03-15-2011 11:15 AM - last edited on 03-21-2011 07:46 PM by shannons
Cloud detection (such as WS.Repuration.1, Suspicious.Cloud.x, etc.) are used only directly after download or first access it. After that - restoring from Quarantine, or unpack it again - Norton is not recognize a threat in this file. What is the regognize algorithms? First - delete all, after - use as long as you want. Threats if they are recognized as bad - must be recognized as bad untill next update (engine, definitions, behav. or heur. engines, cloud information).
Although bad Cloud information - threat was able to start own procedures:
1) downloaded 1 MB file from the Internet
2) fully rewrited hosts file and write in it about 10 own entries (!not recognized by NPE!)
3) maked Task Manager disabled via the appropriate registry item (recognized by NPE, !but can't be fixed!)
4) maked Command Prompt disabled (!not recognized by NPE!)
5) other (not recognized by NPE)
Where SONAR was? Where it looked? So many malware actions from must-be-restricted-in-actions bad reputation file!
Previously I saw many malware that SONAR blocks at once. Here I saw no bahaviour monitoring in this case.
May be this sample uses slightly new model of infection tactics
How many (different tactics) and (actions of the same tactics) samples can I write to make product saw and protect against this? :)) Are there in company a specialists of different malware actions? You are analysing thousands malware samples everyday, you know how actions can be executed in Windows. So why you can't recognize suspicious actions or at least display to user this list of actions and processes that made them like Windows Defender (at least on WinXP does and better)?
Please! Improve your product! Sophisticated to end users? Make an option to turn off and on it (make off by default)
Lets start to fight agains malware together! Display user messages about system changes made and make at once suspicious sample auto-submissions!
Missed threats at sendspace and rapidshare.
NIS 220.127.116.11 (fully updated)
WinXP Prof. SP3 32bit x86
03-21-2011 10:01 AM
Hi Niko233! I am happy you took the time to give NIS product recommendations. Are you saying that the logic behind reputation scanning needs to be re-thought? If so, let me see if a Symantec employee who works on that feature can respond.
03-21-2011 06:03 PM
Alright, if I do not forget it, I will tell you.
And if you submit malware sample on that I posted non-direct link in this idea message to Norton team - it will be great! :)
03-21-2011 09:11 PM - edited 03-21-2011 09:13 PM
>microsoftoffice2010activatorkeygenbythecrew.exe Our automation was unable
to identify any malicious content in this submission.
Can't execute this under Virtual machine Environment or some test software and see why SONAR detect this? :))))
Than improve automation detection!!! I open an America? Nothing at all! And I think that just sometimes a brain can help to organize, create and improve anything. Head just need to be in use to reach something, not for wear a hat only. Why to be so frozen, so classic, trivial and non-original?
By the way - how many antiviruses have Sandbox feature for users? Not a few.
Symantec till now can't provide this feature for itself automation detectors and users. Bad.
03-22-2011 01:29 AM - edited 03-22-2011 01:33 AM
Thanks Nico, the file is indeed malicious.
03-22-2011 04:42 AM - last edited on 03-23-2011 07:54 AM by shannons
Thanks on comments, but I want to this sample been analyzed as slightly new threats infection methods - to add this into SONAR. It is download trusted file and may be use it in giving it own malware actions. the tree of processes need to be detected (constructed) and analyzed for initiation process for malware. That is I really want. Today is no way to definitions as main component, it is only can help to heart of AV: behaviour monitor (SONAR in Norton).
Where are the such times?
Fragment from 29 min 30sec to 30:30
How joyfully and elegant it was!! :)
Every respectable by itself Virus must be hidden by rootkit
Every respectable by itself Antivirus must have behaviour monitor component to detect malware actions of new/unknown threats.
[edit: Fixed posting error.]