Detection affected by file name



Yesterday I received an unsolicited email regarding a fictitious UPS delivery. Suspecting that the attachment was a trojan, I submitted it to VirusTotal, where seven scanners flagged it. I then scanned it with Malwarebytes' Anti-Malware. It flagged the file as infected: Trojan.Email.Gen

So far so good. But while doing some tests to check out other scanners, etc., I encountered an oddity when I went back and rescanned the file with Malwarebytes': the file *wasn't* flagged as infected when I rescanned it. The only difference in the two scans was that the second time the filename had been shortened to 8.3 format when I unzipped the infected .exe, whereas the first time the filename was a long name.

I did several tests with the same file, shortening the filename for each successive test. Here are the results:

Filenames which resulted in a detection:

UPS_invoice_1145.exe
UPS_invoice_114.exe
UPS_invoice_11.exe
UPS_invoice_1.exe
UPS_invoice_.exe
UPS_invoice.exe

Filenames which did NOT result in a detection:

UPS_invoic.exe
UPS_invoi.exe
UPS_invo.exe
UPS_inv.exe
UPS_in.exe
UPS_i.exe
UPS_.exe
UPS.exe
invoice.exe

Why is the ability to detect it as a trojan dependent on the filename? Seems like a pretty fragile way to catch malware.


Hi waking, and welcome to Malwarebytes'!

Malwarebytes' works as complementary software and catches what anti-viruses miss. When it gets new updates, some files are removed/added. It is all based on what most anti-viruses miss. For example, Trojan.Email.Gen could be in the database around 4:00 pm and around 7:00 pm be removed.


Buttons -

Thanks for the reply and welcome, but I don't think it addresses the issue. All Malwarebytes' scans were done with the same database, in rapid succession. The only time lag was the time it takes to rename the file. With one of the long names, it gets caught. Shorten the name, it's missed. Rename it again to another of the longer names, it gets detected again.


  • Root Admin

Just zip it up and upload it here: http://forums.malwarebytes.org/index.php?showforum=55

Include the link to this post and we'll review it. Detecting by file name alone is a poor and risky method. We need to get other information on the file in order to detect it fully.

Thanks.

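The point the Root Admin makes (detecting by file name alone is poor and risky) can be shown with the poster's own filename results. The following is an added example and is not code from this thread or from Malwarebytes: it contrasts a filename rule that reproduces exactly the poster's observed detections with a content rule (hash and byte-pattern) that is unaffected by renaming. The regex `^UPS_invoice` is an assumption chosen to fit the observations, and the sample bytes, hash and pattern are constructed placeholders, not the real attachment.

```python
import hashlib
import re

# Filenames copied from the original post, mapped to whether the poster saw a detection.
OBSERVED = {
    "UPS_invoice_1145.exe": True,
    "UPS_invoice_114.exe": True,
    "UPS_invoice_11.exe": True,
    "UPS_invoice_1.exe": True,
    "UPS_invoice_.exe": True,
    "UPS_invoice.exe": True,
    "UPS_invoic.exe": False,
    "UPS_invoi.exe": False,
    "UPS_invo.exe": False,
    "UPS_inv.exe": False,
    "UPS_in.exe": False,
    "UPS_i.exe": False,
    "UPS_.exe": False,
    "UPS.exe": False,
    "invoice.exe": False,
}

# Constructed stand-in for the attachment's bytes (not the real sample).
SAMPLE_BYTES = b"MZ" + b"\x90" * 64 + b"CONSTRUCTED-SAMPLE-PAYLOAD" + b"\x00" * 32

# Hypothetical filename signature; it is the simplest rule consistent with OBSERVED.
FILENAME_RULE = re.compile(r"^UPS_invoice", re.IGNORECASE)

# Content signatures: a full-file hash plus a byte pattern as a fallback for
# files whose hash differs (e.g. padded or re-packed copies). Both constructed.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BYTES).hexdigest()}
KNOWN_BAD_PATTERNS = [b"CONSTRUCTED-SAMPLE-PAYLOAD"]


def detect_by_filename(name: str) -> bool:
    """Filename-only rule: depends entirely on what the file is called."""
    return bool(FILENAME_RULE.search(name))


def detect_by_content(data: bytes) -> bool:
    """Content rule: hash match first, then byte-pattern match."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return True
    return any(pattern in data for pattern in KNOWN_BAD_PATTERNS)


def filename_rule_matches_observations() -> bool:
    """True if the hypothetical filename rule reproduces every observed result."""
    return all(detect_by_filename(n) == seen for n, seen in OBSERVED.items())


def compare(names, data: bytes) -> dict:
    """For each name, (filename verdict, content verdict) for the same bytes."""
    return {n: (detect_by_filename(n), detect_by_content(data)) for n in names}


def missed_by_filename_rule(names, data: bytes) -> list:
    """Names where the content rule fires but the filename rule does not."""
    return sorted(
        n for n, (by_name, by_content) in compare(names, data).items()
        if by_content and not by_name
    )


if __name__ == "__main__":
    for name, (by_name, by_content) in compare(OBSERVED, SAMPLE_BYTES).items():
        print(f"{name:22} filename-rule={by_name!s:5} content-rule={by_content}")
    print("Missed by filename rule:", missed_by_filename_rule(OBSERVED, SAMPLE_BYTES))
```

Running it prints the same bytes being caught under every name by the content rule, while the filename rule misses the nine shortened names the poster listed. A production engine layers several content signals (hashes, byte patterns, heuristics on structure and behaviour); the filename is at most a low-confidence hint, which is why the Root Admin asks for the file itself rather than its name.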
