spywar, posted June 29, 2013:
So will you make a way for us to be able to submit files directly to Emsisoft Anti Malware Network?
edit: It would be good to have somehow an automated analysis system with web interface (online malware analyser) for us to be able to directly upload files, then the system will classify everything it can as malware. All files not classified will be sent for manual processing.
spywar, posted July 1, 2013:
No reply?
Fabian Wosar, posted July 1, 2013:
Weekends do apply to most of the development staff. So don't expect immediate responses over the weekend. In general we have no plans for automatic submissions or for allowing users to submit files to the cloud manually.
spywar, posted July 1, 2013:
Thanks for the reply. I'd like to know one last thing: Why are some files, which are not detected by EAM on a static scan, detected as malware once you look them up with the Anti Malware Network?
Fabian Wosar, posted July 1, 2013:
Cloud signatures are a lot more aggressive than local signatures. They are only used if EAM is observing a malicious behavior to begin with, which allows us to be less concerned about false positives and release them early with only rudimentary QA, making them usually more current. Cloud signatures may end up as local signatures some time later, after they passed our usual QA processes.
spywar, posted July 1, 2013:
Many thanks. And are you allowed to tell us how EAMN classifies a new unknown file never seen before as malware? Perhaps there are AI engines? Dynamic analysis? Similarity search?
Fabian Wosar, posted July 1, 2013:
We usually apply rather complex statistical models to unknown files, allowing us to determine whether or not a file is malicious based on many different factors like location on the system, behavior on our client's machines, similarity to existing threats, user feedback, source, and so on.
spywar, posted July 1, 2013:
Many thanks for the explanations, great support.
spywar
spywar, posted July 2, 2013:
Since EAM does not submit a whole file... Where do you get the files from? Currently 20,581,602 files in database.
Fabian Wosar, posted July 2, 2013:
Various sources. VirusTotal, download portals, various file crawlers we use to automatically harvest files, trading agreements with other companies and so on.
spywar, posted July 5, 2013:
Quote (Fabian Wosar): "We usually apply rather complex statistical models to unknown files, allowing us to determine whether or not a file is malicious based on many different factors like location on the system, behavior on our client's machines, similarity to existing threats, user feedback, source, and so on."
And does this also apply for safe files (identified as unknown by the Anti Malware Network)? Usually, how long does this process take? Thanks.
Fabian Wosar, posted July 5, 2013:
Same for safe files. How long this process takes depends largely on the amount of data we have. More popular programs get picked up a lot faster than less popular programs.
spywar, posted July 5, 2013:
Thanks. Is it possible to know how many files get whitelisted automatically every day? I have correctly understood that any unknown files, safe or bad, get a classification by Anti Malware Network depending on many factors (BTW, bad files are classified MUCH faster than white, just because of the similarity which should really be doing great....) Thanks again.
Last Q: How long does a detected file need to be added to local DB? I mean there are TONS of Adware not detected by EAM but all classified as malware by AMN. I'm sure there is something to do here. I had no adware samples not detected by AMN as malware.
Fabian Wosar, posted July 5, 2013:
Around 2000 - 5000 files a day are being whitelisted at the moment. The number of files being blacklisted is a lot higher though (around 100k per day). Adware signatures for the most part will never be included in the local signature files, unless the adware shows malicious behavior and could be considered illegal in some countries.
spywar, posted July 7, 2013:
Thanks again Fabian.
So do you get samples from virustotal continuously? 24/7?
I see there is a product called MalAware which essentially relies on this database for scanning. Do you plan such a scan called Cloud Scan for the future of EAM?
Fabian Wosar, posted July 7, 2013:
Quote (spywar): "I see there is a product called MalAware which essentially relies on this database for scanning. Do you plan such a scan called Cloud Scan for the future of EAM?"
Not likely.
spywar, posted July 8, 2013:
Hi! Take a look at this test on 22 samples pack from me: http://malwaretips.com/Thread-Malware-Pack-22-fresh-samples--16954?pid=127641#pid127641 (really fast)
I'm impressed by OA I must say... Question is how can it identify something as malicious? (dangerous)? Does it look it up through the Anti Malware Network database? Cause I checked these files with isthisfilesafe.net and if I remember right all were caught as Malware. Thanks again for all those replies and also to the tester.
Fabian Wosar, posted July 8, 2013:
Correct. Online Armor utilizes the Emsisoft Anti-Malware Network cloud for those detections as well as some basic heuristics integrated within Online Armor itself. But the majority is cloud based.
spywar, posted July 8, 2013:
Strange that EAM asks AMN only when Behavior Blocker sees something with malicious behavior... Maybe I am wrong here? Do you plan some more things for EAM like checking every .exe with AMN? Thanks again.
Fabian Wosar, posted July 8, 2013:
No, we have no such plans.
spywar, posted July 12, 2013:
Basically you don't have any plans on bringing the AMN even more in interaction with EAM? It's really active with OA, nothing goes through and if one passes the OA's cloud lookup, Mamutu takes care of it.... I mean... even adware are all covered by AMN! And if you take a look at some malware removal forums, you'll see ppl get infected a lot by Adware. It would be pretty good to bring up this AMN to check every execution on EAM... But I bet you know better than me.
Fabian Wosar, posted July 12, 2013:
The Emsisoft Anti-Malware Network is extremely aggressive. Querying it for every application you run would cause a huge amount of false positives. Which is why we only query it if we have an initial suspicion to begin with.
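Added example (not part of the thread and not Emsisoft's code): a small model of the trade-off described in the post above, comparing a cloud lookup gated on behavioral suspicion with a lookup for every file. All sample names, contents, verdicts and the hash-set "signatures" are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes     # constructed stand-in for the file's bytes
    malicious: bool    # ground truth, used only for scoring
    suspicious: bool   # behavior blocker raised an initial suspicion

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed samples; names, contents and verdicts are all hypothetical.
SAMPLES = [
    Sample("known_trojan.exe", b"trojan-a", True, True),
    Sample("fresh_dropper.exe", b"dropper-b", True, True),
    Sample("quiet_adware.exe", b"adware-c", True, False),
    Sample("packed_tool.exe", b"tool-d", False, False),
    Sample("niche_updater.exe", b"updater-e", False, False),
    Sample("office_app.exe", b"office-f", False, False),
    Sample("script_host.exe", b"host-g", False, True),
]
LOCAL_SIGS = {sha1(b"trojan-a")}  # conservative, fully QA'd
# Aggressive cloud set: catches more malware but also two benign files.
CLOUD_SIGS = {sha1(c) for c in (b"trojan-a", b"dropper-b", b"adware-c",
                                b"tool-d", b"updater-e")}

def scan(sample: Sample, always_query_cloud: bool):
    """Return (flagged_as_malware, cloud_was_queried)."""
    digest = sha1(sample.content)
    if digest in LOCAL_SIGS:
        return True, False
    if always_query_cloud or sample.suspicious:
        return digest in CLOUD_SIGS, True
    return False, False

def evaluate(always_query_cloud: bool) -> dict:
    stats = {"detected": 0, "false_positives": 0, "missed": 0, "cloud_queries": 0}
    for s in SAMPLES:
        flagged, queried = scan(s, always_query_cloud)
        stats["cloud_queries"] += int(queried)
        if flagged and not s.malicious:
            stats["false_positives"] += 1
        elif flagged:
            stats["detected"] += 1
        elif s.malicious:
            stats["missed"] += 1
    return stats
```

With the gate, `evaluate(False)` flags no benign file but misses the quiet adware sample; `evaluate(True)` catches it at the cost of two false positives and three times as many cloud queries.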
spywar, posted July 12, 2013:
My suggestion: Why not make an upload area on the AMN website so that I can upload never seen malware by the backend.
Fabian Wosar, posted July 12, 2013:
Because creating signatures manually will ensure that both cloud as well as offline signatures will be available in a timely manner. It takes a lot longer for automatically created cloud signatures to eventually be converted into local signatures.
spywar, posted July 15, 2013:
I gathered 58 fresh samples: http://malwaretips.com/Thread-Malware-Pack-58-fresh-samples--17062?pid=128440#pid128440
Did a scan with EEK updated, which left 9 samples. Submitted those 9 and also checked all of them one by one using the SHA-1 value: http://malwaretips.com/Thread-Malware-Pack-58-fresh-samples--17062?pid=128447#pid128447
Pretty impressive and aggressive.
spywar, posted December 3, 2013:
I can't find AntiMalwareNetwork website with all stats etc... Is it normal?
Fabian Wosar, posted December 3, 2013:
What kind of stats are you looking for? There are a couple of stats available here: http://www.isthisfilesafe.com
spywar, posted December 3, 2013:
Ah yes..... I forgot the site name, I was searching for Antimalwarenetwork.net .... thanks
spywar, posted December 3, 2013:
Oh I can see that DB is now reaching the 50 M files.... Considering it was at 20 M at the time I started this thread... nice.
Fabian Wosar, posted December 3, 2013:
Also keep in mind that those files are almost exclusively malware files. Statistics of the last 30 days: We are processing around 150k - 200k new malware files each day.
spywar, posted December 8, 2013:
Yes it is quite quite powerful... I was just testing it with fresh MD5 values of fresh malware samples... Even safe samples are well covered. "Around 2000 - 5000 files a day are being whitelisted at the moment", so we can consider that AMN is whitelisting around 60 000 / 150 000 of new safe files each month then..
spywar, posted February 7, 2014:
In that case, Elise manually whitelisted an app: http://support.emsisoft.com/topic/13617-cubicexplorer-false-positive/#entry98357
I guess this was also able to be done automatically, right?