A good part of the fight against malware relies on "the good guys" sharing samples and intel. For some reason though, many anti-virus (AV) companies seem to make it exceedingly hard to "extract" usable samples from their tools and quarantines. They insist on a quarantine in a proprietary format, and more often than not, the only options given in the GUI are "Send to Vendor" or "Delete". Send to vendor? Well duh, how about sending to _more than one_ vendor? How about letting me extract the sample in an industry standard format, so that I can share it with the other AV vendors whose products I'm using to protect my corporation or university? Exasperated by a recent run-in with the quarantine mechanism of a particularly stubborn yellow product, I googled some, and found out that there's actually an IEEE Working Group looking into standardizing an open Malware Exchange format. Good news. Though even better news would be if the format chosen were simply an existing forensic file format, maybe with added encoding or encryption to turn the sample inert. But, no matter which format gets selected eventually, I sure hope that (a) this happens soon and (b) the AV vendors actually adopt the idea and make extracting and sharing samples and intel easier than they do today. Because most of their products today ... to me look a whole lot like the vendors don't care [beep] about their clients' security and efficient malware defense. Not anywhere near as much as they care about their own revenue.
Daniel 385 Posts ISC Handler Mar 1st 2011
Mar 1st 2011 1 decade ago
I found the most common action for quarantine was "Restore".
No, I don't want you to delete that false positive. No, I don't want you to delete that high risk false positive. No, I don't want you to delete my entire mail folder because one of my emails contains a virus I'm promptly going to delete because I wasn't expecting a .exe from anybody. I finally got sick of ridiculous false positives and bad performance and purged it. I wasn't ever getting viruses anyway.
Anonymous
Mar 1st 2011 1 decade ago
In case of McAfee, this might help someone:
.bup files can be extracted using "7z" and then XOR the files (Details, File_0 etc.) with 0x6a/106
Alex 13 Posts
Mar 1st 2011 1 decade ago
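The recipe in the comment above, written out as a script (an added example, not code from the diary or from McAfee): it assumes the streams have already been pulled out of the .bup container with 7z into a folder, that every byte of those streams is XOR-encoded with the single key 0x6A, and that Details is an INI-style text stream; the sample data at the bottom is constructed.

```python
"""Decode streams extracted from a McAfee .bup quarantine file.

Added example, not the diary's or McAfee's code. Assumes 7z has already
extracted the streams (Details, File_0, ...) into a folder and that each
stream is XOR-encoded with the single byte 0x6A, as the comment describes.
"""
import configparser
import hashlib
import sys
from pathlib import Path

BUP_XOR_KEY = 0x6A  # 106 decimal, per the comment above


def bup_decode(data: bytes) -> bytes:
    """XOR every byte with the fixed key; the transform is its own inverse."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def parse_details(decoded: bytes) -> dict:
    """Parse the INI-style Details stream into {section: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(decoded.decode("utf-8", errors="replace"))
    return {s: dict(parser[s]) for s in parser.sections()}


def recover_sample(file_stream: bytes) -> tuple[bytes, str]:
    """Return the original file bytes and their SHA-256 for sharing."""
    original = bup_decode(file_stream)
    return original, hashlib.sha256(original).hexdigest()


def decode_extracted_dir(folder: Path) -> dict:
    """Decode every stream 7z extracted into `folder`, kept in memory."""
    details = parse_details(bup_decode((folder / "Details").read_bytes()))
    samples = {}
    for path in sorted(folder.glob("File_*")):
        data, digest = recover_sample(path.read_bytes())
        samples[path.name] = {"sha256": digest, "size": len(data)}
    return {"details": details, "samples": samples}


# Constructed sample streams, pre-encoded the way they would sit in a .bup.
SAMPLE_DETAILS = bup_decode(b"[Details]\nOriginalName=C:\\Temp\\dropper.exe\n"
                            b"DetectionName=Constructed.Test\n")
SAMPLE_FILE_0 = bup_decode(b"MZ constructed placeholder bytes, not malware")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(decode_extracted_dir(Path(sys.argv[1])))
    else:
        print(parse_details(bup_decode(SAMPLE_DETAILS)))
        print(recover_sample(SAMPLE_FILE_0)[1])
```

Run it with the folder 7z produced as the only argument; the hashes in the result are what you would share with other vendors before deciding whether to pass on the decoded bytes themselves.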
One of my pain points with the Symantec Endpoint Management console is how few options it gives for this very thing. I really wish there was a way to send all risks to a central quarantine. Even the ones that were "cleaned" or deleted.
The entire setup seems to be designed around the assumption that the admin has no interest in knowing what went on with an infection as long as it was "cleaned." Given that SEP tends to detect only part of the problem, that's an unfortunate way to operate.
Alex 15 Posts
Mar 1st 2011 1 decade ago
So many useful utilities have been flagged as Hacker Tools, I can no longer scan my flash drive (and what happened to the Read Only locks on flash drives, they've all gone away.)
Anonymous
Mar 1st 2011 1 decade ago
I actually don't have a huge problem with flagging Hacker Tools. I keep mine in a special folder, and I appreciate knowing if someone with no business having them on our network decides to install one.
Anonymous
Mar 1st 2011 1 decade ago
I serve as a content advisor to this working group. The XML schema the group created for sharing malware samples is valuable and can be found at http://grouper.ieee.org/groups/malware/malwg/Schema1.1/
The group is now exploring how AV companies can more efficiently share samples. These are all positive steps forward. I'd like to see even broader, more open sharing of samples (and also of malware URLs and other relevant data), but it's a tough sell to profit-minded companies.
Anonymous
Mar 1st 2011 1 decade ago
I actually enjoy the personalized emails back from Sophos when you submit samples. Unlike another major AV provider (whose name starts with an M and ends in "soft") -- I can scan a piece of code with ForeFront until I'm blue in the face, and a half dozen other things detect it as bad, but when I send it to them for analysis, in all four times I've done this, their response is always: "if you were to scan it with ForeFront... with definition versions... umpty dump... it would detect it as..."
Whatever. I guess the versions I'm using and updating every day are different from their versions.
Anonymous
Mar 1st 2011 1 decade ago
I'd be ecstatic if they could use similar names.
Dean 135 Posts
Mar 1st 2011 1 decade ago
I couldn't agree more with this post. I think this should apply to anyone in the community. Services that take samples are notorious for not releasing any data they collect.
I have been working on solving part of this problem by creating a way to share malicious PDF documents. The tool is still in testing and I haven't released the major components, but if interested you can see it here: https://github.com/9b/malpdfobj The goal is to get a malicious PDF into a JSON format that can be sent around through web services and shared. Feel free to email me for more information.
Dean 1 Posts
Mar 1st 2011 1 decade ago
9bplus, interesting tool!! Do you already have an open central database where all these results in JSON format can be uploaded and then queried by anybody?? I will be happy to provide such a database in order to provide intel about malicious PDF files to the community.
MGuirao 13 Posts
Mar 1st 2011 1 decade ago
With the amount and frequency of new malware, I don't believe that signature-based "detection rate" is really as big a differentiator as it used to be. Sharing malware samples and intelligence helps everyone, not just the AV companies... in my opinion if they want to stand out among other vendors, they should focus on the management and HIPS features of their products.
Shawn 29 Posts
Mar 1st 2011 1 decade ago
The same goes for MSSPs. They have the information to contact providers to shut down botnet controllers, downloaders, and share information to detect new exploits... But then if their customers never got popped, that would be bad for business... So they stay quiet and in-house.
Shawn 6 Posts
Mar 2nd 2011 1 decade ago