Info AV collects

glouwe
n00b
Posts: 3
Joined: Sun Dec 11, 2011 7:14 am

Info AV collects

Post by glouwe » Sun Dec 11, 2011 12:20 pm

Hi guys,
I read about this new mechanism the anti-virus companies mark as the future AV technology: reputation protection.
I'm curious to know how such a thing might work.
Will they send every file of mine to check (even private files, or my executables)?
If they won't send the whole file, what would they send? And what if I'm not online? Will it buffer the info or just ignore it?
Is this thing already working? Because I haven't noticed any difference...

Thanks,

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Info AV collects

Post by Cool_Fire » Mon Dec 12, 2011 5:55 am

All I found on the matter is this article: http://www.scmagazineuk.com/symantec-re ... le/213609/

The gist of it seems to be that they keep a whitelist of known clean files, and that they dynamically add to this whitelist when one of their installs comes across a new file.
I would guess that they have the whitelist cached for offline use.

As far as sending the entire file, they don't. It's still signature-based, so your personal information is still safe. (For now.)

But most of this is probably going to be slightly different for every AV vendor's implementation.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

glouwe
n00b
Posts: 3
Joined: Sun Dec 11, 2011 7:14 am

Re: Info AV collects

Post by glouwe » Mon Dec 19, 2011 2:40 am

Thanks for the reply,

But what will happen in case they see an unknown file? You can't just add it to the whitelist, since it might be malicious, and if you scan it on the client's computer the result might not be accurate...

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Info AV collects

Post by Cool_Fire » Thu Dec 22, 2011 4:47 am

As far as I understand, it'll only be added to the whitelist if the file is detected on one or several machines that have never been infected so far. But again, this would be highly vendor-implementation dependent, of course.

glouwe
n00b
Posts: 3
Joined: Sun Dec 11, 2011 7:14 am

Re: Info AV collects

Post by glouwe » Sun Dec 25, 2011 6:47 am

Mmmm... I can understand what's behind this idea, but I'm in doubt whether it's that simple,
as it would be trivial to bypass by creating a new "clean" machine and copying the malicious file onto it.
There should be a way to manage such attempts to subvert the mechanism.

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Info AV collects

Post by Cool_Fire » Tue Dec 27, 2011 3:07 am

Everything can be bypassed, but I don't expect any AV vendors to rely entirely on this mechanism.
Instead, what you'd expect to see is this being implemented alongside existing stuff, and having this new technique be applied to try and stem the tide of payloads generated on the fly.
Besides, having it run from a clean machine is not as easy as it sounds. You could fairly easily set up a VM, but you would probably also need a clean IP address/address block.

Also, you should take into account that they'll probably not whitelist an item when there is only one place it has shown up. And even if they do, I'd expect they'll quickly reverse that whitelisting if it then shows up on 80 bad machines.

I would imagine that it's mostly useful in preventing polymorphic worms and viruses from evading detection as easily as they do now.
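The mechanism sketched across this thread (only a hash leaves the endpoint, the whitelist is cached for offline use, a file is whitelisted once it has been seen on several never-infected machines, and the whitelisting is reversed when it turns up on infected ones) is modelled below as an added toy example. It is not code from the thread or from any AV vendor; the SHA-256 choice, the two thresholds, the machine ids and the byte strings standing in for files are all assumptions made for the example. It also walks through glouwe's bypass (seeding the file from several "clean" VMs) and Cool_Fire's counter (revocation after infected sightings).

```python
"""Toy model of hash-based file reputation (constructed example, not vendor code).

The endpoint never uploads a file, only its SHA-256 digest; the service
counts on how many clean and how many infected machines each digest was
seen; verdicts are cached on the endpoint for offline use and lookups
made while offline are queued. Thresholds and ids are assumptions.
"""
import hashlib
from dataclasses import dataclass, field

CLEAN_MACHINES_NEEDED = 3    # assumed: distinct clean machines before whitelisting
MAX_INFECTED_SIGHTINGS = 1   # assumed: more infected sightings than this revokes it


def file_digest(data: bytes) -> str:
    """The only thing that leaves the endpoint: a fixed-size digest, not the file."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Sightings:
    clean: set = field(default_factory=set)     # ids of never-infected machines
    infected: set = field(default_factory=set)  # ids of machines known to be infected


class ReputationServer:
    """Cloud side: per-digest prevalence counters plus white- and blocklists."""

    def __init__(self) -> None:
        self.seen: dict[str, Sightings] = {}
        self.whitelist: set[str] = set()
        self.blocklist: set[str] = set()

    def report(self, digest: str, machine_id: str, machine_clean: bool) -> str:
        s = self.seen.setdefault(digest, Sightings())
        (s.clean if machine_clean else s.infected).add(machine_id)
        if len(s.infected) > MAX_INFECTED_SIGHTINGS:
            self.whitelist.discard(digest)   # infected sightings reverse whitelisting
            self.blocklist.add(digest)
        elif digest not in self.blocklist and len(s.clean) >= CLEAN_MACHINES_NEEDED:
            self.whitelist.add(digest)
        return self.verdict(digest)

    def verdict(self, digest: str) -> str:
        if digest in self.blocklist:
            return "malicious"
        if digest in self.whitelist:
            return "clean"
        return "unknown"   # too rare to judge; endpoint falls back to local scanning


class Endpoint:
    """Client side: local verdict cache for offline use, queue for missed lookups."""

    def __init__(self, machine_id: str, server: ReputationServer, clean: bool = True):
        self.machine_id, self.server, self.clean = machine_id, server, clean
        self.cache: dict[str, str] = {}   # digest -> verdict, consulted first
        self.pending: list[str] = []      # digests not yet reported to the server
        self.online = True

    def check(self, data: bytes) -> str:
        digest = file_digest(data)
        if digest in self.cache:
            return self.cache[digest]
        if not self.online:
            self.pending.append(digest)   # buffered, not dropped
            return "unknown"
        return self._lookup(digest)

    def _lookup(self, digest: str) -> str:
        verdict = self.server.report(digest, self.machine_id, self.clean)
        if verdict != "unknown":
            self.cache[digest] = verdict
        return verdict

    def reconnect(self) -> None:
        self.online = True
        for digest in self.pending:
            self._lookup(digest)
        self.pending.clear()


def run_scenario() -> dict:
    """Walks through the thread's cases; the byte strings are constructed stand-ins."""
    server = ReputationServer()
    benign = b"MZ\x90\x00 constructed stand-in for a legitimate installer"
    dropper = b"MZ\x90\x00 constructed stand-in for a freshly packed dropper"
    out = {}
    verdicts = [Endpoint(f"office-{i}", server).check(benign) for i in range(3)]
    out["benign_first"], out["benign_third"] = verdicts[0], verdicts[2]
    for i in range(3):   # glouwe's bypass: seed the file from several "clean" VMs
        out["dropper_seeded"] = Endpoint(f"attacker-vm-{i}", server).check(dropper)
    for i in range(2):   # Cool_Fire's counter: sightings on infected machines revoke it
        out["dropper_revoked"] = Endpoint(f"victim-{i}", server, clean=False).check(dropper)
    laptop = Endpoint("laptop", server)
    laptop.online = False
    out["offline"] = laptop.check(benign)        # queued, answered from local scanning
    laptop.reconnect()
    out["after_reconnect"] = laptop.check(benign)
    out["bytes_sent_per_file"] = len(file_digest(benign))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things the toy makes visible that the thread only hints at: the attacker's seeded dropper really is reported "clean" until the infected sightings arrive, so the thresholds decide how long the window stays open; and an endpoint that cached "clean" before the revocation keeps trusting its cache, so a real implementation needs a TTL or push revocation on cached verdicts rather than the indefinite cache used here.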
