24 Replies, latest reply on Mar 3, 2015 9:52 AM by dstraube

    GAM 2014.2 BETA

    michael_schneider

All, we are looking for people to test the GAM 2014.2 engine.

      Details here: GAM 2014.2 Beta (Updated 23/01/2015)

This thread is the one where we would like you to discuss questions/problems.

      thanks,

      Michael

        • 1. Re: GAM 2014.2 BETA
          Troja

          Hi Michael,

Are there any new additional features to the 5700 engine in the new GAM?

New version is up and running on our MWG in the DMZ. Let's see what happens. :-)

GAMv2.jpg

          Cheers,

          Thorsten

          • 2. Re: GAM 2014.2 BETA
            michael_schneider

            Thanks Thorsten

            Just updated the Blog Post with "New Features"

            • 3. Re: GAM 2014.2 BETA
              feickholt

              Hi

The following URL http://cache-ams02.cdn.yandex.net/download.cdn.yandex.net/browser/yandex/ru/lite/Yandex.exe?browser=Firefox/32/24.0&hash=f5f66e0e6c6837b72b1092c7a5f6d736&download_date=1419197772&.exe

              was detected as PUP or McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious.L!70 using the current engine.

The new beta engine tells me the file is CLEAN.

What is right?

Frank

              p.s. Happy Christmas to all of you!

              • 4. Re: GAM 2014.2 BETA
                feickholt

Any idea how to check files against both engines for easier comparison?

                My personal idea:

                Check in proxy with old engine.

If infected -> forward to second proxy (add findings in a header).

Second proxy analyses again and shows both results....

                Frank
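The two-stage comparison Frank sketches, as an added example that is not part of the thread or of any McAfee product: a first stage scans with the old engine and records its finding in a header, a second stage scans with the new engine and appends its own verdict, and the results are bucketed so that files flagged only by the old engine (false-positive candidates, like the Yandex download discussed above) stand out from files only the new engine catches. The engines are constructed verdict tables, the header names X-Scan-Old-Engine and X-Scan-New-Engine are assumptions, and every sample name and detection name except yandex.exe and its Heuristic.BehavesLike detection is made up.

```python
"""Two-stage old-engine / new-engine verdict comparison (added example)."""

# Constructed verdict tables: sample name -> detection name, or None when clean.
# Only the yandex.exe entry mirrors the thread; the rest is made-up test data.
OLD_ENGINE = {
    "yandex.exe": "Heuristic.BehavesLike.Win32.Suspicious.L!70",
    "invoice.doc": "Macro.Downloader",
    "setup.msi": None,
    "report.pdf": None,
}
NEW_ENGINE = {
    "yandex.exe": None,
    "invoice.doc": "Macro.Downloader",
    "setup.msi": "Trojan.Generic",
    "report.pdf": None,
}

# Assumed header names used to carry each stage's finding between the proxies.
OLD_HEADER = "X-Scan-Old-Engine"
NEW_HEADER = "X-Scan-New-Engine"


def first_stage(sample, old=OLD_ENGINE):
    """First proxy: scan with the old engine and record any finding in a header."""
    headers = {}
    finding = old.get(sample)
    if finding:
        headers[OLD_HEADER] = finding
    return headers


def second_stage(sample, headers, new=NEW_ENGINE):
    """Second proxy: scan again with the new engine and append its verdict.

    The stage-1 header is preserved so both results travel together.
    """
    headers = dict(headers)
    finding = new.get(sample)
    headers[NEW_HEADER] = finding or "clean"
    return headers


def classify(headers):
    """Bucket a sample by which engine(s) flagged it."""
    old_hit = OLD_HEADER in headers
    new_hit = headers.get(NEW_HEADER, "clean") != "clean"
    if old_hit and new_hit:
        return "both"
    if old_hit:
        return "old_only"  # false-positive candidate of the old engine, or a miss by the new one
    if new_hit:
        return "new_only"  # new detection: verify before trusting the beta
    return "clean"


def compare(samples):
    """Run every sample through both stages and group them by outcome."""
    summary = {"both": [], "old_only": [], "new_only": [], "clean": []}
    for sample in samples:
        headers = second_stage(sample, first_stage(sample))
        summary[classify(headers)].append(sample)
    return summary


if __name__ == "__main__":
    for bucket, names in compare(sorted(OLD_ENGINE)).items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
```

Frank's version forwards only files the old engine flagged; scanning every file in both stages, as here, is what makes the new_only bucket visible, and that bucket is the one that shows where the beta engine finds something the old engine missed.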

                • 5. Re: GAM 2014.2 BETA
                  dstraube

Hello Frank,

the 2014.2 engine has improved a lot when it comes to false positives, so the number of false positives that you have seen with the older engine should go down. The file you've mentioned had a detection ratio of 0/54 when checked using VirusTotal, so it was a false positive and the file is not infected.

Regards,

                  Dirk

                  • 6. Re: GAM 2014.2 BETA
                    Troja

Thanks Michael for the info.

"Improved Down-Selection Support for Windows Executables"

Does this mean ATD integration with "Data Trickling" or "Offline Scanning"?

                    Installed this:

- GAM heuristics higher than 30%: trickling page occurs

- GAM heuristics lower than 30%: supported file is sent to ATD with offline scanning.


Btw, waiting with pleasant anticipation for the DXL integration. :-)

                    Cheers,

                    Thorsten

                    • 7. Re: GAM 2014.2 BETA
                      Troja

                      Hmmm,

Hi all, did some testing with the file. Wrote down some explanation as well (I'm a detail freak *g*).

                      1) yandex.exe

The file itself seems to be clean. Sandbox systems also show no problem, and virustotal.com shows the file is clean.

But when analyzing with ATD (executing the file), the result shows connections to a site which is categorized as Risk/Fraud/Crime.

                      yandex_browser.jpg

There is also content downloaded from the internet. The files are stored in the user profile, and the whole directory is 380MB in size. :-)

ATD detects several malicious activities.

                      My conclusion:

GAM works fine as expected, because MWG never executes a file, and the false positive is removed with the new GAM version. The "malicious behavior" starts if the file is executed on the endpoint. There are 467 files stored on disk.

TIE/DXL will close this gap, because the whole behavior will be analyzed with all involved files.

                      2) Files in the user profile directory

Did some behavior-based analysis with the files stored in the user profile directory. No system detected malicious behavior with the samples I uploaded.

Final conclusion:

This means, if you ask the question "is this file okay or not", you will detect much well-known malware and many zero-day malware with GAM. But with this approach you will not detect sophisticated threats. :-)

                      Cheers,

                      Thorsten

                      • 8. Re: GAM 2014.2 BETA
                        Troja

Updated every proxy to the new GAM (while listening to the Vienna Philharmonic Orchestra New Year's Concert)..... :-)

                        • 9. Re: GAM 2014.2 BETA
                          michael_schneider

Hi Thorsten - happy new year first.

So, that improved down-selection means that GAM is now taking other vectors into consideration and enables a better 'grey' detection, so that you will get more 60-90 ratings as opposed to 0 and 100 as previously.

                          Michael
