
Testing Panda Cloud Antivirus: Advanced Logging

April 30th, 2009

 

If you’ve read the introduction to Panda Cloud Antivirus and have come this far, you’re probably interested in “seeing” how this new approach to protection works, not just reading about it. We have enabled certain functionalities which you, as a tester, can use to “see” what Panda Cloud Antivirus is doing behind the scenes.

 

Turning Advanced Logging On/Off

One of the most important things to take into account while testing Panda Cloud Antivirus, especially against malware samples and its on-access scanner, is that the traditional on-access scanner has been replaced by 3 new types of interception techniques: OnAccess, OnPrefetch and OnBackground. As each of these operates at a different priority and for a different risk situation, their final actions are not always immediately visible in the way you would expect from a traditional on-access scan. For example, if you copy a directory full of malware samples from one drive to another (or from one directory to another) you will not experience an immediate block of the system, with detection and disinfection as the copy operation occurs; in this scenario an OnPrefetch scan scans these files asynchronously, using idle CPU time.

In order to give visibility of what exactly is happening behind the scenes, we have created 2 registry entries which can be tweaked to turn advanced logging on and off. Simply download the registry files below and run them. Make sure the directory C:\Logs_CloudAV exists, or replace it with a path of your choice in the REG file. We suggest you create a specific directory for it, as multiple log files will be created, one for every time the service is started. A reboot or service restart will be required for Panda Cloud Antivirus to start logging.

[Download links: logging-on REG file, logging-off REG file]

 

Understanding the Log

The log file is basically a CSV file with the following fields:

TimeStamp: Time stamp of the event
JobID: Internal engine ID of the event
Profile: ID of the configuration profile with which the event has been executed. Different types of events use different profiles in order to apply a specific configuration.
Date: Complete date and seconds of the event.
JobType: Type of job. Can be AnalysisRequest, AnalysisResult or ActionResult
TaskType: Type of scan that generated the event: OnDemand, OnBackground, OnPrefetch, OnAccess
File: Full path to the file in question
Result: Result of the task. For an AnalysisResult event it indicates the malware classification; for an ActionResult event it indicates the action taken.

In the following sections we’ll take a more in-depth look into some sample detections and how they can be interpreted by looking at the log file.
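As an added example, not part of the original post and not Panda's own tooling, here is a small Python reader for a log with the fields listed above. It groups the rows by JobID so that each AnalysisRequest can be followed to its AnalysisResult and ActionResult, flags jobs that ended in the "Cloud Error" JobType discussed later in the post, and lists requests that have no verdict yet (the asynchronous OnPrefetch/OnBackground case). The column order, the Result strings (Clean, Suspicious, Virus, Deleted) and the sample rows are assumptions constructed for the example; the post names the fields but does not show a header row or sample values.

```python
import csv
import io
from collections import OrderedDict

# Field names as listed in the post. The column order is an assumption.
FIELDS = ["TimeStamp", "JobID", "Profile", "Date", "JobType",
          "TaskType", "File", "Result"]

# Constructed sample excerpt (not real Panda output): an on-demand scan of a
# folder with one clean and one suspicious file, a prefetch scan that ended in
# a "Cloud Error", an on-access interception of a PE execution, and a prefetch
# request that has not received its result yet.
SAMPLE_LOG = """\
10:21:03.117,1001,3,2009-04-30 10:21:03,AnalysisRequest,OnDemand,C:\\Samples\\readme.txt,
10:21:03.250,1001,3,2009-04-30 10:21:03,AnalysisResult,OnDemand,C:\\Samples\\readme.txt,Clean
10:21:03.118,1002,3,2009-04-30 10:21:03,AnalysisRequest,OnDemand,C:\\Samples\\suspect.dat,
10:21:04.900,1002,3,2009-04-30 10:21:04,AnalysisResult,OnDemand,C:\\Samples\\suspect.dat,Suspicious
10:21:05.010,1002,3,2009-04-30 10:21:05,ActionResult,OnDemand,C:\\Samples\\suspect.dat,Deleted
10:25:40.000,1003,5,2009-04-30 10:25:40,AnalysisRequest,OnPrefetch,C:\\Copy\\EicarCopy.exe,
10:27:40.050,1003,5,2009-04-30 10:27:40,Cloud Error,OnPrefetch,C:\\Copy\\EicarCopy.exe,
10:30:12.400,1004,1,2009-04-30 10:30:12,AnalysisRequest,OnAccess,C:\\Samples\\EICAR.EXE,
10:30:12.480,1004,1,2009-04-30 10:30:12,AnalysisResult,OnAccess,C:\\Samples\\EICAR.EXE,Virus
10:30:12.600,1004,1,2009-04-30 10:30:12,ActionResult,OnAccess,C:\\Samples\\EICAR.EXE,Deleted
10:31:00.000,1005,5,2009-04-30 10:31:00,AnalysisRequest,OnPrefetch,C:\\Copy\\notes.txt,
"""


def parse_log(text):
    """Parse the CSV log text into a list of dicts keyed by FIELDS."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [dict(row) for row in reader]


def group_jobs(events):
    """Group events by JobID, keeping log order within each job."""
    jobs = OrderedDict()
    for ev in events:
        jobs.setdefault(ev["JobID"], []).append(ev)
    return jobs


def summarize(events):
    """Collapse each job into task/file/verdict/action and a Cloud Error flag."""
    summary = OrderedDict()
    for job_id, evs in group_jobs(events).items():
        info = {"task": evs[0]["TaskType"], "file": evs[0]["File"],
                "verdict": None, "action": None, "cloud_error": False}
        for ev in evs:
            kind = ev["JobType"]
            if kind == "AnalysisResult":
                info["verdict"] = ev["Result"]   # malware classification
            elif kind == "ActionResult":
                info["action"] = ev["Result"]    # action taken on the file
            elif kind == "Cloud Error":
                info["cloud_error"] = True       # agent/server communication failed
        summary[job_id] = info
    return summary


def detections(events):
    """(file, verdict, action) for every job whose verdict is not Clean."""
    return [(i["file"], i["verdict"], i["action"])
            for i in summarize(events).values()
            if i["verdict"] is not None and i["verdict"] != "Clean"]


def cloud_errors(events):
    """Files whose scan ended in a Cloud Error (connectivity problem)."""
    return [i["file"] for i in summarize(events).values() if i["cloud_error"]]


def pending(events):
    """Requests with neither a verdict nor a Cloud Error: still being scanned
    asynchronously (typical for OnPrefetch and OnBackground tasks)."""
    return [i["file"] for i in summarize(events).values()
            if i["verdict"] is None and not i["cloud_error"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for job_id, info in summarize(evs).items():
        flag = "CLOUD ERROR" if info["cloud_error"] else ""
        print(job_id, info["task"], info["file"], info["verdict"],
              info["action"], flag)
    print("detections:", detections(evs))
    print("cloud errors:", cloud_errors(evs))
    print("pending:", pending(evs))
```

When reading a real log, swap SAMPLE_LOG for the contents of one of the files in the logging directory; a large number of Cloud Error rows in the output is the connectivity symptom described in the sections below, and a growing pending list after a bulk copy is the expected sign of prefetch scans still running rather than of files being missed.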

 

On-Demand Scan of a Folder

In this scenario we’ll launch an on-demand scan of a folder which contains a mix of clean and infected files. This generates an OnDemand AnalysisRequest for every element inside the directory: the directory is enumerated and every object found is scanned by the OnDemand task. Cloud Antivirus will then act upon (delete or disinfect) those found to be malware.

[Screenshot log01: log of the on-demand folder scan]

A typical situation while running on-demand scans of a file or folder is the loss of Internet connectivity during the scan itself, or simply no connectivity at all. As Panda Cloud Antivirus bases most of its detection technology on the cloud, the log entries show each file scan returning an error that indicates the loss of connectivity. Most detections made during an on-demand scan without Internet connectivity will come from the local cache copy of Collective Intelligence and the heuristics included in the agent.

[Screenshot log02: log of an on-demand scan without Internet connectivity]

 

On-Demand Scan of a Suspicious File

In this scenario we’ll launch an on-demand scan of a specific file. We’ll right-click the file suspect.dat, which is classified as suspicious. If the AnalysisResult is positive, the engine launches an Action on the file.

[Screenshot log03: log of the on-demand scan of suspect.dat]

 

Execution of a Malware PE File

In this test scenario we’ll execute a malicious PE file (a file with extension EXE, COM, etc.). In this example we’ll double-click the file EICAR.EXE, which is considered malware and whose detection does not require connectivity to the cloud. As executing a file is an action that puts the security of the machine in danger, as soon as it is intercepted it is blocked and an OnAccess AnalysisRequest is launched. Depending on the result, access to the file is allowed or denied and a subsequent task is generated to neutralize the file.

[Screenshot log04: log of the execution of EICAR.EXE]

In the next example we’ll repeat a similar scenario, but with a malware file (MyFormatter.exe) whose detection is delivered from the cloud. In the following log we can see the reaction of the product to the execution of MyFormatter.exe.

[Screenshot log05: log of the execution of MyFormatter.exe]

 

Copy of a PE File

In this scenario we’ll copy a malicious PE file, Eicar.exe, to EicarCopy.exe. As a copy operation is not an imminent high risk to the PC, the copy is permitted while an OnPrefetch AnalysisRequest is launched, anticipating its possible execution later on. If it is detected as malware, an Action will be requested on the file.

[Screenshot log06: log of the copy of Eicar.exe to EicarCopy.exe]

It is worth noting an error that may show up in the log (shown below) with the JobType “Cloud Error”, which means that the communication between the Panda Cloud Antivirus agent and the server has failed; in this particular example it occurred during the OnPrefetch scan of the PE file GoogleDesktopResources_es.dll, as the network connection was disabled on this machine.

[Screenshot log07: log showing a “Cloud Error” JobType during an OnPrefetch scan]

 

Opening of a Non-PE File

This scenario consists of opening a non-PE file, in our case a Word document (mydoc.doc) which is not malicious. Opening a file, like executing a PE file, is considered a high-risk action for the computer. Therefore the action is intercepted and blocked while an OnAccess AnalysisRequest is launched on the file.

[Screenshot log08: log of the opening of mydoc.doc]

 

Copy of a Non-PE File

In this example we’ll copy a malicious non-PE file, Achtung.doc, to AchtungCopy.doc. As a copy operation is not an imminent high risk to the PC, the copy is permitted and the default action is to launch an OnPrefetch AnalysisRequest on the resulting file. However, in this case an OnAccess AnalysisRequest is also launched on the original file, as the operating system needs to open a non-PE file in order to copy it to a new file. As we’ve seen before, the opening operation is considered a high-risk operation, and therefore an OnAccess AnalysisRequest is launched on the file Achtung.doc. As it is detected as malicious, the copy operation is blocked.

[Screenshot log09: log of the copy of Achtung.doc to AchtungCopy.doc]

 

  1. April 30th, 2009 at 00:43 | #1

    If you’re having problems downloading the .REG files, here’s their content. Just copy and paste into a text file, save as log-on-off.reg and run it in order to import into the Registry.

    TURN LOGGING ON:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Service Host]
    "tracePath"="C:\\Logs_CloudAV"
    "traceEnabled"="1"

    TURN LOGGING OFF:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Service Host]
    "tracePath"=-
    "traceEnabled"=-

  2. Jonathan
    April 30th, 2009 at 02:25 | #2

    Why no 64bit support? Seeing as how 64bit OSs are in the here and now, it’s hard to imagine developing a new security suite that will not protect the latest software…

  3. April 30th, 2009 at 02:27 | #3

    It’s not that we don’t *want* to support 64bit, it’s just that we released 32bit first while 64bit and Windows7 are being finished and undergoing QA testing. Rest assured we’ll have a 64bit version.

  4. Paul
    April 30th, 2009 at 03:37 | #4

    Thanks, this is awesome! It caught 4 trojans and spyware in my machine already and performance-wise I don’t notice it’s there.

  5. Nadim
    April 30th, 2009 at 10:33 | #5

    Very good howto Pedro. Really transparent the info you share here.

  6. Kelly Crabbé
    April 30th, 2009 at 11:49 | #6

    I wouldn’t mind testing on Win 7 x64.

  7. James T. Kirk
    April 30th, 2009 at 12:13 | #7

    I find the only options in handling a file in on demand scanning to be delete or disinfect to be poor choices. No user choice to block, delete, quarantine, or disinfect or are the choices there and not listed?

    What if a file is a false positive and Panda deletes it? What if a user wants to hang onto that file for testing?

    I do not use a prefetch so what becomes of that particular module in your Panda Cloud AV? Can the user have control over the module to disable it or have the program detect if prefetching is disabled and then disable that aspect of the program?

    The world is moving to 64 bit computing and Panda needs to get onboard with that or risk disuse IMO.

  8. April 30th, 2009 at 13:09 | #8

    @James T. Kirk, I’ll be posting some details soon on how to handle these issues you mention (quarantine, false positives, Prefetch/Background scan, etc.).

  9. Mike
    April 30th, 2009 at 13:09 | #9

    I find the lack of advanced features to be a tad restrictive. I finished a scan, and it detected an IP scanner as a hacking tool (ok, I can kind of understand that), and a wireless network scanner as a trojan (with a disclaimer on them both that they could be used non-maliciously by admins). OK, so Panda deleted them, and I can’t recover them. Stupid. When you flip the AV over it says “If Panda cloud antivirus neutralizes a program you want to use you can recover it here”. No I can’t. There’s nothing there – yet it deleted two programs.

  10. April 30th, 2009 at 17:24 | #10

    @Mike, cloud antivirus is pre-configured to disinfect/delete malicious code (virus, trojans, spyware, etc.) but quarantine greyware and potentially unwanted applications (such as hacking tools). Therefore your IP scanner should have been quarantined and you should be able to see it in the Recycle Bin. If it’s not there, what you could do is open the events report from the statistics tab and check the hacking tools detection. It should pull down a name for the detection. Click on the name and let me know the URL it points to in our encyclopedia, so we can check if there’s a problem.

  11. jonte
    April 30th, 2009 at 20:40 | #11

    can you make please a fast scan o

  12. Xenu
    May 3rd, 2009 at 14:15 | #12

    Clear!

  13. DeHuC
    May 5th, 2009 at 16:35 | #13

    There are too many “Cloud Error” in the log. I connect via proxy. How can I check is Panda online or not? Looks like it’s permanently offline :(

  14. Tonkata
    May 6th, 2009 at 09:46 | #14

    What’s going on with the win 7 version? I’m running NOD 32 but am sick of it!:))))

  15. May 6th, 2009 at 10:12 | #15

    @DeHuC did you configure Cloud Antivirus to use your proxy? Open the Cloud Antivirus, click config (left button) and activate the proxy, entering its connectivity information.

  16. DeHuC
    May 6th, 2009 at 10:32 | #16

    @Pedro Bustamante Of course. Something strange happened with connection yesterday. Today looks ok — only one “Cloud Error”.
    Maybe some simple online status indicator would be useful? Currently I can check it only via logging.

  17. May 6th, 2009 at 14:01 | #17

    It will be useful that the Panda icon on the taskbar (near the system clock) changes a little when Cloud AV can’t connect to the Internet.

    Sorry for my bad English =)

  18. May 8th, 2009 at 00:34 | #18

    DeHuC :

    Today looks ok — only one “Cloud Error”. Maybe some simple online status indicator would be useful? Currently I can check it only via logging.

    Maybe your proxy/firewall is modifying packets? Slap a sniffer on the network and check for inconsistencies.

    @Alex Molina interesting suggestion, thanks Alex !

  19. MikeydaHut
    May 9th, 2009 at 06:43 | #19

    Clearly, Panda is not going to give away its 64-bit version. As somebody said, 64-bit is where the world is going, so it’s safe to give this product to the 32-bits systems that won’t be around much longer.

  20. May 14th, 2009 at 03:04 | #20

    @MikeydaHut This is not true Mikey. As soon as our 64bit and Windows7 version is ready we’ll give that away for free as well.

  21. Alan Amesbury
    May 14th, 2009 at 18:59 | #21

    According to

    http://www.eicar.org/anti_virus_test_file.htm

    the EICAR anti-virus test file is named EICAR.COM. If the testing shown here is supposed to be based on the EICAR standard anti-virus test file, then a reaction to the EICAR string contained inside EICAR.EXE is probably a bug. The string is not malicious, and “EICAR.EXE” is not the same as “EICAR.COM”.

  22. May 15th, 2009 at 00:59 | #22

    @Alan Amesbury you’re right, however most AV scanners today will detect the EICAR string regardless of the file extension that it uses in order to verify if the antivirus is working correctly. Check EICAR.EXE detection at http://www.virustotal.com/en/analisis/ff6f065aef2863d31beac416b9bb4204.

    Hmm, it’s actually interesting that 1 of the 40 engines doesn’t detect EICAR.

  23. Tonkata
    May 18th, 2009 at 11:06 | #23

    Tonkata :
    What’s going on with the win 7 version?

    That’s not really serious from You….

    The half of the world already uses windows 7.

  24. May 18th, 2009 at 11:32 | #24

    @Tonkata but Windows 7 is still in beta. We’ll have support for Windows 7 as soon as it comes out of beta.

  25. May 19th, 2009 at 00:06 | #25

    What plans are there for linux platforms?

  26. May 19th, 2009 at 14:12 | #26

    @Gregg Hughes Not many at the moment.

  27. Tonkata
    May 23rd, 2009 at 15:34 | #27

    @Pedro,RC is not the same as ”beta” i think.Whatever…

  28. Amauri
    June 1st, 2009 at 09:56 | #28

    @Pedro Bustamante
    my log sometimes shows a lot of “Cloud Error”, and looking at my firewall log I found the reason: CAV opens a connection to query the cloud, waits 2 minutes for an answer, then closes the connection by timeout. The answer from cloud arrives one minute after that, and is blocked by the firewall.

    Now we are in beta phase, with few users. I’m worried about this delay when the number of users increases…

  29. DavidC
    June 1st, 2009 at 13:43 | #29

    @Amauri
    That would explain the waiting for verification etc.
    Good catch

  30. blametheadmin
    June 2nd, 2009 at 03:39 | #30

    @Amauri
    Could you please tell us which process is requesting to open the connection? Thanks.

  31. Amauri
    June 2nd, 2009 at 04:12 | #31

    blametheadmin :
    @Amauri
    Could you please tell us which process is requesting to open the connection? Thanks.

    Blametheadmin, I don’t know the name of the process, sorry. I just enabled full logging in the Windows XP builtin firewall (!?!) and compared the time, IP and job id for each request (open, close and block) against time and job id in the CAV log. The ONPREFETCH event opens a connection, after 2 minutes a CLOUD ERROR is generated and the connection is closed, 1 minute later the reply for that request is blocked by the firewall because that connection was already closed. The CAV opens 4 or 5 simultaneous connections, for equivalent number of files being tested in background. Most of time it works fine, but sometimes the reply of the cloud is sent too late.

  32. blametheadmin
    June 2nd, 2009 at 15:46 | #32

    @Amauri

    I also enabled logging on a vista premium after noticing a few errors in the PCA log. Thanks for the reply!

  33. June 3rd, 2009 at 01:42 | #33

    @Amauri The XP firewall only blocks incoming connections (not outgoing) so it might not be the firewall doing the blocking. Are you sitting behind a proxy? Can you send me the advanced log to take a look? (pedro.bustamante@pandasecurity.com).

  34. Amauri
    June 3rd, 2009 at 07:48 | #34

    @Pedro Bustamante
    The firewall isn’t blocking the communication between PCAV and the cloud. What is blocked is just the delayed reply from the cloud, that arrives 1 minute after the timeout of the connection. Obviously the firewall must block this packet, because the connection was closed. The problem is the time to send the reply to a query – sometimes in seconds, but sometimes it takes 3 minutes and isn’t received. What will happen with 10x or 100x more users? Are the servers prepared for this?

    This is a GREAT software, congratulations! But I want a Linux version, please!

  35. June 3rd, 2009 at 12:28 | #35

    @Amauri According to our sensors we have in various countries our response time to cloud queries is well within 6 seconds. Can you send me the advanced log to check this out?

  36. June 4th, 2009 at 00:57 | #36

    @Amauri Also, I would say that honestly Linux needs no antivirus (yet). Although many windows viruses run under wine, that only messes up wine, not the Linux part. And I’m sorry if panda is one of those companies already marketing Linux antivirus, I’m just being honest :).

  37. June 4th, 2009 at 06:10 | #37

    @Sam Smoker We don’t have nor distribute a Linux antivirus.

  38. June 5th, 2009 at 01:15 | #38

    @Pedro Bustamante :-)

  39. Amauri
    June 5th, 2009 at 19:53 | #39

    Sam Smoker :
    @Amauri Also, I would say that honestly Linux needs no antivirus (yet). Although many windows viruses run under wine, that only messes up wine, not the Linux part. And I’m sorry if panda is one of those companies already marketing Linux antivirus, I’m just being honest :).

    Sam, there were hundreds of Linux viruses in the past, and nobody can say they will not come back. Apple said “Mac doesn’t need an antivirus”, and now “We recommend the users of Mac to install an antivirus”. Mac OSX is based on *nix, so, sooner or later… There are not just viruses, but also trojans, rootkits, etc. How can you be sure there are no vulnerabilities in Linux, Firefox, etc. (not yet fixed) that can be exploited to install malware in your computer?

    @Pedro Bustamante My computer is Ubuntu Linux, I’ve installed Cloud Antivirus in my friend’s computer with Windows XP. I’ll try to recover the advanced log (or generate a new one) when I return there, and will send it to you.

  40. August 1st, 2009 at 06:50 | #40

    Try it in my free test version of windows 7 and i also have the same question. What if a file is a false positive and Panda deletes it? What if a user wants to hang onto that file for testing?

  41. August 3rd, 2009 at 13:47 | #41

    @Bix software box As of Beta2 (available since about a month ago) you can recover any file, whether it’s detected as malicious (by signature) or suspicious (by heuristics). Please look at the following for the details:
    http://blog.cloudantivirus.com/2009/06/30/cloud-antivirus-beta2-released/

  42. Bill C
    October 10th, 2009 at 13:03 | #42

    I am not able to open Panda Cloud Antivirus from its programs file and I do not have the Panda Cloud Antivirus icon in the Notification area.

    The down load of Panda Cloud Antivirus has a file in the programs file. When opened it has the Panda icon labeled shortcut and a help icon labeled shortcut.

    I can open help, but Panda Cloud Antivirus flashes once, that is it, only this visual.

    Please help me to open Panda Cloud Antivirus.

    Bill C

  43. Anonymous
    November 4th, 2009 at 04:13 | #43

    @Pedro Bustamante
    If EICAR is supposed to be contained in a file named EICAR.COM and an AV product reports when it sees the string in a file named EICAR.EXE, it sounds like that AV product is producing a false positive. That doesn’t sound like the sort of AV product I’d want to use . . .

  44. November 5th, 2009 at 00:44 | #44

    @Anonymous Actually this is not a false positive. All AV products are supposed to flag EICAR as malicious as the EICAR file is a test to make sure the AV product is functioning correctly.

  45. Alan Amesbury
    November 5th, 2009 at 22:42 | #45

    I think what “Anonymous” (I actually know who he is, and he mentioned to me he’d commented in this thread) was pointing out is that EICAR, in the form in which it should trigger a reaction, is a .COM file and not an .EXE file. My understanding of the .COM format is that it’s a headerless executable that’s capped at 64KB (legacy design issues from the early MS-DOS days), and the .EXE format most encountered today is the portable executable, which has a header and doesn’t suffer from the memory cap.

    EICAR is described at

    http://www.eicar.org/anti_virus_test_file.htm

    EICAR (the organization) states that EICAR (the test case) is a DOS program. Since the EICAR test string obviously lacks a program header and existed back in the DOS days, I think it’s a reasonable assumption that it is a .COM file, not an .EXE file.

    EICAR’s documentation seems to support this assertion. From the link above:

    In order to facilitate various scenarios, we provide 4 files for
    download. The first, eicar.com, contains the ASCII string as
    described above. The second file, eicar.com.txt, is a copy of
    this file with a different filename. Some readers reported
    problems when downloading the first file, which can be
    circumvented when using the second version. Just download and
    rename the file to “eicar.com”.

    Their sample .ZIP files also happen to contain the EICAR test string in files named “eicar.com”, which also suggests this is the correct format (and not “eicar.exe”).

    I would expect a good AV product to interfere with the download of known malicious files, and it should treat EICAR.COM exactly the same way. However, .COM is not .TXT is not .EXE; I would expect a valid test to pick up the first one only, not the other two, and would consider it an error if an AV product did otherwise. Since EICAR.COM’s creators suggest downloading the .TXT file containing the string and renaming it to “eicar.com”, they would seem to agree.

    This is why I believe that the EICAR string present in a file called “eicar.exe” should produce as much reaction as the EICAR string found in a file called “foo.bar”: None. In the absence of additional qualification, i.e., being present in a specific location in a file named “eicar.com”, the EICAR string is only a set of characters and not worthy of notice.

  46. November 6th, 2009 at 01:07 | #46

    @Alan Amesbury I see what you mean. And while you are 100% right about this, unfortunately there are many different “tests” published out there that try to show AV evasion techniques by modifying EICAR strings in a multitude of ways. What this has caused is an over-detection by AV companies in order to not “look bad” when these crappy tests are published.

    For example:
    http://lists.virus.org/ntbugtraq-0307/msg00015.html

    See for yourself. Submit an EICAR.EXE file which only includes the EICAR string to VirusTotal.
    http://www.virustotal.com/analisis/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1257462253

    Also, nowadays it doesn’t matter what extension a file has. There are hundreds of thousands of examples of malware loading with any extension (.tmp, whatever). AV has to be able to look for malicious code in any format, regardless of the “visible” extension. AV can not play by these strict rules you mention when the bad guys are already playing dirty.
