
There's a file processing service that looks for some known attacks and sometimes returns messages like:

Probably harmless! There are strong indicators suggesting that this file is safe to use.

Are there heuristics that model the likelihood that a file is harmless, and if so, what is a simple example of such a heuristic, and what is the best way to learn more about the topic in general?

blunders

1 Answer

Likely heuristics are:

  • File is a valid file of a known type (e.g. a JPEG that falls within a strict reading of the JPEG spec).
  • File does not contain any extraneous data (e.g. JPEG permits unformatted data after the image. A safe file would not have any.)
  • File does not contain any known exploits for the format.

Other possible heuristics:

  • File does not use unusual features of the format (e.g. a JPEG that uses unusual application-specific markers would be considered suspicious).
  • File does not appear to embed data of a different type (e.g. a JPEG with something that looks like HTML in the comment field could be an attack on the Internet Explorer type-sniffing mechanism, though this is prone to false positives).

For learning more about this, I'd recommend reading up on the specs on a few file formats, and looking for exploits involving those formats.

Mark
  • You forgot `3. This 'file processing service' is actually a scam to reassure gullible users into installing 'virus-free' malware.` – Shadur May 19 '14 at 06:49
  • @Shadur: Unclear what you mean by "[it] is actually a scam to reassure gullible users into installing virus-free malware." What do you mean? – blunders May 19 '14 at 11:43
  • @blunders Story time! I occasionally play an MMO named Warframe. Good fun, has a number of microtransacty things, lots of depth for a third person space ninja shooter. Couple weeks ago I got followed on Twitter by an obvious bot that advertised 'free platinum' (plat being the in-game for-purchase currency) that led to a website where you could download an app that promised to "hack" the game and provide you with a thousand plat a pop. The app itself was touted on a file processing service like mentioned in the question and certified virus free... (cont'd) – Shadur May 19 '14 at 13:27
  • @blunders ... and the instructions were to launch it, provide it with your in-game username and password, and it would handle everything else. Just because something doesn't contain a virus doesn't mean it's safe to execute. – Shadur May 19 '14 at 13:28
  • @Shadur: I see. In my opinion, someone that would knowingly give away their access credentials in the way you've described likely has larger security issues than any automated security service would ever be able to account for; point being that it might be possible to account for that pattern, but the pattern is so fundamental of a concept that it is not worth automating a solution for, and the real issue is that the user lacks a basic understanding of security; or at least that's my opinion. – blunders May 19 '14 at 14:11
  • @blunders "lacks a basic understanding of security" pretty much sums up my opinion of people willing to trust a 'file profiling service' website rather than an actual virus scanner on their own system. – Shadur May 19 '14 at 14:56
  • @Shadur: Sorry, but it appears you are presenting uncalled-for assumptions, maybe being argumentative, and that your comments are at best semi-related to the topic of the question. Both on-system and off-system services have their strengths & weaknesses, and the question in no way takes a position on how best to use them. – blunders May 19 '14 at 15:30
  • @Shadur: Nowhere in the question does it say "rather than". Did you consider that someone might use *both*? The recommendation to only use one anti-virus is (1) bad and (2) based on concerns about technical incompatibility between badly programmed antivirus software, not based on an actual improvement in security by trusting a single tool. – Ben Voigt May 20 '14 at 01:35
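The heuristics in Mark's answer (strict structural validity, no data after the end-of-image marker, no unusual application markers, no foreign content in the comment segment) can be made concrete with a small JPEG structure checker. The following is an added example, not code from the question or the answer and not the code of any real scanning service; the set of "common" APPn markers, the HTML-like pattern, and the constructed sample files are assumptions chosen for illustration.

```python
import re
import struct

# JPEG marker codes (ITU T.81 / JFIF). Markers are 0xFF followed by one of these bytes.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP15 = 0xE0, 0xEF
RST0, RST7, TEM = 0xD0, 0xD7, 0x01

# Assumption: APPn segments seen in ordinary images (JFIF, Exif/XMP, ICC, Photoshop, Adobe);
# any other APPn is reported as "unusual" per the answer's heuristic.
COMMON_APP = {0xE0, 0xE1, 0xE2, 0xED, 0xEE}

# Assumption: a crude signature for HTML-like content inside a comment segment.
HTML_LIKE = re.compile(rb"<\s*(html|script|iframe|body|img|a)\b", re.IGNORECASE)


def parse_segments(data):
    """Walk the header segments up to SOS. Returns ([(marker, payload)], scan_start)."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos, segments = 2, []
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker, pos = data[pos], pos + 1
        if marker == TEM or RST0 <= marker <= RST7 or marker == EOI:
            raise ValueError(f"unexpected standalone marker 0x{marker:02X} before SOS")
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for marker 0x{marker:02X}")
        segments.append((marker, data[pos + 2:pos + length]))
        pos += length
        if marker == SOS:
            return segments, pos  # entropy-coded scan data starts here
    raise ValueError("no SOS segment")


def find_eoi(data, start):
    """Scan past entropy-coded data (honouring 0xFF00 stuffing, RSTn and further
    segments of progressive files) and return the offset just after EOI."""
    pos = start
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            pos += 1
            continue
        nxt = data[pos + 1]
        if nxt == EOI:
            return pos + 2
        if nxt == 0x00 or RST0 <= nxt <= RST7:
            pos += 2  # stuffed byte or restart marker: still inside scan data
        elif nxt == 0xFF:
            pos += 1  # fill byte
        else:  # another header segment (e.g. DHT/SOS of a progressive scan): skip by length
            if pos + 4 > len(data):
                raise ValueError("truncated segment after scan data")
            length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if length < 2:
                raise ValueError("bad segment length after scan data")
            pos += 2 + length
    raise ValueError("no EOI marker")


def assess_jpeg(data):
    """Apply the answer's heuristics; an empty list means nothing suspicious was found."""
    findings = []
    try:
        segments, scan_start = parse_segments(data)
        end = find_eoi(data, scan_start)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    if end < len(data):
        findings.append(f"trailing data: {len(data) - end} bytes after EOI")
    for marker, payload in segments:
        if APP0 <= marker <= APP15 and marker not in COMMON_APP:
            findings.append(f"unusual APP{marker - APP0} segment ({len(payload)} bytes)")
        if marker == COM and HTML_LIKE.search(payload):
            findings.append("comment segment contains HTML-like markup")
    return findings


# --- constructed sample files (not real images; structurally valid for the checker) ---
def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(extra_segments=(), comment=None, trailing=b""):
    parts = [bytes([0xFF, SOI]), _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")]
    parts += [_seg(m, p) for m, p in extra_segments]
    if comment is not None:
        parts.append(_seg(COM, comment))
    parts.append(_seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"))  # SOF0: 8x8, 1 component
    parts.append(_seg(SOS, b"\x01\x01\x00\x00\x3f\x00"))
    parts.append(b"\xff\x00\x12\x34")  # scan data containing a stuffed 0xFF00
    parts.append(bytes([0xFF, EOI]) + trailing)
    return b"".join(parts)


if __name__ == "__main__":
    for name, blob in [("clean", build_jpeg()),
                       ("appended payload", build_jpeg(trailing=b"MZ\x90\x00")),
                       ("html in comment", build_jpeg(comment=b"<script>alert(1)</script>")),
                       ("odd APP7", build_jpeg(extra_segments=[(0xE7, b"\x00" * 16)])),
                       ("not a jpeg", b"GIF89a")]:
        print(f"{name}: {assess_jpeg(blob) or 'probably harmless'}")
```

The checker only inspects container structure, which is exactly why such a service can at best say "probably harmless": a structurally perfect file can still carry a malicious payload for a decoder bug the checker knows nothing about, and the HTML test will flag benign comments that merely mention a tag. Tightening the marker whitelist or the comment pattern trades false negatives for false positives, which is the usual calibration problem for this class of heuristic.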