Please teach me about scanners

Good Static unpacker = KAV, Bitdefender?

Good Emulation = Ewido , VBA32?

Good heuristics = NOD32 (anymore?)

Good behaviour blocker = A2 squared IDS/ Panda Truprevent?

Questions

1) What is the difference if any between 'Emulation' and generic unpackering? Are there other ways to do generic unpacking other than through emulation?

2)

This means detecting malware, without 'really' unpacking ?


3) What is the difference between heuristics and behaviour blocker. Also Would behaviour blocking involve emulation as well?

4) If I have a 'real memory scanner' why should I worry about whether the scanner can do generic unpacking or static unpacking? Won't the memory scanner pick it up when i try to run it ?

I apolgise if my questions are so basic, I'm a newbie at this, so I crave your words of wisdom.

Regards
Pollmaster

 

It may not answer all your questions, but Technodrome's tour de force is a good starting point

 

Blackcat

I read this already thank you. That's where I learnt all these buzz words like "emulation", true "memory scanner". I also heard of active versus passive emulation already.

You are a AV expert, can you help me?

 

1)Consider the difference between emulation and generic unpacking similar to the difference between heuristics and generic signatures

2)No. It means that the NOD heuristic engine has a built-in generic unpacker

3)A behaviour blocker is like a firewall, that is, it will only alert you once the suspicious program executes itself.

On the other hand, heuristics can also detect suspicious files via the general on-demand/real-time scans.

As far as my young brain understands, a behaviour blocker would not make use of emulation, but heuristics might emulate.

4)Unpackers are not so important if there is a real memory scanner because the scanner would catch the malware running in memory.

 

Darn, lots of "Cats" in the AV forum.

Thank you, that cleared things up a lot.

Obviously, I'm going to try Bitdefender 8 then.

 

That's rather a hazardous statement. When a "real memory scanner" detects the malware in memory, it's probably too late. The malware is active, running, and may have already caused the damage (including deactivation of the antivirus, for example).

 

Yep... Firecat that was a "mutal tanam" comment

 

not necessarily, think of boclean, thguard, ewido for example.
but true in the sense that no av currently has a real time memory scanner. all av's i'm aware of( with memory scanners, whether true memory scanners, or filedumpers )perform the memory scan only on demand. and then its too late

 

Do you mean Boclean, THguard, Ewido have the memory scan 'all the time'? Cool.

So basically if I go with Ewido that has a true memory scanner and generic packers, I should supplement it with a AV that uses lots of static packers like KAV,bitdefender?

 

Honestly, I cannot imagine any other way of doing it. You cannot scan the memory of a process after every instruction performed (as the last instruction may just have been the one that finishes the unpacking and starts the unpacked program). Well, you could if you turned all the running applications into full emulation (or tracing), but that would slow the computer down by order of (lots of) magnitudes.
So, either you scan the file before you allow it to execute (either using packed signatures, or specific unpackers, or some kind of generic unpackers/emulators), or you let it run and scan the memory afterwards using some "real memory scanner" - but you simply risk activating the malware in the later case.

Or, maybe I just don't understand what exactly you mean by "real memory scanner"

 

I think ewido has a real memory scanner, so does trojanhunter, I don't think any AV's currently have one. With that being said, Ewido and Kav or Mcafee would make a good combination becuase of the strong definitions of either Kav/Mcafee and the memory scanner in Ewido.

I'm also a noob at this, I am learning as well.

 

I'm going for a bitdefender/Ewido combination, I hope this isn't a big mistake?

 

ewido, or any other quality anti-trojan and any quality av( mcafee is on my not wanted list... ) be it KAV, NOD, etc
thats called layered defense
its the gospel we preach here @ wilders


@gigaman ( is it you NTL?)
AFAIK most avs that "scan the memory" dump it to a file, then scan it. again AFAIK only drweb has a "real" memory scanner> it really scans the contents of memory, not a dump.. altho that can have changed, its been a while since i've been able to do any av testing.. too many infected logs ITW

 

Well i know for avast! that it can check memory directly. But you have to use avast! Quick Scanner with special commandline to trigger Thorough memory scan. It can also be triggered easy way via my avast! External Control

 

My mistake.

I'll be more specific about that statement in the future.

 

Ah so if I pick from one of say 5 AT - Ewido,Boclean,TDS-3, Trojanhunter, BOclean

and 1 from the following AV - KAV, NOD 32, Bitdefender, Norton, McAfee, Panda, F prot, Dr Web , VBA32....

I'll be safe? There's no combination that works particularly well, or works particularly bad? No combination that are great because the strength of one covers the weakness of the other. No combination that are weak because they have exactly the same weaknesses?

 

hmm that would still leave the weakest link in the chain, that sits between the chair and the screen..
also add some anti spyware( the free ones ), a firewall, a patched OS etc

all of the av's you listed have unique features, same for the at's. i cant pick a weak combination of the lot.
for example nod is able to protect agains previously unknown malware, same for panda and bd, mcafee and kav have largest bases, kav is the fastest, most frequent updater etc
luckily all have trials available so you can experiment to find the combo thats optimal for your system and habits

edited tpyos

 

Thanks illukka for pointing out the fallacy in my thinking. I was trying to keep things simple by just considering 2 variables, while keeping the rest fixed.

