Independent System Verification and Validation of Malware

Hi Team Emerging Threats,

Hope this message finds you well…

Can you please advise why alerts on Security Onion written by Emerging Threats do not trigger alerts on other platforms such as AV and Malwarebytes?

As when I receive alerts on Security Onion, I trigger scanners from the other platforms on the node identified by Security Onion, but no malware signature is picked up by these platforms…

Is there something that I am missing in the validation and verification of malware signatures from Emerging Threats…

Currently using OPEN instead of PRO.

Rootkit:W32/HacDef | F-Secure Labs

Rule UUID - 2001743

Is there another platform that can pick up this rule or signature that is not fed by the Emerging Threats ruleset?

Thanks


Thanks for reaching out!

Antivirus runs and looks for anomalies in applications running on your computer, but some applications can evade antivirus applications.

The Emerging Threats signatures look at the network traffic on the network and detect on patterns in that traffic. Sometimes these signatures/patterns are misidentified and result in a false positive. This means that the content on the network matches our signature but the application or source of the traffic is not what we think it is from the signature perspective.

In this case, the signature that is firing was created in 2010 for a backdoor that was used quite a bit back then. However, as far as I can tell that rootkit doesn’t work on current Windows operating systems.

In this case you would have to find a tool that can specifically detect HackerDefender and see if that finds anything to provide confirmation of an infection on the system.

Hopefully that helps,

JT

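A triage helper along the lines JT describes, added here as an illustration and not code from the thread or from Emerging Threats: it reads Suricata EVE alert lines, uses the rule's created_at metadata to flag signatures that are a decade or more old, and pairs each alert with the result of a threat-specific host scan so an old network match without host evidence is treated as a probable false positive. Only SID 2001743 comes from the thread; the sample EVE lines, hosts, dates, rule message text and the host_findings input are constructed assumptions.

```python
import json
from datetime import date

# Constructed Suricata EVE JSON alert lines (not captured data). SID 2001743 is the
# rule from the thread; message text, IPs, timestamps and created_at are assumptions.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2024-03-01T10:00:00+0000", "event_type": "alert", "src_ip": "10.0.0.5",'
    ' "dest_ip": "10.0.0.20", "alert": {"signature_id": 2001743, "rev": 1,'
    ' "signature": "ET MALWARE HackerDefender (constructed message)",'
    ' "metadata": {"created_at": ["2010_07_30"]}}}',
    '{"timestamp": "2024-03-01T10:01:00+0000", "event_type": "alert", "src_ip": "10.0.0.7",'
    ' "dest_ip": "10.0.0.21", "alert": {"signature_id": 2999999, "rev": 2,'
    ' "signature": "ET MALWARE constructed recent signature",'
    ' "metadata": {"created_at": ["2023_11_02"]}}}',
    '{"timestamp": "2024-03-01T10:02:00+0000", "event_type": "flow", "src_ip": "10.0.0.9"}',
]
REFERENCE_DATE = date(2024, 3, 1)  # assumed "today" so results are reproducible

def signature_age_years(alert, today):
    """Whole years since the rule's created_at metadata, or None if the rule has none."""
    created = alert.get("metadata", {}).get("created_at", [])
    if not created:
        return None
    year, month, day = (int(p) for p in created[0].split("_"))
    return (today - date(year, month, day)).days // 365

def triage(eve_lines, host_findings, today=REFERENCE_DATE, legacy_years=10):
    """Pair each network alert with host-side evidence for the destination host.

    host_findings maps host IP -> True if a tool that specifically detects the threat
    named by the rule found it, False if that scan came back clean, absent if unscanned.
    """
    results = []
    for line in eve_lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # only alert records carry a signature to validate
        alert = event["alert"]
        age = signature_age_years(alert, today)
        host = event["dest_ip"]
        confirmed = host_findings.get(host)
        if confirmed is True:
            verdict = "confirmed"               # network match backed by host evidence
        elif age is not None and age >= legacy_years:
            verdict = "unconfirmed-legacy"      # old rule, no host evidence: probable FP
        elif confirmed is False:
            verdict = "unconfirmed-host-clean"  # recent rule but targeted scan found nothing
        else:
            verdict = "unconfirmed-unscanned"   # host not yet checked with a specific tool
        results.append({"sid": alert["signature_id"], "host": host,
                        "age_years": age, "verdict": verdict})
    return results
```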

Thanks @jtaylor for the insight and clarification

Given your insight it would then make sense to change my approach to understanding malware evasive detection…

Yes, it would make sense to find specific malware detectors for specific signatures.

Perhaps a 2nd IPS platform would give some level of assurance, and scanning hosts with specific malware signature detectors could provide more assurance.

Thanks again @jtaylor