How does scanning obfuscated files work?

NikK
NikK Posts: 903 Forum Champion

If parts of an executable file is obfuscated with techniques like code virtualization, can a file scan really check the entire file?

 

Will a real-time scan detect more than a file scan in this case, or is all hope in DeepGuard detecting any suspicious behavior of the obfuscated code while it's running?

Comments

  • NikK
    NikK Posts: 903 Forum Champion

    Any F-Secure experts reading this?

  • NikK
    NikK Posts: 903 Forum Champion

    I'm really curios to know how this works, and I've also heard that certain obfuscating techniques can cause an application to get caught in scanners. I'm thinking of buying an Obfuscator(and they are not cheap!) to use on my own applications, so I would like to know how much truth there is in this.

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

     

    I'm not a technic or developer, but time to time it was interesting for me too;

     

    What about obfuscated files, packers, cryptors, protectors and another ways, which created troubles for classical and traditional methods in anti-viruses:

     

     - DeepGuard - it's one of "layer", which added certainly because happened increasing that "ways"; More obfuscated files start be - need something new and powerful, than casual methods. Need pro-active in high-stage; DeepGuard - one of them.

    More good to say - DeepGuard already not just a simply layer. It's a great complex and include various technologies and variants of pro-active technologies (as NHIPS and another; include cloud, reputation and etc.);

     

     Probably - against obfuscated files (and same troubles as "packers") - just something like F-Secure DeepGuard can totally help and fight.

    Another  - it's all or "hard to user" (just because need specific knowledge or create work in machine with "a lot of" usability-break-moments); or simply can't to help;

     

     - Just because now virusmakers often can be "high-skilled" - DeepGuard can't protect in all situations, but probably in most part of them (which close to totally protect in ordinary meaning); DeepGuard - not just application control; It's more like header-part of all protect-methods-technologies; It's include correct work with Firewall-addons and another;

    It's mean - if we talk about DeepGuard - we talk about DeepGuard in all stages/layers and technologies in F-Secure (except traditional signature-based scanning; but it's work together with DeepGuard too);

    --------------------

     

    But, of course, except pro-active and "step before" for protect - F-Secure (like all another companies) have technologies for work against obfuscated/packed and another same kind of files; Most part of that - comes by operation system functionality; But anyway - unique technologies here need too.

     

    Unpacked-modules work probably like all another things - it's nothing to something new (but it's can to understand - just if you developer - or work with that; I'm not - because it - can't something to tell about it);

    For that using points like:

     - emulation for launch code (like and include virtual-methods); Just for understanding - "what currently part of code to do" here. Also "decompressors" and all etc. Which can be default "system" things.

     - analysis for that facts and results.

     - also include static and dynamic analysis.

     - all like always was with debuggers, disassemblers, dumpers and etc (just because - need not just one kind of analysis - but static and dynamic together like part of all multi-layer-based for protection);

     

    It's can be module with databases about behavior and technologies for analysis behaviors. It's mean, for example, in F-Secure - Gemini module help to DeepGuard and not just that.

     

    ----------

    If you just ask about how to do "obfuscated files" - probably I hard to say.

    Have a some variants, which all kind of different a little. And if it's known - F-Secure can to try protect against it and detect if it's malware by all things (and not just it) in top-area text;

    Probably F-Secure known about all common, simply, complex and another packers - and create "descriptions" for behavior in that situations for modules and technologies. Need to known algorithms, principes and etc.

    In common situation - can be situation like "if it's obfuscated - it's a suspicious".

     

    But... of course... with encrypted files - a trouble. If it's encrypted - it's hard to scan. But during "encrypted"-status it's close to "safe"; same as "archive" or another.

    If it's possible - can be detect during archive/encrypted too (but encrypted - it's encrypted); And also alert/detection during action. Action - it's already behavior, which F-Secure must to detect in all situations. If it's not detected - it's mean "a trouble" (which can be - just because -  you meet something new and high-skilled);

     

     

    Sorry if I answered not totally about your question. But maybe some part of my answer include information, which you asked. Also it's really will be good if someone from F-Secure answered here too. Just because - if about that theme talk specialist - it's more good, than my answer about that theme.

  • Hello NikK,

     

    As mentioned by Ukko, our multilayer protection should be able to block/remove malicious obfuscated files at different levels.

    Some will be detected via signature where others will be detected on heuristics level.

     

    You surely understand we cannot go here into too much details over the internal mechanics of our products.

This discussion has been closed.
Feedback on New Design