Wednesday, October 4, 2017

A first "generic detection" test

So, anyway, this is interesting...
As I mentioned in an earlier blog post, I'm interested in finding out who can detect malware "generically", as opposed to signature detection.
To achieve this, I find a pretty new bit of malware, something with low scanner detection, and run it against an unprotected machine, to see what it does. I then run it, in turn, against each of my protected machines, and see who blocks it.
Currently, I have just six products installed, but they are major AV products. The malware sample is almost certainly a new variant of a trojan generally named Dimnie, but here's the interesting thing...
Only two of the six products detected it, and they detected it with a signature. They got the name wrong, but that's irrelevant. No one detected it "generically".
I'm not naming products (at this point), and I'm not knocking signature scanners. They are an absolutely vital layer of defense, and, with greater than a million new and unique samples every _day_, it is not possible for them to catch all samples every day. (Unless we use Dr Solly's Perfect.bat, of course, but that's a story for another day)
This simply proves how vital it is that we testers start looking at "generic" detections.
A White-lister would have stopped it, of course, but they have their own set of issues, especially in a corporate environment, or when confronted with macro or scripted malware.
Now I need more products installed, and more new samples.
Watch this space some more.
