A way of testing viruscope recognition and reversal

CONTEXT
Current viruscope recognisers are:

  • Move (not copy) self to autorun path
  • Move (not copy) self to other folder and copy link (shortcut) to self to autorun path
  • Move (not copy) self to other folder and set registry value in autorun key to self

Recognition operates only if the file first executed is an unknown .exe file, not a trusted or a batch file. However the action of any file, whether .exe or batch run by that initial file (and so on recursively) can form part of a detection set for that initial file and can be reversed.

Most people don’t want to run malware to test VC.


SOLUTION 1

So you can get a Viruscope alert, and thus test recognition and reversal by finding a program in which you can manually or programmatically carry out file moves, and arranging for it to be rated as unknown. If it is also capable of editing a registry, or running a program that can like regedit.exe, that’s ideal!

One example might be a Windows explorer file manager substitute, though I would not recommend you use a full replacement Windows shell. But how do you arrange for it to be unknown? You could:

  1. find a relatively obscure one that happens to be unknown - we use explorer++ in the example below
  2. find a beta version of a better known one which is unknown
  3. remove the program's vendor and/or trusted file entry from CIS and disable all cloud interactions or disconnect your network connection
  4. if the file's license agreement allows this, over-write some irrelevant bytes in its executable file with a random string of equal length

Implementing Solution 1 - Steps to get VC alert (recognition with option for reversal) using Explorer++
Explorer++ is an unknown explorer substitute found by Sanya.

Installation

  1. Please turn Cloud Lookups off in Advanced settings ~ file rating to prevent explorer++ being whitelisted
  2. Install explorer++ from here http://explorerplusplus.com/download

To get alert - text

  1. Check you have HIPS off, BB disabled and “detect programs…” and “show privilege…” also disabled (I don’t think HIPS off is needed but let’s see!)
  2. Check you have Cloud Lookup off
  3. Run explorer++
  4. Run Killswitch and check explorer++ is running as unknown
  5. In explorer++ navigate to explorer++ directory and select explorer++.exe
  6. From menu choose Edit ~ MoveTo and in move directory selection dialog navigate to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  7. Press OK, you should get VC alert
  8. Choose ‘Ignore once’ if you want to repeat the experiment, and restart explorer++

To get alert - videos
Mine: here
Sanya’s: here

SOLUTION 2
Use Sanya’s test file, “Test Viruscope.exe” which has options
  1. Create custom file. This creates a test file with a name you select, which is a logged and reversible activity
  2. Create preset file. This creates a test file with a preset name, which is a logged and reversible activity
  3. Launch custom file. This will run any batch or .exe file you nominate with whatever name you choose. The batch file will normally contain commands to run other trusted or untrusted executables (eg regedit or explorer.exe) which you can then use to perform recognised activities or actions to be reversed.
  4. Launch preset file. This will run a batch file you create with the name TestViruscope.bat, if in the same directory. The batch file will normally contain commands to run other trusted or untrusted executables (eg regedit or explorer.exe) which you can then use to perform recognised activities and/or actions to be reversed.
  5. Launch Powershell_ISE
  6. Launch Powershell_ISE script
  7. Move self to autorun folder. This immediately generates a VC alert by moving itself to autorun folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. This is useful for testing that VC is working on your machine
  8. Move custom file to custom folder, please note you need to specify the destination filename too, not just the folder!
  9. Read a file to test access restrictions
  10. Run a custom command using cmd.exe

To select an option, type the number followed by .

You can combine these options in any process run session by pressing enter again after selecting an option - ie when the appropriate message is showing. The test file will then show the menu again. For example you can use this to first ‘create a preset file’, ‘Move self to autorun path’ causing a VC alert, and thus demonstrate a reversal by deletion of the document you created.

Two functionally identical files with different hash identity (SHA) are provided, ‘Test Viruscope’ and ‘Test Viruscope 2’. This is so you can make one trusted (via Trusted Files) while the other is untrusted, allowing mixed processing chains to be created.

You can run each test file from itself, if you wish, or either from each other. For example to create a long chain of processes with the same or different file ratings.

N.B. Using the option to ‘Move Self to Autorun Folder’ will leave the executable on an autorun path so it will execute when you reboot.
Test Viruscope.exe - SHA1 FEFDE831901A866C824C2E1E9E6D4C3485AB941D Virustotal
Test Viruscope 2.exe - SHA1 6ACC34ADCF090B16B9F655C6325F1158652805B3 Virustotal

CAUTION
Please be careful when carrying out these experiments as user files created by detected unknown programs, or the programs they run, may be automatically deleted by reversals. So for example, based on my analysis of how VS is currently working, if you use your explorer or shell substitute to start an office program, create some files you want to keep, forget and then trigger a detection and don’t respond to the alert, the files will be deleted by the reverser. This is a bigger potential issue with a full Windows shell replacement, which is why I do not recommend using a substitute windows shell for this type of testing. Taking a full data backup before triggering detections is a wise precaution.

There may of course be other ways. Please do report your experiences in testing using these techniques or any others you happen upon, below. Obviously please report bugs and wishes in the Beta bugs Board.

Best wishes

Mike
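An added model of the detection-set and reversal behaviour described in the post (not Comodo's code, and not Mike's or Sanya's test file): it applies the three recognisers to a constructed process-activity log, roots a chain only at an unknown .exe, and collects the reversal steps of every descendant, so it also shows why a document saved by a trusted child process ends up deleted by the reverser. The event format, field names and exact rule details are assumptions.

```python
# Added illustration, not Comodo's code, of the recognition/reversal logic the
# post describes: the event format, field names and rule details are assumptions.
from collections import defaultdict
STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
UNDO = {  # reversal step for each logged action type (model's own wording)
    "create": lambda e: "delete " + e["path"],
    "move": lambda e: "move %s back to %s" % (e["dst"], e["src"]),
    "link": lambda e: "delete " + e["dst"],
    "reg_set": lambda e: "delete value %s in %s" % (e["name"], e["key"]),
}

def recognised(ev, self_image):
    """The three recognisers from the post; self_image is where the acting
    process's own executable currently lives (tracked through moves)."""
    a = ev["action"]
    if a == "move":      # 1: move (not copy) self to the autorun folder
        return ev["src"] == self_image and ev["dst"].startswith(STARTUP)
    if a == "link":      # 2: shortcut to (moved) self in the autorun folder
        return ev["target"] == self_image and ev["dst"].startswith(STARTUP)
    if a == "reg_set":   # 3: autorun registry value pointing at (moved) self
        return ev["key"] == RUN_KEY and ev["data"] == self_image
    return False

def analyse(events):
    """Map root_pid -> reversal steps for each chain that fired a recogniser."""
    image, root_of, log, hits = {}, {}, defaultdict(list), set()
    for ev in events:
        pid = ev["pid"]
        if ev["action"] == "start":
            image[pid] = ev["image"]
            if ev.get("ppid") in root_of:       # child of a tracked chain, any rating/type
                root_of[pid] = root_of[ev["ppid"]]
            elif ev["rating"] == "unknown" and ev["image"].lower().endswith(".exe"):
                root_of[pid] = pid              # only an unknown .exe roots a chain
        elif pid in root_of:                    # untracked processes are ignored
            if recognised(ev, image[pid]):
                hits.add(root_of[pid])
            if ev["action"] == "move" and ev["src"] == image[pid]:
                image[pid] = ev["dst"]          # follow the executable after a self-move
            if ev["action"] in UNDO:            # reads etc. leave nothing to undo
                log[root_of[pid]].append(UNDO[ev["action"]](ev))
    return {r: log[r][::-1] for r in hits}      # undo in reverse order

SAMPLE = [  # constructed: unknown Explorer++ starts Word, Word saves a file, Explorer++ moves self to Startup
    {"action": "start", "pid": 1, "image": r"C:\Tools\Explorer++.exe", "rating": "unknown"},
    {"action": "start", "pid": 2, "ppid": 1, "image": r"C:\Office\WINWORD.EXE", "rating": "trusted"},
    {"action": "create", "pid": 2, "path": r"C:\Users\me\report.docx"},
    {"action": "move", "pid": 1, "src": r"C:\Tools\Explorer++.exe", "dst": STARTUP + r"\Explorer++.exe"},
]
```

Running `analyse(SAMPLE)` yields one detected chain rooted at Explorer++ whose reversal moves the executable back and deletes report.docx, the situation the caution above warns about.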

Do you want me to post an example of an unknown explorer substitute?

If you have one that would be great :slight_smile:

(Post link to download page, please, indicating build, not direct to download)

Mike

Apparently VirusCope will have many false positives

Alright, one I’ve found is Explorer++ which can be found here: http://explorerplusplus.com/download

Thanks Sanya that will be very helpful to people.

@ All please do not submit this file for whitelisting :slight_smile:

Have the VC recognizers been update since the CIS 7 BETA was released? Just curious. Thanks for the info about how to test VC. :slight_smile:

No - there’s new code maybe but it is disabled ATM

And glad you want to test. Sanya found a good explorer substitute - see above

Okay. Comodo is really making big innovations though. Can’t wait to test the final version of VC. :slight_smile:

If you are getting false positives please report these as bugs. This is very important risk-wise, as the reversal process may involve file deletions.

You Bouktbar viruscope but did not show any alert

Why?

Just to check. Does it move itself to an autorun path?

Interesting, do they do:

  • dynamic heuristics
  • process activity monitoring
  • therefore potential ability to reverse any process, even a zero day one with no sig on file

If so could you post links which confirm?

Best wishes

Mike

Please see this test on the viruscope [video ]

http://www.gulfup.com/?c3ELvz :cry:

Actually this one is not a bug, if I have understood.
a) it’s a batch file - this is not yet covered by VS
b) it does not move itself to the autorun path, it ‘re-moves’ another file’s entry

Hope that helps

Mike

How to test this?

I downloaded, extracted & executed Explorer++. Tested both stable & nightly builds but no VS alert.
CIS 7 default but autosandbox disabled

Well, reading the features I’m thinking to use this for real and not just for testing purposes…

I’ve deleted registry keys in the startup list but did not move viruscope

The test on Explorer++ but viruscope failed :frowning:

Please note anyone who runs this unknown process with cloud active.

Submits it, thereby it becomes known :slight_smile:

Dennis