Micropoint Forum
 

 

Author: sidineyqiao (Moderator, registered 2007-12-24)
Subject: The scan of Micropoint, NO NO NO!

#1  The scan of Micropoint, NO NO NO!

[draft translation by sidineyqiao]

Foreword: while I was preparing 《Micropoint isn't the virus terminator》 and thinking about the scan engine, my conclusion was that I personally am not glad to see Micropoint's scan engine. I have sorted out my viewpoint to discuss it together with everyone; friends are welcome to give advice, so that we improve together.

1
There is no doubt that unpacking is important to anti-virus software. What actually is unpacking? There are two purposes for packing.
One is to compress the program's physical size, like the well-known UPX compression packer; the other is packing to protect the program, preventing its resources from being stolen by users or the program from being cracked. This kind of packer takes care to avoid being unpacked back to the original program as far as possible. Whatever the purpose, the result is that the packed program is different from what it was before packing.

Packing changes the program file. So applying a packer to a virus program can interfere with the judgment of a signature scan engine. Generally speaking, once the program is packed, the original program file has changed, so the original signature identification is invalid. Of course the engine can use signatures of the packer itself to detect and kill a known virus together with its packer,
but this can't solve the real problem. For a signature scan engine working on packers, the original sample can carry an unlimited number of packers. The number and kind of packers is theoretically infinite; writing a very good packer is a troublesome affair, but making a new packer just to evade the scan engine temporarily would never be the real way to solve the problem.


Since handling packers with signatures is a little passive, anti-virus software pays more attention to unpacking. Unpacking ability is an important standard for the anti-virus ability of the software.

2
Common ways of unpacking

1). Algorithmic unpacking: running the packing operation in reverse

Advantage: efficiency is high, and unpacking is fast.
Weaknesses:
1.1. The virus is killed late; you can only unpack after you have analysed the packer, and the unpacking method needs to be updated whenever the packer is updated.
1.2. Packers protect their algorithms against analysis quite well. Even if the unpacking algorithm can be written, it costs time and an advanced engineer; so when the corresponding unpacker takes that long to write, keeping up is impossible.


2). Virtual-machine unpacking
Virtual-machine unpacking, briefly, means establishing a virtual environment in which the program, or part of it, is run to completion, so that it unpacks itself automatically. The virtual machine is built on an assumption: the virtual machine assumes that every packed program must still run normally, and the precondition for a packed program to run normally is that it unpacks itself automatically and restores the original program. I agree with this assumption; the goal of a packed Trojan is to evade anti-virus software while still taking effect, apart from some bugs in the technology. Nobody writes a dead Trojan as a joke.


Advantage: theoretically the virtual machine can unpack universally, which means it takes off every packer.
Weakness: because the virtual machine executes virtually, unpacking consumes a lot of resources and is slow. The good news is that Intel and Microsoft are preparing hardware-level support for virtualisation technology, which will let the virtual machine run programs at nearly the efficiency of a real machine. I did not note which specific models support VT; friends who are interested can look up the related data themselves.

The virtual machine is not a new technique at all; back in the DOS era, simple virtual machines were already used against encrypted, self-mutating viruses. Friends who are interested please see the article below. Ha ha, big brother calm_cs strongly recommended Micropoint on the forum last year, and I benefited a lot from reading that long article.
http://www.jijiao.com.cn/avtech/antiVtech/00000021.htm


We can see the reality of anti-virus software in the post under AVK on Pacific; it gave me a big shock. All the famous anti-virus companies, the famous virtual machines and the well-known unpacking engines made mistakes when scanning the same sample packed with 12 kinds of packer. They all have signatures for the packers. Why did the scans give different names? Unpacked or not? They will not give you the answer, because this is their mistake.
http://softbbs.pconline.com.cn/topic.jsp?tid=6087616

I hope everyone will discuss on the basis of facts; we Chinese are too easily fooled by network gossip. Last year I also worshipped the super unpacking engine very much, and once imagined it had a super strong ability to reassemble file formats. In reality, the big hope raised by the network gossip brought great disappointment.

3
Micropoint in my eyes
The Pacific post gave me a big shock last October; at the beginning of this year I saw it again reposted on AVK. If the result were that a minority of anti-virus companies could only handle packers by signature while most could unpack nicely, I would accept it very calmly, because it is normal for different vendors to have different technology. But, what a pity, not one company could unpack perfectly, not even the virtual-machine technology that is famous on the network. I think the scan engines of Symantec and McAfee are actually better than the Russians' in reality.

Proactive defence and scanning ARE different. At present only Micropoint does proactive defence, and it is number 1 in this industry; the later ones can only imitate Micropoint's basic actions. But almost every company has scan technology; how can you expect such a small company to make yet another breakthrough there?

So, I personally don't trust Micropoint's scan engine. Micropoint's advantage is in monitoring programs in real time rather than in unpacking them, because signatures are useless to behaviour analysis. Why does Micropoint research a scan engine? Just because of user habits?


PS: In addition, Micropoint's real-time monitoring for unknown viruses has no unpacking technology. I guess Micropoint does not need to unpack at present; packing is useless against Micropoint's behaviour analysis. As said above, every packed virus takes off its own packer when it runs on the real machine, and then Micropoint kills the virus as the program executes. So Micropoint is not troubled by the "signature of the packer" concept used in known-virus monitoring. A packed Trojan that is dead will exit its process in the service manager; it is different from another Trojan that does little in your eyes, and Micropoint will not alarm on it. You can send the sample to the official team to learn the real reason. Micropoint also has things to improve; it had better be prepared.

Perhaps "knowing perfectly well there is a tiger on the mountain, yet heading for the tiger's mountain" is Xu Liu's consistent style. Micropoint has already started to build its high-technology character; I hope the scan engine does not drag its feet and hold back the company's development. I wish it can do more great things. Friends who are interested can test the scan themselves; I will not do the experiment, to avoid disappointment.

For well-known reasons, Micropoint does not have abundant resources; it should take the initiative to allocate resources to make a network version, because with its special architecture a network version would be better in management and scalability. Better make a good plan!

Lacking reasons to support heuristics.
Heuristics need perfect unpacking technology to support the analysis, because they take effect and analyse an unknown virus on the static program code only once the packed program has been restored to the original program. What do we call "heuristics" that lack unpacking ability and alarm on every packer? Is it fake? Given the imperfect unpacking technology, I have long not supported heuristics! Human society is like this: regardless of whether a thing is good or not, you can sell it as long as somebody buys it.

Net friend Vender did a comprehensive test on packing: the test used an absolutely normal file and scanned it with each of the big-name anti-virus products' online scanners, and no virus was found. But when the file was packed and scanned with their own software... Those who are interested can check the result in the original post.

http://publish.it168.com/2006/1213/20061213016905.shtml

PS: Ha ha, I find IT168 pretty interesting recently. It dares to tell the truth and doesn't care about the pressure! When I finish this column job, I will get IT168's payment.

[ Last edited by sidineyqiao on 2008-9-4 at 11:12 ]

2008-9-4 11:11
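Added example (not from sidineyqiao's post, and not Micropoint's or any vendor's code): a toy model in Python of what sections 1 and 2 describe. A constructed sample carries a signature; a constructed packer (assumed format: a "PK!" header, a tiny stub of unpack instructions, then the transformed body) hides that signature from a plain signature scan; an "algorithmic" unpacker written for one known packer restores the known case but gives up on a new packer variant, while an emulator that simply executes the sample's own stub restores both. All names, opcodes, byte strings and the stub format are assumptions made for the example.

```python
"""Toy model of packing versus signature scanning, and of the two unpacking
strategies the post contrasts: a hand-written algorithmic unpacker for one
known packer, and an emulator that executes whatever unpacking stub the
sample carries.  Everything here (the packer, the stub format, the sample
bytes) is constructed for the example; it is not real AV or packer code."""

# The "characteristic code" (signature) the scanner looks for, and a
# constructed sample program that contains it.
SIGNATURE = b"EVIL_DOWNLOADER_v1"
ORIGINAL_PROGRAM = b"MZ\x90\x00" + b"\xcc" * 16 + SIGNATURE + b"\x90" * 16

MAGIC = b"PK!"          # constructed header marking a packed image

# Toy stub instruction set.  A packed image is MAGIC, then a stub (opcode,
# operand pairs terminated by OP_END) that the program would run at start-up
# to restore itself in memory, then the transformed body.
OP_XOR, OP_SUB, OP_ROR, OP_END = 0x01, 0x02, 0x03, 0xFF

# What the stub does to each byte when it runs (the unpacking direction) ...
STUB_OPS = {
    OP_XOR: lambda b, k: b ^ k,
    OP_SUB: lambda b, k: (b - k) & 0xFF,
    OP_ROR: lambda b, k: ((b >> k) | (b << (8 - k))) & 0xFF,
}
# ... and the inverse transforms the packer applies when building the image.
PACKER_OPS = {
    OP_XOR: lambda b, k: b ^ k,
    OP_SUB: lambda b, k: (b + k) & 0xFF,
    OP_ROR: lambda b, k: ((b << k) | (b >> (8 - k))) & 0xFF,
}


def pack(program: bytes, stub: list) -> bytes:
    """Build a packed image whose stub is `stub`.  The packer applies the
    inverse of each stub instruction, last instruction first, so that running
    the stub forwards restores `program` exactly."""
    body = program
    for op, k in reversed(stub):
        body = bytes(PACKER_OPS[op](b, k) for b in body)
    stub_bytes = b"".join(bytes([op, k]) for op, k in stub) + bytes([OP_END])
    return MAGIC + stub_bytes + body


def parse_stub(image: bytes):
    """Split a packed image into (stub instructions, packed body)."""
    if not image.startswith(MAGIC):
        raise ValueError("not a packed image")
    i, ops = len(MAGIC), []
    while image[i] != OP_END:
        ops.append((image[i], image[i + 1]))
        i += 2
    return ops, image[i + 1:]


def emulate_unpack(image: bytes) -> bytes:
    """'Virtual machine' unpacking: execute the sample's own stub, instruction
    by instruction.  Nothing about the packer has to be known in advance, which
    is why this generalises to packers never seen before; the cost is that
    every instruction is interpreted instead of run natively."""
    ops, body = parse_stub(image)
    for op, k in ops:
        body = bytes(STUB_OPS[op](b, k) for b in body)
    return body


# The single packer our algorithmic unpacker was written for (one XOR layer).
KNOWN_PACKER_STUB = [(OP_XOR, 0x5A)]


def algorithmic_unpack(image: bytes):
    """'Algorithmic' unpacking: recognise a known packer's stub and apply a
    hand-written inverse.  Fast and exact for that packer, but it returns None
    for any variant it was not written for: the unpacker has to be rewritten
    every time the packer changes."""
    ops, body = parse_stub(image)
    if ops != KNOWN_PACKER_STUB:
        return None
    return bytes(b ^ 0x5A for b in body)


def scan(image: bytes, unpacker=None) -> str:
    """Signature scan, optionally preceded by an unpacking step.  Returns
    'detected', 'clean', or 'unpack-failed' (packed, and the unpacker gave up)."""
    if image.startswith(MAGIC) and unpacker is not None:
        restored = unpacker(image)
        if restored is None:
            return "unpack-failed"
        image = restored
    return "detected" if SIGNATURE in image else "clean"


# Two packed versions of the same sample: the known packer, and a "new packer"
# built by stacking two different layers.
PACKED_KNOWN = pack(ORIGINAL_PROGRAM, [(OP_XOR, 0x5A)])
PACKED_NEW = pack(ORIGINAL_PROGRAM, [(OP_ROR, 3), (OP_SUB, 0x11)])

if __name__ == "__main__":
    print("plain sample:             ", scan(ORIGINAL_PROGRAM))
    print("packed, no unpacking:     ", scan(PACKED_KNOWN))
    print("known packer, algorithmic:", scan(PACKED_KNOWN, algorithmic_unpack))
    print("new packer, algorithmic:  ", scan(PACKED_NEW, algorithmic_unpack))
    print("new packer, emulated:     ", scan(PACKED_NEW, emulate_unpack))
```

The same sample reads as clean the moment it is packed, which is the signature problem from section 1; the algorithmic unpacker only helps until the packer changes, and the emulator keeps working because it runs the stub rather than recognising it. The real-world trade-off the post describes (emulation is slow, and a stub that is itself obfuscated or checks for the emulator can defeat it) is outside this toy, which only executes straight-line stubs.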



