What non-signature-based malware detection programs and techniques do you use?

Discussion in 'other anti-malware software' started by MrBrian, Jan 5, 2015.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    What non-signature-based malware detection programs and techniques do you use? Either realtime or on-demand is ok. Please don't mention prevention-only programs/techniques here. If a program uses both signature-based and non-signature-based techniques, you may mention it here, provided that you actually use the non-signature-based aspects of it.
     
    Last edited: Jan 5, 2015
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi Brian

    I use:

    Appguard
    NoVirusthanks Exe Radar Pro
    Sandboxie
    Hitman Pro Alert

    Pete
     
  3. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Emsisoft Internet Security. Behavior blocker is not signature based.
     
  4. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    AppGuard
    MBAE
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks to those who participated so far :). Just as a reminder, for the purposes of this thread, I'm interested only in programs/techniques that can indicate the presence of malware (or help a human analyst to do so), not prevent it. If a program/technique can both prevent and detect, then it's ok to mention here.
     
    Last edited: Jan 5, 2015
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    1. Before I install software, I use both Autoruns and What's Running to compare against the most recent snapshot made by these two programs. I look for anything suspicious that changed. After installing software, I do another comparison with the most recent snapshot, and save a new snapshot if things that these programs check for have changed during the software installation.

    2. Very seldom, I run Microsoft's System File Checker, sometimes offline.

    3. Very seldom, I use MBRtool (found on Ultimate Boot CD for DOS, among other places) to check if the MBR has changed from a copy that it previously stored on the hard disk.

    4. I have UAC slider set to the highest position.

    5. Around once a month, I use FileVerifier++ to check if any of my documents/data files have unexpectedly changed contents (by comparing current hash to previous hash).
     
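The snapshot-and-compare routine described in the post above (Autoruns/What's Running diffs, the stored MBR copy, the FileVerifier++ hash check) is the same pattern each time: record a baseline, then diff a fresh reading against it and treat anything unexpected as a lead to investigate. Here is that pattern as a small file-integrity check. This is an added example, not code from the thread or from any of the tools named; the directory layout, file names and "unexpected changes" are constructed for the demo.

```python
"""Baseline-and-compare file integrity check (added example, not from the thread).

Snapshot every regular file under a directory (relative path -> SHA-256), store
the snapshot as JSON, and later diff a fresh snapshot against it. The same
snapshot/diff shape works for an autorun listing or a boot-sector dump.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file contents in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def save_snapshot(snap: dict[str, str], dest: Path) -> None:
    # Keep the baseline somewhere the monitored tree cannot touch (ideally offline).
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def diff_snapshots(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, disappeared, or whose contents changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"                # the tree being monitored
        baseline = Path(tmp) / "baseline.json"   # stored outside the monitored tree
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.txt").write_text("quarterly numbers\n")
        (root / "docs" / "notes.txt").write_text("todo\n")
        (root / "docs" / "readme.txt").write_text("read me\n")
        save_snapshot(snapshot(root), baseline)

        # Simulated changes between checks: a same-size content edit (a timestamp
        # check would miss it; a hash does not), a deletion, a new file, and a
        # rewrite with identical content, which must not be reported.
        (root / "docs" / "report.txt").write_text("quarterly numbErs\n")
        (root / "docs" / "notes.txt").unlink()
        (root / "docs" / "dropped.bin").write_bytes(b"\x4d\x5a\x90\x00")
        (root / "docs" / "readme.txt").write_text("read me\n")

        return diff_snapshots(load_snapshot(baseline), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the baseline: a snapshot taken on an already-compromised machine will happily confirm the compromise as "unchanged", and a baseline stored on the same disk can be edited along with the files it covers. Content hashes rather than modification times are compared because timestamps are trivial to restore after tampering.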
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Does Chromium with phishing and malware protection enabled, count? If so, that's what I use
     
  8. DX2

    DX2 Guest

    AppGuard, MBAE, NVT, SRP.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Malware detection software is generally signature based. I'm a bit at a loss as to how software is supposed to detect malware without something to base that detection on. The program can look for specific types of activity, but then it's up to the user to determine if those actions are being performed by legitimate software or malware. To do so, the user will generally start with a signature based scanner.
    Anti-executables don't actually detect malware. They detect anything that attempts to execute that's not whitelisted, as do HIPS. Sandboxes and virtual systems confine whatever runs in them, whether malicious or legitimate. Actual malware detection is only necessary on systems that employ a default-permit security policy. HIPS and anti-executables treat everything that isn't whitelisted as undesired by blocking it. In effect they are signature based, except that they use the signatures of the executables that are allowed.
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,239
    I don't use any software for non signature based malware detection. I don't run anything unless I have chosen to download it myself. That includes not installing any software that the various file hosting sites try to trick you into downloading instead of the actual file you are trying to download. Also, I am always careful when installing software to uncheck any options to install unwanted third party software.

    That's it for me, and is enough to keep me malware free. I use no signature based malware detection at the moment, with the exception of Microsoft's SmartScreen Filter in Windows 10 which pops up from time to time to alert me about unknown downloads.
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I agree, and actually behavior blocker is also much signature-based as all current strong BB rely heavily on behavior signature, though it can be better described as 'rule-based'. Also anti-exploit is basically not for detecting malware but for preventing exploit (!= malware).
    I'm at a loss about why people don't read or ignore OP.
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    So it is. For this reason I think that HIPS and BB too match MrBrian's question.
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Might match or might not as you can't selectively use BB's non-sig-based part (classical scoring system and cloud-based classification), that depends on def of "signature".

    And IMO there's clear difference btwn HIPS & BB, while HIPS can be used as behavior whitelister, BB is behavior blacklister.
     
    Last edited: Jan 6, 2015
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Sure! I only said that they both match the question.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    They do match, as long as they have detection capabilities. Also, originally I had said to not mention antivirus software, but I removed that, so you can mention for example Bitdefender's Active Virus Control.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm looking for programs/techniques that may indicate that one has malware, other than the usual signature-based ones. For example, if Microsoft's System File Checker reports a file as corrupt, it could then be scanned via signature-based programs.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Although AppGuard and Sandboxie have both been listed, in my view neither of these fits the criteria for inclusion in this thread, as both programs are prevention-only and malware is silently blocked and contained without detection. With both of these programs, the intent of the application for good or bad is irrelevant.

    It seems to me that meeting the criteria for inclusion depends on whether a security program raises alerts based on application behaviour that the user can respond to, which can be used as a guide to a classification of the intent of the application for good or bad.

    Apart from anti-virus programs, classical HIPS, intelligent BBs, anti-executable, anti-exploit programs, etc all might qualify, but prevention-only programs like AppGuard and Sandboxie don't.

    On that basis, the only two programs I use that might qualify for inclusion in this thread are: HitmanPro (on demand) and HitmanPro Alert (real time).
     
  18. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,015
    Sandboxie
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    I would suggest HitmanPro. I look at it as a 'Crime Scene Investigator', as it offers a LOT of details about an infection. An example: https://hitmanpro.wordpress.com/2014/01/05/malware-served-via-yahoo-affected-millions/

    The user just has to click twice on a detected item to reveal the actionable intelligence. Especially its Forensic Cluster capability is pretty interesting as it shows what happened prior to the infection, revealing how it happened as well.

    HitmanPro does NOT have to be installed on the machine when an infection happens. It searches for and correlates time and objects that are (still) there, establishing a case against a suspicious object. Even when a machine was infected days or weeks ago, HitmanPro can tell you what happened and who's involved. It saves a security engineer a lot of time. Example:
    [attached image: hitmanpro-flagging-malware-and-giving-insight-into-the-attack-without-signatures.jpg]
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I too sometimes use Sandboxie on demand, but I wouldn't classify it as a malware detection program, which is what the OP is asking. Unless I'm wrong, Sandboxie is prevention-only, not detection.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I don't think that is true of Emsisoft EIS. You can turn off File Guard, which is the signature checking component, and behavior blocking still does the job. For example watching for DLL injection into other processes, watching for patching executables, or watching for installation of services and drivers isn't signature based.
     
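The behaviour blocker described in the post above (watching for DLL injection into other processes, patching of executables, installation of services and drivers) can be shown as a small rule-based scorer, which is also what the earlier remark about behaviour blockers being "rule-based" amounts to. This is an added example and not Emsisoft's or any other vendor's code; the event stream, field names, rule names, weights and threshold are all constructed for the demo. The optional allowlist shows the HIPS-style counterpart mentioned earlier in the thread: a trusted image is never scored at all.

```python
"""Rule-based behaviour scoring over a constructed process-event stream.

Added example, not any vendor's behaviour blocker. Each rule is a predicate over
one event; a process accumulates the weight of every rule it trips (counted once
per rule) and is flagged once the total reaches a threshold.
"""
from collections import defaultdict

# Constructed events, not real telemetry. The field names are this example's own.
EVENTS = [
    {"image": "setup.exe",   "action": "file_write",    "target": r"C:\Program Files\App\app.exe"},
    {"image": "setup.exe",   "action": "registry_set",  "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App"},
    {"image": "dropper.exe", "action": "remote_thread", "target": "explorer.exe"},
    {"image": "dropper.exe", "action": "file_write",    "target": r"C:\Windows\System32\svchost.exe"},
    {"image": "dropper.exe", "action": "registry_set",  "target": r"HKLM\SYSTEM\CurrentControlSet\Services\badsvc\ImagePath"},
    {"image": "dropper.exe", "action": "remote_thread", "target": "svchost.exe"},
    {"image": "notepad.exe", "action": "file_write",    "target": r"C:\Users\u\notes.txt"},
]


def _target(e):
    return e["target"].lower()


# (rule name, weight, predicate). Weights and names are illustrative.
RULES = [
    ("remote_thread_into_other_process", 40,
     lambda e: e["action"] == "remote_thread"),                       # classic DLL-injection indicator
    ("patches_system_executable", 30,
     lambda e: e["action"] == "file_write"
     and _target(e).startswith("c:\\windows\\")
     and _target(e).endswith((".exe", ".dll", ".sys"))),
    ("installs_service_or_driver", 30,
     lambda e: e["action"] == "registry_set"
     and "\\currentcontrolset\\services\\" in _target(e)),
    ("adds_autorun_entry", 10,
     lambda e: e["action"] == "registry_set"
     and "\\currentversion\\run\\" in _target(e)),                   # legitimate installers do this too
]


def score_events(events, rules=RULES, threshold=50, allowlist=frozenset()):
    """Return {image: {"score", "rules", "flag"}} for every image that tripped a rule."""
    scores = defaultdict(int)
    hits = defaultdict(list)
    for e in events:
        if e["image"] in allowlist:      # whitelist-style short circuit: trusted images are never scored
            continue
        for name, weight, pred in rules:
            if pred(e) and name not in hits[e["image"]]:
                hits[e["image"]].append(name)
                scores[e["image"]] += weight
    return {img: {"score": s, "rules": hits[img], "flag": s >= threshold}
            for img, s in scores.items()}


if __name__ == "__main__":
    for image, verdict in score_events(EVENTS).items():
        print(image, verdict)
```

With these constructed events the dropper trips three distinct rules and is flagged, the installer trips only the autorun rule and stays under the threshold, and notepad never appears in the result. That gap between "adds an autorun entry" (normal for installers) and "creates a remote thread in another process" is where the weights do their work, and also where the false positives come from: an updater that patches files under the Windows directory and registers a service looks much like the dropper to a scorer this simple.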
  22. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    I believe what you are looking for are programs like the old HijackThis!. They don't exactly tell what is malware and what is not, but they provide a list of things to investigate. I was using lots of different low level scanners when I was at my previous job, but wasn't able to catch up with recent developments. I remember using DDS, OTL, Combofix, Blitzblank and AVZ (I know this one is still developed).
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    This all to me is starting to come under the "Frankly my dear, I don't give...". We are getting so lost in the trees we've forgotten we are in a forest. Frankly I don't really care about these fine distinctions in definition. Only one thing matters. Does the software protect my system? If yes, then all the debate over what we call it doesn't matter, and if no, then it doesn't matter. Bottom line, it doesn't really matter.
     
  24. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Thinking along similar lines, with ESET SysInspector, which is a diagnostic tool that can help you identify what kind of malware is infecting your system and seek further help from malware removal experts.

    Emsisoft HiJackFree, which is a system analysis tool for advanced users to detect and remove malware manually. It used to be part of EEK, but is now absent from the latest version.

    Also FreeFixer, a general purpose removal tool that performs a scan that shows locations where potentially unwanted software may appear. The user has to decide what to keep or remove. You can click the "more info" links for each item in the scan result, which will open the FreeFixer web site with additional information about the item, and see what others have chosen to do.
     
    Last edited: Jan 6, 2015
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes. When I used Windows XP I used HijackThis for this purpose. Now I'm using Autoruns and What's Running (see post #6).
     
    Last edited: Jan 6, 2015