Which leads me to the question, how do I know I have a good combo? Or do I merely randomly pick from the ones that sound good, and if they don't all crash my computer, I'm done? Done at least until the next time my security setup fails me, and I start hunting for new stuff.

Is that what everyone does?

PS What software can I use to solve PEBKAC?

 

It's still in Beta....but CommonSense ver 1 looks promising

 

No

This wouldn't make any difference in my opinion. I'd say the difference is the following: either the program scans the real content of the memory (call it "real" memory scanner), or it simply enumerates the list of loaded modules (EXE, DLL, ...) and scans the corresponding files on disk. The difference, obviously, is that when scanning the files on disk, they may be packed by various executable packers, wheras when scanning the real memory, they will (usually) be already unpacked.

 

i agree with Bubba
best security app is CommonSense ver 1
followed closely by Kn0wlegde 1.00

the first is more difficult to acquire, the latter can be obtained through wilders for example. for a price you wont believe

 

Emulation is a method used for detecting some polymorphic viruses and, sometimes, for unpacking. Polymorphic viruses are composed of :
- a small decryptor, that should alwas be different in two different samples of the virus.
- an encrypted portion of code, that performs all the virus tasks (including the creation of mutated decrypors).

When the virus is launched, the execution is passed to the decryptor and the virus code is decrypted in memory. The decryptor then transfers the execution to the begining of this newly decrypted code.

Emulating through the decryptor is a way to let the virus decrypt its own code while keeping the code execution in a secure environnment (the instructions are not executed on the real CPU).

Runtime packed executables are also composed of two parts, the unpacker and the packed code. When the program is launched, the "unpacker" code is executed first and the execution is then transfered to the beginning of the newly unpacked code.

Generic unpacking consists in :
1/ emulating the "unpacker" part of the executable
2/ detecting when the execution is transfered to the original code
3/ launching a signature scan on the resulting piece of code

There are other methods for doing generic unpacking (all are based on the same principle : let the program unpack itself):
- Single-stepping. This method consists in letting the program execute itself on the real CPU one instruction at a time, which allows to test, between two instructions of the program, if the execution has been transfered to the original code. This is technique uses techniques employed by the debuggers. However, there are two major problems with this method : it's awfully slow and it is not safe (the execution could run out of control). It is therefore not used in antiviruses. You can find the source code of such a generic unpacker here : http://wave.prohosting.com/mackt/projects/guw/guw32b8.zip
However, remember that it must not be used to unpack malware (moreover, I think that it will not work under XP)

- Dynamic translation. Instead of emulating all the instruction, it is possible to rewrite the instructions in such a way that they will not interact directlty with your OS and to run these "translated" instructions on the real CPU afterwards. "Translating" an instruction is not significantly faster than emulating it. The main advantage is that each instruction is translated only once, whereas some instructions would have been emulated several time during the execution of the program (every time a routine is called/for every iterations of a loop). As a result, dynamic translation can be much faster than emulation. I must say that I did not understand yet how it can proceed safely with self-modifying code. Which is the heart of the problem. This topic will be adressed during the next Virus Bulletin conference : http://www.virusbtn.com/conference/vb2005/abstracts/Adrian_StepanTechWeds1700.xml

- There are several "more or less generic" simple methods that can be used when manually unpacking samples (e.g. breaking into some windows API that are almost always called when a program has been created with some compilers), but these method are not secure and they let the code run on the real CPU and interact with the OS. They cannot be used by antiviruses, or should be coupled with emulation, etc...

NOD's heuristic engine uses emulation and/or dynamic translation in order to safely observe the execution flow (which windows API functions are called, etc.) It would be better to say that NOD's heuristic and generic unpacking engines both use the same emulation/translation primitives.

Behaviour blockers let the code run normally on the CPU. They put some filters between the OS functions and the calling programs. When some of these functions are called (i.e. when creating a registry key, writing to a file, etc...) with parameters that look suspicioous (the registry key will allow a program to run at next boot, the file is an executable file), the behaviour blocker raises a warning and stops the execution of the program.

However, some heuristic engines observe the behavior of the program under emulation, and especially which APIs are called, with which parameters, to decide whether the executable should be classified as a malware. This is for example the method used by Norman's Sandbox : http://sandbox.norman.no/pdf/03_sandbox whitepaper.pdf
In this case, the OS "reactions" also have to be emulated, which makes the problem more difficult.

As stated by others, the risk is that the scanner may scan the memory before the malware is unpacked (bringing no improvement compared with a file scanner) or after it has been (partly) executed (and may therefore have already performed some malcicious activities). Notice also that during execution of the unpacked samples, some zones of the memory containing the code will be modified, which means that a signature used for this kind of scans should be chosen with care.