Hi all,
I am performing research at the moment to analyse the possibility of using AV products within a forensics investigation. The basis for this research is to verify to what extent an AV product is able to identify a certain malware with the correct type and family name. There are of course a lot of discussions about the lack of consensus between different AV products when it comes to naming malware, hence the purpose of this study is to see if there are products which try to have a consensus in the naming.
I consider two factors to evaluate the AV products: their detection performance and their identification performance. Both are of course very important, but I would be very interested to know how you would rate the importance of those two factors.
On a scale from 1 to 10, how important do you think the detection performance and the identification performance of an AV product are if it is to be used within a forensics investigation?
Many thanks for your input.
Yves
The basis for this research is to verify to what extent an AV product is able to identify a certain malware with the correct type and family name.
I am not sure I get it.
Wouldn't it be essential that the tool actually FINDS the malware, and then, once you have identified the file, you just analyze it by uploading it to VirusTotal or a similar site?
This way you have the "response" from many of the major AVs (and in their most current version), and "consensus" (if any) becomes evident without much "research".
jaclaz
The identification of malware by AV software is secondary or irrelevant for forensic purposes. When an AV product "identifies" a malicious file, it pretends to be able to predict that the behavior of the malware on a target system would be similar to the documented behavior of "TR.somethingxyz".
In fact, the applied detection techniques cannot lead to such a conclusion, as they are designed to keep a system clean and leave it at a first glance. To protect a system by detecting malware and to reliably identify it are mutually exclusive aims.
For modern day incident analysis I've long since given up on using AV products for a current unknown malware compromise.
AV is fine, and we use it, but it has two (actually more) limitations for my analysis:
1. The malware does not detect the 0day compromise or component of the 'kill chain' (dropper, to persistence mechanism, to propagation if any).
2. With so many new variants appearing daily, the AV vendors can barely scrape together a detection name let alone any infection mechanism information.
What I mean by #2 is that if AV detects something, you will be very lucky if that AV vendor can tell you how the malware operates, installs, file system indicators etc etc.
And this is exactly what you need for forensics. So we take it to the next step and conduct malware analysis.
Your idea of running multiple AV tools against the same suspected malware is not a new one, BUT I commend you for thinking about it anyway. It has its place for sure.
Hi,
OK, this was basically the reaction I was expecting.
Concerning VirusTotal: yes, you may use VirusTotal, but then you may think about confidentiality issues, or the fact that your results will show so many different identifiers that it is very difficult to know what has been identified.
Yes, AVs are there to protect and keep a PC clean, but by changing the configuration you can tell it to only report on findings. The goal is to only use the on-demand scanner and not any on-access functionality.
The main goal is not to say that using an AV will make malware analysis unnecessary. The goal is to try to identify a malware as accurately as possible, and based on the information found on the Internet, for example, this may help to find useful artefacts. But by no means should AV replace malware analysis; the idea is to ease the subsequent analysis and, as you may know, not all forensic practitioners have the skills to perform malware analysis.
Many tools are used in forensics and I think AV may have a good place within that portfolio.
Yves
Concerning VirusTotal. Yes you may use VirusTotal but then you may think about confidentiality issues or the fact that your results will show so many different identifiers that it is very difficult to know what has been identified.
So, what is your idea for an alternative?
Like having on a "work machine" some 40 different AVs (and paying a license for those of them that are not free also for commercial use), then scanning with each of them, avoiding the possible conflicts that may arise (AFAIK/AFAICR some AVs do not have a "self-standing" on-demand scanner, or at least modifying the install to have it working by itself is a nightmare)?
In any case, by analyzing the publicly available results from VirusTotal (examples here), you can gather how the names different AV vendors attribute to the find (if any) rarely have *anything* "in common"….
Maybe you should convince the AV programmers to join into something like the above, but producing UPDATED (real-time) results….
…. right now a monthly list seems to be of very little use.
As explained in the FAQs, the CARO "naming scheme" is ignored by many AV makers….
It's been YEARS that the need for a "common naming scheme" has been considered VITAL, and years that NOTHING has been done about it.
With all due respect for the guys/gals involved, the actual base document doesn't EVEN have a date of publication!
And its "live" version is pretty much useless, IMHO.
Not that EICAR
http://eicar.org/
does much more, apart from organizing conferences….
We have a nice "test file" updated in 2006….
jaclaz
No, the goal is not to use 40 AVs. That's basically the purpose of the research: to find the AV which has the best consensus among different AVs. Some AVs tend to name malware with good consensus, and the goal is to find those AVs.
Concerning your references about the different conventions, I agree that it is a big problem, and it seems that this will never be solved since not enough effort is put into it. I think the general approach is to protect the user, the main goal of an AV, and not to provide any exact name.
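As an added example (not part of this thread, and not any vendor's code), the two ideas raised above, that multi-engine results return many different identifiers, and that one might look for the engine whose names agree most often with the others, can be made measurable. The scan results, engine names and labels below are constructed for illustration; the family-token heuristic is my own simplification.

```python
import re
from collections import defaultdict

# Constructed scan results: sample -> engine -> label (None = not detected).
# Engine names and labels are made up for illustration, not real vendor output.
SCANS = {
    "sample-1": {"EngineA": "Trojan.Win32.Zbot.gen", "EngineB": "W32/Zbot.A",
                 "EngineC": "Generic.Malware.123", "EngineD": None},
    "sample-2": {"EngineA": "Worm.Conficker.B", "EngineB": "W32/Conficker.worm",
                 "EngineC": "Net-Worm.Kido.ih", "EngineD": "Worm/Conficker"},
    "sample-3": {"EngineA": None, "EngineB": "Trojan.Generic.4567",
                 "EngineC": "Backdoor.Poison.a", "EngineD": "Backdoor/PoisonIvy"},
}

# Type and platform words that carry no family information.
GENERIC = {"trojan", "worm", "backdoor", "win32", "w32", "net",
           "generic", "malware", "variant", "gen"}

def family_tokens(label):
    """Keep only the tokens of a label that could name a family (no digits,
    no type/platform words, no short variant suffixes such as .A or .ih)."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    return {t for t in tokens if len(t) > 2 and not t.isdigit() and t not in GENERIC}

def families_agree(a, b):
    """True if a family token in one set is a prefix of one in the other
    ('poison' matches 'poisonivy'); tokens under 4 characters never match."""
    return any(min(len(x), len(y)) >= 4 and (x.startswith(y) or y.startswith(x))
               for x in a for y in b)

def score_engines(scans):
    """Per engine: detection rate over all samples, and naming consensus, i.e. the
    mean fraction of the other detecting engines whose family name agrees with it."""
    detected, agree_sum, compared = defaultdict(int), defaultdict(float), defaultdict(int)
    for results in scans.values():
        for engine, label in results.items():
            if label is None:
                continue  # missed sample: counts against detection, not naming
            detected[engine] += 1
            others = [family_tokens(l) for e, l in results.items() if e != engine and l]
            if not others:
                continue  # nobody to agree with on this sample
            mine = family_tokens(label)
            agree_sum[engine] += sum(families_agree(mine, o) for o in others) / len(others)
            compared[engine] += 1
    engines = sorted({e for r in scans.values() for e in r})
    return {e: {"detection_rate": detected[e] / len(scans),
                "naming_consensus": agree_sum[e] / compared[e] if compared[e] else 0.0}
            for e in engines}
```

On this constructed data EngineB detects every sample but scores lowest but one on naming because of its generic label, while EngineA and EngineD miss a sample each yet agree most often with the others; the two factors from the opening post are deliberately kept separate so they can be rated independently.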
I think the general approach is to protect the user, the main goal of an AV, and not to provide any exact name.
You are an optimist. :)
I think that whenever obfuscation (no matter if intentional or accidental) is implemented, it is because there is NO (or not enough) $ in doing it in the open or clearly or documenting it.
I think that most of the good AV guys (or more probably their accountants/chairmen/whatever) probably find that by using "random names" they somehow "keep the edge" or otherwise make things more difficult for their competitors.
jaclaz
Hi,
Optimistic or not, I think the goal is to find out if an AV would be interesting within forensics if it could provide a good identifier to find more information at different sources. Even if the research turns out negative, this will just confirm your thoughts.
This brings me back to my initial question: how important would you rate the detection performance and the identification (naming) performance on a scale from 1 to 10?
Yves
Well, on your scale detection importance is 10 and naming importance 0. I'll run several virus scanners on a machine, Superantispyware, MSE, MBAM, all with the sole purpose of finding files which may possibly be infected. Once it has found them I'll examine them myself and, if necessary, see what they do in a virtual environment; I don't need to know what the vendors name the virus at all. If they call one friendly.virus and the other megakillworm.trojan, I'll examine them the same way.
It's also worth noting that running the machine you're examining in a virtual environment and then running any anti-virus they have installed is important, and the naming conventions of that anti-virus software may be relevant to an investigation. If the user thought that a trojan was just a tracking cookie because that's what his anti-virus program told him, it could lead to a possible trojan defence.