01-26-2012 10:34 PM
I think that is the file in the last video made by INDF. That one appears to be undetected and shuts down NIS.
INDF-
Could you also please send the files used by vashi, the ones that sonar did not block from the desktop?
Filename 6.zip 113.4KB
Thank you
Dave
01-26-2012 10:54 PM - edited 01-26-2012 10:54 PM
01-27-2012 08:06 PM - edited 01-27-2012 08:07 PM
Just tested with the telefonniy_spravochnik_tolyatti.exe executable on XP SP2 with NIS 19.2.
I posted the exe on some remote web server.
I disabled Download Intelligence and Insight Protection (not recommended), just so I can test SONAR detection and not be blocked by these layers.
Using IE, I downloaded the exe and saved it to the desktop.
I then ran it... and voila... SONAR detection.
01-27-2012 08:13 PM
I did another test. I created a sub-directory called "6" on the desktop, just like in the YouTube video. I then downloaded the exe and saved it to that folder and ran it. It was detected by SONAR.
01-27-2012 08:48 PM
shane_pereira wrote:
I did another test. I created a sub-directory called "6" on the desktop, just like in the YouTube video. I then downloaded the exe and saved it to that folder and ran it. It was detected by SONAR.
As per the YouTube video, this issue needs to be tested on a Windows 7 machine. The Desktop file path under Windows 7 is not the same as Windows XP:
Windows XP: C:\Documents and Settings\admin\Desktop
Windows 7: C:\Users\admin\Desktop
Please test this issue under Windows 7 and advise.
Thanks
01-27-2012 08:53 PM
That's also not the file that wasn't detected in the desktop folder.
It was called something like 6(7).exe and 6(8).exe; they were in the 6.zip folder.
It's hard to see unless you view the vid on YouTube and make it full size.
01-27-2012 10:47 PM
Shane,
What about those malware samples which are distributed in archives, where the user is advised to download, extract and execute them in order to install a program? Can Download Insight and SONAR handle file information properly when the file was distributed in Zip, .7z or any other archive format except Rar?
What about synchronization between different protection components? I mean, if some file was detected by Download Insight, will it be detected another time by a different protection component (like SONAR, or even the same Download Insight)? I mean synchronization between components via the SYMEFA DB?
01-27-2012 10:56 PM
Norton Internet Security 2012 vs Trojan Mayachok: Episode Two
01-28-2012 06:00 AM - edited 01-28-2012 06:32 AM
Can Download Insight and SONAR handle file information properly when the file was distributed in Zip, .7z or any other archive format except Rar?
Download Insight cannot recognize any threats in any archive format except self-extracting (exe) archives. Malware inside a rar cannot be recognized by these two either: Download Insight and SONAR.
It would be a good idea to store already-obtained reputation in a cache and share it between components/layers, for example in symefa.db or Norton's folder.
Shane, not tested:
1) on Win7
2) the same samples that were on the video
3) no matter where you got this file (a downloaded EXE, ZIP or other archive type from the local network or the Internet, or a file that was stored on the computer before Norton installation or was copied from a flash drive), SONAR (and before it, the heuristic engine) must suspend the start of the running process (or the just-unpacked executable file, as far as the heuristic engine is concerned), request reputation info on that file, and only after that let it continue to run and monitor it. In what am I wrong with this? Why can't archived files be recognized now? Having no reputation info? Request it! And if they have reputation info, then for sure, 99.9%, SONAR lets it go because they are on the desktop.
Any ideas?
EDIT: INDF, very good video. I saw only one difference and it is in the reputation info. For the first piece of malware, the site where it was downloaded from is present (a public site with any content). The last piece has reputation info also, but without any site where it was downloaded from. So the site adds one more suspicious characteristic and SONAR finally recognizes that file as malicious. Only this one other item: where it is from. SONAR needs to be updated for many more inside-system action monitoring!!! Shane, if you release that (monitoring of more critical areas and actions inside the system) in SONAR it will be a 99.8% effective AV. How can one executable file, for example (in the video it was), restart the system: a file never used by the user, new, probably with previously dropped DLL or other files to use, and it wants to restart the system... SONAR (at least) must ask the user about such suspicious activity from unknown files with other suspicious characteristics.
Thanks for that video!
01-30-2012 03:28 PM
I re-ran the test with the following setup:
1. Windows 7 32-bit
2. NIS 19.2
I copied the steps in the video http://www.youtube.com/watch?v=6isxLnBqutc, testing with the file telefonniy_spravochnik_tolyatti.exe and the same file contained in an encrypted .zip.
Test 1
When I download the exe directly from the internet and save it in the Downloads folder (just like in the video) and run it, it is detected. See screenshot below:
Test 2
I then ran a different test.
- I hosted the .zip file containing the exe on a remote webserver.
- I downloaded the zip to the Downloads folder, extracted the exe to the same folder, and ran the exe.
This time I saw different results from the video. Firstly, the telefonniy_spravochnik_tolyatti.exe downloads and runs a file called flash_player_update.exe from the temp folder. When this file runs I see a UAC prompt. You don't see that in the video, so clearly the tester has disabled UAC before the test. We don't recommend that any of our users disable UAC, not that it would affect the outcome of the test as you will see... but in the real world it definitely affects whether it can successfully run or not. If I click "Yes" on the UAC prompt, I then get a SONAR alert, which convicts both the flash_player_update.exe and the original telefonniy_spravochnik_tolyatti.exe. See below.
I am not sure why I am seeing different results from the tester, but at this point, we have established two things that this thread was about:
- SONAR does not blindly ignore files run from the desktop. It can and will delete such files if they are found to be malicious
- SONAR does not blindly ignore files that are extracted from a zip file. Such files are monitored and can get deleted by SONAR.
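As an added illustration (not code from the thread or from Norton), a small Python detection rule over constructed process-creation events. It keys on the chain from Test 2 above: a program launched from Downloads or the Desktop dropping and launching a second executable from the user's Temp folder. The rule flags that parent/child pair rather than the Desktop or Downloads location by itself, which is the distinction the last two bullets make. The event records, paths and function names are constructed for this example; both the Windows XP and Windows 7 profile layouts quoted earlier in the thread are handled.

```python
import re

# Constructed process-creation events modelled on the chain described in
# Test 2 (downloaded exe drops a second exe into Temp and runs it).
# Not real telemetry; pid/ppid/image fields are the only ones used.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Users\admin\Downloads\telefonniy_spravochnik_tolyatti.exe"},
    {"pid": 3, "ppid": 2, "image": r"C:\Users\admin\AppData\Local\Temp\flash_player_update.exe"},
    # Windows XP layout: an exe run straight from a Desktop sub-folder, no drop.
    {"pid": 4, "ppid": 1, "image": r"C:\Documents and Settings\admin\Desktop\6\6(7).exe"},
    {"pid": 5, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
]

# Desktop/Downloads under either profile root (XP or Windows 7 layout).
USER_DROP_DIRS = re.compile(
    r"^c:\\(users|documents and settings)\\[^\\]+\\(desktop|downloads)\\", re.I)
# Per-user Temp under either layout.
TEMP_DIRS = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata\\local\\temp"
    r"|documents and settings\\[^\\]+\\local settings\\temp)\\", re.I)


def is_user_drop(path):
    """True if the image lives directly under the user's Desktop or Downloads."""
    return bool(USER_DROP_DIRS.match(path))


def is_temp(path):
    """True if the image lives in the user's Temp folder."""
    return bool(TEMP_DIRS.match(path))


def find_drop_chains(events):
    """Return (parent_image, child_image) pairs where a Desktop/Downloads
    program launched a second executable out of the Temp folder.
    Location alone (pid 4 above) is deliberately not enough to match."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent and is_temp(child["image"]) and is_user_drop(parent["image"]):
            hits.append((parent["image"], child["image"]))
    return hits


if __name__ == "__main__":
    for parent_img, child_img in find_drop_chains(EVENTS):
        print(f"suspicious drop chain: {parent_img} -> {child_img}")
```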
