Views: 5867 | Replies: 7

[Brick] Rebutting the claim that Avira's HEUR/Crypted and HEUR/Malware detections are not packer detections

The EQs
Posted on 2007-3-8 23:38:41
Disclaimer: this thread is for technical discussion only, not a flame thread.

I remember many people used to say that Avira flags anything with a packer on it. I didn't believe it myself, but after living through this many Avira false positives I have no choice but to believe it...

Take an earlier example. When the GB forum moved to a new server it upgraded to a new version, and afterwards Avira's heuristics flagged the GB upgrade file as HEUR/Malware. I ran it through a multi-engine scanning page and only Avira flagged it; none of the others did. Looking at the result, it said the file was packed with ASPack. Another example: 周X, one of Avira's supporters, posted a sample in the samples section packed with 20 layers of 北斗 (Beidou). Normally, as long as the AV engine can unpack it, it should report the trojan's exact name, but what does Avira do? It reports HEUR/Crypted straight away (everyone can look up for themselves what "crypted" actually means). Also, someone on the official NOD32 forum put it this way: "Can't beat the package"... Everyone can also test for themselves whether the false positives are all packed or not...
ohmyivan
Posted on 2007-3-8 23:58:24
Don't care. Avira is currently the strongest at killing trojans and viruses anyway, and that's enough. Can't be bothered doing any research.
mofunzone
Posted on 2007-3-9 00:02:20
From the test results so far, only the crypted detections on skvp + 北斗 (Beidou) are caused by the packer, and a few rarely used packers such as ntpacker, the 岁月 packer and the 木马帝国 packer also have this problem. I have already contacted Avira about it. The remaining crypted detections are fine.
Still, even if it does flag packers, ordinary software wouldn't be built that way anyway, would it?
ly250094040
Posted on 2007-3-9 00:41:46
Flaming and insults are strictly forbidden in threads of this kind.

Violators go straight to 思过 (the reflection penalty).
ly250094040
Posted on 2007-3-9 00:43:15
Threads like this have really been a mess lately....

Giving a heads-up in advance.
曲中求
Posted on 2007-3-9 01:07:21
Description:
HEUR/Crypted


HEUR/Crypted is a heuristic detection routine designed to detect common malware characteristics. Avira AntiVir recognizes unknown malware proactively using its AHeAD technology. To achieve this, Avira performs innovative structural analysis.

On the basis of the composition of a file, the sequence of significant code sequences, or particular behavior patterns, the heuristics can determine with a high probability whether it is dealing with a harmful or virulent file.

HEUR/Crypted in particular signals files that have a suspicious structure of the program. Usually such files are protected by encryption mechanisms and are often manipulated afterwards to hide the real functionality.

Please note that cracks or the cracked program files themselves as well as key generators are often modified with similar techniques. Therefore Avira AntiVir's AHeAD heuristics may detect such files as well. The user should keep in mind that trojans are often disguised as such software.


In the unlikely event of a false positive we would kindly ask for your help by sending the file to our virus lab.

A heuristic detection might be a false identification if one or more of the following are true:
- The program is in use for a very long time and is known to the user
- The program was installed by the user himself
- The program is from a trustworthy source


Please note that even old programs can get infected or replaced by malware without your knowledge. Besides that trustworthy sources might have become compromised themselves.

In order to enhance detection and reduce the rate of false positives we recommend that you send the file to our virus lab for further analysis.

[ This post was last edited by 曲中求 on 2007-3-9 01:10 ]
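The Avira description quoted above says the heuristic looks at the structure of the file (encryption, post-build manipulation) rather than at what the code does, which is exactly why an updater that was merely packed with ASPack or Beidou looks the same as a crypted trojan to it. The Python below, added here as an illustration and not Avira's AHeAD code or anything from this thread, is a minimal structural packer heuristic of that kind: it parses the PE headers, measures the entropy of the section holding the entry point, looks for packer section names, spots a section that is empty on disk but large in memory (the unpack target), and counts import descriptors. Both samples it scores are constructed in memory by a small PE builder; the section-name list, the 7.0 bits/byte threshold and the "two indicators means suspicious" rule are assumptions chosen for the example.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names that common packers leave behind (an assumed list for this example).
PACKER_SECTIONS = {b".aspack", b".adata", b".nsp0", b".nsp1", b".nsp2", b"UPX0", b"UPX1"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes) -> dict:
    """Read what a structural heuristic needs (PE32/PE32+): entry point, import RVA, sections."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)   # [1] = #sections, [5] = opt hdr size
    opt = e_lfanew + 24
    magic, entry_rva = struct.unpack_from("<H", pe, opt)[0], struct.unpack_from("<I", pe, opt + 16)[0]
    # Data directory 1 (imports) starts 104 bytes into a PE32 optional header, 120 into PE32+.
    import_rva = struct.unpack_from("<I", pe, opt + (104 if magic == 0x10B else 120))[0]
    sections = []
    for i in range(coff[1]):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + coff[5] + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append(dict(name=name.rstrip(b"\0"), rva=rva, vsize=max(vsize, rawsize),
                             raw=raw, entropy=shannon_entropy(raw)))
    return dict(entry_rva=entry_rva, import_rva=import_rva, sections=sections)

def section_for(sections: list, rva: int):
    return next((s for s in sections if s["rva"] <= rva < s["rva"] + s["vsize"]), None)

def count_imports(info: dict) -> int:
    """Walk the 20-byte IMAGE_IMPORT_DESCRIPTOR array up to its all-zero terminator."""
    sec = section_for(info["sections"], info["import_rva"])
    if not info["import_rva"] or sec is None:
        return 0
    off, n = info["import_rva"] - sec["rva"], 0
    while off + 20 <= len(sec["raw"]):
        name, thunk = struct.unpack_from("<12xII", sec["raw"], off)   # Name, FirstThunk
        if not (name or thunk):
            break
        n, off = n + 1, off + 20
    return n

def assess(pe: bytes) -> dict:
    """Toy structural heuristic: collect packer indicators; two or more mean 'suspicious'."""
    info, findings = parse_pe(pe), []
    ep = section_for(info["sections"], info["entry_rva"])
    if ep and ep["entropy"] >= HIGH_ENTROPY:
        findings.append(f"entry point in high-entropy section {ep['name']!r} ({ep['entropy']:.2f} bits/byte)")
    for s in info["sections"]:
        if s["name"] in PACKER_SECTIONS:
            findings.append(f"packer section name {s['name']!r}")
        if not s["raw"] and s["vsize"]:
            findings.append(f"section {s['name']!r} is empty on disk but {s['vsize']:#x} bytes in memory")
    imports = count_imports(info)
    if imports <= 1:
        findings.append(f"only {imports} import descriptor(s): the stub resolves APIs at runtime")
    return dict(findings=findings, imports=imports, suspicious=len(findings) >= 2)

def build_pe(sections: list, entry_rva: int, import_rva: int = 0) -> bytes:
    """Minimal PE32 image from (name, rva, raw, vsize) tuples: a constructed fixture, not loadable."""
    align, opt = 0x200, 0x58
    hdr = bytearray(align)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, align)        # ImageBase, alignments
    struct.pack_into("<I", hdr, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, import_rva, 40)                  # import directory
    body, raw_ptr = bytearray(), align
    for i, (name, rva, raw, vsize) in enumerate(sections):
        raw += b"\0" * (-len(raw) % align)
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i, name, vsize, rva,
                         len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return bytes(hdr) + bytes(body)

def _pseudorandom(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))[:n]
def _idata(count: int) -> bytes:
    """`count` import descriptors with dummy Name/FirstThunk RVAs, then the terminator."""
    return b"".join(struct.pack("<12xII", 0x3100 + 16 * i, 0x3200 + 8 * i) for i in range(count)) + bytes(20)

# Constructed sample: an ordinary compiler-built program (low-entropy code, three imported DLLs).
CLEAN = build_pe([(b".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10\xc3\x90" * 512, 0x1000),
                  (b".idata", 0x3000, _idata(3), 0x1000)], entry_rva=0x1010, import_rva=0x3000)
# Constructed sample with the layout an NSPack/ASPack-style packer leaves: an empty section for
# the unpacked image, one high-entropy section holding stub and payload, entry in the stub, one import.
_payload = _pseudorandom(0x1200 - 40)
PACKED = build_pe([(b".nsp0", 0x1000, b"", 0x8000), (b".nsp1", 0x9000, _payload + _idata(1), 0x2000)],
                  entry_rva=0x9000, import_rva=0x9000 + len(_payload))
```

Run `assess(CLEAN)` and `assess(PACKED)`: the first returns no findings, the second returns five and is marked suspicious. Nothing in the second verdict depends on what the payload does once unpacked, which is the point of the thread: a signed, legitimate updater that has been through the same packer presents the same structure and earns the same HEUR/Crypted-style verdict, and only an engine that actually unpacks the file (or a whitelist) can tell the two apart.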
rs-z
Posted on 2007-3-9 01:16:28

Reply to #6, 曲中求's post

I see, so that's how it is.
jessonguo
Posted on 2007-3-9 01:44:07
Originally posted by 曲中求 on 2007-3-9 01:07:
> Description:
> HEUR/Crypted
>
> HEUR/Crypted is a heuristic detection routine designed to detect common malware characteristics. Avira AntiVir recognizes unknown malware proactively using its A ...

Learned something. Thanks, moderator 曲.
Copyright © KaFan  KaFan.cn All Rights Reserved.