Crypto stealer - what and where

So, meet the bloody callus, the festering abscess and the headache of everyone who works with logs, traffic and installs: the file crypt.

What you will learn from this article:
* What a file crypt is, what it includes, what it does not include, and what belongs to a different story entirely.
* Why 95% of the crypt services on the market are useless dummies that badly overcharge.
* The difference between "unique" and "public" stub.
* What is the difference between scantime and runtime?
* Runtime - why is it not quite a crypt and not quite a simple matter?
* Loading a file in the browser
* Smartscreen
* What to do in the end and how to solve the issue with crypt?
* And much, much, much more!

The article is based strictly on the rich empirical experience of working with the extraction of logs and, as a result, crypts of various kinds of files. As a result, I had to completely abandon public services, then private services, and then plunge headlong into the ins and outs of this niche. I'll just introduce you to the results in this article.

Who is this article useful to:
* For complete beginners, to immediately understand the big picture of the world and pitfalls.
* Experienced people who are already tired of paying God knows how much for something that either does not work at all or works crookedly.
* Cryptors who have decided to raise the level of their service (who knows, maybe there are some here).

Who should pass by:
* Mom's warriors and monkeys who are 200% sure of themselves: nothing can be proven to you, and any information that does not fit your pigeonhole way of thinking is useless to explain to you.

What is file crypt and why is it needed?

If complete newbies are reading this article, then it has to be explained from scratch. Roughly speaking, the file is encrypted so that it looks white and fluffy to antivirus software. That is, it can be downloaded and run without any consequences from that very AV.

In general, this is where the crypt's task ends. But folk legends gradually began to ascribe absolutely magical properties to it (to the crypt, that is), and by now, in 2020, the only thing a "proper crypt" supposedly does not do is cure stage 4 leukemia.

Systems of active and proactive OS defenses

We have figured out what a crypt is. Right? Now let us sort through the next question, which few people understand in general, and some aspects of it in particular. So, let's consider all the protection systems in order, from start to finish. We will go over each of the points in more detail later.

1) File loading in the browser means the "ability" of the file to pass the browser check and not trigger all kinds of alerts (the file is dangerous, the file is potentially dangerous, the file is rarely downloaded, the file is blocked, etc.). The download should simply work: the file has been downloaded and is ready to open. That's all! No other options.

2) Static antivirus scan, or ScanTime: the antivirus checks the file directly in the browser while it is being downloaded. A good crypt is responsible for passing this successfully. For some antiviruses this option can be disabled, in which case the scantime scan will not be performed.

That is, to summarize the intermediate result: in order for the file to be downloaded without problems and without alerts, 2 protection systems must be passed, the browser and the antivirus.

3) UAC - sometimes services like to show that they have implemented a User Account Control bypass. It has nothing to do with a request to open a file when downloading from a browser. In general, you do not need an extra alert, so you should be puzzled by the bypass, since it's not difficult.

4) Dynamic antivirus scan at startup, the so-called RunTime: when the file is launched, the antivirus starts actively checking it according to its algorithms. The crypt is responsible for passing this test. If the antivirus does not like something, you get nothing. We'll talk about the difference between scantime and runtime a little later. And runtime, where everything is extremely difficult, gets a separate block of the article.

5) Smartscreen is another proactive defense system that is not related to antivirus. It verifies the signature of the file and its certificate. If it does not like something, it starts asking questions like: "Are you sure you want to run the file?" The logic of its work is beyond human understanding. We will consider it separately, because you won't find information about smartscreen anywhere else.

That is, to summarize the final result: in order for the file to start without problems, 2 more protection systems must be passed, the dynamic antivirus check and smartscreen. If your build is working (many crypts kill the build's functionality), you get the long-awaited knock on the panel.

