The border guard stands strong!


Attackers have learnt to bypass conventional security mechanisms. For example, they obfuscate malicious code and sign it with legitimate certificates to evade anti-virus detection.

Source

Because this issue's author has a bit of a perfectionist streak, statements about obfuscated code bypassing anti-viruses particularly irritate him. One comes across this wording or variations of it quite often—and it is totally incorrect.

If in this situation an anti-virus fails to detect malware, two scenarios are possible. The first: Malicious code is hidden in a process that an anti-virus can't access (in “ancient” times, there was a proof-of-concept program whereby one CPU core processed only its code). And the second: when a known malicious program has been modified to change its signature. To accomplish this, attackers can compress it, obfuscate (re-arrange) its code, etc. And in such cases, one can speak about malware bypassing anti-viruses.

But, in fact, nothing gets bypassed. An anti-virus sees a program whose signature has been changed, examines it, and does nothing else. And you'll probably object: What's the difference? One way or the other, malware remains undiscovered. But, there is one difference, even two.

First, failure to detect a new modification of a well-known program can easily be remedied by updating the virus databases—something an anti-virus does routinely without interfering with the user experience. And to equip an anti-virus with a new monitoring and detection routine, one needs to upgrade it to a newer version. And that is something users don't like to do (and do not do).

Second: Code modification can only help circumvent detection routines that use virus databases. But once a program is examined against known signatures, it will remain under the anti-virus's scrutiny. From that moment on its activity will be monitored by behaviour analysis routines (Preventive Protection).

This technology doesn't rely on conventional signature databases, although it gets updated too, somewhat less often. What is updated in its case are the preventive protection and process behaviour analysis routines and the trusted application database.

Preventive Protection watches over certain system areas and running processes, and follows what code is being executed, how, and in what sequence: who starts a process, what parent and child processes are associated with the execution of a certain file, who launched the file and from what location, etc. This is a complex mechanism that takes a comprehensive approach to system security. It prevents malicious code that can't be detected by its signature from being deployed in a system.

I can't go into details because, first of all, we are talking about a trade secret and, second, because the algorithms are so many and diverse that describing each and every one of them briefly is impossible.

Yet, there’s even more.

An anti-virus may take no action when you run a .bat file if you have downloaded it to a location on your computer and then opted to run it as administrator. In this situation, the sequence of actions indicates that an administrator has taken it upon themselves to perform all these actions with the file and supposedly knows about the file's origin and content.

Meanwhile, if the file is downloaded by some process into a temporary folder, the anti-virus may prevent it from running. This situation can be regarded as suspicious behaviour and, depending on the subsequent actions taken, may be flagged as malicious.

Therefore, the way something is being run can be more important than what kind of code is being executed. And it also matters whether the action is being performed by you or by a system routine.
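The two stages described above, modelled in a small added example (not Dr.Web's code; the paths, process names and rule thresholds are constructed for illustration): a hash signature stops matching as soon as one line is appended to a known script, while a context check on how the file was launched still reaches a verdict.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: a "known" script and a copy with one harmless line appended.
KNOWN_SAMPLE = b"@echo off\r\ndel /q %USERPROFILE%\\Documents\\*.*\r\n"
MODIFIED_SAMPLE = KNOWN_SAMPLE + b"rem padding\r\n"

# A hash-based signature database that knows only the original variant.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Pure database lookup: any byte change defeats it until the database is updated."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


@dataclass
class ExecEvent:
    path: str          # location the file is run from
    parent: str        # process that started it
    launched_by: str   # "user" (interactive session) or "system" (some other process)
    elevated: bool     # explicitly run as administrator


# Assumed locations for the example user "alice".
TEMP_DIRS = (r"C:\Users\alice\AppData\Local\Temp", r"C:\Windows\Temp")
DOWNLOADS = r"C:\Users\alice\Downloads"


def behaviour_verdict(ev: ExecEvent) -> str:
    """Context check in the spirit of the article: how and by whom, not what code."""
    path = ev.path.lower()
    in_temp = any(path.startswith(d.lower()) for d in TEMP_DIRS)
    if ev.launched_by == "user" and ev.elevated and path.startswith(DOWNLOADS.lower()):
        return "no_action"      # an administrator knowingly ran a file they downloaded
    if in_temp and ev.launched_by != "user":
        return "block"          # dropped into a temp folder and started by another process
    if in_temp:
        return "suspicious"     # user ran something out of temp: keep watching it
    return "monitor"            # default: the process stays under behaviour analysis


def scan(data: bytes, ev: ExecEvent) -> str:
    """Signature lookup first; when it misses, the behaviour check still applies."""
    if signature_match(data):
        return "detected_by_signature"
    return behaviour_verdict(ev)
```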

A reply from Doctor Web’s Technical Support Service

So everything's under control. The border guard stands strong!

#malware #Dr.Web_settings #Preventive_Protection #Dr.Web_technologies

Dr.Web recommends

Do not disable Preventive Protection—it is an important line of defence against disguised malicious programs.
