TechSavvyy 0 Posted February 21 Report Share Posted February 21 this seems to be very obvious malware. why emsisoft couldn't detect it? I ran ONS as well executed file for behaviour detection - both time Emsisoft failed :( https://www.virustotal.com/gui/file/49655a2807a24adb5ae7625fbcdbef2d441e4461a9b67feee82c8e111270578b/detection IMG__New Orders 2021 and Specifications .com Quote Link to post Share on other sites
JeremyNicoll 80 Posted February 21 Report Share Posted February 21 What is "ONS"? Quote Link to post Share on other sites
GT500 873 Posted February 22 Report Share Posted February 22 It looks like the detections are all heuristic, and fairly generic. I'll run it by our malware analysts to see if they can tell what it is. Quote Link to post Share on other sites
GT500 873 Posted February 22 Report Share Posted February 22 It's confirmed as malicious. Detection had already been added by BitDefender before our analysts took a look at it. Quote Link to post Share on other sites
TechSavvyy 0 Posted February 22 Author Report Share Posted February 22 18 hours ago, JeremyNicoll said: What is "ONS"? On-Demand Scan Quote Link to post Share on other sites
TechSavvyy 0 Posted February 22 Author Report Share Posted February 22 1 hour ago, GT500 said: It's confirmed as malicious. Detection had already been added by BitDefender before our analysts took a look at it. BD was not detecting it earlier, only 17 out of 71 scan engins were detecting it on Virustotal. BD started detecting it only after 5-6 hours when I uploaded on virustotal. And does that mean, behaviour based detection, AI etc are all myth? finally signature based scaning is only affective way ? Quote Link to post Share on other sites
JeremyNicoll 80 Posted February 22 Report Share Posted February 22 Behaviour-based detection only happens if someone runs the malware /and/ EAM (or whatever anti-malware app someone uses) decides that what it is doing looks suspicious. You said at the start that you thought this one was "very obvious malware". What made you think that, other than the filename looking suspicious for an executable? Was that before or after running it? What did it do that made you sure it was malware? (And, did you do that in a sandbox?) Heuristics are informed guesswork. It means the anti-malware program is looking for code inside an executable that resembles other known-to-be-bad code. Quote Link to post Share on other sites
GT500 873 Posted February 23 Report Share Posted February 23 16 hours ago, TechSavvyy said: And does that mean, behaviour based detection, AI etc are all myth? finally signature based scaning is only affective way ? Did you actually execute it? Behavioral detection doesn't detect files that are just sitting on your hard drive doing nothing, nor does it detect files that are being downloaded. In order for behavioral detection to kick in, malicious code has to be executed, and perform some sort of action that the behavioral detection monitors for. As for "AI", that's just a marketing buzzword. Quote Link to post Share on other sites
TechSavvyy 0 Posted February 23 Author Report Share Posted February 23 12 minutes ago, GT500 said: Did you actually execute it? Behavioral detection doesn't detect files that are just sitting on your hard drive doing nothing, nor does it detect files that are being downloaded. In order for behavioral detection to kick in, malicious code has to be executed, and perform some sort of action that the behavioral detection monitors for. As for "AI", that's just a marketing buzzword. yup, i executed the file. it was there in task manager too. After a minutes, i termintaed the task. Quote Link to post Share on other sites
GT500 873 Posted February 23 Report Share Posted February 23 4 minutes ago, TechSavvyy said: yup, i executed the file. it was there in task manager too. After a minutes, i termintaed the task. That means it didn't have a chance to do anything that our Behavior Blocker monitors for. Sometimes malware doesn't do anything malicious right away, especially if it's trying to contact a Command and Control server that's no longer operational. Quote Link to post Share on other sites
TechSavvyy 0 Posted February 23 Author Report Share Posted February 23 2 minutes ago, GT500 said: That means it didn't have a chance to do anything that our Behavior Blocker monitors for. Sometimes malware doesn't do anything malicious right away, especially if it's trying to contact a Command and Control server that's no longer operational. well, may be. But File Reputation rating should come in to picture here. If emsisoft not yet using it; it must start. Containerize or at least flag the files / display notification with no reputation. Quote Link to post Share on other sites
GT500 873 Posted Wednesday at 05:48 AM Report Share Posted Wednesday at 05:48 AM 23 hours ago, TechSavvyy said: But File Reputation rating should come in to picture here. It only comes in to play if a running process actually does something the Behavior Blocker monitors for. If a program isn't doing anything that appears malicious, then there's no need to verify whether or not it's safe, and doing it any other way would be a huge performance drain on your system. 1 Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.