We check the quality of the crypt - step one

If you have a brain or already have experience, then it should occur to you right away that the encrypted file needs to be checked somewhere for operability and for its ability to bypass protection systems, in particular antiviruses. And while checking a file for loading is quick and easy, checking the file for bypassing antivirus protection, of which there are three dozen, is, to put it mildly, problematic.

That is why all sorts of virus checkers were invented, from the well-known VirusTotal (VT), which leaks everything to the enemy (logically, that is its job), to supposedly underground checkers that supposedly leak nothing (avchek, scanmaybin and dinchek).

The logic of the work is simple: you upload a file, tick the AV checkboxes that interest you, press the button and wait for the test results. The dinchek service (the only one) also has the ability to check runtime: you can configure the parameters and check how your file will behave when launched.

The most important note # 1 - 90% of services do not check runtime. Why? More on this later.

Critical note # 2 - you will be surprised, but most hamsters do not even know about such a parameter as runtime. Firstly, because see point 1. Secondly, because it can be checked automatically only on dinchek, and this is quite expensive (3.5 bucks one-time or a subscription from 50 dollars per week).

The most important note # 3 - I can't confirm it, but it seems avchek is leaking information "on the side". The files began to die too quickly when I was working with it. With dinchek this was not noticed.

Checking the crypt for quality - step two

Attention! ALL antivirus checkers are a global scam of the century.

Comrade, before you run off, tongue hanging out, to check your crypt on that same dinchek, read this article, especially the current paragraph, and your world will turn upside down.

So, I will not beat around the bush. If you have already visited the forums specializing in file crypt services, then you may have noticed that everywhere the measure of success is zero detections for scantime via dinchek (usually everyone uses it). Someone calls it FUD = 0, someone calls it something else, but the essence is simple: the file is checked somewhere and with a self-important look you are shown a link like "here, all zeros, take it and sign off".

Software creators usually show statistics on runtime: "We have only N detections, everything is cool and awesome."

And the whole point is that the data shown by the checkers is WRONG!

Critical Note # 4 - I don't know why, I won't lie, for I have not studied how checkers work and what algorithms they use. At least if there are detections, then the checkers are right with a probability of 80-90%. Otherwise, they are critically at variance with reality. If someone has assumptions or data, write me privately and we will talk.

It all started back in the day when antiviruses on machines detected a file that by default could not be detected, because all the checkers showed that the file was clean.

"What the hell?" I thought, and we decided to dig deeper into this issue.

1. 15 machines were created on WIN 10, on which 15 official antiviruses were installed.

2. We went through most of the well-known public and semi-public crypt services and tested them in live conditions. Precisely live: taking the file, personally pulling it through the browser onto the machine and trying to run it.

Conclusion for scantime and runtime: the discrepancy was up to 80% in the live scan.

Again. In eight cases out of 10, where the checkers showed that everything was clean, in reality a detection was observed! Especially on top antiviruses such as Avast, Node, Eset and others.

Since I can already feel that the readers' backsides and hands are starting to burn and they are ready to type angry messages about "their personal response of 90%", I will immediately make certain adjustments.

Let me give you an example:
I made, gentlemen, a crypt of my file. It loads, my dear, everything about it is glorious and blissful. I decided to download it onto my own machine. So what? An extra check won't hurt. And on my own machine I have AVAST, such a dog, it does not miss a single bit of muck. And then, gentlemen, I download the file, and it, such an infection, is detected! Well, I am no fool, I quickly do a scantime scan again: everything is clean!

I took a couple of dedicated servers on Windows 10, put AVAST there, and killed, gentlemen, half a day. Downloading: detections! Detections! And the checker shows that everything is clean!


What am I getting at: if you personally check a file on a live machine with a certain antivirus, or even on several machines with the same antivirus, and a warning about rubbish in the file keeps popping up at you, what are your conclusions? Who is right, the checker or your personal observations? I'll leave the question open.

Still disagree with me?
Then read on; I will consider this issue additionally in the section "How does everything work then with such detections?"

