How do malware detectors work?

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 16415
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

How do malware detectors work?

Post by ChrisGreaves »

I think that when I download a ZIP file to my Win10 laptop that malware detectors hunt for Bad Code.
Likewise, I think that when I download an APK file to my Android phone that malware detectors hunt for Bad Code.

But when I use my laptop to d/l an APK file, what can the Win10 malware detector know about an esoteric language that runs on the Android platform?
And likewise, when I use my phone to d/l a ZIP file, what can the Android malware detector know about an esoteric language that runs on the Win10 platform?

In these cross-platform d/l scenarios I later on use a USB cable to drag the file from one platform to another.
Perhaps a good malware detector does the check at that time? :scratch: If not, then I have been living dangerously!

Thanks
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses

User avatar
StuartR
Administrator
Posts: 12856
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: How do malware detectors work?

Post by StuartR »

Most malware detectors simply scan downloaded files for specific known malware patterns, they have no need to understand how the code might execute.

Some malware detectors detect unusual behaviour from running programs, and these will obviously only detect things running on the correct platform.

And finally you should only ever download Android apps from a well-known app store that does the malware scans for you. If you have enabled installation from .apk files that you download from other places then you are taking a huge risk.
StuartR


User avatar
BobH
UraniumLounger
Posts: 9628
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: How do malware detectors work?

Post by BobH »

Does zipping a file thwart - or at least confuse - malware sniffers? How about encryption?
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

User avatar
Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: How do malware detectors work?

Post by Argus »

Not really. ZIP files and similar should be no problem for AV. Can't find at the moment, but think I did a test with ZIP within ZIP etc.
As it is, in an archive, it's not a direct threat; when you try to interact with the archive the AV should react. If you try with a zipped eicar test file (a test dummy file), you will notice that real time scanning doesn't object during download or when opening file manager for the location. But as soon as you try to open the ZIP file the AV steps in. Encryption is a different matter, then it can't be detected since there are no patterns to recognise, as Stuart mentioned. But then it shouldn't be a threat.
Byelingual    When you speak two languages but start losing vocabulary in both of them.

User avatar
StuartR
Administrator
Posts: 12856
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: How do malware detectors work?

Post by StuartR »

Most antivirus products will scan inside ZIP files, and some will even scan inside doubly zipped files.
You can test how well your antivirus software does this by downloading the EICAR test file, zipping it, zipping it again, and then copying it to the computer you want to test. That download site even includes zipped and doubly zipped versions for you to try.

I just tried this and Windows Defender blocked access.
EICAR error 1.png
EICAR error 2.png
You do not have the required permissions to view the files attached to this post.
StuartR


User avatar
ChrisGreaves
PlutoniumLounger
Posts: 16415
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: How do malware detectors work?

Post by ChrisGreaves »

StuartR wrote:
09 Jul 2021, 21:44
Most malware detectors simply scan downloaded files for specific known malware patterns, ...
Thanks Stuart.
My understanding now is that, in essence, a malware detector is looking for signature bit-patterns, regardless of platform, from all sources, so that executables destined for any platform can be checked against a list of "all known malicious bit-patterns to date".

Further I now see that there are different events that could be monitored by malware detectors:-
(1) download from the internet
(2) local file creation (which would include file-copying across platforms, unpacking a packed (zip) file, and so on
(3) calls to load and execute a file on the host platform.
(4) transfer across a LAN/WAN/WiFi network

That is (in my example), four different "armed forces" ready to spring to defence.

Thanks
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 16415
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: How do malware detectors work?

Post by ChrisGreaves »

Argus wrote:
09 Jul 2021, 23:29
... Encryption is a different matter, then it can't be detected since there are no patterns to recognise, as Stuart mentioned. But then it shouldn't be a threat.
Thanks Argus.
Again, if I understand this, i could send you an encrypted EXE file which (having shuffled the bits) would slip by an examination of the file, but would be harmless until you decrypted the file (from a MyProgram.greaves to a MyProgram.exe), and then the armed force in charge of monitoring requests to load and execute a program would rise to deal with it.
Does that come close?

If so, that would explain why, years ago, a copy of my utility template UW.dot, caused terror on a McAfee-protected local computer. A VBE-created bit pattern must have been identical to a pattern on a McAfee list

Thanks
Chris
Most of my hair had already fallen out by the time I learned that mousse is spelled with two esses