Finjan Surfinguardpro

[Philip]

FromTheRafters was asking a question about emulation and I downloaded
Finjan's surfinguardpro to test a couple of ideas.

With Finjan's protection running I ran a harmless virus to see it in action.
Nothing. No warnings, and it didn't stop the virus. The exe files in the
directory were definitely modified. I've done this test a couple of times
now with the same result.

I thought SurfinGuardPro was meant to stop malicious code like viruses - Am
I getting something wrong here?

This raises another point. People sometimes ask for a real, but essentially
harmless virus, to test their AV protection (rather than the Eicar test) .
Perhaps they have a point if you are dealing with an AV protection not based
upon signature recognition.

 

[FromTheRafters]

FromTheRafters was asking a question about emulation and I downloaded
Finjan's surfinguardpro to test a couple of ideas.

With Finjan's protection running I ran a harmless virus to see it in action.
Nothing. No warnings, and it didn't stop the virus. The exe files in the
directory were definitely modified. I've done this test a couple of times
now with the same result.

I thought SurfinGuardPro was meant to stop malicious code like viruses - Am
I getting something wrong here?

From the way that the Finjan site belittles the use of signature
recognition scanning, I think that they may only sandbox for
the purpose of heuristic scanning. My question was more
directed toward the execution, during platform emulation, of
metamorphic viruses in order to allow the mutation engine to
execute long enough to reveal the decryptor or the virus body,
and then make use of signature based scanning on the revealed
code.

This raises another point. People sometimes ask for a real, but essentially
harmless virus, to test their AV protection (rather than the Eicar test) .
Perhaps they have a point if you are dealing with an AV protection not based
upon signature recognition.

Maybe someone should write some harmless viruses with each
heuristic method the scanners are looking for being represented,
*and* a built in EOL thrown in for good measure? <g>

Doesn't the EICAR test string also have a behavior that
could be detected by these non-sig based AV scanners?

 

[Philip]

-From the way that the Finjan site belittles the use of signature
-recognition scanning, I think that they may only sandbox for
-the purpose of heuristic scanning. My question was more
-directed toward the execution, during platform emulation, of
-metamorphic viruses in order to allow the mutation engine to
-execute long enough to reveal the decryptor or the virus body,
-and then make use of signature based scanning on the revealed
-code.

AV software will only emulate for a short while. In this case you don't
really need for your code to be 'self-aware' you are being emulated. Whilst
AV software will detect simple loops as time wasting, and presumably ignore
them, it's easy to come up with much more complex 'loops' that AVs will not
emulate past. On top of this it is possible to randomly and polymorphically
generate such complex loops. And if that wasn't enough also have a value
generated from the loops which would be later used to decrypt the main
encrypted virus. (Thus forcing the need to emulate these loops)

In fact why viruses ITW don't all use these techniques I don't know.

Maybe someone should write some harmless viruses with each
heuristic method the scanners are looking for being represented,
*and* a built in EOL thrown in for good measure? <g>

Doesn't the EICAR test string also have a behavior that
could be detected by these non-sig based AV scanners?

EICAR is simply a string, so has no behaviour to test.

Back to Finjan's sandboxing. Looking at Finjan's website a normal person
would expect their software to protect against exe infectors. They don't
actually claim this but they talk about protecting from 'viruses and worms'.
This implies to me exe infectors, and not just email worms.

 

[JW]

I thought SurfinGuardPro was meant to stop malicious code like viruses - Am
I getting something wrong here?

You're misunderstanding the role of SurfinGuard. Its role is to
monitor web traffic, and stop nasty code from executing.

It is designed to stop malicious ActiveX, Java, VBscript traffic from
running on the local machine. It monitors what the code is
attempting, and blocks if nexessary.

It does not protect from traditional viruses, it only looks at what a
web page and associated script is doing.

 

[FromTheRafters]

-From the way that the Finjan site belittles the use of signature
-recognition scanning, I think that they may only sandbox for
-the purpose of heuristic scanning. My question was more
-directed toward the execution, during platform emulation, of
-metamorphic viruses in order to allow the mutation engine to
-execute long enough to reveal the decryptor or the virus body,
-and then make use of signature based scanning on the revealed
-code.

AV software will only emulate for a short while. In this case you don't
really need for your code to be 'self-aware' you are being emulated. Whilst
AV software will detect simple loops as time wasting, and presumably ignore
them, it's easy to come up with much more complex 'loops' that AVs will not
emulate past. On top of this it is possible to randomly and polymorphically
generate such complex loops. And if that wasn't enough also have a value
generated from the loops which would be later used to decrypt the main
encrypted virus. (Thus forcing the need to emulate these loops)

Okay, but if a rather simple test of the environment could
betray the fact that emulation is being used, the mutation
engine could see to it that nothing is revealed in emulation.
From my reading, it seems that MetaPHOR does indeed
accomplish this feat by using the unsupported opcode
method. If this forces an engine rebuild (emulator) to make
the virus marginally more detectable (by adding support
for this opcode), then there should be another similar way
with another opcode or another method.

In fact why viruses ITW don't all use these techniques I don't know.

Most are now only concerned with day zero spreading rates.
(mostly talking about worms in this case though)

EICAR is simply a string, so has no behaviour to test.

EICAR is code (a comfile) and has some self modifying features
I believe. It is more that just a string.

Back to Finjan's sandboxing. Looking at Finjan's website a normal person
would expect their software to protect against exe infectors. They don't
actually claim this but they talk about protecting from 'viruses and worms'.
This implies to me exe infectors, and not just email worms.

It is far too strong a claim. Signature recognition AV should also
be incorporated and I think they do suggest that. Their program
is best used in addition to the use of other tools.

 

[Philip]

You're misunderstanding the role of SurfinGuard. Its role is to
monitor web traffic, and stop nasty code from executing.

It is designed to stop malicious ActiveX, Java, VBscript traffic from
running on the local machine. It monitors what the code is
attempting, and blocks if nexessary.

It does not protect from traditional viruses, it only looks at what a
web page and associated script is doing.

Thanks for the info. Does it make this clear in its advertising?

 

[Philip]

Okay, but if a rather simple test of the environment could
betray the fact that emulation is being used, the mutation
engine could see to it that nothing is revealed in emulation.
From my reading, it seems that MetaPHOR does indeed
accomplish this feat by using the unsupported opcode
method. If this forces an engine rebuild (emulator) to make
the virus marginally more detectable (by adding support
for this opcode), then there should be another similar way
with another opcode or another method.

I'm not familiar with Metaphor, but yes, the use of unsupported opcodes to
mess up emulation has certainly been done before.

You might find http://vx.netlux.org/lib/static/vdat/tudefeat.htm

of interest.

P.S. I looked for that article I mentioned but I'm afraid I couldn't find it

 

[FromTheRafters]

I'm not familiar with Metaphor, but yes, the use of unsupported opcodes to
mess up emulation has certainly been done before.

You might find http://vx.netlux.org/lib/static/vdat/tudefeat.htm

of interest.

P.S. I looked for that article I mentioned but I'm afraid I couldn't find it

That's okay, thanks for looking.
...and thanks for the link too.