What non-signature-based malware detection programs and techniques do you use?

Discussion in 'other anti-malware software' started by MrBrian, Jan 5, 2015.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The term HIPS has become an advertising term. SSM for instance is currently referred to as a classic HIPS. The original designer called it an application-firewalling tool.
     
  2. 142395

    142395 Guest

    Currently application control/firewall and HIPS mean almost the same thing, but originally they did not. Think about Tripwire, one basic and well-known HIDS. It basically monitors changes in vital areas and if it detects one, it reports it. So even a file change monitor can be called HIDS/HIPS in the wider meaning. However, the actual implementation and usage of HIPS has changed from HIDS; HIPS is no longer just HIDS + prevention.
    As always, the meaning of a word changes as time goes by, just like SPI: currently it means one of the firewall formats that dynamically allows replied connections, but originally it did not. Some people even call BB a HIPS. So maybe what we can do is just always make it clear what any term actually means?
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Sandboxie 4.13.1 introduced a fix which solves an important compatibility problem between Sandboxie and BSA:

    "1) Special flag added to OpenWinClass to restore Buster Sandbox Analyzer (BSA) message logging. /IgnoreUIPI allows low integrity sandboxed processes to send WM_COPYDATA msgs to windows in higher integrity processes.
    Example Sandboxie.ini entries (both lines required):

    OpenWinClass=TFormBSA
    OpenWinClass=TFormBSA/IgnoreUIPI

    (This does not fix all the problems with BSA, but it is a start)"

    There are still a few minor glitches:

    - Sometimes Sandboxie returns the path to the real folder on disk.

    - There is a bug in duser.dll which causes reentrancy when LOG_API.DLL is used. This causes applications like Notepad to crash when you call functions like "SaveAs".

    These problems have been catalogued as low priority by Invincea and they have not solved them yet.

    I decided to keep BSA development stopped while Invincea does not support the BSA project actively, as Ronen used to do.

    I do not have much hope about resuming the project because Invincea's support went down drastically compared to the support Ronen used to give.

    This thread gives a good idea of how bad the support is right now:

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=19481
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's good to know, thanks.
     
  5. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Seemed to have skimmed past your post somehow but got it now of course, thanks.

    Yes, thanks for the heads up; it has saved me a 4 in the morning light bulb moment... if ever?

    Regards Eck:)
     
  6. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Is that not what a HIPS is, detection + prevention? Or do you mean a HIPS in the classic stand-alone sense is gone?

    Regards Eck:)
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Classic HIPS regulate running processes based on their ruleset. In many ways, they behave just like rule based internet firewalls. Whether they just prevent intrusion or alert to attempts depends on how the user configures it. You can run them to allow only whitelisted applications. You can use them to enforce blacklists. You can set up a combination of the 2. You can set them to alert to anything not pre-approved or have them block silently. They can log everything, specific items, or nothing at all. It's totally up to the user.
     
  8. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Thanks for your informed reply noone_particular, but isn't the silent block option somewhat dangerous in that it may block a critical system file at some stage and mess up your system without the chance to stop this via an alert?

    Anyway at least I know for sure PFW is a "proper" BB because if it were HIPS my system would be well borked by now with running ST HIPS as well.

    Regards Eck:)
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the HIPS is operated in that mode before the rules for system critical processes are finished, that is a possibility. On the pro version of SSM for instance, about 3 core processes were whitelisted as were their activities. They found that interfering with them or suspending their actions pending a reply to a prompt was crashing the OS. I can't speak for other HIPS but I'd assume that the better ones have addressed most of those possibilities. The biggest problems in that regard would be tied to system updates and updates to applications that need kernel level access like AVs. Issues like these convinced me to end all auto-updating. The silent block option is best used on finished, near static systems that seldom change. The rulesets have to be complete before it's used. The newer and more complex the OS, the harder it becomes to address all of those details.
     
  10. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Yep, that's why I like the non-silent route after the initial training period, just to see what exactly is causing an alert.

    Regards Eck:)
     
  11. 142395

    142395 Guest

    The aim of HIDS is to detect intrusion on a host computer, so originally it did not necessarily need to focus on processes. The free version of Tripwire is basically a file/directory checker, while the enterprise version monitors many more items. And HIDS don't necessarily need to employ a huge whitelist or learning mode, as FPs on HIDS are not as serious as on HIPS (it doesn't mean any whitelist or testing is needless though).
    But the difference between IDS and IPS is clearer on NIDS/NIPS, where the difference even changes where it should be located on the network.
     
  12. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    So the IDS/NIDS will detect and alert and the IPS/NIPS will detect and block... right?

    Regards Eck:)
     
  13. 142395

    142395 Guest

    Right, but NIPS have to be set "inline" in the network to block malicious communication, so faster processing is needed, and any problem can bring the entire network down, which doesn't occur with NIDS.
    Also NIPS have to have lower FPs than NIDS.
     
  14. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    As with a lot of things there's always a trade-off with regard to the pros and cons of these apps.

    Thanks for the clarifications Yuki.

    Regards Eck:)
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Today I tested all of the online automated malware analysis services in my bookmarks with several suspicious samples.

    I added Payload Security to my bookmarks today. It seems quite good, with supposedly 150+ generic behavioral signatures; example report: hxxps://www.hybrid-analysis.com/sample/be1e156b50e2c060b872ba234001ace1e13d6d81eeb8b0697cd83ee2d121679d/. All of the file submissions are downloadable after analysis has finished.
    Here are the other ones that I kept in my bookmarks (not including primarily signature-based and hash submission sites):
    Anubis
    Comodo File Verification Service - it didn't work for me today because it was "too busy."
    Comodo Instant Malware Analysis
    Malwr
    ThreatExpert - sometimes didn't work for me today for whatever reason

    Lists of such sites:
    http://zeltser.com/reverse-malware/automated-malware-analysis.html
    https://aggressivevirusdefense.wordpress.com/2009/09/23/can-you-trust-that-file/ (has been updated since the initial post)
     
    Last edited: Feb 1, 2015
  16. 142395

    142395 Guest

    As Norton Power Eraser is listed, I guess aggressive heuristic scanners can also be candidates, though they use signatures partly.
    I think Kaspersky AVZ and McAfee GetSusp are in this category, other than NPE and HMP (EWS scan). Thor will be too, but unfortunately Loki will not. If anyone knows other such scanners, please add them.
    Thanks for informing us about Payload Security, I didn't know it and their interface seems very user-friendly.
    Also I didn't know about Visual Threat in your link, though it is for Android.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    Payload Security is different from the others because its behavioral signatures involve not just observed behaviors, but potential behaviors (via code analysis).
     
  18. 142395

    142395 Guest

    So it combines some kind of reverse engineering?
    Interesting.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  20. 142395

    142395 Guest

  21. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    This just shows your lack of imagination :)

    Sandboxie has functionality which can make it very easy to detect malware, when the user has made sufficiently strong rules. This can be whitelisting which apps have rights to run or net access, or making strict rules about file and registry access. As soon as something attempts to do something it shouldn't, then the user is immediately notified.

    For example, if an exploit kit was successful and dropped a trojan, then this file would immediately be blocked from running and would give a Sandboxie notification to that effect. I used this method to audit my security setup years ago. I had to disable a lot of layers, and deliberately use vulnerable Java plugins for exploit kits to ever run.
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    See post #40 on page 2 of this thread where I have already admitted that what I said previously was incorrect.
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I've already read the thread through. Let's review what you wrote earlier:

    Well, no. As I said, this just shows your lack of imagination. Using Sandboxie to investigate unknown PE's and manually looking at the changes is just one way and certainly not the only way as you suggest.

    Sandboxie can act as a surveillance tool in general usage, by notifying the user immediately when dropped trojans attempt to run, access the net, or when processes attempt read access of disallowed parts of the registry or file system. A strong configuration turns Sandboxie into an anti-executable and software policy, with immediate detection and notification for abnormal behaviour. Again, it just comes down to the imagination (and understanding) of what the program can offer beyond just the default configuration of containment.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  25. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Sometimes it's pretty obvious when a file is malicious. Randomly named, and running from locations they shouldn't. RogueKiller is pretty good at using this as a rule to detect malicious files, without needing a signature to determine a specific piece of malware or malware family. Personally I don't see "rule based" meaning the same thing as "signature" based.

    A case in point on an infection I helped someone with a few months ago:

    - Antispyware program detected a suspicious change to the registry, so they asked for my help;
    - I looked by hand in the usual suspects and found 2 randomly named exes and a log file in %appdata%;
    - Logfile showed many unsuccessful attempts to connect to a remote server;
    - My assumption was that one file was a keylogger, and the other was to upload a keylog;
    - Autoruns: autostart for the keylogger, but nothing else amiss;
    - OTL: found a 4th file, the keylog itself which was in ProgramData.

    I ran some AV/AM scans to see which programs could find it. Not even MBAM found anything. The only signature-based program to find anything was HMP, but only the keylogger itself (identified as a financial malware). HMP wasn't worried about the remote file uploader sitting in the same root folder of %appdata% though.

    RogueKiller OTOH found all 4 files including the keylog, but without a signature.
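The rule-based reasoning in the post above (random-looking executables in %appdata%, an autostart entry pointing at one, companion files beside them), written out as an added Python example that is not RogueKiller's code or anything from this thread; the folder list, name-randomness thresholds and all sample paths are constructed assumptions:

```python
# Rule-based triage: flag randomly named executables in user-writable data folders, then their companions.
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\")  # assumed list
EXEC_EXT = {"exe", "dll", "scr", "com"}

def split(path):
    """(directory, stem, extension), lower-cased, for a Windows-style path."""
    directory, name = path.replace("/", "\\").lower().rsplit("\\", 1)
    stem, ext = (name.rsplit(".", 1) + [""])[:2]
    return directory, stem, ext

def in_suspect_dir(directory):
    return any(marker in directory + "\\" for marker in SUSPECT_DIRS)

def looks_random(stem):
    """Crude generated-name test (thresholds assumed): 6+ chars, few vowels or many digits."""
    vowels = sum(ch in "aeiou" for ch in stem)
    digits = sum(ch.isdigit() for ch in stem)
    return len(stem) >= 6 and (vowels < 0.2 * len(stem) or digits > 0.4 * len(stem))

def triage(files, autoruns):
    """files: paths seen on disk; autoruns: {entry: target}. Returns {path: reasons}."""
    targets = {t.replace("/", "\\").lower() for t in autoruns.values()}
    findings, random_stems = {}, set()
    for f in files:
        d, stem, ext = split(f)
        if ext not in EXEC_EXT or not in_suspect_dir(d):
            continue
        reasons = ["executable in user-writable data folder"]
        if looks_random(stem):
            reasons.append("randomly generated file name")
            random_stems.add(stem)
        if f.replace("/", "\\").lower() in targets:
            reasons.append("referenced by an autostart entry")
        findings[f] = reasons
    # Second pass: non-executables sharing a stem with a flagged binary,
    # e.g. the connection log or keylog the dropper writes for itself.
    for f in files:
        d, stem, ext = split(f)
        if ext not in EXEC_EXT and stem in random_stems and in_suspect_dir(d):
            findings[f] = ["companion of a flagged executable"]
    return findings

# Constructed sample modelled on the post: two random-named binaries in
# %appdata%, a log beside them, the keylog in ProgramData, one benign app.
SAMPLE_FILES = [r"C:\Users\alice\AppData\Roaming\kq7xzv4f.exe",
               r"C:\Users\alice\AppData\Roaming\p2n8wdht.exe",
               r"C:\Users\alice\AppData\Roaming\p2n8wdht.log",
               r"C:\ProgramData\kq7xzv4f.dat",
               r"C:\Users\alice\AppData\Local\Programs\Signal\Signal.exe"]
SAMPLE_AUTORUNS = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd":
                   r"C:\Users\alice\AppData\Roaming\kq7xzv4f.exe"}
```

A benign installer that lives under AppData\Local (Signal in the sample) trips only the folder rule, so a single reason should be read as "review", while the stacked reasons on the autostarted random binary are what a practitioner would act on.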
     