Improve Cloud Detection and SONAR

Archive
1

Cloud detection (such as WS.Repuration.1, Suspicious.Cloud.x, etc.) are used only directly after download or first access it. After that - restoring from Quarantine, or unpack it again - Norton is not recognize a threat in this file. What is the regognize algorithms? First - delete all, after - use as long as you want. Threats if they are recognized as bad - must be recognized as bad untill next update (engine, definitions, behav. or heur. engines, cloud information).

 

u3.png

 

Although bad Cloud information - threat was able to start own procedures:

1) downloaded 1 MB file from the Internet

2) fully rewrited hosts file and write in it about 10 own entries (!not recognized by NPE!)

3) maked Task Manager disabled via the appropriate registry item (recognized by NPE, !but can't be fixed!)

4) maked Command Prompt disabled (!not recognized by NPE!)

 

u1.png

 

5) other (not recognized by NPE)

 

u2.png

 

Where SONAR was? Where it looked? So many malware actions from must-be-restricted-in-actions bad reputation file!

Previously I saw many malware that SONAR blocks at once. Here I saw no bahaviour monitoring in this case.

May be this sample uses slightly new model of infection tactics

How many (different tactics) and (actions of the same tactics) samples can I write to make product saw and protect against this? :)) Are there in company a specialists of different malware actions? You are analysing thousands malware samples everyday, you know how actions can be executed in Windows. So why you can't recognize suspicious actions or at least display to user this list of actions and processes that made them like Windows Defender (at least on WinXP does and better)?

 

Please! Improve your product! Sophisticated to end users? Make an option to turn off and on it (make off by default)

Lets start to fight agains malware together! Display user messages about system changes made and make at once suspicious sample auto-submissions!

 

Missed threats at sendspace and rapidshare.  

 

---

NIS 18.5.0.125 (fully updated)

WinXP Prof. SP3 32bit x86

 

[Edited Idea subject for clarity and removed links to third-party sites as per the Participation Guidelines and Terms of Service]

2

Hi Niko233!  I am happy you took the time to give NIS product recommendations.  Are you saying that the logic behind reputation scanning needs to be re-thought?  If so, let me see if a Symantec employee who works on that feature can respond.  

3

Alright, if I do not forget it, I will tell you.

And if you submit malware sample on that I posted non-direct link in this idea message to Norton team - it will be great! :)

4

Tracking #19582565

 

>microsoftoffice2010activatorkeygenbythecrew.exe Our automation was unable
to identify any malicious content in this submission. 

 

Can't execute this under Virtual machine Environment or some test software and see why SONAR detect this? :))))

Than improve automation detection!!! I open an America? Nothing at all! And I think that just sometimes a brain can help to organize, create and improve anything. Head just need to be in use to reach something, not for wear a hat only. Why to be so frozen, so classic, trivial and non-original?

 

By the way - how many antiviruses have Sandbox feature for users? Not a few.

Symantec till now can't provide this feature for itself automation detectors and users. Bad.

5

Different results: my PC vs. Symantec <on> virustotal.com

http://community.norton.com/t5/Norton-Internet-Security-Norton/Different-results-my-PC-vs-Symantec-virustotal-com/td-p/419440

6

Thanks Nico, the file is indeed malicious.


It drops a file which modifies the host file and attempts to download other malicious files. Detection for both dropper and dropped files has been added as Trojan.Horse.

JohnM
7

Thanks on comments, but I want to this sample been analyzed as slightly new threats infection methods - to add this into SONAR. It is download trusted file and may be use it in giving it own malware actions. the tree of processes need to be detected (constructed) and analyzed for initiation process for malware. That is I really want. Today is no way to definitions as main component, it is only can help to heart of AV: behaviour monitor (SONAR in Norton).

 

Where are the such times?

http://www.youtube.com/watch?v=EjWh0AJh58M

Fragment from 29 min 30sec to 30:30

How joyfully and elegant it was!! :)

 

---

My thoughts:

Every respectable by itself Virus must be hidden by rootkit

Every respectable by itself Antivirus must have behaviour monitor component to detect malware actions of new/unknown threats.

 

 

[edit: Fixed posting error.]