<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d33547542\x26blogName\x3dNotes+%26+Thoughts\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttps://jonpoon.blogspot.com/search\x26blogLocale\x3den_US\x26v\x3d2\x26homepageUrl\x3dhttp://jonpoon.blogspot.com/\x26vt\x3d3412814716534773350', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Monday, October 02, 2006

detecting test files

Recently, i came across a set of files that were only flagged by one of the av products as being possibly malicious, specially as a trojan.

Since these were executables, i was able to use the sandbox technologies, Norman and Sunbelt among others, to try to figure out why these files are triggering the flag.

The sandbox output from the above tools didn't show anything malicious in the executables, even with my low level of assembly language knowledge.

I also used VirusTotal and Jotti's malware Scan to get the scanning results from scanners that i do not use, and the results were the same. Only one of the scanner sets (the same one that triggered my initial analysis) on both sites flagged the files.

I then loaded the files into a Virtual PC session, and launched tools like filemon/netmon/regmon and other similar tools and found nothing that indicate typical malicious behavior.

After doing these analysis, and it was truly a "DUH" moment, i re-examined the scanner log file.

Next to the flag of trojan, was an additional note of testfile. In the log, it was shown like (format changed somewhat below):

xxx.exe - a possible trojan--testfile

This led me to switch my train of thought. Assuming that these were indeed correct flags by this one single product, could these files be created to show that the product can detect the set of files, and that the product (at least its detection) works? Think of it as a scanner's own version of the Eicar test file.

I have not verified whether these are indeed files created for this purpose, but assuming that they are, what do this set of file truly represent? Probably in the hands of the marketing folks of that product, it could be used as a demonstration of how good the product is, no matter how one-sided it is.

Would these files be eventually detected by other antimalware products? Why would they do so? If they do not, would that just add ammunition to this company's salesforce?

In the hands of the uninformed, would the testing results be skewed unfairly to one product vs the others?

Don't we have enough confusion already?

Technorati tags: ,


Post a Comment

Links to this post:

Create a Link

<< Home