Wildfire questions


L0 Member

Ran a very quick and dirty test with Wildfire using a few malicious files I could find online. 2 out of 8 of these were judged "benign" by Wildfire (the 2 that were missed were very similar, so 1 out of 7 may be more accurate). Anyway, I know that nothing like this is going to be perfect, so I'm not complaining about the false negatives.

Questions:

1) Is it useful to feed false negatives back to you? If you want the samples, what is the best way to share them?

2) Are executables signed by a trusted CA completely whitelisted, or is that just one element used to score the file?

3) Any plans to include analysis of other file types such as jar or pdf?

Thanks in advance!
Michael


L6 Presenter

1) I guess that PA already stores a copy of the files being identified as malware (to share with partners etc.), but it would be interesting to know if the same goes for files identified as "benign" (or are all unique files stored in a ring buffer over at Amazon, so the oldest gets deleted first if the storage runs out of space?).

2) That's what the SE told me; however, I think this is somewhat flawed. Just look at Stuxnet, which used a true Realtek cert to sign itself (in order to avoid detection by Microsoft components).

3) Been told that more file types will be added in future. One problem is the permutation of OS versions and application versions. I don't know how many Adobe Acrobat Reader versions there are out there - more than 100? And with 10 or so OS versions (various service packs etc.), the same file must be opened or executed 1,000 times or more.

Regarding the benign vs. malware verdict, I had a discussion with my support about this about a year ago.

The answer from the support ended up with:

"

Regarding WildFire "false negatives", it's important to keep in mind that WildFire verdicts are based on behavioral analysis, and it is intended to help alert you of unknown malware that didn't have AV coverage.

Sometimes, malware will run but not do anything overtly malicious upon initial execution. And oftentimes, samples will be detected by other AV vendors in VirusTotal because they fall into a "potentially unwanted program" category, where they are not necessarily overtly harmful by themselves, but at the same time they may have piggybacked adware, or they might fall into several categories of hacker tools, network tools, remote access tools, etc.

In the case of the file below, for example, the sample only performed generic behaviors during our analysis like spawning processes and modifying certain registry keys. This alone is generally not enough to flag a file as malicious.

It is important to note that even though WildFire may not categorize every malware as malicious, this doesn't mean we won't create a signature for it. The file is still analyzed to see if our partners in the AV community have decided it is actually malicious based on other analysis, honeypots, etc. If the file is deemed to be malicious through these other channels, it still typically ends up in our AV database.

"
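To make the two points in this reply concrete (a valid code signature as one scoring input rather than a whitelist, and generic sandbox behaviour such as process spawning and registry writes not being enough on its own for a malicious verdict), here is an added toy verdict engine. It is example code written for this thread, not WildFire's logic or any Palo Alto Networks code; the behaviour names, weights, threshold, signer thumbprints and sandbox reports are all constructed for illustration.

```python
"""
Toy sandbox verdict scorer (added example, not WildFire's real engine).

Illustrates two ideas from the thread:
  * a valid code signature adjusts the score; it never whitelists a file,
    and a signature from a known-abused certificate counts *against* it
    (the Stuxnet/Realtek case);
  * generic behaviours (spawn a process, touch the registry) score low,
    so a sample that only does those stays "benign".
All names, weights and reports below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical per-behaviour weights. Generic activity is cheap;
# persistence, injection and beaconing are what push a sample over the line.
BEHAVIOR_WEIGHTS = {
    "spawn_process": 1,
    "modify_registry": 1,
    "write_run_key": 4,           # persistence via a Run key
    "inject_remote_thread": 6,    # code injection into another process
    "network_beacon": 4,          # periodic outbound connection
    "disable_security_tool": 6,
}

MALICIOUS_THRESHOLD = 8

# Illustrative thumbprints of signing certificates known to have been abused
# (constructed values, not real certificate hashes).
KNOWN_ABUSED_SIGNERS = {"deadbeef00000000000000000000000000000cafe"}

SIGNATURE_BONUS = -2        # valid signature from an untracked signer
ABUSED_SIGNER_PENALTY = 5   # valid signature from a known-abused certificate


@dataclass
class SandboxReport:
    """Constructed stand-in for what a sandbox run would report."""
    sha256: str
    behaviors: List[str] = field(default_factory=list)
    signature_valid: bool = False
    signer_thumbprint: Optional[str] = None


def score(report: SandboxReport) -> Tuple[int, List[str]]:
    """Return (score, reasons). Score never drops below zero."""
    reasons = []
    total = 0
    for b in report.behaviors:
        w = BEHAVIOR_WEIGHTS.get(b, 0)
        total += w
        reasons.append(f"{b} (+{w})")
    if report.signature_valid:
        if report.signer_thumbprint in KNOWN_ABUSED_SIGNERS:
            total += ABUSED_SIGNER_PENALTY
            reasons.append(f"signed with known-abused cert (+{ABUSED_SIGNER_PENALTY})")
        else:
            total += SIGNATURE_BONUS
            reasons.append(f"valid signature from untracked signer ({SIGNATURE_BONUS})")
    return max(total, 0), reasons


def verdict(report: SandboxReport) -> str:
    """'malicious' if the score reaches the threshold, otherwise 'benign'."""
    total, _ = score(report)
    return "malicious" if total >= MALICIOUS_THRESHOLD else "benign"


# Constructed sample reports.
GENERIC_ONLY = SandboxReport("a" * 64, ["spawn_process", "modify_registry"])
SIGNED_GENERIC = SandboxReport("b" * 64, ["spawn_process", "modify_registry"],
                               signature_valid=True, signer_thumbprint="11" * 20)
SIGNED_INJECTOR = SandboxReport("c" * 64,
                                ["spawn_process", "inject_remote_thread",
                                 "write_run_key", "network_beacon"],
                                signature_valid=True, signer_thumbprint="11" * 20)
ABUSED_CERT = SandboxReport("d" * 64,
                            ["spawn_process", "modify_registry",
                             "inject_remote_thread", "network_beacon"],
                            signature_valid=True,
                            signer_thumbprint="deadbeef00000000000000000000000000000cafe")


if __name__ == "__main__":
    for r in (GENERIC_ONLY, SIGNED_GENERIC, SIGNED_INJECTOR, ABUSED_CERT):
        total, reasons = score(r)
        print(f"{r.sha256[:8]}  {verdict(r):9}  score={total:2}  {'; '.join(reasons)}")
```

Running it shows the generic-only and signed-generic samples staying "benign" (scores 2 and 0), while the signed injector (13) and the sample signed with the abused certificate (17) are "malicious". The signature bonus is deliberately small relative to the behaviour weights, so a valid signature can nudge a borderline sample but cannot rescue one that injects code and beacons.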
