Notices by Rubikoid (rubikoid@social.rubikoid.ru)

@a1ba I work at sandbox+malware-related department in one ru big infosec company.

We don’t have AV in their original form (even we have some of EDR products, which replaces AV as well), but i think i can say a few words about a problem.

About the ML for AVs: it’s cursed.
Most of AVs can work in two general ways: signature analysis and behaviour analysis.

I have not seen any AV, that uses ML in behaviour analysis - and this is the only thing where ML works enough good.

For signature analysis, it is hard to make really good models for malware detection, I think.

For example, if for hand-written signatures you can run some false-positive tests and don’t release bad signatures, for ML model this action performs even more slower and harder.
Also, ML models are more harder to fix and retrain.

Why ML models used? I think, it’s cheaper than department of specialists, who knows how to write good signatures.
Aaaand in 1% cases it can really be better than human.

In your case, i *magically guess* this can be happen due to usage of some weird functions imports, or you accidentally wrote code snippet, which seems _like_ packer or something.

@akhil @kir4ik52 @libre_fox @yura @edges @Houl а может лучше WSL?)