close
Norton Internet Security 2009 SONAR 功能說明:
提供即時威脅防護,並主動偵測電腦上的未知安全風險。
「賽門鐵克進階回應線上網路」(Symantec Online Network for Advanced Response,SONAR) 會依據應用程式行為來識別各種新興威脅。它的速度比傳統以特徵為基礎之威脅偵測技術還快。即使是 LiveUpdate 尚未提供病毒定義檔,SONAR 亦可針對惡意程式碼進行偵測,並且保護電腦不受其攻擊。
主要是針對未知病毒進行行為判斷。
測試環境:
XP SP3
NIS 2009
NORTON 未知木馬一隻,然後執行後測試NIS 2009的SONAR是否有其反應。
這是NIS 2009移除的記錄
行為分析 BY NORMAN
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: NO
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386
[ General information ]
* Creating several executable files on hard-drive.
* File length: 791428 bytes.
* MD5 hash: 96674c3844e62ea9d05559580ea771
f1.
[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\BClib.
* Creates file C:\WINDOWS\TEMP\BClib\krnln.fnr.
* Creates file C:\WINDOWS\TEMP\BClib\Exmlrpc.fne.
* Creates file C:\WINDOWS\TEMP\BClib\dp1.fne.
* Deletes file C:\WINDOWS\SYSTEM32\BMANAGEercservice.exe.
[ Changes to registry ]
* Accesses Registry key "HKCU\Software".
[ Changes to system settings ]
* Creates WindowsHook monitoring cbt activity.
[ Process/window information ]
* Creates an event called Wait For Buffer Return.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\BClib\krnln.fnr (417280 bytes) : no signature detection.
* C:\WINDOWS\TEMP\BClib\Exmlrpc.fne (73728 bytes) : no signature detection.
* C:\WINDOWS\TEMP\BClib\dp1.fne (114688 bytes) : no signature detection.
(C) 2004-2006 Norman ASA. All Rights Reserved.
[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\BClib.
* Creates file C:\WINDOWS\TEMP\BClib\krnln.fnr.
* Creates file C:\WINDOWS\TEMP\BClib\Exmlrpc.fne.
* Creates file C:\WINDOWS\TEMP\BClib\dp1.fne.
* Deletes file C:\WINDOWS\SYSTEM32\BMANAGEercservice.exe.
[ Changes to registry ]
* Accesses Registry key "HKCU\Software".
[ Changes to system settings ]
* Creates WindowsHook monitoring cbt activity.
[ Process/window information ]
* Creates an event called Wait For Buffer Return.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\BClib\krnln.fnr (417280 bytes) : no signature detection.
* C:\WINDOWS\TEMP\BClib\Exmlrpc.fne (73728 bytes) : no signature detection.
* C:\WINDOWS\TEMP\BClib\dp1.fne (114688 bytes) : no signature detection.
(C) 2004-2006 Norman ASA. All Rights Reserved.
virustotal 多線式分析:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | - | - | - |
| AntiVir | - | - | TR/Dropper.Gen |
| Authentium | - | - | W32/Nuj.A.gen!Eldorado |
| Avast | - | - | Win32:Spyware-gen |
| AVG | - | - | SHeur.CMDD |
| BitDefender | - | - | Trojan.Generic.967065 |
| CAT-QuickHeal | - | - | Win32.TrojanSpy.Agent.MM.5 |
| ClamAV | - | - | Trojan.Downloader-19191 |
| Comodo | - | - | TrojWare.Win32.TrojanDropper.VB.~AAAG |
| DrWeb | - | - | - |
| eSafe | - | - | - |
| eTrust-Vet | - | - | - |
| Ewido | - | - | - |
| F-Prot | - | - | W32/Nuj.A.gen!Eldorado |
| F-Secure | - | - | Trojan-Spy.Win32.FlyStudio.ail |
| Fortinet | - | - | - |
| GData | - | - | Trojan.Generic.967065 |
| Ikarus | - | - | Virus.Win32.Agent.COH |
| K7AntiVirus | - | - | - |
| Kaspersky | - | - | Trojan-Spy.Win32.FlyStudio.ail |
| McAfee | - | - | - |
| McAfee+Artemis | - | - | Generic!Artemis |
| Microsoft | - | - | - |
| NOD32 | - | - | - |
| Norman | - | - | - |
| Panda | - | - | Trj/Mesgra.B |
| PCTools | - | - | - |
| Prevx1 | - | - | - |
| Rising | - | - | - |
| SecureWeb-Gateway | - | - | Trojan.Dropper.Gen |
| Sophos | - | - | Mal/Generic-A |
| Sunbelt | - | - | - |
| Symantec | - | - | - |
| TheHacker | - | - | - |
| TrendMicro | - | - | - |
| VBA32 | - | - | Trojan.Win32.Agent.agog |
| ViRobot | - | - | Trojan.Win32.FlyStudio.791428.D |
| VirusBuster | - | - | - |
心得:
測試樣本隨機捉出來測試,主要是NORTON的病毒庫無法偵測到,所以才能拿來做SONAR技術的測試,當然病毒執行過程並不是馬上就可以發現,因為其原廠說法是行為判斷,所以可能要幾分鐘時間做分析處理,但一判斷為有害程式的話,會立即移除其產生的程式,如果重新再執行一次該木馬,就會立刻移除,不用再花任何時間做處理,這個技術確實對於使用者的安全有很大的幫助,也增加了未知程式的偵測率。
PS.但因測試樣本太少不代表最終結果,也不表示能百分之百偵測所有未知程式,只能參考,特此說明。
全站熱搜
留言列表
