I've used malfind and memscan on a suspected POS infected system and I get a ton of false positive hits on AV processes. Any way to whitelist some of these or use --silent to filter out some of these false positives? On the other side, is it likely malware is using AV processes to do their deed?
Mike
Det. Michael Chaves
Monroe Police Department
7 Fan Hill Road
Monroe, CT 06468
203.452.2831 x1307 (desk)
203.261.3622 (w)
203.650.7997 (c)
*** NOTE: If you are sending me an attachment, rename the extension to .txt or .jpg,
otherwise, due to filters, I will not get it ***
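One way to do the whitelisting outside Volatility is to post-process the malfind text report. The script below is an added example for this thread, not Volatility code and not something from the original post: it parses the Volatility 2 malfind plain-text output, suppresses hits in processes the analyst has already verified as AV (the process names in DEFAULT_ALLOWLIST are assumed; substitute the product actually installed), and keeps any allowlisted hit whose region begins with an MZ header, since a full PE image mapped into a private RWX region is worth a look no matter which process owns it. The SAMPLE_MALFIND text is constructed to mimic the report format.

```python
"""
Triage filter for Volatility 2 'malfind' text output.

Constructed example for this thread; not Volatility's own code.
Process names in DEFAULT_ALLOWLIST are assumptions: replace them
with the AV processes verified on the system under analysis.
"""
import re
from collections import defaultdict

# Assumed AV process names; an allowlist only suppresses, it never deletes.
DEFAULT_ALLOWLIST = {"avp.exe", "avgnt.exe", "mcshield.exe"}

# "Process: avp.exe Pid: 1540 Address: 0x2d0000"
HEADER_RE = re.compile(
    r"^Process:\s+(?P<proc>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)"
)
PROT_RE = re.compile(r"Protection:\s+(?P<prot>[A-Z_]+)")
# First hexdump row: address, up to 16 space-separated byte pairs, ASCII column.
HEXLINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2}\s+){1,16})")

# Constructed sample in the Volatility 2 malfind report format.
SAMPLE_MALFIND = """\
Process: avp.exe Pid: 1540 Address: 0x2d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002d0000  e9 1b 04 00 00 90 90 90 00 00 00 00 00 00 00 00   ................

0x002d0000 e91b040000       JMP 0x2d0420

Process: avp.exe Pid: 1540 Address: 0x3f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003f0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: explorer.exe Pid: 1040 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
"""


def parse_malfind(text):
    """Return one dict per hit: proc, pid, addr, protection, first_bytes."""
    hits = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {
                "proc": m.group("proc"),
                "pid": int(m.group("pid")),
                "addr": int(m.group("addr"), 16),
                "protection": None,
                "first_bytes": b"",
            }
            hits.append(current)
            continue
        if current is None:
            continue
        p = PROT_RE.search(line)
        if p and current["protection"] is None:
            current["protection"] = p.group("prot")  # from the "Vad Tag" line
            continue
        h = HEXLINE_RE.match(line)
        if h and not current["first_bytes"]:
            # Only the first hexdump row is kept: enough to spot an MZ header.
            current["first_bytes"] = bytes.fromhex("".join(h.group(1).split()))
    return hits


def triage(hits, allowlist=DEFAULT_ALLOWLIST):
    """Split hits into (review, suppressed).

    Hits in allowlisted processes are suppressed unless the region starts
    with an MZ header; suppressed hits are returned, not discarded, so the
    analyst can still see what the allowlist removed.
    """
    review, suppressed = [], []
    for hit in hits:
        starts_mz = hit["first_bytes"].startswith(b"MZ")
        if hit["proc"].lower() in allowlist and not starts_mz:
            suppressed.append(hit)
        else:
            review.append(hit)
    return review, suppressed


def summarize(hits):
    """Count hits per (process name, pid) for a quick overview."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["proc"], h["pid"])] += 1
    return dict(counts)


if __name__ == "__main__":
    review, suppressed = triage(parse_malfind(SAMPLE_MALFIND))
    print("review:", summarize(review))
    print("suppressed:", summarize(suppressed))
```

Run it against a saved report with `parse_malfind(open("malfind.txt").read())`. The allowlist is a triage aid, not proof of benignity: AV and other trusted processes are exactly where an injected payload hides, so the suppressed list should still be skimmed, and the MZ check is only one of several signals (a hit at the very start of the dump, or a prologue beginning with a JMP, deserves the same scrutiny the disassembly column in malfind already invites).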
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of
vol-users-request(a)volatilityfoundation.org
Sent: Tuesday, October 28, 2014 1:00 PM
To: vol-users(a)volatilityfoundation.org
Subject: [BULK] Vol-users Digest, Vol 76, Issue 6
Today's Topics:
1. Detailed analysis of Kaspersky hooks including analysis with
Volatility (Andrew Case)
----------------------------------------------------------------------
Message: 1
Date: Tue, 28 Oct 2014 02:16:58 -0500
From: Andrew Case <atcuno(a)gmail.com>
Subject: [Vol-users] Detailed analysis of Kaspersky hooks including
analysis with Volatility
To: "'vol-users(a)volatilityfoundation.org'"
<vol-users(a)volatilityfoundation.org>
Message-ID: <544F42EA.9020500(a)gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
A really well done writeup & analysis:
https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
--
Thanks,
Andrew (@attrc)