
Does Sophos call "naughtyware" malware?

Long story, so I won't tell it.

Suffice it to say that as a result of a Google search for some tech info I downloaded a large archive of files.

All of the files were exe files, which are generally useless to me except that sometimes rar archives are stored as exe.

So in search of my promised pdf I tried expanding them.

No luck.

But before doing so I checked for duplicate files.

There were a lot of them - with wildly different names.

This led me to suspect that these files were mostly malware.

So instead of throwing them out I deleted the dupes and kept the files to use as an AV test sample.

I just ran Sophos against these files, which found 52 threats in a majority of the files.

What intrigues me is one file detected as

"Troj/AdbPat-A", described as "a Trojan that attempts to subvert and hack Adobe Acrobat 8.1 Professional application."

From this description it sounds like this is some sort of registration cracking program.

If so, I'm sure that Adobe would consider it malware.

But does it actually harm the user's computer?

I guess what I'm asking is: does Sophos only detect software that is harmful to the user, or does it act as a net nanny and flag software that it thinks does stuff you shouldn't do?

If not, your threat descriptions could use some improvement.

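The triage the poster describes (content-based duplicate detection across files with unrelated names, then checking whether an ".exe" is really a RAR archive) is something a defender usually scripts rather than eyeballs. The following is an added example, not code from the post or from Sophos: it hashes every file in a directory with SHA-256, groups identical content regardless of filename, and sniffs the leading bytes against a small magic-byte table so that a mislabelled archive or document is flagged. The sample files in make_sample_dir() are constructed for this example; the directory name, the SIGNATURES table and the helper names are the example's own assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Leading-byte signatures for the formats the post mentions. (Table constructed for
# this example; these are the standard prefixes of the respective formats.)
SIGNATURES = {
    b"MZ": "exe (PE/DOS header)",
    b"Rar!\x1a\x07": "rar archive",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip archive",
}

# What each extension *claims* to be, used to spot a misleading name.
EXT_TO_TYPE = {".exe": "exe (PE/DOS header)", ".rar": "rar archive",
               ".pdf": "pdf", ".zip": "zip archive"}


def sniff_type(head):
    """Classify a file by its first bytes rather than by its name.
    Note: a self-extracting RAR is still a PE file and sniffs as 'exe';
    only an archive tool can tell those apart."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    return "unknown"


def sha256_file(path):
    """Stream the file through SHA-256 so large samples don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def dedupe_report(directory):
    """Group files by content hash; report one keeper per group, its duplicates,
    the sniffed type, and whether the keeper's extension lies about that type."""
    groups = defaultdict(list)
    types = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        groups[digest].append(name)
        with open(path, "rb") as f:
            types[digest] = sniff_type(f.read(8))
    report = []
    for digest, names in groups.items():
        keep = names[0]
        claimed = EXT_TO_TYPE.get(os.path.splitext(keep)[1].lower())
        report.append({
            "sha256": digest,
            "keep": keep,
            "duplicates": names[1:],
            "type": types[digest],
            "mismatched_extension": claimed is not None and claimed != types[digest],
        })
    return report


def find_group(report, name):
    """Look up the report entry that contains a given filename."""
    for entry in report:
        if name == entry["keep"] or name in entry["duplicates"]:
            return entry
    return None


def make_sample_dir():
    """Constructed sample set mirroring the post: two identical exes under different
    names, a RAR archive saved with an .exe extension, and a genuine PDF."""
    d = tempfile.mkdtemp(prefix="av_sample_")
    fake_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"(constructed stub, not a real program)"
    samples = {
        "setup.exe": fake_exe,
        "README_v2.exe": fake_exe,                      # byte-identical duplicate
        "manual.exe": b"Rar!\x1a\x07\x00" + b"constructed rar body",
        "guide.pdf": b"%PDF-1.4\n%constructed pdf body\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for entry in dedupe_report(make_sample_dir()):
        print(entry["sha256"][:16], entry["keep"], entry["duplicates"],
              entry["type"], "EXTENSION MISMATCH" if entry["mismatched_extension"] else "")
```

Hashing before unpacking also gives you a stable identifier for each sample, so a later scan result ("52 threats") can be tied back to specific content rather than to filenames that vary from copy to copy.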
  • I guess what I'm asking is: does Sophos only detect software that is harmful to the user

    Yes - if we add "potentially" between "is" and "harmful" (and on Windows it also flags suspicious files). From the description - short as it is - Troj/AdbPat-A does not sound like a "benevolent" cracking program. And anyway, it's for Windows.

    Nowadays malware is often modular and complex. One way to avoid easy detection is to distribute it in parts. So you plant something on the net which subverts an authoring tool but doesn't do any noticeable harm. Somewhere else you place specifically crafted but otherwise inconspicuous documents (using the usual methods to make sure users stumble upon them). Only when they are opened by the subverted application will the "evil operations" commence. This is, sadly, not sci-fi. Of course complex applications have to be tested (after all, all programmers are only human at best), so it's no surprise that seemingly inoperable but suspicious "things" are "out there".

    If not, your threat descriptions could use some improvement

    Some years ago almost all major vendors stopped publishing detailed descriptions for all but a few threats, for several reasons. To name a few: in practice only a few people really need, read and understand them - more often than not they just want to get rid of the "things". If prevalence is low and no remediation except removal is necessary, there's probably not much real interest in the analysis. As new threats or variants are analyzed each day, it'd be no mean feat to keep the descriptions up to date.

    Ever used a spam filter? Do you care why it thinks something's spam? If you did, then probably no longer (unless you get a false positive) - you simply trust it (or whoever's behind it). You do have better things to do than to affirm its decisions.

    Christian
