
Closed to new replies
November 5, 2012

Replies: 9

Testing false positive malware with Virtualization?

Plutonia-V41 Featured By Owner Nov 5, 2012  Hobbyist Digital Artist
I have Avira Antivir and every now and then it reports some random files as false positives. It has to do with some specific form of programming in executables, and even DLLs. How can I trust any executable at all, when there are so many confirmed false positives reported?

So, I was wondering if it was safe to test potential malware programs using virtualization? I downloaded VMlite for this purpose. If an executable turns out to be a trojan, wouldn't it simply break the virtual machine and not affect the real operating system that the virtual machine is running in? If it's entirely insulated from networks and I can simply destroy the virtual machine afterwards anyway, isn't it a safe environment to test these things?

Of course virtualization isn't perfect. A trojan can install a keylogger and send private data across the network. But if it's insulated, then there shouldn't be a problem with that either, right? Plus I wasn't planning on using my bank login or anything like that on the virtual machine. :D

Devious Comments

Jakeukalane Featured By Owner Nov 11, 2012  Hobbyist Digital Artist
....linux....
Plutonia-V41 Featured By Owner Nov 11, 2012  Hobbyist Digital Artist
Yeah, using Linux to test Windows executables... which by the way doesn't work. That's the only problem.
Jakeukalane Featured By Owner Nov 11, 2012  Hobbyist Digital Artist
Well... I don't know. Just experience. I set up Wine profiles to try archives in order to redistribute them through friends with Windows... and Wine also can reproduce an infection...
Greetings
delusionalHamster Featured By Owner Nov 6, 2012  Hobbyist Digital Artist
>> How can I trust any executable at all, when there are so many confirmed false positives reported?

That's an excellent question. The unfortunate answer is, you can't.

Thing is, anti-virus companies purposefully make it hard to report false positives. Some companies don't even acknowledge reports of them at all. But there's a twist - the false positives are never given for the software of really big software corporations (Microsoft, Adobe, Oracle etc.) because they know those corporations have the legal firepower to wipe out an antivirus company in the courts if they so choose.

But smaller developers and developers of freeware or free software are SOL. Why you might ask? It's simple: more false positives makes their software look more useful. Most average, non-technical users have no way of knowing whether a virus warning is a false positive or not, so the AV companies know the majority of users aren't likely to complain. And more warnings/actions from the AV software gives the impression that the software is "doing its job".

Of course, you can avoid all this by using an OS that doesn't require silly antivirus software. An OS where the security is built into the system instead of outsourced to a 3rd-party band-aid solution which you have no way of knowing what it does with your computer. Personally, I haven't used antivirus software for a year and I haven't caught a single virus or malware.
pyrohmstr Featured By Owner Nov 5, 2012  Professional Artist
That's a lot of work for no real gain. Certainly you can put these sorts of infections into VMs to see what they do (that's how they're researched in the first place) but unless you have a fairly specific setup looking at the memory and processes you likely wouldn't see anything happen.

If you're concerned about false positives then either get better AV software or ignore them.
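A filesystem-level cousin of the "specific setup looking at the memory and processes" pyrohmstr refers to, added here as an example and not code posted by anyone in the thread: a stdlib-only Python baseline/diff of a directory tree, taken inside the disposable VM before and after running the suspect file, so that files it creates, modifies or deletes are observed rather than assumed. The directory and sample files in `demo()` are constructed for the demonstration.

```python
"""Snapshot a directory tree before and after running a suspect file inside a
throwaway VM, then diff the snapshots. Added example; demo() paths are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file (path relative to root) to its SHA-256."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the link target is hashed where it really lives
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            state[str(p.relative_to(root))] = h.hexdigest()
    return state


def diff_snapshots(before, after):
    """Return sorted lists of created, deleted and modified relative paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Baseline, simulate a suspect program's side effects, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("proxy=\n")   # constructed sample
        (root / "notes.txt").write_text("hello\n")
        before = snapshot(root)
        # Stand-ins for what a suspect executable might do to the tree:
        (root / "config.ini").write_text("proxy=127.0.0.1:8080\n")  # modified
        (root / "notes.txt").unlink()                               # deleted
        (root / "dropped.bin").write_bytes(b"\x4c\x00")             # created
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken on a clean VM snapshot and the second pass after the suspect program has run, with the VM then rolled back or destroyed.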
Plutonia-V41 Featured By Owner Nov 5, 2012  Hobbyist Digital Artist
I have had 2 trojans before, and both of them worked pretty immediately. One installed a redirecting proxy on my browser, the other was a rootkit virus that destroyed the master boot record and erased my system partition. The first one I was able to defeat pretty easily. The second killed my OS (obviously) and the absence of the MBR classified all 420GB of stuff on the data partition as "non-existent files".

Fortunately the virus was stupid, because it killed my OS before any pesky auto-defragmenters or indexers were able to mess around with the "free space" that the MBR tampering had created. Therefore, about a year later, I was able to use a certain Linux distro to restore every single file that the virus had deleted. :D

Anyway, I just want to be sure that starting up some program doesn't try to install a full-screen toolbar on my browser, or redirect every folder I open to cp sites using automated Internet Explorer scripts or something.
pyrohmstr Featured By Owner Nov 5, 2012  Professional Artist
Any good AV software will stop the virus on execution and won't give false positives. You said that yours was giving false positives, which leads me to think that you know they're false positives. If you're unsure, then it's a gamble for you in the long run. Things in a VM won't necessarily show the same behavior in that virtual machine, especially since hardware and OS are emulated differently than your actual PC. Depends on the specific VM you're using. The sandbox-type programs will offer you some protection but in reality, anything that was going to get around your OS protected memory is going to get around those.

Point is, if your AV software is worth having then you should be able to run just about anything without worry. If that's not the case, then you need better AV software.
DoctorV23 Featured By Owner Nov 5, 2012
I think this is more suited to what you want to do: [link]
Plutonia-V41 Featured By Owner Nov 5, 2012  Hobbyist Digital Artist
Thanks. That works. :) VMlite didn't work after all. It needs some extra file for the "XPmode" and the option to download it has been greyed out. So I installed an empty program.