Author Topic: Why would a legitimate file be detected as trying to avoid Malware Analysis?

ReeceN
During a system scan via 'Unknown File Hunter' a few files were submitted for analysis.

I noticed that the main detection in these files was for 'Malware Analysis System Evasion'.

Link to Valkyrie Report: https://valkyrie.comodo.com/kill/chain/28667d3cd6998c07571cad33ba1dbade6f6ff9a6/summary

So this got me thinking, what characteristics might a legitimate file display in order for it to be detected as trying to avoid Malware Analysis?

Thanks!
« Last Edit: April 05, 2018, 11:34:30 AM by ReeceN »


ReeceN
Thank you qmarius for your reply.

That article is talking about what techniques malicious files would use to attempt to evade detection.

For example, the article talks about how malicious applications could attempt to detect known sandbox components; however, I do not see why a legitimate application would typically do this. Obviously you could argue, well, any legitimate application could do this, but looking at what is required to fall under this sort of category of detection, it would appear very, very unlikely that most would.

Therefore I was wondering what features an actual legitimate file could typically possess that would make it appear as if it were trying to evade detection.

Thanks.

qmarius
Not unusual at all. Perhaps it's unusual to check for virtualization, but it's not necessarily used by malware only. For example, such a vendor could provide an unsigned patch which performs those checks. Some app might as well ask for captcha verification or ask you stuff via dialog boxes. Too many examples. Code can be used by both trustworthy and untrustworthy apps. These are just indicators; it doesn't necessarily mean it's malicious or not. It's something to watch out for, as it affects automated analysis.
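As an added illustration of the point above (example code, not from this thread, Comodo, or Valkyrie's actual rules), here is a small triage script that tags extracted strings with analysis-evasion indicator families and treats a hit as a reason for review rather than a malware verdict. The indicator list and the sample strings are constructed for the example.

```python
import re

# Constructed indicator families (an assumption for this example, not a
# vendor ruleset): patterns commonly associated with analysis-evasion logic.
INDICATORS = {
    "virtualization_check": [r"vmware", r"vbox", r"virtualbox", r"qemu", r"hyper-v"],
    "debugger_check": [r"isdebuggerpresent", r"checkremotedebuggerpresent"],
    "user_interaction": [r"captcha", r"messagebox", r"click ok to continue"],
    "timing_delay": [r"\bsleep\b", r"gettickcount"],
}


def classify_strings(strings):
    """Map each indicator family to the strings that triggered it."""
    hits = {}
    for s in strings:
        low = s.lower()
        for family, patterns in INDICATORS.items():
            if any(re.search(p, low) for p in patterns):
                hits.setdefault(family, set()).add(s)
    return {family: sorted(v) for family, v in hits.items()}


def triage(strings, signed=False, known_vendor=False):
    """Return (verdict, hits). Indicators alone never yield 'malicious':
    the same checks appear in legitimate patches, installers and DRM, so
    the output is a review priority, not a classification."""
    hits = classify_strings(strings)
    if not hits:
        return "no_evasion_indicators", hits
    # Provenance context lowers urgency but does not clear the file,
    # because a signed unknown file still defeated automated analysis.
    if signed and known_vendor:
        return "review_low_priority", hits
    return "review_manual", hits


# Constructed sample: strings as might be pulled from an unsigned vendor patch.
SAMPLE_STRINGS = [
    "This patch cannot run inside VMware or VirtualBox",
    "IsDebuggerPresent",
    "Please complete the CAPTCHA to continue",
    "kernel32.dll",
]

if __name__ == "__main__":
    verdict, hits = triage(SAMPLE_STRINGS)
    print(verdict, hits)
```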
