Automated analysis


Disclaimer: the views expressed here are my own, and unless expressly stated, do not necessarily represent the views of any former or current employer.

Automated security analysis is good for dealing with a large flux of (possibly) malicious files; however, information coming from these kinds of sources must be clearly marked as automatically generated (as opposed to information derived by humans). Example:

In a malware description from TrustedSource we find the following lines (emphasis added):

C:\autorun.inf This is a non malicious text file with the following content:

[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

Clearly this is one of those simplistic "infect the USB drive" types of malware, and the autorun.inf file is a key component of it. While it is not harmful in itself, it should clearly be removed (an analogy might help: let's say a piece of malware is composed of an executable and a DLL which it loads. The DLL itself is not active unless the executable loads it, but it should still be flagged and removed).
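To make the point concrete, here is an added example (my own code, not TrustedSource's engine or anything from the original post) of how an automated classifier can judge an autorun.inf by what it launches rather than by the fact that it is a plain text file, and can stamp its verdict with the provenance the post asks for. The sample input is the autorun.inf quoted above; the backslashes in it are an assumption (they look like they were dropped when the page was extracted), and the heuristics (launch path inside a recycle-bin folder, launch of an executable, a shell= line redirecting the default verb) are illustrative choices of mine, not a published rule set.

```python
import configparser
import re

# Constructed sample input: the autorun.inf quoted in the post above. The
# backslashes are restored here on the assumption that the web extraction
# dropped them; the key and file names are exactly those on the page.
SAMPLE_AUTORUN = r"""[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)
"""

# Constructed benign counter-example: a label and an icon launch nothing.
BENIGN_AUTORUN = r"""[autorun]
label=Holiday photos
icon=photos.ico
"""

# Keys whose value names a program Windows would run on insertion or on a
# double-click of the drive (assumed set, covering the keys seen above).
EXEC_KEYS = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
RECYCLE_DIR_NAMES = ("recycled", "recycler", "$recycle.bin")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, key case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'shell\Open(&O)\command' exactly as written
    cp.read_string(text)
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def launch_targets(entries):
    """List (key, path) pairs for every entry that would cause a program to run."""
    return [(key, value.strip()) for key, value in entries.items()
            if key.lower() in EXEC_KEYS or VERB_COMMAND_RE.match(key.lower())]


def assess_autorun(text):
    """Judge an autorun.inf by what it launches, not by the fact that it is text.

    The heuristics are illustrative assumptions, not TrustedSource's rules.
    The verdict carries a 'source' field so downstream consumers can see that
    it was produced automatically and not by a human analyst.
    """
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []

    def note(msg):
        if msg not in reasons:  # the same path may appear under several keys
            reasons.append(msg)

    for _key, path in targets:
        parts = [p for p in re.split(r"[\\/]", path.lower()) if p]
        if any(p in RECYCLE_DIR_NAMES for p in parts[:-1]):
            note(f"launches from a recycle-bin folder: {path}")
        if parts and parts[-1].endswith(EXE_SUFFIXES):
            note(f"launches an executable: {path}")

    default_verb = next((v for k, v in entries.items() if k.lower() == "shell"), "")
    if default_verb.strip():
        note(f"default verb redirected by shell={default_verb.strip()}")

    return {
        "verdict": "malicious-component" if reasons else "inert",
        "targets": targets,
        "reasons": reasons,
        "source": "automated-heuristic",  # never present this as a human verdict
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess_autorun(text))
```

The "source" field is the part that matters for the post's argument: a file that is inert on its own but wired to launch a program gets a verdict, and the verdict says who (or what) produced it.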

In conclusion: automatically generated information is good, but please do mark it as such. And also, in the name of science, question everything:

[Embedded video: Discovery Science "Question Everything", by X3EN0N]

