VirusTotal online scanner adds behavior analysis

h-Online: The developers of the VirusTotal online virus scanner service are currently testing a new sandbox feature to provide users with more meaningful scan results. In a post on the company’s blog, software architect and developer Emiliano Martinez says that, for this purpose, samples uploaded to the service are executed in a controlled sandbox environment where their actions can be “recorded in order to give the analyst a high level overview of what the sample is doing”.

An analysis of the uploaded file’s behavior is then displayed in a new “Behavioral information” tab as part of the scan results. VirusTotal logs file and registry activities as well as new processes and code injections. The scanner also issues a notification when a file directly sends commands to certain device drivers.

With the free online service, users can submit URLs and files to be analyzed by various antivirus engines and scanners for malicious content such as viruses, worms and Trojans. However, it is often only the heuristics that flag up issues, which can be identified by result descriptions containing keywords such as “Heur”, “Suspicious” or “Generic”. Occasionally, this causes legitimate files to be regarded as suspected viruses without giving users a way to establish whether there is an actual threat.

Even a sandbox analysis carries a residual risk as some Trojans quietly check whether they are being executed in a virtual environment when they’re launching. If this is the case, they will act inconspicuously, only launching their malicious payload on a real Windows system.

The behavior analysis is currently carried out by the scan engines at a different time from the virus analysis. It only covers executable files that are smaller than 8 MB and were previously unknown to VirusTotal. It therefore makes sense to keep the results page open and reload it occasionally to check whether new data has been added.
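To illustrate the two triage steps described above (spotting heuristic-only verdicts by their “Heur”/“Suspicious”/“Generic” labels, and grouping recorded sandbox activity into the file, registry, process, injection and driver categories of the “Behavioral information” tab), here is an added example that is not VirusTotal’s or Cuckoo’s own code. The API-name-to-category table and the scan-result and call-log inputs are assumed and constructed for the demonstration.

```python
# Substrings the article names as markers of heuristic (non-signature) verdicts.
HEURISTIC_MARKERS = ("heur", "suspicious", "generic")

# Assumed mapping of monitored Windows API names to the activity categories
# shown in the behavioral tab. This is an illustrative table, not VirusTotal's.
API_CATEGORIES = {
    "NtCreateFile": "file", "NtWriteFile": "file", "DeleteFileW": "file",
    "RegCreateKeyExW": "registry", "RegSetValueExW": "registry",
    "CreateProcessW": "process",
    "WriteProcessMemory": "injection", "CreateRemoteThread": "injection",
    "DeviceIoControl": "driver",   # direct commands to a device driver
}

def classify_detections(results):
    """results: {engine_name: detection_label or None}.
    Returns (number_of_detections, all_detections_are_heuristic)."""
    labels = [label for label in results.values() if label]
    heuristic = [l for l in labels
                 if any(marker in l.lower() for marker in HEURISTIC_MARKERS)]
    return len(labels), bool(labels) and len(heuristic) == len(labels)

def summarize_behavior(calls):
    """calls: list of {"api": <name>, "args": {...}} records from a sandbox run.
    Groups the arguments of recognised calls by category; unknown APIs are
    ignored so the overview stays high level."""
    summary = {}
    for call in calls:
        category = API_CATEGORIES.get(call["api"])
        if category is not None:
            summary.setdefault(category, []).append(call["args"])
    return summary

# Constructed sample inputs (not real scan output).
SAMPLE_RESULTS = {"EngineA": "Heur.Trojan.Generic", "EngineB": "Suspicious.Packed",
                  "EngineC": None}
SAMPLE_CALLS = [
    {"api": "RegSetValueExW", "args": {"key": "HKCU\\...\\Run", "value": "upd"}},
    {"api": "WriteProcessMemory", "args": {"pid": 1234}},
    {"api": "CreateRemoteThread", "args": {"pid": 1234}},
    {"api": "DeviceIoControl", "args": {"device": "\\\\.\\PhysicalDrive0"}},
    {"api": "GetTickCount", "args": {}},
]

if __name__ == "__main__":
    print(classify_detections(SAMPLE_RESULTS))
    for category, entries in summarize_behavior(SAMPLE_CALLS).items():
        print(f"{category}: {len(entries)} event(s)")
```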

Martinez notes that the behavior analysis is still in its early days, and that there is no guarantee that uploaded files will undergo the added analysis. The company uses Claudio Guarnieri’s open source Cuckoo sandbox. Incidentally, VirusTotal is far from being the only online tool to use a sandbox: Anubis, MWAnalysis CWSandbox and ThreatExpert have offered similar services for quite some time.

http://h-online.com/-1651766