Checking the crypt for quality - step three

So, suppose I have shaken your picture of the world and you have decided to check my words for yourself. Then your next step is simple: you need to make or buy at least 10 machines (the top 10 antiviruses provide coverage of 90%) and personally check the encrypted build for detections. Yes, by hand. Yes, in such a painful way. But this is the only way you can be sure of the quality of the work that has been done for you!

Check the runtime in the same way. Then you will be able to see the real picture of the world and estimate the approximate losses when the file gets picked up.

And finally, nothing stops you from using checkers for an indirect assessment of the "crypt's standard of living". If detections begin to appear in dinchek after loading, then with a probability of 80-90% this is really so.

Critical Note # 5 - Why then do cryptors ignore such obvious discrepancies? My opinion is that checking this way is 1) too tedious and 2) impossible to prove to the client. For there is also the opposite situation, when a file that is clean on live machines is, for some reason, persistently shown by dinchek as infected. The client cannot prove it, and who needs that?

Critical Note # 6 - From a technical point of view, making a clean scan based on the behaviour of LIVE machines is no more difficult than making a clean scan for dinchek. But in this case, the customers' lack of understanding leads to it being easier for cryptors to feed them false data about detections. And everyone is happy.

What is the difference between scantime and runtime?

In this section, I immediately answer 2 specific questions:
* What is the process of crypting a file?
* Why are 99% of cryptors not engaged in runtime?

So. Let's keep it very simple for the sake of speed, otherwise one could sit down and write a book here.

To make a crypt, first of all you need a "crypting module", which is bought or made from scratch. Then, on the basis of this module, a stub is created (I am simplifying the explanation as much as I can, without unnecessary theory). After that you can put any monkey in front of it who will press the button and get the finished file.

Therefore, if you meet a support person who is completely clueless about the subject and swears that everyone else is stupid, then you have found the monkeys. The person was simply put there to press the button and that's it. He won't help you with anything else.

The most important note # 7 - Of course, the resulting stub will gradually start failing and will have to be cleaned, upgraded and adjusted to the changing environment, which is no longer an easy task.

Now attention!

All of the above is true ONLY for scantime. Modules that would allow files to be automatically encrypted for runtime do not exist, due to the difference in ... let's call it ... the technological nature of the process. So it turns out that cleaning the runtime is strictly manual and painstaking work.

The most important note # 8 - Due to the laboriousness and the average price of a crypt on the market (20-50 bucks), there is no point for services in cleaning the runtime. The logical question on this topic, "Why the hell do you need a clean scantime if there are 100,500 detections at runtime?", brings us to the next topic.

What is runtime?

Let's repeat. Runtime is when you run a file, the antivirus scans it and makes sure that the process is not dangerous, while the file, meanwhile, is doing its dark deeds. From this alone one can see that the process of cleaning the runtime is much more complicated than making a clean scantime. And cleaning the runtime has nothing to do with the crypt.

Runtime does not use the algorithms of the same module that is used for the scantime crypt. Again, the cleanliness of the runtime largely depends on the cleanliness of the build that your software creator makes. Runtime detection is of two types: static detect and dynamic detect.

Scantime and runtime crypting are completely different operations, lying in completely different areas! And they don't intersect in any way.

Conventionally, a crypt at runtime is done as follows:
1. Antivirus algorithms are being studied
2. Studying scanning methods
3. Weak points of scanning are found
4. The file is "cleaned up"

As you understand, any antivirus does not have a magic button "decompile a file and get into the guts", otherwise any tricks would be useless.

Therefore, when the file is launched, roughly speaking, "primary processing" of data is carried out according to the algorithms installed by the antivirus. The task of the cryptor is to identify them and bypass them. Next, the file will most likely be sent for an in-depth examination in the office. And then your crypt dies and you have to start all over again. It is precisely in this window that you need to work. For a unique high-quality crypt, it can last for many days.

