Hi Michael,
are there any new additional features to the 5700 engine in the new GAM?
New Version is up and running on our MWG in DMZ. Let's see what happens. 🙂
Cheers,
Thorsten
Hi
The following URL http://cache-ams02.cdn.yandex.net/download.cdn.yandex.net/browser/yandex/ru/lite/Yandex.exe?browser=...
was detected as PUP or McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious.L!70 using the current engine.
The new Beta engine tells me the file is CLEAN.
What is right?
Frank
p.s. Happy Christmas to all of you!
Any idea to check files against both engines for easier comparison?
My personal idea:
Check in proxy with old engine.
If infected -> forward to second proxy (add findings in header file)
Second proxy analyses again and shows both results....
Frank
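Frank's two-proxy idea above, sketched as an added Python example. This is not McAfee or MWG code: the CSV log format, the header name `X-First-Engine-Verdict`, the hashes and the detection names other than the one from the thread are constructed for illustration. The script joins the two engines' verdicts per file hash and buckets them, so "old engine detects, new engine clean" (the false-positive candidates discussed in the thread) can be listed separately from "new engine detects, old engine clean" and from objects only one engine saw; it also shows the header hand-off between the first and second proxy.

```python
"""Side-by-side comparison of two scan engines' verdicts.

Added example, not McAfee/MWG code. The log format below is constructed
for illustration; a real MWG access log looks different.
"""
import csv
import io
from collections import defaultdict

# Constructed sample logs (hypothetical CSV format): one line per scanned
# object with sha256, url and verdict ("clean" or a detection name).
OLD_ENGINE_LOG = """\
sha256,url,verdict
1111aaaa,http://cache-ams02.cdn.yandex.net/Yandex.exe,Heuristic.BehavesLike.Win32.Suspicious.L!70
2222bbbb,http://example.test/setup.exe,clean
3333cccc,http://example.test/tool.exe,Trojan.Generic.Test
4444dddd,http://example.test/report.pdf,clean
"""

NEW_ENGINE_LOG = """\
sha256,url,verdict
1111aaaa,http://cache-ams02.cdn.yandex.net/Yandex.exe,clean
2222bbbb,http://example.test/setup.exe,PUP.Bundler.Test
3333cccc,http://example.test/tool.exe,Trojan.Generic.Test
5555eeee,http://example.test/other.exe,clean
"""

# Hypothetical header the first proxy adds before forwarding to the second.
HEADER = "X-First-Engine-Verdict"


def parse_log(text):
    """Return {sha256: (url, verdict)} from a CSV log (constructed format)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["sha256"]: (r["url"], r["verdict"]) for r in rows}


def compare(old, new):
    """Bucket every hash by how the two engines' verdicts relate.

    old_only  : old engine flags it, new engine says clean
                (a removed false positive, or a lost detection: needs review)
    new_only  : new engine flags it, old engine said clean
    both_detect / both_clean : engines agree
    unscanned_by_one : only one engine produced a verdict for this hash
    """
    buckets = defaultdict(list)
    for sha in sorted(set(old) | set(new)):
        if sha not in old or sha not in new:
            buckets["unscanned_by_one"].append(sha)
            continue
        old_hit = old[sha][1] != "clean"
        new_hit = new[sha][1] != "clean"
        if old_hit and new_hit:
            key = "both_detect"
        elif old_hit:
            key = "old_only"
        elif new_hit:
            key = "new_only"
        else:
            key = "both_clean"
        buckets[key].append(sha)
    return dict(buckets)


def finding_header(sha, verdict):
    """Header (name, value) the first proxy attaches when forwarding a hit."""
    return HEADER, f"{sha}; verdict={verdict}"


def merge_from_header(value, new_verdict):
    """What the second proxy can report: both verdicts and whether they agree."""
    sha, _, old_verdict = value.partition("; verdict=")
    return {
        "sha256": sha,
        "old": old_verdict,
        "new": new_verdict,
        "agree": (old_verdict == "clean") == (new_verdict == "clean"),
    }


if __name__ == "__main__":
    old, new = parse_log(OLD_ENGINE_LOG), parse_log(NEW_ENGINE_LOG)
    for bucket, shas in compare(old, new).items():
        print(bucket)
        for sha in shas:
            url = (old.get(sha) or new.get(sha))[0]
            print(f"  {sha}  old={old.get(sha, ('', '-'))[1]}"
                  f"  new={new.get(sha, ('', '-'))[1]}  {url}")
    name, value = finding_header("1111aaaa", old["1111aaaa"][1])
    print(name, "->", merge_from_header(value, new["1111aaaa"][1]))
```

Objects in `old_only` are the ones to look at first: each is either a false positive the new engine dropped (as with Yandex.exe in this thread) or a detection the new engine lost, and only a second opinion such as a sandbox run or a multi-engine lookup tells the two apart.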
Hello Frank,
the 2014.2 engine has improved a lot when it comes to False Positives. So the number of False Positives that you have seen with the older engine should go down. The file you've mentioned had a detection ratio of 0/54 when checked using VirusTotal, so it was a False Positive and the file is not infected.
Regards,
Dirk
Hmmm,
Hi all, did some testing with the file. Wrote down some explanation as well (I'm a detail freak *g*)
1) yandex.exe
the file itself seems to be clean. Also sandbox systems showing no problem. virustotal.com shows the file is clean.
But, when analyzing with ATD (executing the file) the result shows connections to a site which is categorized as Risk/Fraud/Crime.
There is also content downloaded from internet. The files are stored in the user profile and the whole directory is 380MB in size. 🙂
ATD detects several malicious activities.
My conclusion:
GAM works fine as expected, because MWG never executes a file and a false positive is removed with the new GAM version. The "malicious behavior" starts if the file is executed on the endpoint. There are 467 files stored on disk.
TIE/DXL will close this gap, because the whole behavior will be analyzed with all involved files.
2) Files in the user profile directory
Did some behavior based analysis with the files stored in the user profile directory. No system detected malicious behavior with the samples I uploaded.
Final conclusion:
This means, if you ask the question "is this file okay or not" you will detect much well-known malware and many zero-day malware with GAM. But, with this approach you will not detect sophisticated threats. 🙂
Cheers,
Thorsten
Thanks Michael for the info,
Does this mean ATD integration with "Data Trickling" or "Offline Scanning"??
Installed this:
- GAM heuristics higher than 30%: Trickling page occurs
- GAM heuristics lower than 30%: supported file is sent to ATD with offline scanning.
Btw, waiting with pleasant anticipation for DXL integration. 🙂
Cheers,
Thorsten
Hi Thorsten - happy new year 1st
So, that improved down-selection means that GAM is now taking other vectors into consideration and enables a better 'grey' detection, so that you will get more 60-90 ratings as opposed to 0 and 100 as previously.
Michael
updated every proxy to the new GAM (while listening to the Vienna Philharmonic Orchestra's New Year's Concert)..... 🙂