Comments on "Meme Over: Authenticode and Antivirus Detection"
Blog author: Arkem (http://www.blogger.com/profile/05047833961750578893)
Comment feed last updated: 2022-12-05T07:01:56-08:00

Huntsman (https://www.blogger.com/profile/17963118046472634232), 2011-08-06T07:58:15-07:00:

Signing is not the only thing that is changing the results here for at least some of the engines. I took the same sample (ba87b562c829b7095bfb9e0db7a39890) and just appended 16 'x' bytes to the end.

The detection rate in VirusTotal dropped to 23/43. This isn't as big a drop as you got from signing the exe, but it shows that appending any bytes and changing the hash is enough in many cases.

Arkem (https://www.blogger.com/profile/05047833961750578893), 2011-08-06T15:26:35-07:00:

Good point Shane. After reading about how Sophos signatures malware in Tavis' paper, it did make me think that AV signatures are even more fragile than I thought.

I know that Symantec specifically white-lists authenticode binaries (without checking the signature), but that this behaviour will be configurable in the next version of their product.