Difference between revisions of "Choosing advanced file parameters"
Latest revision as of 18:16, 27 May 2008
- Run FileAlyzer by right-clicking a file and select to analyze it, or run it from the Start menu and select a file to analyze in the dialog it will show.
- Switch to the OpenSBI tab to view the basic properties it has added.
- Browse other categories (tabs) to load more identifying information in the file.
- When you've seen enough, switch back to the OpenSBI tab.
- The list will show you the parameters for everything you've viewed, just tick the properties you want to use, and copy and paste the parameters from the field at the bottom into OpenSBI Edit Lite.
In the beginning of adware and spyware, those products were seldomly updated and did not use tactics to avoid detection. Detection for such static files can easily be added by using the standard filesize and md5 attributes.
With malware evolving though, issues are getting more complex. You may need to compare various samples of a similar type to find a common ground if the file is pseudo-random. FileAlyzer offers a few simple identification methods here:
- If the file is codesigned, parameters for various fields of the signature are added to this list when loading the file.
- If you switch to the PE sections tab, a hash of the overall content will be added (in case the file is only random through padded information after the end of the actual file), as well as hashes for each section (useful e.g. in case only some sections are randomized).
- Every resource you view will get added to the list. Clear, unchanged product images can be used to identify files this way.
- Version resource fields as well as hashes are added when viewing the Version tab.
- The Hex view tab allows you to select any range of bytes and add a parameter for that.
- So do the various lists of detected GUIDs, URLs, filenames, and registry locations.
Keep in mind that the more complex parameters you choose, the more affect this has on overall scanning time. Standard overall hashes are easier in that regard, since they get cached, but the properties of a specific resource or even random data somewhere in the file are quite unique and slowing the system down. APBoost, a new 1.6 technology, helps reducing that load, but you're still encouraged to think cheap (in terms of time cost to scan files) on the CPU.
Analyzing multiple files of the same product is possible with FileAlyzer, but sometimes it is not very comfortable to detect a common ground between files. We might decide at a later point to make other tools for this purpose available.