Critical Note # 9 - This is why the cleanliness of the base software build becomes a critical issue. For it is a million times easier to clean up a file when the source code is available than to clean a ready-made build and remove detections at runtime.

Critical Note # 10 - Despite this, it is quite possible to remove 3-5 detections at runtime. It depends on which antivirus is detecting it. With a relatively clean build and a hand cryptor, you can bring the real runtime down to 1-3.

Why 95% of crypt services on the market are useless dummies. You asked? We answer!

I don't want to offend anyone; the post has a neutral connotation. Some have a business, others have information about this business.

So, based on the above, we take 3 points:
* The difference between checker readings (avchek / dinchek / scanmaybin) and real data. The difference can be so critical (especially if the stub is old and has not been updated for a long time) that the crypt loses all meaning as a crypt.
* The lack of a crypt for runtime. If the build itself already stinks like a rotten egg and real detections at runtime have exceeded 6-7, then what is the point of even a perfectly clean scantime crypt? The most popular 7-8 antiviruses account for approximately 80-90% of global usage.
* And of course, very few people will use an expensive unique stub (which hardly anyone will make anyway), which generally makes the crypt worthless.

Critical Note # 11 - Again, there are quite adequate services that make a scantime crypt the way I described. They take machines, put AV on them and check by hand whether it is detected or not. Unfortunately, such services rarely go public, due to the problems I mentioned earlier. No one wants to explain to stupid monkeys why checkers should not be trusted.

How to identify services / specialists you should not work with?
* When asked about runtime, he either falls into a stupor or says that this is not their problem. An adequate service will explain that they do not do this and that the software creator should monitor the cleanliness of the runtime. A cool service cleans up the runtime given an adequately clean build.
* Spits poison when reading this article and says that this is all lies and slander.
* When asked "Why is such a supposedly clean crypt detected on a live machine?" begins to behave inappropriately and starts flinging shit.

A logical question: why then do installs come in and people work with them? Some are even quite successful.

This is a good question and I think it is imperative to sort it out!

First of all, let's define a critical nuance. Do you get installs from your traffic or do you buy them?

In the first case, you will hear the widespread story: "It is useless to send traffic to an exe file, no one downloads it, it's all bullshit, this is last century." Or you hear a lot of sad stories about the low conversion rate. Or you hear how hard it is to push files, because "the conversion is disappointing." This is logical: such a crypt will cut almost the entire conversion rate by 5-10 times. Believe me, a good landing page for porn traffic will give 10-15% conversion as native. With good traffic, of course. But instead of 10-15 installs from 100 clicks, you will get 1-2-3 installs with difficulty.

When buying installs, the picture is different. First of all, most of the traffic there is motivated. And shkolota will not care about any antivirus alerts and will actively install software in the hope of cheats for CS or GTA. Otherwise, it is the so-called "survivorship bias".

Critical Note # 12 - Look at the desktop screenshots of your installs. You will see that most of the machines are either not protected at all or have an antivirus of unknown origin. You will rarely see logs with antiviruses such as Eset, Avira, Comodo, Avast, etc.

Critical Note # 13 - In the process, if you sincerely think your crypt is good, then you have most likely already fallen into survivorship bias. Google it, take a look. Perhaps this will help you look at the "picture of the world" from a different angle.

The difference between "unique" and "public" stub

As I already wrote, from the point of view of shkolota and other sudra, the only thing today's crypt does not do is cure the last stage of cancer. It also grants enlightenment and generates bitcoins every day. Cryptors get fed up with people like that, and the public market loses its last adequate professionals.

First of all, a "unique stub" means one made individually for the software you need. For those who have not yet understood: module - stub - crypt. Thus, suppose the cryptor "created" a unique stub for a specific client, based on the readings of "live machines", and brought it to FUD = 0 on scantime. Then you can take the build, stuff it into a password-protected archive, hold it for a week in the cloud, then take it out, check it, and it will still be FUD = 0.

