<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.spybot.info/index.php?action=history&amp;feed=atom&amp;title=Choosing_advanced_file_parameters</id>
	<title>Choosing advanced file parameters - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.spybot.info/index.php?action=history&amp;feed=atom&amp;title=Choosing_advanced_file_parameters"/>
	<link rel="alternate" type="text/html" href="https://wiki.spybot.info/index.php?title=Choosing_advanced_file_parameters&amp;action=history"/>
	<updated>2026-05-02T06:53:01Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.39.15</generator>
	<entry>
		<id>https://wiki.spybot.info/index.php?title=Choosing_advanced_file_parameters&amp;diff=839&amp;oldid=prev</id>
		<title>CCRDude: First draft</title>
		<link rel="alternate" type="text/html" href="https://wiki.spybot.info/index.php?title=Choosing_advanced_file_parameters&amp;diff=839&amp;oldid=prev"/>
		<updated>2008-05-27T18:16:01Z</updated>

		<summary type="html">&lt;p&gt;First draft&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;[[Image:FileAlyzer-opensbi-tab.png|thumb|300px|OpenSBI tab]]&lt;br /&gt;
[[FileAlyzer]] is our file analysis tool that, starting with the 1.6 OpenSBI edition, makes it easy to create [[Advanced file parameters|advanced file parameters]] for selected files.&lt;br /&gt;
&lt;br /&gt;
==Quick Steps==&lt;br /&gt;
* Run [[FileAlyzer]] by right-clicking a file and choosing to analyze it, or run it from the Start menu and select a file to analyze in the dialog it shows.&lt;br /&gt;
* Switch to the OpenSBI tab to view the basic properties it has added.&lt;br /&gt;
* Browse the other categories (tabs) to load more identifying information from the file.&lt;br /&gt;
* When you&amp;#039;ve seen enough, switch back to the OpenSBI tab.&lt;br /&gt;
* The list will show the parameters for everything you&amp;#039;ve viewed; tick the properties you want to use, then copy the parameters from the field at the bottom and paste them into [[OpenSBI Edit Lite]].&lt;br /&gt;
&lt;br /&gt;
==Details==&lt;br /&gt;
In the early days of adware and spyware, those products were seldom updated and did not use tactics to avoid detection. Detection for such static files can easily be added using the standard [[filesize]] and [[md5]] attributes.&lt;br /&gt;
&lt;br /&gt;
As malware has evolved, detection has become more complex. If the file contents are pseudo-random, you may need to compare several samples of the same family to find common ground. FileAlyzer offers a few simple identification methods here:&lt;br /&gt;
&lt;br /&gt;
* If the file is codesigned, [[authx509|parameters]] for various fields of the signature are added to this list when the file is loaded.&lt;br /&gt;
* If you switch to the &amp;#039;&amp;#039;PE sections&amp;#039;&amp;#039; tab, a [[md5(sections)|hash over the content of all sections]] will be added (useful in case the file is only randomized by data appended after the end of the actual PE image), as well as [[md5(section)|hashes for each section]] (useful e.g. in case only some sections are randomized).&lt;br /&gt;
* Every resource you view is added to the list. Clear, unchanged product images can be used to [[md5(res)|identify files this way]].&lt;br /&gt;
* [[field(version)|Version resource fields]] as well as [[md5(version)|hashes]] are added when viewing the &amp;#039;&amp;#039;Version&amp;#039;&amp;#039; tab.&lt;br /&gt;
* The &amp;#039;&amp;#039;Hex view&amp;#039;&amp;#039; tab allows you to select any range of bytes and add a [[findbinary(searcharea)|parameter for that]].&lt;br /&gt;
* The various lists of detected [[findtext(searcharea)|GUIDs, URLs, filenames, and registry locations]] do the same.&lt;br /&gt;
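&lt;br /&gt;
The section-hash idea behind &amp;#039;&amp;#039;md5(sections)&amp;#039;&amp;#039;, &amp;#039;&amp;#039;md5(section)&amp;#039;&amp;#039; and &amp;#039;&amp;#039;findbinary&amp;#039;&amp;#039; above, worked through as an added example. This is not code from FileAlyzer or OpenSBI, and the exact hash definitions those tools use may differ in detail. The script is a minimal PE section-table parser in Python: it hashes each section, hashes the raw data of all sections together (so an overlay appended after the last section does not change the result, while it does change the plain file MD5), reports the overlay size, and locates a byte pattern together with the section that contains it. The sample image, section names, byte strings and helper names (parse_sections, section_hashes, sections_hash, overlay_size, find_binary, build_sample_pe) are all constructed for this illustration.&lt;br /&gt;

```python
"""Added example (not FileAlyzer/OpenSBI code): FileAlyzer-style section hashes.

Minimal PE section-table parser. It reads the DOS header, PE signature, COFF
header and section headers, then computes an MD5 per section and one over the
raw data of all sections. The latter ignores an overlay (bytes appended after
the last section). The sample image is constructed in memory, not a real binary.
"""
import hashlib


def le(data, off, n):
    """Little-endian unsigned integer of n bytes at off (0 if truncated)."""
    return int.from_bytes(data[off:off + n], "little")


def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    pe_off = le(data, 0x3C, 4)                    # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = le(data, coff + 2, 2)            # NumberOfSections
    opt_size = le(data, coff + 16, 2)             # SizeOfOptionalHeader
    table = coff + 20 + opt_size                  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        e = table + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name = data[e:e + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size = le(data, e + 16, 4)            # SizeOfRawData
        raw_ptr = le(data, e + 20, 4)             # PointerToRawData
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name} points past end of file")
        sections.append((name, raw_ptr, raw_size))
    return sections


def section_hashes(data):
    """md5(section): one hash per section, keyed by section name."""
    return {name: hashlib.md5(data[off:off + size]).hexdigest()
            for name, off, size in parse_sections(data)}


def sections_hash(data):
    """md5(sections): hash over the raw data of all sections, overlay excluded."""
    h = hashlib.md5()
    for _, off, size in parse_sections(data):
        h.update(data[off:off + size])
    return h.hexdigest()


def overlay_size(data):
    """Bytes after the end of the last section (padding/overlay)."""
    end = max((off + size for _, off, size in parse_sections(data)), default=0)
    return len(data) - end


def find_binary(data, needle):
    """findbinary-style search: (section name, file offset) of needle, or None."""
    off = data.find(needle)
    if off == -1:
        return None
    for name, start, size in parse_sections(data):
        if off >= start and start + size >= off + len(needle):
            return (name, off)
    return ("(outside sections)", off)        # hit lies in headers or overlay


def build_sample_pe(sections, overlay=b""):
    """Construct a minimal PE image from [(name, body)] pairs (test data only)."""
    n = len(sections)
    pe_off = 0x40
    raw_ptr = (pe_off + 24 + 40 * n + 0x1FF) // 0x200 * 0x200   # 0x200 file alignment
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = pe_off.to_bytes(4, "little")
    # COFF header: i386, n sections, no optional header (a real file has one;
    # parse_sections skips it via SizeOfOptionalHeader either way).
    coff = (b"PE\0\0" + (0x14C).to_bytes(2, "little") + n.to_bytes(2, "little")
            + bytes(12) + (0).to_bytes(2, "little") + (0x102).to_bytes(2, "little"))
    headers, bodies, ptr = b"", b"", raw_ptr
    for name, body in sections:
        hdr = name.ljust(8, b"\0")[:8]
        hdr += len(body).to_bytes(4, "little") + ptr.to_bytes(4, "little")  # VirtualSize, VirtualAddress
        hdr += len(body).to_bytes(4, "little") + ptr.to_bytes(4, "little")  # SizeOfRawData, PointerToRawData
        hdr += bytes(12) + (0x60000020).to_bytes(4, "little")               # relocs, lines, Characteristics
        headers += hdr
        bodies += body
        ptr += len(body)
    image = (bytes(dos) + coff + headers).ljust(raw_ptr, b"\0")
    return image + bodies + overlay


def demo():
    """Same sections, once clean and once with 1 KiB of overlay appended."""
    text = b"\x55\x8b\xec\x33\xc0\x5d\xc3"          # constructed bytes, not from any sample
    rdata = b"http://example.invalid/update\0"      # constructed string
    clean = build_sample_pe([(b".text", text), (b".rdata", rdata)])
    padded = build_sample_pe([(b".text", text), (b".rdata", rdata)], overlay=b"\xAA" * 1024)
    return {
        "file_md5_differs": hashlib.md5(clean).digest() != hashlib.md5(padded).digest(),
        "sections_md5_same": sections_hash(clean) == sections_hash(padded),
        "overlay_bytes": overlay_size(padded),
        "url_location": find_binary(padded, b"http://example.invalid/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real file by replacing the constructed image with open(path, "rb").read(). The parser deliberately trusts only the fields it needs and rejects a section header that points past the end of the file, which is the usual way a crafted sample tries to make a hashing tool read out of bounds.&lt;br /&gt;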
&lt;br /&gt;
==Considerations==&lt;br /&gt;
Keep in mind that the more complex the parameters you choose, the greater the effect on overall scanning time. &amp;#039;&amp;#039;Standard&amp;#039;&amp;#039; overall hashes are cheap in that regard, since they get cached, but the properties of a specific resource, or a search for data somewhere in the file, are specific to one parameter and slow the scan down. [[APBoost]], a new 1.6 technology, helps reduce that load, but you&amp;#039;re still encouraged to think &amp;#039;&amp;#039;cheap&amp;#039;&amp;#039; in terms of the CPU time it costs to scan files.&lt;br /&gt;
&lt;br /&gt;
==Warning==&lt;br /&gt;
Analyzing multiple files of the same product is possible with [[FileAlyzer]], but it is not always convenient to find common ground between files. We might decide at a later point to make other tools available for this purpose.&lt;br /&gt;
&lt;br /&gt;
[[Category:Tutorials]]&lt;/div&gt;</summary>
		<author><name>CCRDude</name></author>
	</entry>
</feed>