Idea for a new shield :P

you all know about SHA1/MD5.
and if you don’t know what it is, then here is a brief:
MD5, which is like SHA1, means the fingerprint of a file; there is no record of 2 different files with an identical md5/sha1.
so why won’t avast! create another side shield which will scan for known infected SHA1/MD5.
this shield has the power to protect against new threats while using short codes and 0% for fp.
Fingerprints shield / MD5 shield ???

no need for this kind of shield. most avast! shields use malware signatures which may include sha/md5 as part of the signature

no i aint talking about web shield.
btw, as far as i know malware signatures can’t contain md5 fingerprints…

sorry my mistake. already edited my post. i mean malware signatures may use hash codes (md5/sha1) as part of the signature so no need for a special shield for it

The problem being new variants are constantly being produced and they won’t have the same MD5, etc. that is the whole idea to try and keep one step ahead of the AV companies. Not to mention polymorphic viruses where they aren’t going to be the same.

So other methods have to be found to identify new variants other than MD5, SHA1, etc. etc.

If they were able to identify the MD5, etc. then they would have to have had a sample to generate that, so they would be looking at producing a virus signature which is likely to be more useful in the long term than MD5s.

Hashing is a very inefficient method of scanning. First it’s very slow and second, if you change just a single bit of a file, the hash will be different and such shield would be useless as they could easily evade it. There are far more sophisticated methods and even those are getting evaded regularly.

Well, a few notes (that basically say that it’s not a good idea, sorry):

  • various avast! shields are about what/when to scan - not about how to scan
  • I’m not sure what you mean by short codes, but these hashes are not that short, compared to some other signatures types
  • MD5/SHA1 are not really secure anymore, especially MD5 - there are collisions, which you certainly wouldn’t want for such a shield
  • the hashes are too specific - you need a lot of them to cover all the malware variants (i.e. huge virus definitions)
  • the hashes are hard to compute (CPU-wise) - i.e. scanning would be slow
  • 0% false positives… you wish. False positives don’t need to happen by misdetection (detecting a different file than the one the signature was made for) - but also because a clean file somehow makes it into the malware collection (by mistake). So, there would be FPs here as well.
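The two objections above (a single changed bit defeats an exact hash, and a hash matches exactly one file) can be seen directly. The following is an added example, not code from the thread or from avast!; the "file" contents and the one-entry hash blocklist are constructed for the demo.

```python
import hashlib

# Constructed sample "file" contents: an MZ-style header followed by filler.
# Not malware, just bytes to hash.
ORIGINAL = b"MZ\x90\x00" + b"example payload bytes for the hash demo" * 4


def fingerprints(data: bytes) -> dict:
    """Return the MD5 and SHA-1 hex digests, the 'fingerprints' discussed above."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Return a copy of data with exactly one bit toggled: the smallest possible edit."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def hash_blocklist_hit(data: bytes, blocklist: set) -> bool:
    """Exact-hash detection: flagged only if the file's MD5 is in the blocklist."""
    return hashlib.md5(data).hexdigest() in blocklist


def differing_hex_digits(a: str, b: str) -> int:
    """Count hex positions where two same-length digests differ."""
    return sum(x != y for x, y in zip(a, b))


def demo() -> dict:
    # A blocklist built from the one sample we have, as the proposed shield would do.
    known_bad = {fingerprints(ORIGINAL)["md5"]}
    # A "new variant" that differs from the sample by a single bit in the last byte.
    variant = flip_one_bit(ORIGINAL, len(ORIGINAL) - 1)
    orig_fp, var_fp = fingerprints(ORIGINAL), fingerprints(variant)
    return {
        "original_detected": hash_blocklist_hit(ORIGINAL, known_bad),
        "variant_detected": hash_blocklist_hit(variant, known_bad),
        "bytes_changed": sum(x != y for x, y in zip(ORIGINAL, variant)),
        # Avalanche effect: roughly 15/16 of the hex digits change for a one-bit edit.
        "md5_digits_changed": differing_hex_digits(orig_fp["md5"], var_fp["md5"]),
        "sha1_digits_changed": differing_hex_digits(orig_fp["sha1"], var_fp["sha1"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the sample itself is caught but the one-bit variant is not, while most of the digest changes; that is the "easily evaded" property the replies describe, and it is independent of how many hashes the definitions carry.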

one more thing i forgot to say:
why won’t avast! make something to alert when a file like svchost.exe in the %windir% directory is being executed? because it is obvious that it’s a virus.
nonetheless, avast! already got something paranoid (auto sandbox), but is there a way to add to the behavior shield a defense against suspicious file names and dirs? like %windir%\system32\explorer.exe, which is obviously a virus, or system.exe in system32 (virus!).
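The check the poster is asking for is a file-name-to-expected-directory rule rather than a hash. The following is an added example of such a rule, not avast! code; the table of expected locations is constructed for the example and deliberately small. It also includes SysWOW64, where svchost.exe legitimately lives on 64-bit Windows, to show why the table, not the file name alone, decides.

```python
from pathlib import PureWindowsPath

# Constructed table: where a handful of well-known Windows binaries legitimately live.
# A real product would carry a much larger, versioned list; this one is for illustration.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
}


def normalize(image_path: str, windir: str = r"C:\Windows") -> PureWindowsPath:
    """Expand the %windir%/%SystemRoot% forms used in the post and return a path object."""
    expanded = image_path.replace("%windir%", windir).replace("%SystemRoot%", windir)
    return PureWindowsPath(expanded)


def classify(image_path: str) -> str:
    """
    Classify a process image path:
      - "expected-location": a known name running from one of its known directories
      - "suspicious-location": a known name running from somewhere else
      - "unknown": a name this table says nothing about (no verdict, not "clean")
    """
    path = normalize(image_path)
    name = path.name.lower()
    parent = str(path.parent).lower()
    if name not in EXPECTED_DIRS:
        return "unknown"
    if parent in EXPECTED_DIRS[name]:
        return "expected-location"
    return "suspicious-location"


def scan(image_paths) -> dict:
    """Apply classify() to a list of image paths; returns path -> verdict."""
    return {p: classify(p) for p in image_paths}


if __name__ == "__main__":
    # Constructed sample of running-process image paths.
    sample = [
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\SysWOW64\svchost.exe",
        r"%windir%\svchost.exe",
        r"%windir%\system32\explorer.exe",
        r"C:\Windows\explorer.exe",
        r"C:\Users\Public\lsass.exe",
    ]
    for path, verdict in scan(sample).items():
        print(f"{verdict:20} {path}")
```

The rule fires only on the combination of a well-known name and a wrong directory; a name the table does not list gets no verdict at all, which is the honest answer for "system.exe" and the like unless a definition for it exists.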

No it isn’t obvious as many legitimate processes use svchost, just look in the task manager for how many instances of svchost are running.

Look in even greater detail (see below) and see what is actually using each of these instances of svchost and you will see that it isn’t as simplistic as you say.

  • Find out what is using the SVCHOST Service.
    Windows Start, Run, type (or copy and paste) “cmd.exe /k tasklist /svc > c:\tasklist.txt” without the quotes - this opens a command window and runs the tasklist for services, the > c:\tasklist.txt outputs the results to the file and location given:
    svchost.exe 1020 DcomLaunch, TermService
    svchost.exe 1080 RpcSs
    svchost.exe 1108 AudioSrv, BITS, CryptSvc, dmserver, EventSystem, helpsvc, HidServ, Netman, Nla, RasMan, Schedule, SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, winmgmt, wscsvc, wuauserv
Also try this tool http://www.neuber.com/free/svchost-analyzer/index.html
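To make the same point without reading the text file by eye, here is an added example (not from the thread or from the tool linked above) that parses the `tasklist /svc` output format and groups services by svchost instance. The sample output is constructed from the PIDs and service names quoted above, in the column layout `tasklist /svc` prints, with long service lists wrapped onto indented continuation lines as the command does.

```python
import re
from collections import defaultdict

# Constructed sample in tasklist /svc layout (header, separator, then rows;
# services that do not fit on one line continue on indented lines).
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1020 DcomLaunch, TermService
svchost.exe                   1080 RpcSs
svchost.exe                   1108 AudioSrv, BITS, CryptSvc, dmserver, EventSystem,
                                   helpsvc, HidServ, Netman, Nla, RasMan, Schedule,
                                   SENS, SharedAccess, ShellHWDetection, TapiSrv,
                                   Themes, winmgmt, wscsvc, wuauserv
"""

# image name (may contain spaces), whitespace, numeric PID, whitespace, services text
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_tasklist_svc(text: str) -> list:
    """Return a list of (image, pid, [services]) from tasklist /svc output."""
    rows = []
    current = None  # [image, pid, raw services string] being accumulated
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[:1].isspace() and current is not None:
            # Continuation of the previous row's service list.
            current[2] += " " + line.strip()
            continue
        match = ROW.match(line)
        if not match:
            continue  # header / separator lines carry no numeric PID
        if current is not None:
            rows.append(_finish(current))
        current = [match["image"], int(match["pid"]), match["services"]]
    if current is not None:
        rows.append(_finish(current))
    return rows


def _finish(row: list) -> tuple:
    image, pid, raw = row
    services = [] if raw.strip() == "N/A" else [s.strip() for s in raw.split(",") if s.strip()]
    return (image, pid, services)


def services_by_instance(rows: list, image: str = "svchost.exe") -> dict:
    """Map each PID of the given image name to the services it hosts."""
    grouped = defaultdict(list)
    for name, pid, services in rows:
        if name.lower() == image.lower():
            grouped[pid].extend(services)
    return dict(grouped)


if __name__ == "__main__":
    instances = services_by_instance(parse_tasklist_svc(SAMPLE_TASKLIST_SVC))
    for pid, services in sorted(instances.items()):
        print(f"svchost.exe PID {pid}: {len(services)} services -> {', '.join(services)}")
```

An svchost instance that hosts no service at all, or a service name that no installed driver or binary accounts for, is what would actually merit a second look; the count of instances by itself is normal.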

I believe the point was that svchost.exe is not in Windows folder, but rather in Windows\System32.
avast! already uses a number of similar detections, though not in ordinary on-demand scans.

MD5 which is like SHA1 means the finger print of a file, there is no record for 2 different files with an identical md5/sha1.
Sorry but there is for MD5
However, it has been shown that MD5 is not collision resistant, as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property.
In 1996, collisions were found in the compression function of MD5, and Hans Dobbertin wrote in the RSA Laboratories technical newsletter, "The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented...where a collision-resistant hash function is required."

Wikipedia http://en.wikipedia.org/wiki/MD5

Igor, you are the only one to understand my point :slight_smile:
and I’m happy to know that avast! is already using similar tactics to what I’ve offered.
cheers.