Author Topic: Advanced machine learning technology not so advanced

Raistlin

  • Member
  • Posts: 259
Advanced machine learning technology not so advanced
« on: February 06, 2017, 07:36:14 PM »
Symantec - End-point protection (Enterprise)

My hardware enumerator is being quarantined for using system discovery APIs: action pending. <- WTF  :exclaim:

Further investigation reveals:
"Heur.AdvML.B is a heuristic detection designed to generically detect malicious files using advanced machine learning technology.
A file detected by this detection name is deemed by Symantec to pose a risk to users and is therefore blocked from accessing the computer. "

Anyone got an idea which APIs in my app are being targeted by such "advanced machine learning technology",
or is it just that assembly language in general will generate heuristic false positives in such AV detectors?

hutch--

  • Administrator
  • Member
  • Posts: 4934
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Advanced machine learning technology not so advanced
« Reply #1 on: February 06, 2017, 09:36:35 PM »
I don't know if this is the problem but make sure you have BOTH a manifest and version control block for your EXE. This at least gets you past the donkey level of AV scanners.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

HSE

  • Member
  • Posts: 553
  • <AMD>< 7-32>
Re: Advanced machine learning technology not so advanced
« Reply #2 on: February 06, 2017, 10:18:55 PM »
It's not assembly. Last week Avira insisted that Acrobat Reader, WinWord and Excel are "very dangerous" programs. I had to put them in the exception list or they didn't work!
Perhaps some update will say: "starting the machine is dangerous, disable AV if you still want to do that"

jj2007

  • Member
  • Posts: 7757
  • Assembler is fun ;-)
    • MasmBasic
Re: Advanced machine learning technology not so advanced
« Reply #3 on: February 06, 2017, 10:41:39 PM »
> Last week Avira insisted that Acrobat Reader, WinWord and Excel are "very dangerous" programs.

The first time I agree with Avira :greensml:

Raistlin

  • Member
  • Posts: 259
Re: Advanced machine learning technology not so advanced
« Reply #4 on: February 06, 2017, 10:52:26 PM »
Thanks hutch for the practical solution.
The other solutions = ultra ROTFLOL  ;)

caballero

  • Member
  • Posts: 784
    • Abre Ojos Ensamblador
Re: Advanced machine learning technology not so advanced
« Reply #5 on: February 07, 2017, 02:35:21 AM »
> "starting the machine is dangerous, disable AV if you still want to do that"

It already happened; google "avg false positive user32.dll" :bgrin:
In a village of La Mancha, the name of which I do not care to remember

hutch--

  • Administrator
  • Member
  • Posts: 4934
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Advanced machine learning technology not so advanced
« Reply #6 on: February 07, 2017, 03:42:03 AM »
The general drift is that the authors need to exercise some ordinary human intelligence in writing artificial intelligence, which is what the topic is about. It's never going to be an easy task due to the sheer complexity of producing enough analysis to catch the ever-evolving range of exploits being developed. The old-style binary viruses are a reasonably straightforward analysis as they try to branch in the MZ/PE headers, but later trojan and rootkit exploits are much harder to track as they tend to look like normal code.

I got caught with a nasty when I was setting up this Win 10 box and was saved by a toy I installed that prevents anything from writing to the registry startup code, but I still had to clean out over 1500 registry entries; that took about 5 goes with Malwarebytes, and this pile of crap was trying to disable it after each reboot. This is what makes heuristic scanning a difficult task, and the problem is that the crappy end of the AV market takes short cuts to try and get their score count up.

jj2007

  • Member
  • Posts: 7757
  • Assembler is fun ;-)
    • MasmBasic
Re: Advanced machine learning technology not so advanced
« Reply #7 on: February 07, 2017, 03:56:02 AM »
> It's never going to be an easy task due to the sheer complexity of producing enough analysis to catch the ever-evolving range of exploits being developed.

I thought it was sufficient to add manifest and VCB (as in your subclass64 tool here)?

> make sure you have BOTH a manifest and version control block

I'll soon offer online courses for virus writers: "How to add a manifest to your virus" (special offer: $999) and "Part II: How to add a version control block to your virus" (special offer: $499) 8)

hutch--

  • Administrator
  • Member
  • Posts: 4934
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Advanced machine learning technology not so advanced
« Reply #8 on: February 07, 2017, 12:10:02 PM »
I doubt you will make your first million from that venture; those skulking in the shadows don't like to pay for anything. Now of course, as their techniques develop with more sophisticated forms of ever-harder-to-find payloads, it may require some of these lazy bastards working for AV companies to actually get off their arse and start to do some decent analysis from the entry point onwards, without producing an ever-growing list of false positives.

Manifests and version control blocks are just a couple of gates placed there by the OS vendor, the version control block being a technique to look at what is embedded in the EXE without running it. When it's not there, a user may have reason to be suspicious about it. AV vendors pick this up and build it into their scanners.

Raistlin

  • Member
  • Posts: 259
Re: Advanced machine learning technology not so advanced
« Reply #9 on: February 07, 2017, 04:52:43 PM »
Well - I was annoyed enough to contact Symantec and uploaded the app into their file submission service.
Got an automated reply with a tracking number.... I'm not holding my breath, but will let you all know.
In the meantime, it's manifest modification for me; wonder if JJ is still open to distance learning courses  :icon_mrgreen:
[just kidding]

jj2007

  • Member
  • Posts: 7757
  • Assembler is fun ;-)
    • MasmBasic
Re: Advanced machine learning technology not so advanced
« Reply #10 on: February 07, 2017, 07:38:30 PM »
> wonder if JJ is still open to distance learning courses

No chance - I am flooded by requests from desperate coders whose viruses so far were always caught by Avira & Co :P

Prepare for new nasties that cannot be recognised by your AV because they have a manifest. Half of them are still caught because they lack a version control block, but in a month or so the second round of courses is done, and then you should either stop surfing the Internet, or start praying :greensml:

hutch--

  • Administrator
  • Member
  • Posts: 4934
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Advanced machine learning technology not so advanced
« Reply #11 on: February 07, 2017, 07:57:06 PM »
Well, there is a simple solution if you don't like adding a manifest and version control block: take a very deep breath, write a complaint directly to Microsoft and keep holding your breath until they answer you. For those who digested DEP many years ago, a manifest and version control block are no big deal to add, especially as they have been around since XP and they are so amazingly complex that even the donkey end of AV scanners can tell if they are missing and flag your application as "suspicious".  :P

jj2007

  • Member
  • Posts: 7757
  • Assembler is fun ;-)
    • MasmBasic
Re: Advanced machine learning technology not so advanced
« Reply #12 on: February 07, 2017, 11:05:29 PM »
I couldn't care less about manifests and VCBs; if I need one, I add one. But I find it hilarious to assume "no manifest = virus". Neither are the virus writers too dumb to add a manifest, nor are the AVs (written by teams of professional coders in big software companies) dumb enough to use that as a criterion. Twenty years ago they did, maybe.

hutch--

  • Administrator
  • Member
  • Posts: 4934
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Advanced machine learning technology not so advanced
« Reply #13 on: February 08, 2017, 02:36:20 AM »
Honestly, I don't know what you are worried about. Microsoft have been doing things for the last 25 years that have annoyed me, but if you want your software to run reliably on their OS versions, you suffer their changes. DEP broke some of my tools years ago with no explanation, and I had to track it down and fix a number of apps and tools; they introduced manifests and version control blocks, and over time the donkey end of AV scanners came to assume that if you don't have them there is something suspicious about the app.

You appear to be confused about the difference between virus authors and virus scanners, even though there are some ideas around that they are one and the same folks. Fail to observe DEP and your app will not run; fail to use a manifest and version control block and some donkey in an AV company will assume that the app is suspicious and flag it or delete it. It depends what you want: reliable software that does not get flagged (as often) by the trash, or to wave a red flag at a bull and have false positives against your application.

The old-style binary viruses are hard to get going these days because they must do something strange in the MZ/PE header that is easy enough to detect, but true trojans and rootkits are much harder to detect because there is no simple way to heuristically detect them. They tend to end up in a pattern list for an AV scanner, but this leaves the AV scanner vulnerable to new exploits.

Now I imagine that some of the dorks who write rubbish could write the OS specified things like manifests and version data but the mentality of hiding their intent usually over-rides trying to look conventional.

> Neither are the virus writers too dumb to add a manifest, nor are the AV's (written by teams of professional coders in big software companies) dumb enough to use that as a criterion. Twenty years ago they did, maybe.

You mustn't have seen the number of false positives that the donkey end of the AV market has produced over time. Yes, there are decent AV companies, but there is also enough crap around to be suspicious of AV scanners and take the normal precaution of not writing code that triggers false positives.
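The two checks this thread keeps returning to, written up as an added example (this is not code from the thread, the MASM32 SDK, or any AV vendor): hutch's advice in reply #1 to ship both a manifest and a version block, his point in replies #8 and #13 that the version block lets you see what is embedded in an EXE without running it, and his remark in replies #6 and #13 that old-style file infectors leave something odd in the MZ/PE header. The script below, standard-library Python only, parses a PE's section table and top-level resource directory, reports whether RT_VERSION (type 16) and RT_MANIFEST (type 24) are present, and reports where the entry point lands; an entry point outside an executable section, or in the last section, is the classic trace of an appended infector and is the kind of cheap header heuristic hutch describes. The sample PE it builds for offline use is constructed here and is not a real program; `analyze`, `build_sample_pe` and the other names are this example's own.

```python
"""Added example: stdlib-only PE checks for (1) presence of VERSIONINFO and
manifest resources and (2) an entry point that sits in an executable section.
Assumes a standard PE32/PE32+ section table; only the type-level resource
directory is read. build_sample_pe() emits a constructed, non-runnable PE."""
import struct
import sys

RT_VERSION = 16                    # VERSIONINFO resource type id
RT_MANIFEST = 24                   # application manifest resource type id
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_headers(data):
    """Return (entry_rva, resource_dir_rva, sections) where each section is
    (name, rva, size, raw_offset, characteristics)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dd = opt + (96 if magic == 0x10B else 112)       # data directory: PE32 / PE32+
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]   # entry 2 = resources
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, max(vsize, rawsize), rawptr, chars))
    return entry_rva, rsrc_rva, sections


def section_of(rva, sections):
    """The section whose virtual range contains rva, or None."""
    for sec in sections:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None


def resource_types(data, rsrc_rva, sections):
    """Type ids listed in the top-level resource directory."""
    sec = section_of(rsrc_rva, sections)
    if rsrc_rva == 0 or sec is None:
        return set()
    off = rsrc_rva - sec[1] + sec[3]                 # RVA -> file offset
    named, ids = struct.unpack_from("<HH", data, off + 12)
    types = set()
    for i in range(named + ids):
        name_or_id = struct.unpack_from("<I", data, off + 16 + 8 * i)[0]
        if not name_or_id & 0x80000000:              # high bit set = named entry
            types.add(name_or_id)
    return types


def analyze(data):
    entry_rva, rsrc_rva, sections = parse_headers(data)
    types = resource_types(data, rsrc_rva, sections)
    sec = section_of(entry_rva, sections)
    return {
        "has_version": RT_VERSION in types,
        "has_manifest": RT_MANIFEST in types,
        "entry_section": sec[0] if sec else None,
        "entry_executable": bool(sec and sec[4] & IMAGE_SCN_MEM_EXECUTE),
        "entry_in_last_section": bool(sec and sec is sections[-1]),
    }


def build_sample_pe(with_version=True, with_manifest=True, entry_rva=0x1000):
    """Constructed sample input (not a real program): minimal PE32 with .text
    at RVA 0x1000 and .rsrc at RVA 0x2000 holding a type-level directory."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<II", opt, 96 + 2 * 8, 0x2000, 0x200)  # resource dir RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def section(name, va, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, chars)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x60000020)    # code, exec, read
               + section(b".rsrc", 0x2000, 0x400, 0x40000040)    # data, read
               ).ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\0")                       # a lone ret
    types = [t for t, on in ((RT_VERSION, with_version), (RT_MANIFEST, with_manifest)) if on]
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(types))
    for i, t in enumerate(types):                            # subdir offsets, never walked here
        rsrc += struct.pack("<II", t, 0x80000000 | (16 + 8 * len(types) + 16 * i))
    return headers + text + rsrc.ljust(0x200, b"\0")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in analyze(data).items():
        print(f"{key}: {value}")
```

Run it as `python pecheck.py app.exe` against a real binary; with no argument it analyses the constructed sample. A missing RT_VERSION or RT_MANIFEST is fixed on the build side, not here: add a VERSIONINFO block and a manifest (resource type 24, id 1) to the .rc file and rebuild. Passing these checks only removes a cheap reason to look suspicious; it does not guarantee a clean verdict from a machine-learning classifier such as the Heur.AdvML.B detection quoted in the first post.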

anunitu

  • Member
  • Posts: 919
Re: Advanced machine learning technology not so advanced
« Reply #14 on: February 08, 2017, 05:01:20 AM »
> You appear to be confused about the difference between virus authors and virus scanners, even though there are some ideas around that they are one and the same folks. Fail to observe DEP and your app will not run; fail to use a manifest and version control block and some donkey in an AV company will assume that the app is suspicious and flag it or delete it. It depends what you want: reliable software that does not get flagged (as often) by the trash, or to wave a red flag at a bull and have false positives against your application.

I myself wonder, because a product will not sell if there is no virus to hunt. I have thought perhaps the anti-virus companies might be slipping "viruses" into the wild to generate business. This is/was the case with some fake anti-adware programs, where the hunter was dropping adware as it was supposed to be ridding your system of adware.