Solved

Detection & Scan Functionality for Non-PE Files

  • 11 May 2016
  • 5 replies
  • 1996 views

Userlevel 1
I was told the following by tech support today:
 
  1. "Unfortunately the file (669.f70p53_i_b.dot) is NON-PE. This means the file is a file which does not contain a portable executable header i.e. .dot extension. Webroot is currently only capable of PE malware detection, however the program also contains a heuristics engine for some NON-PE files. In the future, this detection feature will be added."
  2. "Malware downloaders are commonly re-obfuscated and soon all antivirus will not detect examples of the document you have supplied. This is also true for malware in general."
  3. This was not verbatim but basically that non-PE files that are manually scanned (Right click, Scan with WebRoot) are not actually scanned or are scanned but WebRoot is mostly unable (depends on the exact file and type) to detect if the file is infected.  The proof is that the log file doesn't include an MD5 for the file."
Re. #3, this means that even though the application UI shows:
 
Files scanned = 1, Total Scans = 39, Threats Detected = 0, Active Threats = 0
 
that WebRoot doesn't actually know if the file is infected because it's a non-PE file.  The tech is correct in that the log file does not include an MD5 for this file, only the following:
 
Tue 2016-05-10 12:03:52.0588    Begin passive write scan (1 file(s))
Tue 2016-05-10 12:03:53.0221    End passive write scan (1 file(s))
Tue 2016-05-10 12:11:13.0187    Scan Started: C:UsersUsernameDownloadsVirusCheck669.f70p53_i_b.dot| [ID: 36 - Flags: 256/36]
Tue 2016-05-10 12:11:14.0080    Scan Results: Files Scanned: 17, Duration: 1s, Malicious Files: 0
Tue 2016-05-10 12:11:14.0089    Scan Finished: [ID: 36 - Seq: 36]
Tue 2016-05-10 12:16:02.0769    Agent Bits : 0
 
I requested documentation regarding the above functionality or limitations and was told there was none.
 
Can anyone comment/confirm or provide documentation?
 
 
icon

Best answer by JamesG 13 May 2016, 17:30

View original

5 replies

Userlevel 7
Hello,
 
The agent that spoke with you and provided the comments you have listed was correct.
 
We do not provide documentation of this at this time as it could be used to potentially design something that works around the way that we detect.

PE detection is currently in the works but I cannot provide an ETA for that.

Feel free to update your support ticket with any additional details you may have.

I hope this helped?

Regards,
 
 
 
 
Userlevel 1
Thank you for your response, to confirm my understanding then:
 
  1. There are certain file types or extensions that Webroot does not detect as harmful.  Webroot classifies these types as non-PE.
  2. Webroot is unable to provide a definition of "PE" or  a list of the file type types that either will or won't be scanned correctly. For example, non-PE would seem to include .doc, .pdf, .xls, .png, .jpg so we should assume that Webroot is unable to detect any of those files as bad.
  3. Absent a list or definition we should assume anything that falls in the middle ground, like .reg, is non-PE.
  4. The scan UI that says a file was scanned and no threat detected cannot be relied on if the file is non-PE.
  5. There is no documentation for any of this.
Thank  you.
Userlevel 7
1. There are certain file types or extensions that Webroot does not detect as harmful.  Webroot classifies these types as non-PE. – This is not a Webroot classification, but an industry standard for files that do not meet the requirements of a portable executable (PE)
 
Please see the below wiki page for more information:
https://en.wikipedia.org/wiki/Portable_Executable
 
2. Webroot is unable to provide a definition of "PE" or  a list of the file type types that either will or won't be scanned correctly. For example, non-PE would seem to include .doc, .pdf, .xls, .png, .jpg so we should assume that Webroot is unable to detect any of those files as bad. –The definition of a PE file is widely known and publicly available. .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp.
 
Please see the below wiki page for more information:
https://en.wikipedia.org/wiki/Portable_Executable
 
Non PE files can be malicious, Webroot is able to protect against such infections through a variety of methods including the detection and quarantine of specific high-prevalence Non PE files. The Word document that you received was basically a delivery method for a PE file payload. This PE file payload is what will be doing damage or compromising a system.  In this situation, Webroot is able to detect malicious payloads that are introduced by a non PE delivery method. Please see our blog on macro documents here which discusses prevention methods for threats that utilize this propagation method.
 
3.Absent a list or definition we should assume anything that falls in the middle ground, like .reg, is non-PE. – As there are many file types and extensions, providing an all-encompassing list is not feasible.  However, a file is a PE or non PE, there is not a middle ground in this classification.
 
4. The scan UI that says a file was scanned and no threat detected cannot be relied on if the file is non-PE. – This can be true for both PE and Non PE files.  All PE files are queried against Webroot’s Intelligence Network and receive the current determination from this database.  We have top detection and efficacy rates for stopping Crypto malware strains and variants and we consistently rate highly compared to other market vendors in both paid for competitive testing as well as independent 3rd party testing, where our entire product is tested. However, we do not claim 100% detection, and we are aware that in the case you highlighted a new variant was able to evade our detection. However, please note that it was not because the source document was a non-PE, but because the PE file that it delivered to your system had not yet been seen when it was written to disk and the hash queried to our database.
 
5. There is no documentation for any of this. – We have a threat blog post that address your specific experience here.We also have more information regarding Ransomware here that covers additional ways that you can protect your data.
 
If there's any other assurance or information you need we'd be happy to organize a call with the PM and Threat Research team to cover what we do, and where we are headed.
 
Userlevel 1
A belated thank you for your detailed response, it is helpful and appreciated even if it's not exactly what I hoped to hear.
Userlevel 7
No problem at all. I hope you have a great day and let me know if you need anything else.

Reply