Antivirus Detections And Why The Initial Response Is So Important

Identifying Malware

To follow up THIS post yesterday about mass malspam starting to use SVG files to deliver malware: I created a little bit of a Twitter storm when I posted these 2 screenshots and suggested Kaspersky should follow Eset and do it “right”.

Let's explain that a little bit. I don’t care that Kaspersky (or any other antivirus) could not detect the malware initially. That is why we submit samples to them and to every other AV company we know of: to get things detected and protect as many users as possible. No security system will ever detect every piece of malware initially. The best initial defence is always a human eye and intuition. If it looks wrong, different, out of place, strange or just unusual, then be aware and take precautions.

What is unforgivable from Kaspersky, however, is the automatic response that I received from the initial automatic analysis system. NO file types are EVER automatically safe. An initial automatic response saying “no malware detected, we will examine further” is the correct way. The initial response is by far the most important contact between a company and its customers.

Many individuals as well as small, medium-sized and big companies use Kaspersky security programs. It is always rated very highly by independent reviews and antivirus tests. In general the first thing a recipient who cares about security does (if it blows past the installed antivirus) is submit the file to VirusTotal to see what (if anything) detects it, then submit the files to their antivirus company, either via email or via the AV itself. 0-day exploits in generally safe but potentially exploitable files are unfortunately common.

Examples would be an exploit in Word documents, Excel spreadsheets or Adobe PDF files. All 3 file types are commonly used by individuals and businesses and are basically safe formats when macros and embedded executable content are disallowed. Probably 90% of Word, Excel and PDF files received by companies are safe, but the other 10% are malicious. That 10% can contain new, previously undisclosed exploits.

Images like photos, JPG, PNG, GIF are all generally seen to be safe file types. However ANY file of any type, including plain text, can have executable content hidden inside it. All image files can contain malware that is steganographically hidden (this is called steganography). Such images normally need another file to tell the hidden content what to do, but that is not the case with SVG files: that image type contains the image and the instructions rolled up inside the same file.

If you open it, you will only see the image you are supposed to see, and the malware runs silently in the background, with no action from you except viewing a supposedly safe image.
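The point above, that an SVG is an XML document that can carry instructions alongside the picture, is exactly what an automated "this file type is safe" verdict misses. As an added example (my own code, not anything from the post, Kaspersky or Eset), here is a small defensive triage check a mail-filter or analyst script could run on an SVG attachment before anyone declares it safe. It walks the XML tree and flags the markers that make an SVG active rather than a plain picture: `script` and `foreignObject` elements, `on*` event-handler attributes, and `javascript:` links. The two sample SVGs are constructed for the example and carry no real payload; the function names `svg_active_content` and `triage_verdict` are hypothetical.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample attachments (not taken from any real campaign).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Same picture, but with the three kinds of "instructions" an SVG can carry.
# The script body is a harmless placeholder; the structure is what matters.
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue" onload="console.log('constructed')"/>
  <a xlink:href="javascript:void(0)"><text>click</text></a>
  <script>console.log('constructed sample, no payload')</script>
</svg>"""

# Elements that embed code or foreign (HTML) content inside the image.
ACTIVE_TAGS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> List[str]:
    """Return a list of findings that make this SVG more than a static picture.

    An empty list means 'nothing found', which is not the same as 'safe':
    a file the parser cannot read is reported as a finding too, because an
    unreadable attachment must go to a human, not straight to the inbox.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG, needs manual review: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element present")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # onload, onclick, onmouseover ... all run when the image is viewed or touched
            if name.startswith("on"):
                findings.append(f"event handler '{name}' on <{tag}>")
            # href / xlink:href pointing at a javascript: URI
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in '{name}' on <{tag}>")
    return findings


def triage_verdict(data: bytes) -> str:
    """Wording a filter should use: never 'safe', only 'nothing found' or 'review'."""
    findings = svg_active_content(data)
    if findings:
        return "hold for analyst review: " + "; ".join(findings)
    return "no active content found (not a guarantee of safety)"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(f"{label}: {triage_verdict(sample)}")
```

Run it and the benign circle produces no findings while the second sample is held with three: the `onload` handler, the `javascript:` link and the `<script>` element. Note that the "clean" verdict is deliberately worded as "no active content found" rather than "safe", which is the whole argument of this post.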

That is why no files of any type can ever be automatically declared safe.
When you get a response saying this file type is safe, you would let the files through. This is what happens frequently in small and medium-sized businesses where, if set up correctly, a mail filter will alert on attachments and divert the entire email to a quarantine area.

This can be very tricky to set up so that “good” everyday attachments are allowed and the business can function properly. Zip files tend to be used to deliver malware, so zips get quarantined. We know that some senders that do business with us will enclose files in zips to cut down on the size of the attachment or to send multiple files at the same time. When it gets quickly checked by the overworked and underpaid staff member who deals with emails, he or she, unless experienced and able to do basic malware analysis, will accept the antivirus response and release the email(s) from quarantine.
