources are sometimes useful. Maybe as a fall back method. We will see.
     
  21. tobias

    tobias Registered Member

    Joined:
    Dec 14, 2003
    Posts:
    5
    no, they don't stand still.... they emulate the loop and after that they can successfully unpack the file. The only disadvantage is the cost of time...

    to fool a heuristic is harder than to fool a simple signature of the entrypoint!

    compare these two "disadvantages" to static unpacking:
    if I add loops to the unpack stub, the signature of the entry point changes and the static unpacker has NO CHANCE to unpack the file.... an emulation has the chance! It only takes time...


    only one word ;) -> polymorphic crypter.....
     
  22. noname5

    noname5 Guest

    @blablabla

    1.
    "only one word -> polymorphic crypter....." Actually, two words. "Morphine" would be one ;-)

    2.
    Can you estimate the ratio between CPU (real) speed and emulation speed? (For example, a ratio of 10:1 would mean that a 1-minute loop would take the ewido emu 10 minutes to process.)

    @Seltsam

    I can understand that you want to complete the file scanning engine first. It's probably a matter of having unfinished business or not.

    A working mem scanner, however, would be a real "added value" which could be combined with the multitude of file scanners which are already on the market.
     
  23. Andreas Haak

    Andreas Haak Guest

    >no, they don't stand still.... they emulate the loop and after that they can successfully unpack the file. The
    >only disadvantage is the cost of time...

    And the fact that some emulations will stop emulation after a certain number of steps (don't know if this is the case in ess ... ).

    >to fool a heuristic is harder than to fool a simple signature of the entrypoint!

    Right :). But I did not defend static unpacking cause in fact static unpacking is way more stupid than generic unpacking using an emulator *fg*. But well ... In my opinion unpacking in general (no matter if generic or static) is an ungrateful venture :).

    >only one word ;) -> polymorphic crypter.....

    Well ... poly plugin :).
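    tobias (post 21) says an emulator does get through an entry-point loop, it just costs time, and Andreas (post 23) adds that some emulators give up after a fixed number of steps. The Python below is an added example for this thread, not ewido's, a²'s or any real emulator: a toy register machine runs a constructed "unpacker" whose entry point spins a do-nothing loop before decoding its payload, under a step budget. The point on the scanner side is what to do when the budget runs out: the example reports "inconclusive" rather than "clean", so a stalled emulation is never silently treated as a negative result. The instruction set, payload, XOR key and signature are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Machine:
    mem: bytearray
    regs: dict = field(default_factory=lambda: {"ecx": 0})
    pc: int = 0
    steps: int = 0


def emulate(program: list, mem: bytes, budget: int):
    """Run the toy program until HALT, a fault, or `budget` executed instructions.

    Returns (status, machine) with status one of "halted", "fault", "budget_exhausted".
    """
    m = Machine(mem=bytearray(mem))
    while m.steps < budget:
        if not 0 <= m.pc < len(program):
            return "fault", m
        op, *args = program[m.pc]
        m.steps += 1
        if op == "mov":                      # mov reg, imm
            m.regs[args[0]] = args[1]
            m.pc += 1
        elif op == "dec":                    # dec reg
            m.regs[args[0]] -= 1
            m.pc += 1
        elif op == "jnz":                    # jnz reg, target
            m.pc = args[1] if m.regs[args[0]] != 0 else m.pc + 1
        elif op == "xor_mem":                # xor_mem start, end, key: the "unpacking" step
            start, end, key = args
            for i in range(start, end):
                m.mem[i] ^= key
            m.pc += 1
        elif op == "halt":
            return "halted", m
        else:
            raise ValueError(f"unknown op {op!r}")
    return "budget_exhausted", m


# Constructed payload: plain text stands in for the code a signature would target.
XOR_KEY = 0x5A
PLAIN_PAYLOAD = b"EXAMPLE-PAYLOAD"
ENCODED_PAYLOAD = bytes(b ^ XOR_KEY for b in PLAIN_PAYLOAD)
CODE_SIGNATURE = b"PAYLOAD"                  # hypothetical signature over the decoded body


def stalling_unpacker(iterations: int) -> list:
    """Entry-point loop that does no useful work, followed by the real decode step."""
    return [
        ("mov", "ecx", iterations),                     # 0
        ("dec", "ecx"),                                 # 1  loop body
        ("jnz", "ecx", 1),                              # 2  back to 1 until ecx == 0
        ("xor_mem", 0, len(ENCODED_PAYLOAD), XOR_KEY),  # 3  decode the payload in place
        ("halt",),                                      # 4
    ]


def scan(iterations: int, budget: int) -> str:
    """Scanner verdict. Budget exhaustion is reported as inconclusive, never as clean."""
    status, m = emulate(stalling_unpacker(iterations), ENCODED_PAYLOAD, budget)
    if status == "halted":
        return "detected" if CODE_SIGNATURE in bytes(m.mem) else "clean"
    return "inconclusive"


def steps_to_unpack(iterations: int) -> int:
    """Instructions the emulator must execute before the decode step completes (-1 if never)."""
    status, m = emulate(stalling_unpacker(iterations), ENCODED_PAYLOAD, budget=10**9)
    return m.steps if status == "halted" else -1


if __name__ == "__main__":
    print("100 iterations, budget 1000:     ", scan(100, 1_000))
    print("100000 iterations, budget 10000: ", scan(100_000, 10_000))
    print("steps needed for 100 iterations: ", steps_to_unpack(100))
```

    Each loop iteration costs two emulated instructions here (dec and jnz), so the cost of reaching the decode step grows linearly with the iteration count while the file itself does not change size at all; that asymmetry is why a step budget exists, and why the budget-exhausted branch needs its own verdict instead of falling through to "clean".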
     
  24. Andreas Haak

    Andreas Haak Guest

    >I can understand that you want to complete the file scanning engine first. It's probably a matter of having
    >unfinished business or not.

    I want to complete the new SCAN ENGINE first. Not the file scan engine.
     
  25. controler

    controler Guest

    Anybody know why the A 2 forum is down?

    controler
     