From: Karthik Balaguru on 13 Mar 2010 07:56

>[Perumal]
>Hi,
>Is there any way by which I can tell whether an application is malicious
>or not by looking at the system calls made by the application?
>
>Thanks In Advance,
>Perumal
>
>[Marc Stan]
>If I've understood your question there exists a project called REMUS hosted
>on sourceforge; it monitors system calls made by 'dangerous' processes such
>as daemons and, accordingly with a database of 'good behaviours'
>(i.e. right parameters in syscalls etc. etc.), tells you whether a call is
>malicious or not. Unfortunately it works only with 2.4 kernel...but if you
>like you can always make a port.
>Hope helped you.
>Marc Stan
>
>[Karthik Balaguru]
>Coool ! That's great :-)
>I have been looking for a similar tool but for 2.6 kernel.
>But, won't any open source virus scanner tools use this
>trick too apart from other scanning tricks to contain
>few malicious applications that make malicious calls ?
>Is it not useful for virus scanner to use this methodology ?
>
>Thx,
>Karthik Balaguru
>
>[Bill Marcum]
>Most virus scanners that run under Linux are used to scan for viruses that
>attack Windows.
>

[Karthik Balaguru]
So, does it imply that the virus scanners check for malicious system calls
from malicious applications in Windows ? Are there any open source
implementations of those virus scanners that check for malicious system
calls from certain applications in Windows ?

PS : (FYI - The original discussion origin is in linux security in case you
want even more info on the thread.) For this discussion, I have looped in
the virus, vista security & linux setup too and hence I have added the names
against the respective posts so that they could also share their thoughts.

Thx in advance,
Karthik Balaguru
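The approach Marc Stan describes above (a per-daemon database of "good behaviours": which syscalls a process may make, and with which parameters) can be illustrated offline without any kernel hook. The following is an added example, not REMUS code or anything posted in the thread: it parses constructed strace-style log lines and reports calls that fall outside a per-program profile, either a syscall the program is not expected to make at all or an open()/openat() on a path outside the program's allowed prefixes. The process names, paths, log format and policies are all constructed for the example; a real deployment would need profiles built from observing each daemon's normal operation.

```python
"""Added example (not REMUS or any tool from the thread): an offline
'good behaviour' checker for syscall logs in the spirit described above.

Log format is a constructed strace-like layout:
    <pid> <comm> <syscall>(<args>) = <ret>
Each profiled program has a Policy: the syscalls it is allowed to make and,
for file-opening calls, the path prefixes it may open. Any call outside that
profile is reported. Unprofiled programs are ignored, mirroring the idea of
watching only the 'dangerous' processes such as daemons.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.+)$"
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first "..." argument

FILE_OPEN_CALLS = {"open", "openat", "creat"}


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    comm: str
    name: str
    args: str
    ret: str


@dataclass
class Policy:
    """Good-behaviour profile for one program (constructed for this example)."""
    allowed: Set[str]                                   # syscalls the program may make
    open_prefixes: List[str] = field(default_factory=list)  # paths it may open


def parse_line(line: str) -> Optional[SyscallEvent]:
    """Parse one log line; unparseable lines yield None and are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SyscallEvent(int(m["pid"]), m["comm"], m["name"], m["args"], m["ret"].strip())


def first_quoted_arg(args: str) -> Optional[str]:
    m = QUOTED_RE.search(args)
    return m.group(1) if m else None


def check_event(ev: SyscallEvent, policy: Policy) -> Optional[str]:
    """Return a reason if the call is outside the profile, else None.

    The attempt is judged, not the outcome: a denied open() of a sensitive
    file is still a deviation from the program's expected behaviour."""
    if ev.name not in policy.allowed:
        return f"pid {ev.pid} {ev.comm}: syscall {ev.name} not in profile"
    if ev.name in FILE_OPEN_CALLS:
        path = first_quoted_arg(ev.args)
        if path is None:
            return f"pid {ev.pid} {ev.comm}: {ev.name} with no path argument"
        if not any(path.startswith(prefix) for prefix in policy.open_prefixes):
            return f"pid {ev.pid} {ev.comm}: {ev.name} on {path} outside allowed prefixes"
    return None


def audit(lines: Iterable[str], policies: Dict[str, Policy]) -> List[str]:
    """Run every parseable line of a profiled program through its policy."""
    findings: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        policy = policies.get(ev.comm)
        if policy is None:
            continue  # not a profiled process; ignored
        reason = check_event(ev, policy)
        if reason:
            findings.append(reason)
    return findings


# Constructed profiles: an allow-list per daemon, not taken from any real product.
POLICIES: Dict[str, Policy] = {
    "httpd": Policy(
        allowed={"read", "write", "open", "openat", "close", "accept", "mmap", "stat", "fstat"},
        open_prefixes=["/var/www/", "/etc/httpd/", "/var/log/httpd/"],
    ),
    "ntpd": Policy(
        allowed={"open", "read", "close", "adjtimex", "sendto", "recvfrom", "select"},
        open_prefixes=["/etc/ntp.conf", "/var/lib/ntp/"],
    ),
}

# Constructed sample log: two in-profile httpd calls, two deviations,
# two in-profile ntpd calls, one unprofiled process, one unparseable line.
SAMPLE_LOG = [
    '1234 httpd open("/var/www/html/index.html", O_RDONLY) = 5',
    '1234 httpd read(5, "<html>..."..., 4096) = 612',
    '1234 httpd open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)',
    '1234 httpd execve("/bin/sh", ["sh"], [/* 12 vars */]) = 0',
    '4321 ntpd open("/etc/ntp.conf", O_RDONLY) = 3',
    '4321 ntpd adjtimex({modes=ADJ_OFFSET, ...}) = 0',
    '5555 sshd open("/etc/ssh/sshd_config", O_RDONLY) = 4',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, POLICIES):
        print(finding)
```

Run stand-alone it reports the two httpd deviations (the out-of-prefix open and the unexpected execve) and nothing else. This is the defender's half of the question in the thread: a profile like this only tells you a process has stepped outside its expected behaviour, which, as FromTheRafters notes later, requires the program to already be running; it is a complement to, not a replacement for, scanning files before execution.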
From: FromTheRafters on 13 Mar 2010 17:40

"Karthik Balaguru" <karthikbalaguru79(a)gmail.com> wrote in message
news:9fc79df1-f163-44ac-9dad-c6f9af8d8acc(a)k2g2000pro.googlegroups.com...
>
>[Perumal]
>>Hi,
>>Is there any way by which I can tell whether an application is malicious
>>or not by looking at the system calls made by the application?
[...]

Not definitively, but as part of a heuristic approach it has some merit.

>>[Marc Stan]
>>If I've understood your question there exists a project called REMUS hosted
>>on sourceforge; it monitors system calls made by 'dangerous' processes such
>>as daemons and, accordingly with a database of 'good behaviours'
>>(i.e. right parameters in syscalls etc. etc.), tells you whether a call is
>>malicious or not. Unfortunately it works only with 2.4 kernel...but if you
>>like you can always make a port.
[...]

...of course, the beast has to be running in order to have "behavior".

>>[Karthik Balaguru]
>>Coool ! That's great :-)
>>I have been looking for a similar tool but for 2.6 kernel.
>>But, won't any open source virus scanner tools use this
>>trick too apart from other scanning tricks to contain
>>few malicious applications that make malicious calls ?
>>Is it not useful for virus scanner to use this methodology ?

It is important for virus scanners to have effect *before* the beast has a
chance to run - running, it is often too late to avoid damage. They do use
"emulation" and do use heuristics sometimes to accomplish this.

>>[Bill Marcum]
>>Most virus scanners that run under Linux are used to scan for viruses that
>>attack Windows.

Most virus scanners detect viruses, most viruses attack Windows - would you
have it any other way?

> [Karthik Balaguru]
> So, does it imply that the virus scanners check for
> malicious system calls from malicious applications
> in Windows ? Are there any open source implementations
> of those virus scanners that check for malicious
> system calls from certain applications in Windows ?

I'm having trouble understanding what a "malicious call" is - nothing exists
in a vacuum.
From: spike1 on 13 Mar 2010 18:35

And verily, didst Karthik Balaguru <karthikbalaguru79(a)gmail.com> hastily babble thusly:
> [Karthik Balaguru]
> So, does it imply that the virus scanners check for
> malicious system calls from malicious applications
> in Windows ? Are there any open source implementations
> of those virus scanners that check for malicious
> system calls from certain applications in Windows ?

No, it means the virus scanners don't scan running processes.
They scan files on hard disk and in e-mails/other network related stuff that
are destined for transfer to windows based networks/machines... and then
quarantine anything that matches a virus profile.

--
| spike1(a)freenet.co.uk | "I'm alive!!! I can touch! I can taste!      |
| Andrew Halliwell BSc | I can SMELL!!! KRYTEN!!! Unpack Rachel and    |
| in                   | get out the puncture repair kit!"             |
| Computer Science     | Arnold Judas Rimmer- Red Dwarf                |
From: David H. Lipman on 13 Mar 2010 20:08

From: <spike1(a)freenet.co.uk>

| And verily, didst Karthik Balaguru <karthikbalaguru79(a)gmail.com> hastily babble thusly:
>> [Karthik Balaguru]
>> So, does it imply that the virus scanners check for
>> malicious system calls from malicious applications
>> in Windows ? Are there any open source implementations
>> of those virus scanners that check for malicious
>> system calls from certain applications in Windows ?
| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network related stuff that
| are destined for transfer to windows based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Karthik Balaguru on 14 Mar 2010 09:57

On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote:
> From: <spi...(a)freenet.co.uk>
>
> | And verily, didst Karthik Balaguru <karthikbalagur...(a)gmail.com> hastily babble thusly:
>
> >> [Karthik Balaguru]
> >> So, does it imply that the virus scanners check for
> >> malicious system calls from malicious applications
> >> in Windows ? Are there any open source implementations
> >> of those virus scanners that check for malicious
> >> system calls from certain applications in Windows ?
>
> | No, it means the virus scanners don't scan running processes.
> | They scan files on hard disk and in e-mails/other network related stuff that
> | are destined for transfer to windows based networks/machines... and then
> | quarantine anything that matches a virus profile.
>
> McAfee scans running processes.
>

Interesting. So, does McAfee also check for malicious calls from malicious
applications ? But, I think McAfee is not an open source software. So, any
other open source virus scanner that supports the feature of checking the
malicious calls from malicious applications ?

Thx in advance,
Karthik Balaguru