Kaspersky Lab Forum > Blacklisting file names

Kaspersky Lab Forum > English User Forum > Suggestions for current and future versions of KL products

dawgg

12.07.2008 05:45

This may sound like a very crude method of detecting possible malware, but it may be an idea of detecting using extremely loose heuristics many variants of a malicious group (or dropped files of a malicious group) which have commonly malicious filename such as srosa.sys, hldrrr.exe, KAVO0.DLL, wintems.exe, mdelk.exe, hidr.exe etc... useing something like this of aid so you get what I mean...
Files here with a high number of scanns and a high percentage of incidents where they are considered malicious should be added to the blacklist:
http://www.threatexpert.com/files/hldrrr.exe.html
http://www.threatexpert.com/files/wintems.exe.html
and possibly detect them depending on what directory they are in (to reduce the number of FPs)

Also, blacklisting certain filenames which are in certain directories should be considered, such as:
c:\windows\system32\explorer.exe
c:\windows\svchost.exe
(or blacklist the filenames UNLESS they are in their valid locations).

This is probabily most practical integrating into ProactiveDefense rather than scanning/on-demand so the user is prompted that a file using a filename which is often considered to be malware has been dropped. This will trigger the user to ask themselves whether the file was from a trusted source or not and investigate whether it is indeed malicious or not should they think it is.

If it is not malicious, Kaspersky can (maybe) add that specific file (using hash probabily) to its whitelist if it reaches the viruslab and they are told about it triggering the PDM (incase there is a detection of this with a well-known program)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.