Topic: What is MalPE??


Azurien

  • Guest
What is MalPE??
« on: February 06, 2019, 06:48:23 PM »
Hello, I've been noticing something weird over the past few days... I do regular scans with RogueKiller and once a week it finds some MalPE (usually MalPE.29) on some registry keys that are related to Steam. I've been careful with both browsing and such, but it's been bugging me a lot... what are these MalPEs that pop up from nowhere and how harmful are they? And if so, what can I do to get rid of them in a more permanent way?

Thank you.

Curson

  • Global Moderator
Re: What is MalPE??
« Reply #1 on: February 06, 2019, 08:10:52 PM »
Hi Azurien,

Thanks for your interest in our product.

MalPE is a new heuristic engine that detects anomalies in PE files.
In our tests, MalPE appeared to detect 90% of malware files, while having false positives on 2% of them. We are still working on reducing those false positives massively, so this feature is still in Beta.

For the time being, I advise you to disable the use of the MalPE engine in the Settings tab.

Regards.

Azurien

  • Guest
Re: What is MalPE??
« Reply #2 on: February 06, 2019, 08:16:42 PM »
Thank you for your reply. Well, 90% is good for me so I'll keep it on, since the weird issue was that it only detected on registry keys of games I haven't touched in a while and it had something to do with firewall permissions. Also, 3 days ago it didn't detect anything and today it detected that, so I was worried I might have been, somehow, infected.

Again, thank you for your help.

Curson

  • Global Moderator
Re: What is MalPE??
« Reply #3 on: February 06, 2019, 08:25:39 PM »
Hi Azurien,

You are very welcome.
If you want to help us, please make an archive with all the files detected by MalPE and attach it to your next reply. Manual analysis of the files will help us improve the engine.

Regards.

Azurien

  • Guest
Re: What is MalPE??
« Reply #4 on: February 06, 2019, 08:41:00 PM »
I already deleted those but I will save future detections.

Curson

  • Global Moderator
Re: What is MalPE??
« Reply #5 on: February 06, 2019, 09:06:05 PM »
Hi Azurien,

Thanks.
Regards.

Azurien

  • Guest
Re: What is MalPE??
« Reply #6 on: February 27, 2019, 05:31:14 AM »
Hello, I have a couple of those detections in quarantine and also have the logs. Should I upload the logs through RogueKiller? If so, what helper should I choose?

Also, just another question (in order to not open a new thread, and I'm not sure if it's related to this issue or not): since the update to 13.1.6.0, RogueKiller has been detecting 2 pum.homepage entries: one is homepage and the other is session.startup_url. On both, the data entry is the Google website (so I'm guessing this pum.homepage is changing my homepage from Google to Google?) and I even reset Chrome to defaults without the sync on and then forced the sync with the "clean" version, but this keeps popping back up. And the weirdest part: on the scan I did before the update it came up clean, and right after that scan I noticed there was an update for RogueKiller, updated it, and this keeps showing up daily. Any ideas?

Thank you for the help.

Curson

  • Global Moderator
Re: What is MalPE??
« Reply #7 on: February 27, 2019, 10:21:09 PM »
Hi Azurien,

Thanks for your feedback.
Could you please directly attach the log here with your next message?

Regarding the PUM detections, this is a regression bug. It should be fixed in the latest signatures package release.
Could you please update and confirm it's not detected anymore?

Regards.

Azurien

  • Guest
Re: What is MalPE??
« Reply #8 on: February 27, 2019, 10:26:56 PM »
Yep, that is fixed. It doesn't pop up anymore.

As for the logs, I wasn't sure if it had to be json or txt, so I picked txt.

Curson

  • Global Moderator
Re: What is MalPE??
« Reply #9 on: February 27, 2019, 10:42:08 PM »
Hi Azurien,

These two files are legit; you can restore them from quarantine.
Could you also please zip them into an archive and attach it to your next reply?

Regards.

Azurien

  • Guest
Re: What is MalPE??
« Reply #10 on: February 27, 2019, 10:45:42 PM »
Hello

Well, if you don't mind, can you give me a step-by-step on how to get them? I only have the options to either restore or delete them in RogueKiller, so I don't know how to get them out of the quarantine.

edit: just found them inside the roguekiller folder... do you need the .meta ones as well?

edit 2: the files in question have the same info as the log. Just out of curiosity, how will these files actually help with the RogueKiller detections and such? Just trying to expand my knowledge base and understand a little bit more about the information that can be gathered by studying and analysing these types of files.
« Last Edit: February 27, 2019, 10:56:26 PM by Azurien »

Curson

  • Global Moderator
Re: What is MalPE??
« Reply #11 on: February 27, 2019, 11:20:26 PM »
Hi Azurien,

You need to restore them, then zip them from the Explorer, not RogueKiller.
MalPE uses PE (Portable Executable) characteristics to define a file as malicious. By manually analysing them, we will be able to determine what triggered the false detection and improve the detection engine.

Regards.
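As an added illustration of what "PE characteristics" means here (example code written for this thread, not RogueKiller's MalPE engine): the parser below reads a PE image's DOS header, file header, optional header and section table, and flags a few classic layout anomalies. The anomaly names, the 7.2 bits/byte entropy threshold and the two sample images are constructed for the demonstration; legitimately compressed or self-extracting programs share the second sample's layout, which is exactly how a heuristic of this kind produces the false positives discussed above.

```python
import math
import struct
CODE, IDATA, EXEC, READ, WRITE = 0x20, 0x40, 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_* section flags
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics

def entropy(data: bytes) -> float:  # Shannon entropy in bits per byte; 0.0 for empty input
    return -sum(data.count(b) / len(data) * math.log2(data.count(b) / len(data)) for b in set(data)) if data else 0.0

def pe_anomalies(pe: bytes) -> list:  # heuristic anomaly labels for a PE image held in memory
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return ["not-a-pe-file"]
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["bad-pe-signature"]
    # FileHeader.NumberOfSections, FileHeader.SizeOfOptionalHeader, OptionalHeader.AddressOfEntryPoint
    nsec, opt_size, ep = struct.unpack_from("<H12xH18xI", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    if table + 40 * nsec > len(pe):
        return ["truncated-section-table"]
    flags, ep_in_section = [], False
    for i in range(nsec):
        name, vsize, rva, rawsz, rawptr, _, _, _, _, ch = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ep_in_section |= rva <= ep < rva + max(vsize, rawsz)
        if ch & EXEC and ch & WRITE:                    # code that may rewrite itself at run time
            flags.append(f"writable-executable-section:{name}")
        if ch & EXEC and rawsz == 0:                    # executable section filled only at run time
            flags.append(f"executable-section-without-raw-data:{name}")
        if rawptr + rawsz > len(pe):                    # header claims bytes the file does not contain
            flags.append(f"section-overflows-file:{name}")
        elif entropy(pe[rawptr:rawptr + rawsz]) > 7.2:  # compressed or encrypted payload
            flags.append(f"high-entropy-section:{name}")
    if not ep_in_section:
        flags.append("entry-point-outside-sections")
    return flags

def build_pe(sections, entry_rva, e_lfanew=0x40, opt_size=224):  # constructed minimal PE32 image (not a real binary)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(opt_size, b"\0")
    ptr, table, blobs = e_lfanew + 24 + opt_size + 40 * len(sections), b"", b""
    for name, rva, data, ch in sections:  # sections = [(name, rva, raw_bytes, characteristics)]
        table += struct.pack(SECTION_HDR, name, 0x1000, rva, len(data), ptr if data else 0, 0, 0, 0, 0, ch)
        blobs, ptr = blobs + data, ptr + len(data)
    return dos + b"PE\0\0" + file_hdr + opt + table + blobs

CLEAN = build_pe([(b".text", 0x1000, b"\xc3".ljust(64, b"\0"), CODE | EXEC | READ),
                  (b".data", 0x2000, b"hello\0", IDATA | READ | WRITE)], 0x1000)
PACKED = build_pe([(b".packed0", 0x1000, b"", CODE | EXEC | READ | WRITE),
                   (b".packed1", 0x2000, bytes(range(256)) * 2, IDATA | EXEC | READ | WRITE)], 0x5000)
```

`pe_anomalies(CLEAN)` returns an empty list, while `pe_anomalies(PACKED)` reports five findings; a real engine would weight such findings against each other rather than treat any single one as a verdict, and would still need the kind of manual review of flagged files the moderator asks for.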