Anti-Virus Capabilities

Discussion in 'other anti-virus software' started by xion_more, Jun 23, 2009.

Thread Status:
Not open for further replies.
  1. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Hi,
    I have been investigating AV products for quite some time. I have also been investigating some other anti-virus products like XYZ (I can't mention a specific name for security reasons). I figured out some basic methodologies used by anti-virus products, which are as follows:
    1. Signature-based scanning.
    2. Algorithmic detection (which mainly covers some variants).
    3. General-purpose monitors.
    4. Access control shells.
    5. Heuristic binary analysis.

    Please correct me if I missed anything.

    I was comparing (commercial) anti-virus products. I have been able to find some false positives in some other commercial anti-virus
    products.
    For example, I successfully modified a target Win x86 binary to generate a false positive in an anti-virus and then framed a comparative study of scanning techniques.
    The results say that on a respective binary some other commercial anti-virus products give a false positive while scanning that binary.
    That binary is nothing but false sections embedded into it and just compressed with the UPX packer.
    But some AV products' response was far more appreciable than others.

    So, my focus turned to the PE header and the PE-executable scanning API. After a short investigation of the behaviour of AVs I figured out there can be some more advancement of those APIs for scanning infection inside the Win PE executable file.
    I believe there are some other techniques for infecting Win PE executables which are not considered while writing the AV. [Please reply with some sort of technical idea regarding this. If I am wrong, point out the areas for which those two APIs are working correctly and their corresponding limitations.]

    For example,
    A PE file can be infected in various ways, which are as follows:
    1. No. of sections more than 100 and embedded code inside it.
    2. Adding a new object to the object table and pointing the entry point RVA to this new object.
    3. Modifying raw data by increasing a few bytes, etc.
    [Please point out other methods or mistakes I made regarding PE infection.]

    All the above techniques can be used for exploiting or bypassing anti-virus or for triggering false positives from AV.
    My point is: what sort of techniques are incorporated in AV for handling such techniques? I may not be able to point out all methods of PE infection, but some others could be like packing virus code inside an executable which may be packed with other packers [point it out if I am wrong].
    I am pretty sure about the areas of polymorphic and metamorphic viruses which are not fully covered by AV.

    Virus code can be packed with the following known packers:
    1. UPX
    2. FSG
    3. Petite
    4. Crinkler
    5. Win32
    6. WWPack32
    7. ASPACK
    8. ASPR
    9. MEW
    10. MPRESS
    11. PKLite32
    12. Shrinker32
    13. Upack
    14. PESpin, etc.
    [Please report to me if others exist.]

    I have no idea what the AV support for such packers is. All I know is that AVs generally support the UPX and MEW packers.
    My point is, what are the measures taken by AV products for handling such huge packer facilities, and what are the general measures AV products have taken for
    upcoming packers? Is there any generic rule for alerting the user when a packer is unknown? I guess it does exist, but how will the AV confirm the non-existence of viral code inside it?
    [Please reply with full technical points regarding each issue.]

    I may not have covered the complete virus infection issue, but as far as I could, I pointed out pretty much.
    I need a helpful reply on this matter.

    Thanks.
    [Please reply covering each issue; if not, please make a point regarding each issue. I urge developers of AV to take this discussion as healthy and appreciable.]
    [For non-AV users, reply with some sort of proof if available, or just make a point in brief, or point to other discussions which are applicable to my views.]
     
  2. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Dr.Web introduced the "fly-code" technology in v5 which allows scanning of files that are packed with unknown packers.
     
  3. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Thanks for the reply. I will try that software and report back to you. But that is not the only problem; PE infection could be triggered in different ways.
    For instance, suppose the number of sections inside the PE file is greater than 100. Most anti-virus software won't even suspect those kinds of files; I know some of them very well but I couldn't name them.

    My point is, even if the anti-virus software had a very good mechanism for searching for viral code inside the executable file, what if a file parameter like the number of sections crosses the boundary of the maximum number? It might have viral code inside those sections. Is there any standard which defines the parameter barrier for executable format files?
     
  4. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    I am not sure what you're trying to ask. I assume you're wondering which AVs just detect packers instead of viruses, and which ones decompile packers and then search for viruses. Here is a test of which AVs actually break down packers before assuming they're viruses: http://malwaretestlab.com/more.aspx?entry=23 Results on page 13. Kaspersky and Bitdefender engines support the most packers.

    Some AVs have emulators which open the file in a virtual environment before launching it, so it unpacks itself and is then scanned.
    I am sure most AVs could unpack and unpack again if the developer wanted them to, but most don't, so they can improve speed instead of protection.
     
    Last edited: Jun 23, 2009
  5. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Oh, Kaspersky! I got it. I asked some of my queries in their forum and the result was they deleted my query, saying that it's a technical query and they won't answer that.
    I don't know about Bitdefender yet. I will test that stuff.
    Kaspersky doesn't even talk about their engine's workings or their algorithms. There are lots of barriers. That's another story.

    All I want is to investigate the capability of general AV software; if you have any problem in understanding my point, ask me back.

    I'm making those sorts of technical points because I want to know the complexity of binaries and the limitations by which they are implemented, and how well anti-virus software is able to solve those problems related to those binaries.

    Some people believe that we are working on computers which are a very small part of that machine which was imagined by a great mathematician.
    If I remember, they wanted to build a "POLY UNSATURATED 100% NATURAL COMPUTER". If that was the case I just want to survey how well we got that stuff and how far... [Really, I mean this]

    Thanks
     
  6. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Well, if you're talking about how the AV engine works with each file then you won't get an answer. But if you're talking about the methods the engine uses to detect viruses, like heur/sig/emu, then the forum mods for each product might be able to list all of them.
     
  7. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    [**I think you read this**]

    Thanks
     
    Last edited: Jun 24, 2009
  8. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Hi,
    When infecting Windows executables there are a number of possible ways of infecting. Here is a list of some possible ways:
    1. Use slack space inside the code section of the target executable.
    2. Expand the last section of the section table.
    3. Add a totally new section to the section table.
    [Please specify if other known methods exist or if I missed something.]

    As I previously posted, there are possible ways of infecting the target executable. Somebody can point out some new methods...

    Thanks
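
The PE infection patterns raised in the first post and in the list just above (a section count beyond what the loader accepts, an entry point redirected into a newly added or expanded last section, raw sizes that no longer match the file) are header inconsistencies a scanner can flag before it ever looks for a signature. The following is an added example, not code from this thread or from any AV product: it parses the PE headers using the standard layout (the 96-section limit is the Windows loader limit stated in the PE/COFF specification), and runs the checks over constructed sample images built in the same script; the sample names and layouts are made up for the demonstration.

```python
import struct
LOADER_SECTION_LIMIT = 96  # the Windows loader rejects images with more sections than this (PE/COFF spec)

def parse_pe(data):
    """Return (section count, entry point RVA, section list) from a PE image; ValueError if not a PE."""
    nt = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1  # e_lfanew
    if nt < 0 or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, nt + 4)  # COFF file header
    entry_rva = struct.unpack_from("<I", data, nt + 40)[0]  # AddressOfEntryPoint, optional header + 16
    tbl, sections = nt + 24 + opt_size, []  # the section table follows the optional header
    for i in range(nsec):
        n, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, tbl + 40 * i)
        sections.append(dict(name=n.rstrip(b"\0").decode("latin-1"), va=va,
                             size=max(vs, rs), raw_end=rp + rs, chars=ch))
    return nsec, entry_rva, sections

def triage(data):
    """Header findings that make the image look tampered with (empty list = nothing flagged)."""
    findings = []
    nsec, entry, sections = parse_pe(data)
    if nsec > LOADER_SECTION_LIMIT:
        findings.append(f"{nsec} sections exceeds the loader limit of {LOADER_SECTION_LIMIT}")
    home = [i for i, s in enumerate(sections) if s["va"] <= entry < s["va"] + s["size"]]
    if not home:
        findings.append("entry point lies outside every section")
    else:
        i, s = home[0], sections[home[0]]
        if not s["chars"] & 0x20000000:  # IMAGE_SCN_MEM_EXECUTE
            findings.append(f"entry point in non-executable section {s['name']}")
        if nsec > 1 and i == nsec - 1:
            findings.append(f"entry point in last section {s['name']} (appended-section pattern)")
    findings += [f"{s['name']} raw data runs past end of file" for s in sections if s["raw_end"] > len(data)]
    return findings

def build_pe(section_specs, entry_rva):
    # Constructed minimal PE32 image for exercising the checks (headers plus filler, not a runnable program).
    nsec, opt_size = len(section_specs), 224
    hdr_len = (0x40 + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF  # file-align headers to 0x200
    table, raw, va, ptr = b"", b"", 0x1000, hdr_len
    for name, executable in section_specs:  # each section: 0x200 bytes of int3 filler
        chars = 0x60000020 if executable else 0xC0000040  # CODE|EXECUTE|READ vs DATA|READ|WRITE
        table += struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, chars)
        raw, va, ptr = raw + b"\xCC" * 0x200, va + 0x1000, ptr + 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return (dos + coff + opt + table).ljust(hdr_len, b"\0") + raw

# Constructed samples: clean layout; a new executable section appended and made the entry point; 100 sections
CLEAN = build_pe([(b".text", True), (b".data", False)], 0x1000)
APPENDED = build_pe([(b".text", True), (b".data", False), (b".new", True)], 0x3000)
MANY = build_pe([(b".s%02d" % i, True) for i in range(100)], 0x1000)
RESULTS = {k: triage(v) for k, v in [("clean", CLEAN), ("appended", APPENDED), ("many", MANY)]}
print(RESULTS)
```

A real scanner would treat these as reasons to look harder (unpack, emulate, inspect the entry section) rather than as a verdict, since legitimate packers produce some of the same shapes.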
     
  9. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Did you test Dr.Web?
     
  10. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Hi,
    About Dr.Web, I am on my way. I need minimal tests to be executed with the others, then there is a list of tests from which I expect good results from Dr.Web. I need some more time...

    Thanks
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I think KL or any other AV vendor doesn't talk openly about how their engines work, for obvious reasons: they don't want malware authors to know too much about their methodology for detecting their creations.
     
  12. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    [Professionally I don't want to reply to your comments because this is not a discussion for resolving what malware or virus authors will do after knowing that.]

    I will explain my point by giving an example.
    Imagine open source code didn't exist; we would keep on getting lots of attacks on Windows because it's closed source. What would be the effect of all this fighting? Do you think you can stop malware or virus writers from writing this attack code? Is that so? Really funny. If that were the case, neither PaX security nor the Linux operating system would be open.

    Take this as a compliment: we are stopping open source research just because somebody, after seeing the code, will attack you violently.
    Exploitation and attacks won't stop no matter what closed-source anti-virus or malware detection system is being built.

    So, saying this won't be enough to stop open research.
    [Note: 100% security is not possible; it's a halting problem, mathematically proven. I don't consider this a healthy discussion. I posted my topic to investigate how well anti-virus is being written and how far we can go with this, not to solve the personal bias / social affectionate problems of individuals.]

    Thanks
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    How about looking at how ClamAV works?
     
  14. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    ClamAV, oh!
    I'm much impressed by that product, but the only problem is that the developers are not replying to me.
    I investigated much of it. I successfully fooled that anti-virus using very small techniques. But after all, the work inside ClamAV is very visible. I mean, we can make recommendations to the anti-virus company if we find some flaw or false positive.
    My next target is to compare the working elements of ClamAV and Dr.Web anti-virus. Some people suggest it would be a good point regarding this.

    After all the algorithms and heuristics incorporated inside ClamAV, I appreciate that work.

    I believe in future I will keep looking around those anti-viruses which provide good research and value of work.
    These sorts of anti-virus really can invent new sorts of detection mechanisms. As far as my point, ClamAV is nascent, but on the virus list I have it is doing well.
    What do you think?

    Thanks
     
  15. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    ClamAV uses a variation of the Aho-Corasick pattern-matching algorithm [1], which is well suited for applications that match a large number of patterns against input text. The algorithm operates in two steps: (1) a pattern-matching finite state machine is constructed, and (2) the text string is used as the input to the automaton.
    Not only this, ClamAV incorporates the "trie" implementation, which is very much stable around the job. I'm still testing that implementation; up till now I don't get any success against ClamAV. Their balancing trick is really good and the hash is working fine.

    But my part of the work will only count if I am able to find some improvement around these sorts of good anti-viruses.
    I heard about crypto-virology; this art of work will count in the development of anti-virus products, but due to lack of resources and knowledge I couldn't make those tests yet.
    But I'm pretty sure that if I get around some good known polymorphic virus or variant, I can give some sort of code or API for improving these sorts of anti-virus.

    Thanks
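
The two-step scheme described in this post (build the automaton from the signature set once, then feed the file through it in a single pass) is easiest to see in a small implementation. This is an added example, not ClamAV's code: a byte-level Aho-Corasick matcher with failure links, run over constructed test patterns and a constructed input in which the patterns overlap; the pattern names and byte sequences are made up for the demonstration and are not real signatures.

```python
from collections import deque

class AhoCorasick:
    """Multi-pattern byte matcher: build the automaton once, then scan any input in one pass."""

    def __init__(self, patterns):
        # patterns: {name: bytes}. goto[node] maps a byte to the child node, fail[node] is the
        # failure link, out[node] lists the pattern names that end at this node or at a suffix of it.
        self.length = {name: len(pat) for name, pat in patterns.items()}
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for name, pat in patterns.items():  # step 1a: insert every pattern into the trie
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = self.goto[node][b]
            self.out[node].append(name)
        # step 1b: a breadth-first pass computes each node's failure link, i.e. the longest proper
        # suffix of its path that is itself a trie prefix, and merges that node's outputs into it.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                self.out[child] += self.out[self.fail[child]]
                queue.append(child)

    def scan(self, data):
        """Step 2: feed data through the automaton; return (start_offset, name) for every hit."""
        hits, node = [], 0
        for i, b in enumerate(data):
            while node and b not in self.goto[node]:  # no transition: fall back along failure links
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits += [(i + 1 - self.length[name], name) for name in self.out[node]]
        return hits

# Constructed test patterns (made up for this example, not real AV signatures): b overlaps the tail of a
# and c is the last byte of a, so the failure links are what let all three surface in a single pass.
SIGS = {"test.a": bytes.fromhex("deadbeef"), "test.b": bytes.fromhex("beefcafe"), "test.c": bytes.fromhex("ef")}
SAMPLE = bytes.fromhex("00deadbeefcafe00")  # constructed input

def scan_sample():
    return sorted(AhoCorasick(SIGS).scan(SAMPLE))

if __name__ == "__main__":
    print(scan_sample())  # [(1, 'test.a'), (3, 'test.b'), (4, 'test.c')]
```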
     
  16. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Dr.Web anti-virus:
    Well, after testing this anti-virus I figured out this work is newborn.
    Apart from the results of this anti-virus, I don't have any idea of the internal working
    elements of Dr.Web. But in my test case, Dr.Web did work well, but it fails to return good results.
    For instance,
    Take a Win binary file and I try to add a new section. The result is a simple minimalist infected binary with my infection code.
    Other anti-viruses report the infection well, but Dr.Web failed.
    I don't know much of why this happens, but my test includes lots of other sorts of infection.

    If anyone can explain this specific behaviour of Dr.Web to me, it will be very helpful.

    Thanks
     
  17. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Is your newly created file working/capable of actually doing anything? Or is the result a corrupted file that contains your malicious code? It is of course possible that it will completely miss your infected code (this could be the case with any AV), but if you are trying to test the flexibility of an AV engine, I think you should test with a piece of code that is actually detected. Then try to hide it from the scanner.
     
  18. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Thanks for replying.
    But the thing is, my infected file can be easily detected by AVG anti-virus. Now I don't know where you messed up. But if you clarify the working of general anti-virus and virus, it would be helpful to understand the challenge and working behaviour of other anti-viruses.

    Thanks
     
  19. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    xion, so Clam, being an FSA, actually creates another FSA for scanning?

    I'm a Clam fan myself.

    Dave
     
  20. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Yeah! Right, I agree with this.
    But the only problem is that ClamAV developers are not discussing the design and techniques for further improvement.
    Well, I'm still trying.

    Thanks
    [I notice that nobody has yet replied to me after reading the first head of my post. Nobody is talking about binary infection and better techniques to fool around anti-virus and then advising to stop this kind of technique.
    I really wonder.]
     
  21. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Xion, I think that you are trying to discuss something that's "classified" for AV developers ;)
     
  22. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Oh, classified! Well then, why doesn't everything get a classified tag on its head?
    If everyone thought like that then the Linux kernel would never have gotten started.

    So, take a suggestion: there is no "CLASSIFIED" in the developers' world; it only exists inside their minds.

    Have fun with the mind game.

    Thanks
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    They run a business and made a choice... you can disagree with their choice but can't oblige them to do as you want... :)

    Fax
     
  24. xion_more

    xion_more Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    23
    Well! My choice is to promote anti-viral research and development rather than putting barriers on my work.

    One more thing: there is lots of CLASSIFIED info about anti-viral code in Donald Knuth's papers. If that were the case then Knuth wouldn't have done that.

    [Remark: My discussion topic is not for solving any business/social personal views. This is not for the social writer's blog or whatever. So please talk technically rather than personally.]

    Thanks.
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    No, nothing to do with social issues. You ask for information that companies may not want to disclose regardless of your research aims.
    It is very simple and you have to respect their choice as everybody here respects yours :)

    Fax
     