What non-signature-based malware detection programs and techniques do you use?

Discussion in 'other anti-malware software' started by MrBrian, Jan 5, 2015.

  1. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    Humans need courage to admit their mistakes...:thumb:
     
    Last edited: Jan 9, 2015
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
I just tried the latest Norton Power Eraser's Reputation Scan on the whole system partition of a virtual machine, and it worked fine :thumbd:. The difference between this and a typical signature-based scan is that Reputation Scan seems to classify files as good, bad, or unknown, instead of just bad or not bad.
     
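The three-state verdict described in the post above, shown as an added example (not code from the post, from Norton, or from any vendor's reputation service). It hashes a handful of constructed placeholder "files", checks each digest against a hypothetical known-bad list (all a signature scanner has) and a hypothetical known-good list (what a reputation scan adds), and pulls out the files a two-state scan would silently wave through. All paths, byte strings and lists are invented for the demonstration.

```python
import hashlib
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used as the lookup key for reputation."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" standing in for a scanned system partition.
# The contents are placeholder byte strings, not real executables.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": b"MZ constructed well-known good binary 1",
    r"C:\Windows\System32\calc.exe": b"MZ constructed well-known good binary 2",
    r"C:\Users\alice\Downloads\invoice.exe": b"MZ constructed known dropper",
    r"C:\Users\alice\AppData\Local\Temp\setup_tool.exe": b"MZ constructed never-before-seen binary",
}

# Constructed reputation data (hypothetical, not any vendor's feed).
# A signature scanner only carries the bad list; a reputation scan adds a good list,
# so everything outside both lists becomes a distinct "unknown" bucket.
KNOWN_BAD: Set[str] = {sha256_hex(SAMPLE_FILES[r"C:\Users\alice\Downloads\invoice.exe"])}
KNOWN_GOOD: Set[str] = {
    sha256_hex(SAMPLE_FILES[r"C:\Windows\System32\notepad.exe"]),
    sha256_hex(SAMPLE_FILES[r"C:\Windows\System32\calc.exe"]),
}


def signature_verdict(digest: str, bad: Set[str] = KNOWN_BAD) -> str:
    """Two-state verdict: anything not on the bad list passes as 'not bad'."""
    return "bad" if digest in bad else "not bad"


def reputation_verdict(digest: str, good: Set[str] = KNOWN_GOOD, bad: Set[str] = KNOWN_BAD) -> str:
    """Three-state verdict. A hash present on both lists is treated as bad (fail closed)."""
    if digest in bad:
        return "bad"
    if digest in good:
        return "good"
    return "unknown"


def scan(files: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Return path -> (signature verdict, reputation verdict) for every file."""
    results: Dict[str, Tuple[str, str]] = {}
    for path, content in files.items():
        digest = sha256_hex(content)
        results[path] = (signature_verdict(digest), reputation_verdict(digest))
    return results


def review_queue(results: Dict[str, Tuple[str, str]]) -> List[str]:
    """Files the reputation scan surfaces that a signature scan would silently pass."""
    return sorted(path for path, (sig, rep) in results.items() if sig == "not bad" and rep == "unknown")


if __name__ == "__main__":
    res = scan(SAMPLE_FILES)
    for path, (sig, rep) in res.items():
        print(f"reputation={rep:8} signature={sig:8} {path}")
    print("needs review:", review_queue(res))
```

The interesting row is the Temp binary: the signature verdict says "not bad" while the reputation verdict says "unknown", which is exactly the file an analyst wants queued for a closer look rather than treated as clean.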
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    webroot antivirus :) and hitmanpro
     
  4. 142395

    142395 Guest

  5. 142395

    142395 Guest

  6. @142395
I have a friend who is a malware reverse engineer and used to work for a Dutch bank corporation. (We were colleagues 30 years ago when we implemented one of the first real-time banking applications in the Netherlands; there were no frameworks, everything had to be developed from scratch.) He now works in Hong Kong, so I do not have access to fresh malware from his honeypot anymore. We mail each other from time to time. When I ask him questions, he sometimes answers with tongue-in-cheek replies (when the question triggers an answer which is over my head). I decided to post his result, for the people with deeper knowledge on security. For fun I will reply to him with your post #56 :D
     
  7. 142395

    142395 Guest

Looking forward to it, but I'm not a malware expert so I'm sure the result will be over my head too!:D
The tools/services I mentioned in #56 can be used even without advanced knowledge (of course I can't draw their full potential as I don't have such deeper knowledge); only Anubis and Malwr require at least some experience of playing with malware.
Anyway, it will be a great benefit as long as at least one person can interpret and explain it!
     
  8. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
Spyware Terminator, Privatefirewall, Sandboxie, HMP and Process Explorer.

    Regards Eck:)
     
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    :eek::eek::eek:
    I thought this one was abandoned...hadn't seen any program updates since v2012.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I forgot to mention Copernicus (for BIOS firmware changes).
     
    Last edited: Jan 15, 2015
  11. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
Correct, it appears to be abandoned, but it's the only standalone HIPS for 64-bit that I know of, plus HIPS don't need updating.

    Regards Eck:)
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    MrBrian

Don't forget ALL the ARKs (anti-rootkits)! Plus,

ESET's SysInspector

tweaking.com svchost.exe lookup tool
     
  13. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I have never seen any HIPS activity from it beside asking whether or not to run some file.
This can also be achieved by some anti-exec application.
    Can you show me popup with any other questions?

    Did you try SpyShelter?
     
  14. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
It's a proper HIPS alright, in that even if you allow a malicious process initially ST will still keep "tabs" on it, giving you a chance to still block and terminate. An anti-exe gives only the one allow or block, so I just like the extra options. Plus ST has a review list showing what you've already allowed.

As I'm running Privatefirewall, which includes a very good BB, I think a HIPS is a perfect complement to it. Add Sandboxie into the mix and things are tight and light.

The questions from a popup may look similar but can be from different shields, if I remember right when testing some time ago. I'll try and show a popup whenever I get a bit more time to do it.

Never tried Spyshelter but have heard a lot of good things about it, same with Voodoo Shield.

    Regards Eck:)
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Isn't Process Monitor in PFW actually a HIPS, not a behavior blocker?
     
  16. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
  17. guest

    guest Guest

Yeah, PFW's HIPS is somewhere between a BB and CHIPS. Although to me it is closer to a CHIPS. Outpost was too quiet though, unless I misconfigured it somehow.
     
  18. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
Everything quiet here for the most part with PFW and ST, but I wouldn't want it too quiet though, just the odd pop-up here and there to confirm that they are still working.

I had Outpost Pro giving me alerts to its own outbound connection, which was a bit disappointing, but it would be great to see some testing with regard to HIPS/BBs old and new. Would make for some interesting results.

What does the C stand for when you mention CHIPS, Graf?

    Regards Eck:)
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Classic HIPS?
     
  20. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
  21. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
  22. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
LOL... so it stands for California, now I know.:D

Those guys were an Intrusion Prevention System in their own right, I want them on my system.:cool::cool:

    Regards Eck:)
     
  23. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
@FleischmannTV, BTW, back to the ol' avatar (nice move). Had to check it out and caught "Computer Freak" via YouTube. Made me wish to "heck" I could sing German in the shower. Hilarious stuff!! Salud. ;)

As for staying on topic, may as well throw Spyshelter Firewall into the works. And dismiss any other thread advisement that the user interface is in effect "difficult." The security status, even at max, can be set to automatically block persistent notifications for user-based decisions. Check out the online reviews and also consider that this firewall is compatible with Sandboxie, Shadow Defender (then again, what isn't?), and a plethora of AV/AM applications.
     
    Last edited: Jan 21, 2015
  24. guest

    guest Guest

As siketa has mentioned, it stands for Classical HIPS. It makes it easier for me to differentiate types of HIPS, as I consider "HIPS" an umbrella term.
     