AV software and "sharing samples"

Published: 2011-03-01
Last Updated: 2011-03-01 01:01:05 UTC
by Daniel Wesemann (Version: 1)
12 comment(s)

A good part of the fight against malware relies on "the good guys" sharing samples and intel. For some reason though, many anti-virus (AV) companies seem to make it exceedingly hard to "extract" usable samples from their tools and quarantines. They insist on a quarantine in proprietary format, and more often than not, the only option given in the GUI is "Send to Vendor" or "Delete".

Send to vendor? Well duh, how about sending to _more than one_ vendor? How about letting me extract the sample in an industry-standard format, so that I can share it with the other AV vendors whose products I'm using to protect my corporation or university?

Exasperated by a recent run-in with the quarantine mechanism of a particularly stubborn yellow product, I googled some, and found out that there's actually an IEEE Working Group looking into standardizing an open Malware Exchange format. Good news. Though even better news would be if the format chosen were simply an existing forensic file format, maybe with added encoding or encryption to turn the sample inert.

But, no matter which format gets selected eventually, I sure hope that (a) this happens soon and (b) the AV vendors actually adopt the idea and make extracting and sharing samples and intel easier than they do today. Because most of their products today ... to me look a whole lot like the vendors don't care [beep] about their clients' security and efficient malware defense. Not nearly as much as they care about their own revenue.

Comments

I found the most common action for quarantine was "Restore".

No, I don't want you to delete that false positive.
No, I don't want you to delete that high risk false positive.
No, I don't want you to delete my entire mail folder because one of my emails contains a virus I'm promptly going to delete because I wasn't expecting a .exe from anybody.

I finally got sick of ridiculous false positives and bad performance and purged it. I wasn't ever getting viruses anyway.

In case of McAfee, this might help someone:

.bup files can be extracted using "7z"; then XOR the files (Details, File_0, etc.) with 0x6a/106.
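The recipe in the comment above, carried through in code. This is an added example written for this page, not code from the diary, the commenter, or McAfee. It takes the two streams that `7z x sample.bup` drops out of the OLE container (`Details` and `File_0`), undoes the single-byte XOR with 0x6a, and pulls out the fields a responder needs before sharing the sample with another vendor: original path, detection name, a hash, and the restored bytes. The sample streams are constructed for the example and the key names in them (`DetectionName`, `OriginalName`) are illustrative, not a specification of the real `Details` format. It also illustrates the diary's point about an "added encoding" that keeps a quarantined file inert at rest: a constant XOR is exactly that kind of encoding, and it is as easy to reverse as the line above shows.

```python
"""Decode a McAfee VirusScan quarantine (.bup) entry.

Added example, not from the diary or its comments. A .bup is an OLE
compound file; `7z x sample.bup` extracts its streams `Details` and
`File_0`, each XOR-encoded with the single byte 0x6a (per the comment
above). The sample streams and key names below are constructed for
illustration and are not a specification of the real format.
"""
from __future__ import annotations

import hashlib
from pathlib import Path

BUP_XOR_KEY = 0x6A  # 106 decimal, the value given in the comment above


def unbup(data: bytes) -> bytes:
    """XOR every byte with 0x6a. XOR with a constant is its own inverse,
    so this one function both encodes and decodes a stream."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def parse_details(text: str) -> dict[str, dict[str, str]]:
    """Parse an INI-style Details stream into {section: {key: value}}.

    Hand-rolled rather than configparser so key case is preserved."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def recover_sample(details_raw: bytes, file0_raw: bytes) -> dict:
    """Decode both streams and return what is needed to share the sample.

    The returned 'sample' is the live quarantined file: write it only
    inside an isolated analysis environment."""
    details = parse_details(unbup(details_raw).decode("latin-1"))
    sample = unbup(file0_raw)
    return {
        "original_name": details.get("File_0", {}).get("OriginalName"),
        "detection": details.get("Details", {}).get("DetectionName"),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "sample": sample,
    }


def recover_from_dir(extracted: Path) -> dict:
    """Run the recovery on a directory produced by `7z x sample.bup`."""
    return recover_sample(
        (extracted / "Details").read_bytes(),
        (extracted / "File_0").read_bytes(),
    )


# Constructed stand-ins for the two streams 7z would extract. They are
# produced by XOR-encoding plaintext with the same key, which is what
# the quarantine does; real entries carry more keys than shown here.
SAMPLE_DETAILS = unbup(
    b"[Details]\r\n"
    b"DetectionName=Generic.Example\r\n"
    b"[File_0]\r\n"
    b"OriginalName=C:\\USERS\\ALICE\\DOWNLOADS\\INVOICE.EXE\r\n"
)
SAMPLE_FILE_0 = unbup(b"MZ\x90\x00 not a real executable, constructed payload\n")


if __name__ == "__main__":
    result = recover_sample(SAMPLE_DETAILS, SAMPLE_FILE_0)
    print(result["detection"], result["original_name"], result["sha256"])
```

Usage on a real quarantine: `7z x sample.bup -o bup_out` and then `recover_from_dir(Path("bup_out"))`. Keep the decoded `File_0` off any machine running the same AV, and hash it before you do anything else, since the hash is what the other vendors' lookup services want first.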

One of my pain points with the Symantec Endpoint Management console is how few options it gives for this very thing. I really wish there was a way to send all risks to a central quarantine. Even the ones that were "cleaned" or deleted.

The entire setup seems to be designed around the assumption that the admin has no interest in knowing what went on with an infection as long as it was "cleaned." Given that SEP tends to detect only part of the problem, that's an unfortunate way to operate.

So many useful utilities have been flagged as Hacker Tools, I can no longer scan my flash drive (and what happened to the Read Only locks on flash drives? They've all gone away.)

I actually don't have a huge problem with flagging Hacker Tools. I keep mine in a special folder, and I appreciate knowing if someone with no business having them on our network decides to install one.

I serve as a content advisor to this working group. The XML schema the group created for sharing malware samples is valuable and can be found at http://grouper.ieee.org/groups/malware/malwg/Schema1.1/

The group is now exploring how AV companies can more efficiently share samples.

These are all positive steps forward. I'd like to see even broader, more open sharing of samples (and also of malware URLs and other relevant data), but it's a tough sell to profit-minded companies.

I actually enjoy the personalized emails back from Sophos when you submit samples. Unlike another major AV provider (whose name starts with an M and ends in "soft") -- I can scan a piece of code with ForeFront until I'm blue in the face, and a half dozen other things detect it as bad, but when I send it to them for analysis, in all four times I've done this, their response is always: "if you were to scan it with ForeFront... with definition versions... umpty dump... it would detect it as..."

Whatever. I guess the versions I'm using and updating every day are different from their versions.

I'd be ecstatic if they could use similar names.

I couldn't agree more with this post. I think this should apply to anyone in the community. Services that take samples are notorious for not releasing any data they collect.

I have been working on solving part of this problem by creating a way to share malicious PDF documents. The tool is still in testing and I haven't released the major components, but if interested you can see it here:

https://github.com/9b/malpdfobj

The goal is to get a malicious PDF in a JSON format that can be sent around through web services and shared. Feel free to email me for more information.

9bplus, interesting tool! Do you already have an open central database where all these results in JSON format can be uploaded and then queried by anybody? I will be happy to provide such a database in order to provide intel about malicious PDF files to the community.