False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This malware appears to use a new form of obfuscation - it is only found by one vendor on VirusTotal, but we've added protection now for it.
     
  2. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    This was on my friend's PC. He wanted to crack CS.
    So this is not a threat to me because I would not execute the file, but he is a "normal" user and now he has problems.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The file doesn't actually do anything bad - the only functional piece of it is that it will try and spread on IRC so your friend shouldn't have any problems.
     
  4. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    The following vendors catch the sample by behavior analysis:
    Bitdefender
    G-Data
    Kaspersky
    Norton (Sonar)

    The following vendors catch the sample by heuristics:
    Kaspersky

    And those are only the AV programs I tested.

    So where is Prevx's behavior analysis?
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    At no point do we claim our protection is perfect - we simply missed this sample. The products you mentioned miss many samples every day as well.
     
  6. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I never said that you claim your product is perfect. I absolutely know that no AV product is perfect.

    But I thought that this file should easily be caught by behavior analysis. And I have the slight feeling that there is nearly no behavior analysis done by Prevx. That's all I think about, because I want to know what a product I use and pay for is able to afford.
     
    Last edited: Aug 17, 2009
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is incorrect - I'm not sure how I can convince you without divulging company secrets but Prevx is entirely based on behavior, just using unique identifiers/signatures ("PX5s" as you'll see in the log) so that we can track back to individual files if they're reported as incorrect.
     
  8. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hm, ok. Let me ask some questions and you try to answer without divulging company secrets.

    1. How can your server do behavior analysis on a completely unknown file by only transmitting information to your server?
    Normally a behavior analysis should be based on special rule packets. For example, a file should be marked as bad if: it runs without a visible window, creates an autostart entry and sends e-mails.

    But if this is the case, I think a program which writes to the autorun, opens MySpace and sends itself via instant messenger should easily be caught.

    2. I have the strong feeling that Prevx is missing absolutely new files very often. If the file is seen by the cloud it reacts very, very fast! But if the threat is completely unknown I can't see protection.
    So is there an "unknown threat protection" or not?

    3. Can you give an example of what an unknown malicious file has to do to be caught by prevx?

    Thank you very much.
     
    Last edited: Aug 17, 2009
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is similar to the information which we send up - instead of trying to decide on a file locally, we make the decision centrally.

    Sometimes yes, sometimes no. This particular sample uses a different technique to interface with Messenger than most worms which is probably why it got past. We'll be updating our engines accordingly, but there isn't a function in Windows named "SpamToMSNContacts()" so malware authors try various odd techniques to do so :)

    I'd be interested in seeing what is causing you to make this assumption. It is likely that a file may not be found if it has literally never been seen before, but in that case, it would usually be caught by the Age/Popularity protection.

    I can't, as the system is extremely dynamic. A file may be caught because it shares structure with another malicious file or family of files, or it could be caught because of similarities in behavior (or by a number of other factors).

    I can't say exactly why your file wasn't caught, but I do know that we aren't seeing the MSN traffic properly for this sample and we will be updating our engines to better handle this type of behavior. Your file is also extremely new - seen by only a couple of users and seen for the absolute first time at 17:45 today (I determined it as malicious at 19:57, about 8 minutes after your report).

    It is starting to spread wider now (up to some dozen users in the span of < 3 hours) but everyone past the second user has been protected from it.
     
  10. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I understand that.

    :D Ok. I got that.


    It is just a feeling, as I said.
    And I am a user who always wants to know more or less exactly what is going on on his machine. At least I have to understand what is going on. Otherwise I am not satisfied.

    Ok, so it is more about similarity than about behavior?

    You always do, and you do your job quite well! No question about that.
    YES! :D And I am very happy about that, because it is very difficult to catch real zero-hour threats to test some antivirus programs and other defending techniques.

    Yes, because I threw it up here, or would it have been caught without my intervention?

    And why didn't my Prevx (with highest settings) stop it by age protection?


    PS: Do I have to change to "Apply after Age/Popularity detection"?

    What is safer?
     
    Last edited: Aug 17, 2009
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's about similarity, behavior, and similarity of behavior :) Generally, most threats are variants of existing threats so it's easy to tie them back. If something is absolutely brand new, it takes a bit more work to correlate - possibly requiring additional data.

    Thank you :)

    I suspect it would have been automatically caught very soon after I marked it based on the speed at which it is spreading (and the additional data we now have on the file).

    That is indeed a very good question... and one I'm not sure I can answer currently. Could you let me know how you originally got/tested the file? (i.e. did you run it from a browser or double clicking in Windows Explorer?) Age/Popularity protection doesn't apply to a right-click scan so that could be one reason, but it would be good to know how the file came in so that I can investigate it closer :)
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Apply before is safer - it says that the advanced heuristics (different than the rest of our heuristics) are considered regardless of the age of the file.
     
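The age/popularity gate, the right-click-scan exception and the "apply advanced heuristics before/after" setting discussed in the posts above, modelled as an added example. This is not Prevx's code: the thresholds, rule names, the sandbox flag and the reading of "after" as "heuristics only once the file is no longer new" are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed thresholds and rule names; the real values are not on the page.
AGE_HOURS_LIMIT = 24          # younger than this counts as "new"
POPULARITY_LIMIT = 50         # seen by fewer users than this counts as "rare"
SUSPICIOUS = {"no_visible_window", "autorun_entry", "im_spread", "irc_spread"}
NETWORK_OR_PERSISTENCE = {"autorun_entry", "im_spread", "irc_spread"}
SCORE_LIMIT = 2               # this many suspicious behaviors triggers heuristics


@dataclass
class Observation:
    name: str
    age_hours: float
    seen_by_users: int
    behaviors: set = field(default_factory=set)
    sandboxed: bool = False   # assumed: sandbox blocked network and persistence
    context: str = "execute"  # "execute" or "right_click_scan"


def observed_behaviors(obs):
    """Behaviors the engine can actually see. Inside a sandbox the file never
    reaches the network or the real registry, so those behaviors are invisible."""
    if obs.sandboxed:
        return obs.behaviors - NETWORK_OR_PERSISTENCE
    return obs.behaviors


def heuristics_hit(obs):
    return len(observed_behaviors(obs) & SUSPICIOUS) >= SCORE_LIMIT


def is_new(obs):
    return obs.age_hours < AGE_HOURS_LIMIT


def age_popularity_hit(obs):
    """Age/Popularity gate: applies at execution time, not to a right-click scan."""
    return obs.context == "execute" and is_new(obs) and obs.seen_by_users < POPULARITY_LIMIT


def classify(obs, heuristics_mode="before"):
    """Return (verdict, reason). 'before': heuristics are considered regardless of
    age. 'after' (assumed reading): heuristics are only considered once the file
    is no longer new, leaving brand-new files to the age gate alone."""
    if age_popularity_hit(obs):
        return "block", "age/popularity"
    if heuristics_mode == "before" or not is_new(obs):
        if heuristics_hit(obs):
            return "block", "advanced heuristics"
    return "allow", "no rule matched"
```

The cases worth running are a new, rare IM worm executed normally (age gate), the same file on a right-click scan under each mode, and the same behaviors observed from inside a sandbox, which strips the network and persistence evidence the heuristics need.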
  13. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    O.k. This is what I thought.

    I did not get that yet.
    Please explain the procedure again. In case I wouldn't have thrown it up here (hope that is grammatically correct!? ^^)...

    I opened the link with sandboxed Firefox.
    Firefox asked me if I wanted to download this .jpg.exe file and I did so.
    After that I executed the file in the sandboxed Explorer by double-clicking it.
    The reptile.exe was created but wasn't able to connect to the internet because of my sandbox settings.
    That's it.
    System is a Vista HP SP2 laptop.
     
    Last edited: Aug 17, 2009
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our database automatically determines files in realtime and analyzes them constantly as new data is found. We automatically find ~20-30,000 new files every day as malicious - we manually determine only a few :)

    That's the reason - executing it sandboxed will completely change the behavior and may cause us to not detect a file we would have normally detected.
     
  15. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    So it would have been analysed automatically and marked as bad without user intervention?!

    Hm, behavior, OK. But I thought the age protection would work like "only allow programs which have been seen by a very large percentage of the Prevx Community". So, sandboxed or not: the file is brand new and wasn't seen by any percentage of the Prevx Community.

    Can you reproduce if prevx would have caught the file outside the sandbox?
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, except in some stray cases, all of our research is done automatically which allows us to have a microscopic research team in comparison to most AV companies with hundreds/thousands of researchers :)

    I will need to take a closer look at this. There may be an issue in the fact that the sandbox would prevent any behaviors from happening, so we wouldn't see the file doing anything within the system which would lead to the "missed" detection.

    There is an ongoing thread at the moment with other users that have problems under a sandbox and I suspect the same issues are what you're encountering. We're nearing the end of massive changes for Prevx 3.5 which is why we haven't tested the sandbox issue yet (as we will be waiting until 3.5 to release any fix).

    I will let you know as soon as I have an answer :)
     
  17. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Very good.

    Thanks for your open ears and longanimous answers Joe. :thumb:
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    This sounds a lot like the issues discussed in this thread; PrevxHelp said they're investigating the Sandboxie problem.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I guess password-protected zip files are no longer good enough for Prevx? I'm not sure what Google has to do with this; no, I'm not using a Google account.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I think we're using Google for part of the email hosting of the report@prevxresearch.com domain. Could you try sending the file in a rar/7z/other archive type to see if it gets through?

    I'm not sure why Google blocks password protected zips but it is quite annoying :doubt:
     
  21. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    QIP and some of its registry entries are detected as malicious.
    I am a bit confused because VirusTotal shows a problem with that file, but I think it is safe.
    ~snip~VirusTotal URL removed as per policy


    And I have the slight feeling that something is terribly wrong here. Several other legitimate apps are marked as
    in the log. But they don't show up in the scan results. (God save, because they are clean.)

    I will PM Joe my log.
     
    Last edited by a moderator: Aug 18, 2009
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
     
  23. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Of course I will send you the file.

    ~snip~Possible malicious URL removed

    Password is

    infected

    Hopefully not! :eek: I run QIP on my production PC here....
     
    Last edited by a moderator: Aug 18, 2009
  24. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  25. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Win32.induc.a
    ~snip~Possible malicious URL removed
     
    Last edited by a moderator: Aug 18, 2009