I’ve seen this in a few detection signatures. What does it mean? Example: Dyna:Agent-DU [Trj]
My guess… dynamic program analysis.
Thus, in today’s antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment (which is also called an emulation buffer or “sandbox”) before it actually runs on a user’s computer. In their marketing materials, vendors also use another term - “virtual PC emulation”.
A dynamic heuristic analyzer copies part of an application’s code into the emulation buffer of the antivirus program and uses special “tricks” to emulate its execution. If any suspicious actions are detected during this “quasi-execution”, the object is considered malicious and its execution on the computer is blocked.
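The quoted explanation says the analyzer emulates execution and convicts on "suspicious actions". The following is an added example, not code from this thread or from any antivirus vendor: a toy behavioural rule engine that consumes a trace of API calls (constructed here, standing in for what an emulation buffer would record) and sums weighted rule hits against a threshold. The API names, paths, rule weights and threshold are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Added example (not the vendor's code): a toy behavioural rule engine of the
# kind a dynamic heuristic analyzer runs over the actions observed during
# emulated ("quasi") execution. API names, paths and weights are assumptions.


@dataclass(frozen=True)
class Event:
    """One action recorded by the emulator: an API name and its arguments."""
    api: str
    args: Tuple[str, ...]


# Constructed traces standing in for what an emulation buffer would record.
BENIGN_TRACE: List[Event] = [
    Event("CreateFile", ("C:\\Users\\alice\\Documents\\report.docx",)),
    Event("WriteFile", ("C:\\Users\\alice\\Documents\\report.docx",)),
    Event("RegQueryValue", ("HKCU\\Software\\Editor\\Settings", "Theme")),
]

SUSPICIOUS_TRACE: List[Event] = [
    Event("WriteFile", ("C:\\Users\\alice\\AppData\\Roaming\\svc.exe",)),
    Event("RegSetValue", ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                          "svc", "C:\\Users\\alice\\AppData\\Roaming\\svc.exe")),
    Event("CreateProcess", ("C:\\Users\\alice\\AppData\\Roaming\\svc.exe",)),
]


def _drops_executable_in_profile(trace: List[Event]) -> bool:
    """An executable image is written somewhere under the user's AppData."""
    for e in trace:
        if e.api == "WriteFile":
            path = e.args[0].lower()
            if "\\appdata\\" in path and path.endswith((".exe", ".dll", ".scr")):
                return True
    return False


def _sets_run_key(trace: List[Event]) -> bool:
    """A value is written to a CurrentVersion\\Run autostart key."""
    return any(e.api == "RegSetValue"
               and e.args[0].lower().endswith("\\currentversion\\run")
               for e in trace)


def _executes_file_it_wrote(trace: List[Event]) -> bool:
    """A file written earlier in the trace is later started as a process."""
    written = set()
    for e in trace:
        if e.api == "WriteFile":
            written.add(e.args[0].lower())
        elif e.api == "CreateProcess" and e.args[0].lower() in written:
            return True
    return False


# (description, weight, predicate). Weights are illustrative assumptions.
RULES: List[Tuple[str, int, Callable[[List[Event]], bool]]] = [
    ("drops an executable into the user profile", 2, _drops_executable_in_profile),
    ("registers itself in a Run key for persistence", 3, _sets_run_key),
    ("launches a file it just wrote to disk", 3, _executes_file_it_wrote),
]

MALICIOUS_THRESHOLD = 5  # assumed cut-off: one weak rule alone must not convict


def score_trace(trace: List[Event]) -> Tuple[int, List[str]]:
    """Return the summed weight of matching rules and their descriptions."""
    score, hits = 0, []
    for description, weight, predicate in RULES:
        if predicate(trace):
            score += weight
            hits.append(description)
    return score, hits


def classify(trace: List[Event]) -> str:
    """'malicious' when the combined evidence crosses the threshold, else 'clean'."""
    score, _ = score_trace(trace)
    return "malicious" if score >= MALICIOUS_THRESHOLD else "clean"


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        score, hits = score_trace(trace)
        print(f"{name}: {classify(trace)} (score {score}) {hits}")
```

The threshold is what keeps a single weak indicator (an installer legitimately writing an .exe into AppData) from triggering a verdict on its own; a real engine would also weigh rules against the emulator's confidence that the code path it followed is the one that would run on the host.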
Interesting, I’ve never experienced any Dyna detections so far executing live malware.
The Dyna: prefix is used for autosandbox signatures.
So, this is for stuff that is executed inside Auto Sandbox and gets flagged as malware based on these rules.
Now that I’m thinking, Auto Sandbox does this inside a VM. Can you guys port these “Dyna” rules to Behavior Shield as well?
So you’d have detection on two fronts, a VM execution through Auto Sandbox and for executions already on the host that are otherwise handled by the Behavior Shield. I mean, sometimes Auto Sandbox isn’t triggered for something that is malware but in such case Behavior Shield might have a go detecting it while malware is trying to establish itself on the actual host system.
Also, one thing that’s confusing me: how come not a single Dyna: detection is on the Virus Monitor page? From what I see, pretty much exactly the same list has been there ever since I can remember. Are Dyna: detections not being counted, or are they simply not in numbers big enough to be listed there?