What non-signature-based malware detection programs and techniques do you use?

Discussion in 'other anti-malware software' started by MrBrian, Jan 5, 2015.

  1. guest

    guest Guest

    I'm sure EMET is qualified for this thread. :cool:
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes :).
     
  3. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    SecureAPlus
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I didn't realize what you meant in the original post. You mean something like change detection software, something that says:
    These files are new.
    This file is missing.
    This file is altered or replaced.

    Many of the applications I use for this are unsupported and may not run on current or 64-bit operating systems. For on-demand use:
    NIS Filecheck. On its first run, it creates and stores a hash for all of the files and folders it's given to monitor. Afterwards, it checks every file in that list against the database it created and alerts you to any changed files.
    Sentinel Discontinued. Description at the Wayback machine. Combination integrity checker, registry watcher, secure shutdown. Not sure if it's compatible with XP.
    Filemap-Bootalert Not compatible with NT systems. Scans the root, Windows, and System folders during bootup. Alerts to any new, modified, or deleted files in those directories.
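
The change-detection logic described in this post (hash every monitored file once, then report files that are new, missing, or altered) as an added Python example; this is not the code of NIS Filecheck or of any other tool named in the thread, and the directory layout built in demo() is a constructed sample.

```python
"""NIS Filecheck-style change detection: hash every file under a tree once,
keep the hashes, and on each later run report new, missing and altered files.
Added example; not the code of any tool named in the thread."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file below root.
    Symlinks are skipped so a link cannot drag content from outside the
    monitored tree into (or out of) the baseline."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(old, new):
    """Classify the difference between a stored baseline and a fresh scan."""
    old_keys, new_keys = set(old), set(new)
    return {
        "new": sorted(new_keys - old_keys),
        "missing": sorted(old_keys - new_keys),
        "altered": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_baseline(baseline, db_path):
    Path(db_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db_path):
    return json.loads(Path(db_path).read_text())


def demo():
    """Constructed scenario: baseline a small tree, then add, delete and
    modify files, and return what the second run reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "sub").mkdir(parents=True)
        (root / "a.txt").write_bytes(b"hello")
        (root / "sub" / "b.bin").write_bytes(b"\x00\x01")
        # The database lives outside the monitored tree; in real use it should
        # live somewhere the monitored account cannot rewrite it.
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        (root / "a.txt").write_bytes(b"hello!")   # altered
        (root / "sub" / "b.bin").unlink()         # missing
        (root / "c.dll").write_bytes(b"MZ")       # new
        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats apply to any tool of this kind. The hash database is only as trustworthy as its storage: if the same account that malware runs under can rewrite baseline.json, an attacker simply re-baselines after modifying files, so keep it on read-only or removable media. And a scan run from inside the running OS can only hash what the OS shows it; anything hidden by a kernel-mode hook is hidden from the checker as well.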
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I used NIS Filecheck for system files integrity checking when I used Windows XP :thumb:.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I use Autoruns, Sigcheck and Event Viewer.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    It seems to me that this thread is moving towards tools that do system/file/data integrity checks.

    Anyway, I can understand if people do not want signature updates as part of their real-time setup, but why take signatures out of the picture for on-demand malware detection? Against known malware families and samples, they aid in the identification and removal process. With cloud scanners like Hitman Pro, signature updates become less of an issue.

    If the criterion is strictly non-signature-based, take an AV and disable the signature updates, leaving the other components to do the automated code (static) analysis or behavioral (dynamic) analysis.

    A Survey on Automated Dynamic Malware Analysis Techniques and Tools
    http://iseclab.org/papers/malware_survey.pdf

    Malware Analysis: An Introduction
    http://www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103
     
  8. 142395

    142395 Guest

    I don't know much about EIS, but at least Bitdefender, Kaspersky, and Symantec use behavior signatures, and it seems you misunderstand behavior sigs. They are not like classical sigs that detect malware on scan (so File Guard should be irrelevant), but rule sets which describe what sets of behavior should be detected by the BB. Those behavior sigs don't need frequent updates, as malware's behavior doesn't change as quickly as the malware itself, and the size of the database won't be massive. Major AV companies began to adopt behavior sigs from around 2011-2012 in reaction to malware evolution, when the classic scoring system (give + points for good behavior and - points for bad behavior, and if it exceeds a certain threshold, block it) began to be unable to catch the latest malware. At least Norton (SONAR) loses significant accuracy if it can't use those behavior sigs, but probably the same goes for Kasp & BD. But currently more and more AV companies integrate the BB with automated classification in the cloud which uses machine language, and this is again signature-less.
     
  9. 142395

    142395 Guest

    I also use Autoruns to compare differences. While the New function in SUPERAntiSpyware seems useful and more thorough, I don't want to pay an annual fee just for it (if it were lifetime, I would buy it). And Norton File Insight shows all executables on my machine and their reputation, so it helps me to locate low-reputation files. Those reputations are calculated without behavior info, so I still have to investigate more.
    And though it is more the case for files brought from outside rather than ones on my system, I use PEStudio and SBIE with the resource access monitor after I can't get a meaningful VT result and can't upload the file to e.g. Anubis (their file size limitation sucks). And finally, after I set up everything (strict firewall rules, maximum settings for HIPS, delete all possible privacy info, make a backup), I execute it in a virtual environment (if it shows sandbox-aware behavior, that itself is suspicious enough for me).
    [EDIT: on execution, I also use Process Monitor]

    Well, HijackThis is still not a relic of the past; it's a very good simple analysis tool, much more compact than OTL. But I don't use them usually.
     
    Last edited by a moderator: Jan 7, 2015
  10. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    The OP also refers to the term "Techniques". Peter, here, listed Sandboxie, too.
    +1! :thumb:
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If you re-read post #1, you will see that MrBrian is referring to programs and techniques used for detection, not prevention. Sandboxie is prevention-only, so not relevant to this thread.

    If I understand Peter2150 correctly, Pete is saying that from a prevention point of view, it doesn't matter how a security program protects the system, providing it is effective. This is a sentiment that I wholeheartedly endorse.
     
  12. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    Actually you can use Sandboxie as an analysis tool with Buster's Sandbox Analyzer or with snapshot comparison methods. It is quite tedious work but provides invaluable information on how the file in question is behaving. As for the second part, I agree with the main idea: if it works (protects), I don't care how it does so. However, detection after infection and prevention are different concepts.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, if Sandboxie is being used in conjunction with BSA for analysis purposes then I can see that the combination of the two would qualify for inclusion in this thread.

    I thought that all development of BSA ceased in 2013 with version 1.88 though due to unresolved incompatibility of BSA with version 4 of Sandboxie. I assume that people still using BSA are using it with Sandboxie version 3.76.
     
  14. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Sandboxie can also be used to analyze a program's behavior when it is run inside the sandbox,
    as mentioned already. Check the manual analysis method too.

    You can also analyze the registry changes made by expanding HKEY_USERS in the Windows registry
    while the app is still running sandboxed, or use the Load Hive method when the sandbox is closed.

    https://www.raymond.cc/blog/how-to-investigate-suspicious-file-using-sandboxie/
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, I agree. Whilst Sandboxie itself doesn't use any detection techniques and is solely concerned with containment, you are of course correct. Because all file system and registry changes made by a sandboxed program are contained within the sandbox, the changes can be analysed manually.

    On further reflection, I agree that Sandboxie does fit the criteria for inclusion in this thread and I was wrong to suggest otherwise.

    Regards
    pegr
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Another kind of tool that can serve this role is the install monitor. Inctrl5, for example, can monitor sessions as well as installs. Take a snapshot, do whatever it is you're going to do, then take another. The "sessions" can last as long as you want, from minutes to months. Inctrl5 will report everything that changed in that time period. This can be very useful for investigating malicious sites and for finding many of the new types of trackers that sites are turning to.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't know how well this will work on operating systems after XP.
    From a command prompt running with system permissions, make a full list of all of the files and folder on the system partition, saving it as a text file.
    Using a live CD, DOS disk, etc, make the same file and folder list, saving it as another text file.
    Open both files using WinMerge or another comparison tool. This will expose any files hidden from the operating system.
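
The two-listing comparison this post describes, as an added Python example in place of WinMerge (not anything from the post): both listings are normalized before diffing (the view-specific prefix is stripped, separators and case are unified, and files that legitimately differ between a running and a shut-down system are ignored), so what remains are real presence differences. The two listings are constructed samples, and the prefixes C:\ and /mnt/win are assumptions about how each view names the same volume.

```python
"""Cross-view file listing comparison: one listing taken from inside the
running OS, one taken of the same volume from a live CD. Paths present only
in the offline view were hidden from the running OS. Added example; the
listings below are constructed."""

# Constructed sample: what `dir /s /b /a C:\` might print from inside Windows
# (/a is needed so hidden and system files appear in the online view too).
ONLINE_LISTING = r"""
C:\Windows\System32\kernel32.dll
C:\Windows\System32\drivers\acpi.sys
C:\Users\alice\NTUSER.DAT
C:\pagefile.sys
"""

# Constructed sample: `find /mnt/win -type f` from a Linux live CD with the
# same volume mounted at /mnt/win (an assumed mount point).
OFFLINE_LISTING = """
/mnt/win/Windows/System32/kernel32.dll
/mnt/win/Windows/System32/drivers/acpi.sys
/mnt/win/Windows/System32/drivers/hidden.sys
/mnt/win/Users/alice/NTUSER.DAT
/mnt/win/Users/alice/AppData/Local/Temp/x.tmp
"""

# Paths that legitimately differ between a running and a shut-down system.
VOLATILE = ("pagefile.sys", "hiberfil.sys", "swapfile.sys", "/appdata/local/temp/")


def normalize(line, prefix):
    """Strip the per-view prefix, unify separators, and lowercase
    (NTFS is case-insensitive; a Linux listing preserves case)."""
    line = line.strip().replace("\\", "/")
    prefix = prefix.replace("\\", "/").rstrip("/") + "/"
    if not line or not line.lower().startswith(prefix.lower()):
        return None
    return line[len(prefix):].lower()


def parse_listing(text, prefix):
    return {p for p in (normalize(l, prefix) for l in text.splitlines()) if p}


def is_volatile(path):
    return any(v in path for v in VOLATILE)


def cross_view_diff(online_text, online_prefix, offline_text, offline_prefix):
    online = {p for p in parse_listing(online_text, online_prefix) if not is_volatile(p)}
    offline = {p for p in parse_listing(offline_text, offline_prefix) if not is_volatile(p)}
    return {
        "hidden_from_os": sorted(offline - online),   # candidates for a hidden file
        "only_online": sorted(online - offline),      # usually written during shutdown
    }


def demo():
    return cross_view_diff(ONLINE_LISTING, "C:\\", OFFLINE_LISTING, "/mnt/win")


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Take the two listings as close together in time as possible and with as little activity as possible in between, otherwise ordinary churn (logs, temp files, prefetch) fills the report. The online listing must include hidden and system attributes, or every attribute-hidden file shows up as "hidden from the OS" for a benign reason. Anything that remains in hidden_from_os after that is exactly the case the post is after: a file the live environment can see but the running system does not report.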
     
  18. 142395

    142395 Guest

    Yes, I sometimes use SBIE for that, as I wrote in #34. But additional measures and caution are needed because there's no guarantee that malware never bypasses the sandbox.
    Whoops, I forgot to mention Process Monitor, which I sometimes also use to hunt down the cause of an issue.
    The resource access monitor in SBIE makes that work a bit easier.:)
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Oh, I'm not denigrating either signature-based programs or prevention. Those topics have had better Wilders coverage than this one, though.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Does anyone know of free programs that provide file prevalence data? I know Norton Power Eraser can to some extent (Reputation Scan in Advanced Options).
     
    Last edited: Jan 7, 2015
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I am still running XP, and I have used all three of these tools in the past...but I haven't run [any of] these for at least the last 5 years.
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Matter of fact, I just found a copy of a HiJackThis scan. I just took a screenshot of the first few lines of the scan, which was run back in 2009.

    ScreenShot_HiJackThis_very old log_01.gif
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I use tools like Process Explorer, Pserv, AutoRuns, System Explorer and CurrPorts.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A few tips for those using Autoruns for snapshot comparisons:
    1. I use Autoruns v11.42 because it's the last version that doesn't have this issue.
    2. Each user account that you use should have its own snapshot.
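
Snapshot comparison of the kind these tips describe, as an added Python example that is not part of the post or of Autoruns: it diffs two CSV exports from the console version (for example `autorunsc -a * -c > before.csv`, then the same later into after.csv; flag syntax varies by Autoruns version, so check `autorunsc -?`, and decode the file first if your version writes UTF-16). Entries are keyed on location plus name, so a changed image path, launch string, or enabled flag on an existing entry is reported as a change rather than lost. The column names and the sample entries are constructed to resemble autorunsc's CSV and are not real snapshots.

```python
"""Diff two Autoruns snapshots taken as autorunsc CSV output.
Added example; field names and sample rows are constructed."""
import csv
import io

# Columns assumed in the CSV header; the real header varies by Autoruns version.
FIELDS = ("Entry Location", "Entry", "Enabled", "Category", "Description",
          "Publisher", "Image Path", "Version", "Launch String")
# Fields that identify an autostart entry across snapshots.
KEY_FIELDS = ("Entry Location", "Entry")
# Fields whose change on an existing entry is worth reporting.
WATCH_FIELDS = ("Enabled", "Image Path", "Launch String")


def parse_snapshot(text):
    """Return {(location, entry): row} from autorunsc -c style CSV text."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple((row.get(f) or "").strip() for f in KEY_FIELDS)
        snapshot[key] = row
    return snapshot


def diff_snapshots(before, after):
    """Entries added, removed, or changed in a watched field between snapshots."""
    changed = []
    for key in sorted(set(before) & set(after)):
        deltas = {f: (before[key].get(f), after[key].get(f))
                  for f in WATCH_FIELDS if before[key].get(f) != after[key].get(f)}
        if deltas:
            changed.append((key, deltas))
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": changed,
    }


def _row(location, entry, enabled, category, image, launch):
    return {"Entry Location": location, "Entry": entry, "Enabled": enabled,
            "Category": category, "Description": "", "Publisher": "",
            "Image Path": image, "Version": "", "Launch String": launch}


def _to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed "before" snapshot: two ordinary entries.
BEFORE = _to_csv([
    _row(HKLM_RUN, "SecurityHealth", "enabled", "Logon",
         r"c:\windows\system32\securityhealthsystray.exe",
         r"%windir%\system32\SecurityHealthSystray.exe"),
    _row(HKCU_RUN, "OneDrive", "enabled", "Logon",
         r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
         r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
])

# Constructed "after" snapshot: SecurityHealth has been disabled and a new
# per-user Run entry points at an executable under the profile directory.
AFTER = _to_csv([
    _row(HKLM_RUN, "SecurityHealth", "disabled", "Logon",
         r"c:\windows\system32\securityhealthsystray.exe",
         r"%windir%\system32\SecurityHealthSystray.exe"),
    _row(HKCU_RUN, "OneDrive", "enabled", "Logon",
         r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
         r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    _row(HKCU_RUN, "Updater", "enabled", "Logon",
         r"c:\users\alice\appdata\roaming\updater.exe",
         r"C:\Users\alice\AppData\Roaming\updater.exe /silent"),
])


def demo():
    return diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The second tip above is visible in the output format: HKCU entries carry the location of whichever user's hive autorunsc was run under, so a snapshot taken as one account diffed against a snapshot taken as another reports every per-user entry as added or removed. Keep one before/after pair per account.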
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    HitmanPro also has the option of using Early Warning Scoring scan mode.
     