deal with obfuscation technology

Discussion in 'ESET NOD32 Antivirus' started by viruscraft, Mar 12, 2008.

Thread Status:
Not open for further replies.
  1. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Today, more and more virus writers have begun to use obfuscation technology such as packing, encrypting or polymorphism in order to escape detection by anti-virus software.

    And more and more viruses are designed to target the specific anti-virus software that is most widely used.

    As the security expert said, the reason the major anti-virus software such as NORTON does not achieve the best detection rate is mainly the increased sophistication of malware authors, who have developed a wide range of approaches to minimizing the susceptibility of their product to heuristic detection, and who test the effectiveness of these approaches against suitably updated and configured scanners.

    When NOD32 has more and more users, ESET will face those issues.

    As a matter of fact, a lot of viruses have been designed to work against the advanced heuristics of NOD32 by using obfuscation technology. For example, some packers are used to obfuscate code against emulation technology.

    IMO, there are two solutions. One is to use multiple engines; the other is to update quickly.

    How will ESET solve these issues?
     
  2. Don johnson

    Don johnson Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    77
    As far as I know, ESET uses a different approach to detect them (e.g. Win32/Obfuscated, Win32/Genetik, Win32/Agent).
     
  3. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
  4. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Thanks mate, I have read it before.

    But usually the development of an advanced heuristic engine is much slower than the evolution of viruses. There is still a "window" left.
     
  5. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    I believe that viruses are and will remain one step ahead of all AV programs, even ahead of HIPS... simply because you first create the problem and then find the solution. The imagination of the creators is wild....
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Stunning inexperience and lack of knowledge. Show me the virus that bypasses ProcessGuard, please, even though it hasn't been updated since 2003.
     
  7. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    Process Guard is useless for inexperienced users; in fact it provides protection only if you know what you are blocking. DiamondCS recommends it for advanced users, as you can see here: http://www.diamondcs.com.au/processguard/download.php Besides that, many users had major problems during uninstallation, with system failures, and some even disable it during installation of new programs that are supposed to be considered safe...

    For your info, the latest v3.410 is from 10/2006.... http://www.softpedia.com/get/Security/Security-Related/Process-Guard.shtml
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That wasn't the question. You said viruses were ahead of HIPS, so I'm just asking for the evidence to that statement, or the basis for that opinion.
     
  9. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Indeed, there are a few malware samples, mostly using rootkit technology, which can escape being blocked by HIPS.
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And which ones exactly are those, and how do they "escape" from being blocked by a HIPS?

    Any specifics, instead of just obscure mumbo-jumbo?
     
  11. techie007

    techie007 Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    125
    Location:
    Ontario, Canada
    As grand as HIPS is, if it doesn't know what to look for it's not going to do anything about it.

    So in the future I'm sure someone will create a new malware that looks and acts like something most current HIPS think is acceptable and it'll walk right through it. At least until someone gets infected, figures it out and then the HIPS are updated with new detection routines/rules.

    It's a response-based cycle:

    Someone invents a new threat that no one else had thought of, so nothing can stop it; someone figures it out and creates a defence; repeat.

    If we think ANY single form of security is a magic bullet and will proactively protect against ALL unknown future threats, we'd be living in a fantasy land, whether Viruscraft or Dr Pan K can name specifics or not. How can one name something that hasn't been discovered yet?

    People are inventive, and able to think outside of the box; computers aren't and can't.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    ESET has a generic unpacker and an emulator designed to deal with packed/crypted stuff. That said, it's relatively easy for malware writers to add garbage code in order to stall the emulator or make the emulation so slow that the AV engine decides to abort the unpacking at some point.
    Neither generic unpacking nor static unpacking can be considered "bullet-proof" against the tools/techniques available to malware writers (antidebuggers, antiemulation, garbage code, detection of VMs, custom packers, patched cryptors, hand-written packers, poly engines, etc.).
    IMO, it's nothing short of a miracle that AVs manage to have some proactive and variant detection with the odds against them.
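The post above describes an emulator that unpacks a sample before scanning it and gives up once emulation takes too long. The following toy engine is an added illustration for this thread; it is not ESET's code and not from any poster. Everything in it is constructed: the instruction set, the `SIGNATURE` bytes, the `emulate`/`scan`/`make_packed_sample` functions and the step budget. It runs a small XOR decryption stub under an instruction budget, signature-matches the unpacked buffer, and shows the failure mode from the post: a do-nothing loop placed before the real stub exhausts the budget, and the engine then has no unpacked buffer to inspect. The defender's point it makes is that such an abort is a distinct outcome that must be surfaced as "unknown", never folded into a "clean" verdict.

```python
# Added illustration (not ESET's code, not from this thread): a toy
# emulator with an instruction budget used to generically unpack a
# constructed sample before signature matching.
from dataclasses import dataclass

# Toy machine: a byte buffer, a pointer `ptr`, a counter `cnt`, and a
# program of tuples. Instruction set (constructed for this example):
#   ("xor", k)      buf[ptr] ^= k
#   ("inc",)        ptr += 1
#   ("jlt", n, t)   if ptr < n: jump to instruction t
#   ("setc", n)     cnt = n
#   ("decjnz", t)   cnt -= 1; if cnt != 0: jump to instruction t
#   ("nop",)        do nothing (stands in for the "garbage code")
#   ("halt",)       stop

SIGNATURE = b"EVIL-PAYLOAD"  # constructed signature, not a real one


@dataclass
class Verdict:
    status: str  # "detected", "clean" or "aborted"
    steps: int   # instructions executed before the verdict


def emulate(program, data, step_budget):
    """Run `program` over a copy of `data`. Returns (buffer, steps), or
    (None, steps) if the step budget runs out before the program halts."""
    buf = bytearray(data)
    pc = ptr = cnt = steps = 0
    while pc < len(program):
        if steps >= step_budget:
            return None, steps  # budget exhausted: give up on unpacking
        op = program[pc]
        steps += 1
        if op[0] == "xor":
            buf[ptr] ^= op[1]
            pc += 1
        elif op[0] == "inc":
            ptr += 1
            pc += 1
        elif op[0] == "jlt":
            pc = op[2] if ptr < op[1] else pc + 1
        elif op[0] == "setc":
            cnt = op[1]
            pc += 1
        elif op[0] == "decjnz":
            cnt -= 1
            pc = op[1] if cnt != 0 else pc + 1
        elif op[0] == "nop":
            pc += 1
        elif op[0] == "halt":
            break
        else:
            raise ValueError(f"unknown opcode {op[0]!r}")
    return bytes(buf), steps


def scan(program, data, step_budget=10_000):
    """Emulate the decryption stub, then signature-match the result."""
    unpacked, steps = emulate(program, data, step_budget)
    if unpacked is None:
        # Emulation timed out, so the payload was never exposed. Report it
        # as its own outcome; downstream logic should treat it as unknown.
        return Verdict("aborted", steps)
    if SIGNATURE in unpacked:
        return Verdict("detected", steps)
    return Verdict("clean", steps)


def make_packed_sample(payload, key=0x5A, garbage_iterations=0):
    """Build a constructed 'packed' sample: an XOR-encrypted payload plus
    a decryption stub, optionally preceded by a loop that does nothing."""
    encrypted = bytes(b ^ key for b in payload)
    program = []
    if garbage_iterations:
        program += [("setc", garbage_iterations), ("nop",), ("decjnz", 1)]
    base = len(program)  # index where the real decryption loop starts
    program += [("xor", key), ("inc",), ("jlt", len(payload), base), ("halt",)]
    return program, encrypted


if __name__ == "__main__":
    prog, data = make_packed_sample(b"hello " + SIGNATURE)
    print(scan(prog, data))                         # detected after unpacking
    prog, data = make_packed_sample(b"hello " + SIGNATURE, garbage_iterations=100_000)
    print(scan(prog, data))                         # aborted: budget exhausted
    print(scan(prog, data, step_budget=1_000_000))  # detected with a larger budget
```

The three-way verdict is the design choice worth copying: raising the budget makes the stalled sample detectable again but costs scan time on every file, so a real engine caps the budget and instead feeds the "aborted" outcome into other heuristics (unusual entropy, an entry point that loops for a long time before touching its own code) rather than reporting the file clean.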
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A HIPS only needs to hook the CreateProcess call, because it's used by each and every executable (i.e. compiled code/binary files) to launch. If you grant execution permissions, that's a whole different topic.
    Execution control is the main line of defense offered by HIPS and, so far, hasn't been breached.
     
  14. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    .......quickly update, check your log files..... NOD32 updates its virus database 2-3 times a day. Is that not enough for you?
     
  15. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Yeah, I know.

    But I am in China, where the security situation is much more complex. ESET needs to put more effort into dealing with the viruses in China.
     
  16. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    IMO techie is right. It's only a matter of time before new HIPS techniques get breached by new virus techniques....

    @ viruscraft: maybe you should try some regional antivirus along with ESET. Maybe Kingsoft http://en.kingsoft.com/antivirus.htm or Rising http://www.rising-global.com/

    I suppose you know everything about them, but maybe using them along with ESAV will help.
     
  17. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    the use of 2 AVs => possible bugs or conflicts

    keep confident with NOD only ;)
     
  18. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Thank you all, mates!

    I am familiar with those two anti-virus products. But I really do not trust their quality. The regional vendors put much effort into advertisement rather than technique.

    And as piranha said, using them along with NOD32 will cause conflicts.
     
  19. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
  20. techie007

    techie007 Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    125
    Location:
    Ontario, Canada
    You make it sound like an impenetrable fortress that will do everything for us, very easily. :)

    A HIPS needs to do considerably more than hook a CreateProcess call. They respond to activity, and if it's deemed to be dangerous they stop the process before it continues. Ones that do it in virtualization or a sandbox are going to prevent any damage (whereas not doing that would only stop further damage beyond what was done originally that caused the trigger).

    The problem with what's out there now is that it needs to be trained, or tied to a network of users' training files, whitelists, blacklists etc.

    So like an outgoing firewall, and along the same lines as Windows UAC (similar to a basic HIPS, it "hooks the CreateProcess" and determines its behaviour -- specifically if the activity needs/requests to run as an admin), people who are "bugged" by those pop-ups, or don't really know what's going on, are just going to hit "go ahead" and possibly poison the training, rendering it almost useless.

    Look at good anti-spam -- OCR, pattern recognition, whitelists, blacklists, greylists, personal and networked versions of each, Bayesian filters, signatures, multi-billion dollar research companies pouring tons of money into stopping it, and they're getting maybe 80% stoppage on a good day.

    Mainly because sometimes the Boss, who hates spam, is expecting a real Pill Advertisement, and if he doesn't get it heads will roll. :)
     