A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #2063  by ssj100
 Thu Aug 19, 2010 4:56 am
CloneRanger wrote:@ ssj100
why did you disable your other security software?
If I hadn't, they wouldn't even have been able to run, due to either .EXE blocking and/or AV etc. detection. Not to eliminate third-party variations.

Sure, I ran them with SD enabled, but that wouldn't interfere with the POCs.

If every piece of malware had to ask people to do a fresh install first and/or run in a VM etc., where would that get them? I run tests in a realistic real-world environment. First with all my security in place to see if they block/interject etc., then one by one I disable them and see what happens, or not. The main purpose of most tests etc. I do is to see how my security shapes up, or not. If it does, great; if not, I improve it.
The problem with the line of argument you're using is this: how does one actually define a realistic real-world environment? If you think about it, scientifically, using a fresh install is the best method of testing whether something works. Then, if you confirm that it works, you could go on and test it with Shadow Defender installed. Then, if that still worked, you could go on and test it with services disabled etc. etc. Do you see the point I'm making? I'm essentially talking about the principle of a "fair test" methodology.

If EP_X0FF used Shadow Defender (as well as disabled services etc.) to test his POC, then sure, the principle of a "fair test" would require that we use Shadow Defender and disable services etc., at least when initially attempting to reproduce the POC.

You missed the point I was making about ProcessGuard: by disabling it, you have by definition eliminated one more aspect of third-party variation. The POC simply failed to run with ProcessGuard enabled, therefore you disabled it. But then the POC still fails for your setup, right? Therefore, you can now take further steps to reduce third-party variations in order to reproduce the POC. And as I said, the best way to reduce third-party variations is to implement testing fairly: a fresh install of Windows followed by a Prevx installation would be ideal. With VirtualBox (or any VM software), this is very easily achieved.

EDIT: by the way, latest POC (not released to public) still works and is not detected by Prevx. Shame.
 #2104  by CloneRanger
 Fri Aug 20, 2010 4:17 am
@ ssj100

I define a realistic real-world environment as one that is used day in, day out. Not one that consists of just a fresh OS install and no other software. I can't remotely consider the possibility that even one user in the whole wide world uses their computer with ONLY the OS installed. No apps, no internet etc. etc. It's just not realistic.

If POCs and malware are only tested with just the OS in its virgin state, then I'm not surprised if they don't always work as intended.

I don't know why tests with the Prevx POCs didn't work; that's why I kept asking people for "possible" reasons. Also, I thought people would be curious as to why they didn't work, and be keen to help me establish the facts.

If people don't want to find out why, that's fine with me; I just thought "some" might. It's not a big deal though, I just find it interesting, that's all.

Have a nice weekend, Everyone ;)
 #2105  by ssj100
 Fri Aug 20, 2010 5:38 am
CloneRanger wrote:@ ssj100

I define a realistic real-world environment as one that is used day in, day out. Not one that consists of just a fresh OS install and no other software. I can't remotely consider the possibility that even one user in the whole wide world uses their computer with ONLY the OS installed. No apps, no internet etc. etc. It's just not realistic.
Again, I do understand your argument, but you seem to have once more missed the point I'm making (just like when I tried to explain the LNK exploit issue to you, haha). The point is NOT about testing the OS in its "virgin state". The point is about testing the POC in an environment with as little third-party variation as possible, AND THEN ONLY testing it with more third-party variation. This is if you truly care about reproducing the POC.
CloneRanger wrote:If POCs and malware are only tested with just the OS in its virgin state, then I'm not surprised if they don't always work as intended.
Well, I'm sure genuine malware writers (especially those who are paid) will be much more thorough than EP_X0FF.
CloneRanger wrote:I don't know why tests with the Prevx POCs didn't work; that's why I kept asking people for "possible" reasons. Also, I thought people would be curious as to why they didn't work, and be keen to help me establish the facts.

If people don't want to find out why, that's fine with me; I just thought "some" might. It's not a big deal though, I just find it interesting, that's all.
That's fine. Perhaps I misunderstood your comments. I thought that either you wanted to see the POC in action (but couldn't), or you were claiming that the POC didn't generally work. Now I think I understand: you were just curious as to why the POC didn't work on your particular system and setup, under Shadow Defender, with disabled services etc. etc. You didn't care as much about actually trying to reproduce the POC and observing what it does when it is successful (otherwise you would have gone with my recommendation of using e.g. VirtualBox with a fresh Windows to do the testing).
 #2146  by CloneRanger
 Sat Aug 21, 2010 12:46 am
Sorry, I do not have the time or inclination to keep repeating over and over again.

HaHa HoHo HeHe, Santa Claus or something?
Last edited by a_d_13 on Sat Aug 21, 2010 12:56 am, edited 1 time in total. Reason: Translated post.
 #2147  by a_d_13
 Sat Aug 21, 2010 12:57 am
Hello,

As per board rule #5, I have translated your post into English with Google Translate. Some words in other languages are OK, but please keep all translation in English.

Thanks,
--AD
 #2150  by EP_X0FF
 Sat Aug 21, 2010 4:12 am
Actually, what you posted (the original ru version, probably from Google Translate) makes no sense at all and looks like garbage.
 #2159  by CloneRanger
 Sat Aug 21, 2010 12:42 pm
@ EP_X0FF

Yeah, that can happen with translators, lol.

a_d_13 was able to use Google to translate it though, and almost 100%.
 #2174  by ssj100
 Sun Aug 22, 2010 4:00 am
CloneRanger wrote:Sorry, I do not have the time or inclination to keep repeating over and over again.

HaHa HoHo HeHe, Santa Claus or something?
That's okay, I was getting sick of repeating things too, haha.
 #2332  by ssj100
 Thu Aug 26, 2010 9:13 am
By the way, the latest Prevx fails pretty badly here:
http://www.youtube.com/watch?v=zx7vlH1FJ2A

Just goes to show that it's "just another antivirus" (with an extremely clever marketing team).