Re: The Coalition against Personal Firewalls
"Wolf Behrenhoff" <NoSpamPleaseButThisIsValid3@xxxxxxx> wrote in message
news:44815ba7$0$4494$9b4e6d93@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
fritsz wrote:
"Volker Birk" <bumens@xxxxxxxxxxx> wrote

please prove it and offer me some changed compiled PoCs.
Just change yourself, please.

You are the expert and you could always say that my changes aren't the
correct changes.

You can modify the code as YOU like. You just need to change some code
without breaking functionality. The changes need to be big enough so
that the binary is different. If the PoC is still detected as a virus
then change some more code.

From another example I know changing code didn't help.
It depends what you're changing, of course. Changing something that
results in the same binary will not help.

Wow, changing the code and that should result in exactly the same binary?
What a nonsense. I know that you are very wrong.

And I know that you are very wrong.

Why should "some_var = 40 + 2;" and "some_var = 42;" generate different
binaries? It's different code but will result in the same binary.

It seems you don't know that modern compilers do a lot of optimization
so that even other differences can generate the same binary. The above
example is just very simple.

Wolf

Good heuristic detections don't work that way, they look for the specific
calls to the OS or the specific activities, not just different binary CRCs
or strings. So, seeing a few particular calls that would be the same no
matter what sorts of changes you made to program flow or syntax adds up to
the heuristic definition. That's what makes it a heuristic. Changing a few
lines of code to give a different binary evades garden-variety
string-matching AV signatures, but not good heuristic engines.

-Russ.
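The distinction Russ draws, shown as an added example (not code from anyone in the thread): two constructed "builds" of the same program differ in their code bytes, so a hash-based signature of build A misses build B, while a rule keyed on the combination of OS calls the image references catches both and leaves a benign tool alone. The byte images, the API-name combination used as the rule, and the extraction regex are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed samples: two "builds" of one program and a benign tool.
# Each is a fake image: arbitrary code bytes followed by the API names a
# real import table would list. They are not real executables.
BUILD_A = (b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 4 +
           b"kernel32.dll\x00OpenProcess\x00WriteProcessMemory\x00"
           b"CreateRemoteThread\x00")
# Same imports, different code bytes (as if a few lines were changed
# and the program recompiled): the hash changes, the behaviour does not.
BUILD_B = (b"\x55\x8b\xec\x83\xec\x20\x90\x90" + b"\x00" * 4 +
           b"kernel32.dll\x00OpenProcess\x00WriteProcessMemory\x00"
           b"CreateRemoteThread\x00")
# Benign debugger-like tool: reads another process but never starts a
# thread inside it, so it lacks the full combination.
BENIGN = b"\x55\x8b\xec" + b"kernel32.dll\x00OpenProcess\x00ReadProcessMemory\x00"

# "Garden-variety" signature: the exact hash of one known build.
KNOWN_BAD_HASHES = {hashlib.sha256(BUILD_A).hexdigest()}

# Hypothetical heuristic rule: the set of calls that together describe the
# activity (here, writing code into another process and running it).
INJECTION_RULE = {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"}


def imported_names(image: bytes) -> set:
    """Pull out the API-name-like printable strings the image references."""
    return {s.decode() for s in re.findall(rb"[A-Za-z][A-Za-z0-9]{3,}", image)}


def hash_signature_hit(image: bytes) -> bool:
    """Matches only an image whose bytes are exactly a known build."""
    return hashlib.sha256(image).hexdigest() in KNOWN_BAD_HASHES


def heuristic_hit(image: bytes, rule=INJECTION_RULE) -> bool:
    """Matches any image that references the whole combination of calls."""
    return rule <= imported_names(image)


def classify(image: bytes) -> dict:
    return {"signature": hash_signature_hit(image),
            "heuristic": heuristic_hit(image)}


if __name__ == "__main__":
    for name, img in [("build A", BUILD_A), ("build B", BUILD_B), ("benign", BENIGN)]:
        print(name, classify(img))
```

Build B is the "changed and recompiled" case from the thread: its SHA-256 no longer matches, yet the call combination still does.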