AV software and "sharing samples"
A good part of the fight against malware relies on "the good guys" sharing samples and intel. For some reason though, many anti-virus (AV) companies seem to make it exceedingly hard to "extract" usable samples from their tools and quarantines. They insist on a quarantine in proprietary format, and more often than not, the only option given in the GUI is "Send to Vendor" or "Delete".
Send to vendor? Well duh, how about sending to _more than one_ vendor? How about letting me extract the sample in an industry standard format, so that I can share it with the other AV vendors whose products I'm using to protect my corporation or university?
Exasperated by a recent run-in with the quarantine mechanism of a particularly stubborn yellow product, I googled some, and found out that there's actually an IEEE Working Group looking into standardizing an open Malware Exchange format. Good news. Though even better news would be if the format chosen were simply an existing forensic file format, maybe with added encoding or encryption to turn the sample inert.
But, no matter which format gets selected eventually, I sure hope that (a) this happens soon and (b) the AV vendors actually adopt the idea and make extracting and sharing samples and intel easier than they do today. Because most of their products today ... to me look a whole lot like the vendors don't care [beep] about their clients' security and efficient malware defense. Not anywhere near as much as they care about their own revenue.
Comments
No, I don't want you to delete that false positive.
No, I don't want you to delete that high risk false positive.
No, I don't want you to delete my entire mail folder because one of my emails contains a virus I'm promptly going to delete because I wasn't expecting a .exe from anybody.
I finally got sick of ridiculous false positives and bad performance and purged it. I wasn't ever getting viruses anyway.
Joshua
Mar 1st 2011
1 decade ago
bup files can be extracted using "7z" and then xor the files (Details, File_0 etc.) with 0x6a/106
smettler
Mar 1st 2011
1 decade ago
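The decoding step smettler describes above, worked through as an added example that is not part of the original diary or its comments: it assumes the 7z CLI is on PATH for real files, takes the member names (Details, File_0) from the comment, and treats the decoded Details member as INI-style text (an assumption); the constructed members let it run without a quarantine file.

```python
import configparser
import hashlib
import subprocess
from pathlib import Path

BUP_XOR_KEY = 0x6A  # 106 decimal: the single-byte key named in the comment above


def decode_bup_member(data: bytes) -> bytes:
    """Undo the single-byte XOR on one unpacked member (Details, File_0, ...). XOR is symmetric."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def parse_details(details_text: str) -> dict:
    """Parse a decoded Details member; assumed here to be INI-style text (assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(details_text)
    return {section: dict(cp[section]) for section in cp.sections()}


def decode_members(members: dict) -> tuple:
    """Decode a {member name: raw bytes} map as 7z leaves it on disk.
    Returns (parsed Details, {name: decoded bytes}, {name: sha256 hex}) so a
    sample can be referenced by hash when sharing it with other vendors."""
    details = parse_details(decode_bup_member(members["Details"]).decode("latin-1"))
    files = {n: decode_bup_member(d) for n, d in members.items() if n.startswith("File_")}
    hashes = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return details, files, hashes


def extract_bup(bup_path: Path, out_dir: Path) -> tuple:
    """Unpack a real .bup with the 7z CLI, then decode every member.
    Decoded samples are written with a .decoded suffix, never under their original name."""
    subprocess.run(["7z", "x", "-y", f"-o{out_dir}", str(bup_path)],
                   check=True, stdout=subprocess.DEVNULL)
    raw = {p.name: p.read_bytes() for p in out_dir.iterdir() if p.is_file()}
    details, files, hashes = decode_members(raw)
    for name, body in files.items():
        (out_dir / f"{name}.decoded").write_bytes(body)
    return details, files, hashes


# Constructed stand-in for what "7z x" would leave behind (not a real quarantine file).
# The Details layout below is an assumption, not copied from any vendor documentation.
CONSTRUCTED_DETAILS = (
    "[Details]\nDetectionName=Constructed-Test-Detection\n"
    "[File_0]\nOriginalName=C:\\Temp\\sample.exe\n"
)
CONSTRUCTED_MEMBERS = {
    "Details": decode_bup_member(CONSTRUCTED_DETAILS.encode("latin-1")),
    "File_0": decode_bup_member(b"MZ constructed placeholder body, not a real sample"),
}
```

Run `decode_members(CONSTRUCTED_MEMBERS)` to see the round trip; `extract_bup` does the same against a real .bup once 7z has unpacked it.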
The entire setup seems to be designed around the assumption that the admin has no interest in knowing what went on with an infection as long as it was "cleaned." Given that SEP tends to detect only part of the problem, that's an unfortunate way to operate.
sb
Mar 1st 2011
1 decade ago
MSB
Mar 1st 2011
1 decade ago
sb
Mar 1st 2011
1 decade ago
The group is now exploring how AV companies can more efficiently share samples.
These are all positive steps forward. I'd like to see even broader, more open sharing of samples (and also of malware URLs and other relevant data), but it's a tough sell to profit-minded companies.
Maxim Weinstein
Mar 1st 2011
1 decade ago
Whatever. I guess the versions I'm using and updating every day are different from their versions.
M
Mar 1st 2011
1 decade ago
dsh
Mar 1st 2011
1 decade ago
I have been working on solving part of this problem by creating a way to share malicious PDF documents. The tool is still in testing and I haven't released the major components, but if interested you can see it here:
https://github.com/9b/malpdfobj
The goal is to get a malicious PDF in a json format that can be sent around through web services and shared. Feel free to email me for more information.
9bplus
Mar 1st 2011
1 decade ago
M Guirao
Mar 1st 2011
1 decade ago