Difference between revisions of "Choosing advanced file parameters"

From SpybotWiki
(First draft)

Latest revision as of 18:16, 27 May 2008

OpenSBI tab

FileAlyzer is our file analysis tool. Starting with the 1.6 OpenSBI edition, it lets you easily create advanced file parameters for selected files.

Quick Steps

  • Run FileAlyzer by right-clicking a file and choosing to analyze it, or run it from the Start menu and select a file to analyze in the dialog it shows.
  • Switch to the OpenSBI tab to view the basic properties it has added.
  • Browse other categories (tabs) to load more identifying information about the file.
  • When you've seen enough, switch back to the OpenSBI tab.
  • The list will show you the parameters for everything you've viewed. Tick the properties you want to use, then copy and paste the parameters from the field at the bottom into OpenSBI Edit Lite.

Details

In the early days of adware and spyware, those products were seldom updated and did not use tactics to avoid detection. Detection for such static files can easily be added by using the standard filesize and md5 attributes.

As malware evolves, though, things are getting more complex. If a file is pseudo-random, you may need to compare several samples of a similar type to find common ground. FileAlyzer offers a few simple identification methods here:

Considerations

Keep in mind that the more complex the parameters you choose, the greater the effect on overall scanning time. Standard overall hashes are easier in that regard, since they get cached, but the properties of a specific resource or even random data somewhere in the file are quite unique and slow the system down. APBoost, a new 1.6 technology, helps reduce that load, but you're still encouraged to think cheap on the CPU (in terms of the time it costs to scan files).

Warning

Analyzing multiple files of the same product is possible with FileAlyzer, but sometimes it is not very convenient for finding common ground between files. We might decide at a later point to make other tools available for this purpose.
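
The trade-off described under Details and Considerations, as an added example that is not part of the original wiki page and is not FileAlyzer or OpenSBI code: it tries the cheap whole-file filesize and md5 attributes first and only falls back to comparing samples for byte runs they share at the same offsets. The function names, the `min_len` threshold and the sample bytes are constructed for illustration, and the output is a plain Python dictionary, not OpenSBI parameter syntax.

```python
import hashlib

def fingerprint(data: bytes) -> tuple[int, str]:
    """Cheap whole-file attributes: size in bytes and MD5 hex digest."""
    return len(data), hashlib.md5(data).hexdigest()

def invariant_runs(samples: list[bytes], min_len: int = 4) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) runs identical at the same offset in every sample."""
    limit = min(len(s) for s in samples)   # only offsets present in all samples
    first = samples[0]
    runs, start = [], None
    for i in range(limit + 1):             # one extra step to close a trailing run
        same = i < limit and all(s[i] == first[i] for s in samples)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:       # ignore short, coincidental matches
                runs.append((start, first[start:i]))
            start = None
    return runs

def choose_parameters(samples: list[bytes]) -> dict:
    """Prefer the whole-file fingerprint; use partial data only if samples differ."""
    prints = {fingerprint(s) for s in samples}
    if len(prints) == 1:                   # static file: size + md5 is enough
        size, md5 = next(iter(prints))
        return {"kind": "whole-file", "filesize": size, "md5": md5}
    return {"kind": "partial", "runs": invariant_runs(samples)}

# Constructed samples: a shared header, three varying bytes, a shared block,
# and a trailer of varying length, standing in for a pseudo-random file family.
HEADER = b"MZ\x90\x00EXAMPLE-STUB"
SAMPLES = [
    HEADER + b"\x11\x22\x33" + b"shared-config-block" + b"\xaa",
    HEADER + b"\x44\x55\x66" + b"shared-config-block" + b"\xbb\xcc",
    HEADER + b"\x77\x88\x99" + b"shared-config-block",
]

if __name__ == "__main__":
    print(choose_parameters([SAMPLES[0], SAMPLES[0]]))  # identical copies
    print(choose_parameters(SAMPLES))                   # differing samples
```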