Critical Note # 14 - Don't forget that a check on a live antivirus kills crypts. This method is used ONLY to check the quality of the crypt service, not for constantly checking the encrypted build.

In turn, the public "stub" is made according to the principle of one for all. And the lifespan of such a crypt is extremely limited. Therefore, it is usually done immediately before distribution, in the hope that it does not die in 5 minutes.

The most important note # 15 - This is quite an adequate option for those who buy installs and are confident in the speed of the run. The lifespan of a public stub is random.

Well, you need to understand that a high-quality unique stub for your software usually has a price tag for monthly rent with unlimited file crypts, because nobody cares how many times you are going to use it. Price from 1K and up.

File loading in the browser
This is where the path of your earth file begins. Ideally, there should be no alerts a la - the file is dangerous, the file is potentially dangerous, the file is rarely downloaded, the file is locked. Otherwise, you can forget about 99% of the sound.

First of all, you need to understand two basic things:
* Whether the file loads in the browser DOES NOT DEPEND on the crypt! The opposite is also true: even the best crypt will not help the load! For these are two different things. Completely different.
* The browser check and the antivirus check of a file are two different checks.

Critical Note # 16 - Once again. First, while the file is being downloaded, the browser checks the file (especially when the file is loading and the download icon is blinking and spinning). Then, after downloading, the antivirus starts checking the file (if this module is active).

Preparing a file for loading in a browser is a complex and multifactorial task. And the ways to solve it, of course, no one is going to share.

As a bonus, Google also does not stand still and constantly introduces new conditions. In general, to solve the problem, you need to have at least:
1. Certain signature / signature
2. Certificate
3. Crypt (well, this is already logic - for a clean build is better not to fire in Google)
4. Pure IP domain and hosting

That is, as you have noticed, crypting the file and preparing an already encrypted file for loading in the browser are completely different tasks. An adequate cryptor with straight hands can help with this problem, but usually does not want to. Why? Thank the schoolchildren, who began to demand this almost with claims and hysterics.

Critical Note # 17 - Crypt is crypt. Load is load. Do not mix everything together. Each task requires a separate solution.

Smartscreen

The last line of defense of Windows 10. The headache of the den. And the thing of questionable usefulness for the average user.

What is its theoretical essence?
Apparently, the system was supposed to check the certification of files and block files without a trusted certificate.

What happens in fact?
In fact, smartscreen works like a drug addict on a mixture of DMT, LSD and fly agaric. It blocks good files and lets bad ones through. It pays no attention to untrusted files and swears at files with a valid signature. Moreover, it is completely random.

What is the problem?
On average, about 30% of machines show the smartscreen prompt "Do you want to install this file? The signature could not be verified." It cuts the conversion rate quite a bit ...

How to get around it?
Alas, there are no guaranteed workarounds. An ordinary valid certificate does not completely solve the problem. As practice has shown, using a valid certificate, which sells for 200-300 bucks, reduces the appearance of the window by about 1.5-2 times. Is it worth the money? Everyone decides for himself.

Critical Note # 18 - There are situations when smartscreen does not pass a file that has a valid license or digital signature, officially bought with hard-earned money. This is because there are too few downloads of this file. Cheating won't help, don't bother trying. It is officially believed that the extended developer license helps. And there are also situations when a file without a certificate or signature opens without question. Some AVs, when opening a file, act exactly according to this scheme, even if it is crystal clean.

How to resolve the issue?
Again, either just accept it, or use a valid certificate. You can try to buy one yourself; this will save a lot of money. At Comodo it costs only $80-90. Go for it.

Pricing policy
I will just give my own thoughts on this subject, again from personal experience. Maybe it will help someone.

Price for a public crypt (scantime): $10-50. In principle, the price depends on the algorithm used and the cleanliness of the scantime. By buying a crypt for $10, you get the corresponding quality. The more expensive the crypt, the better the quality. As practice shows, there are still cryptors left who make a normal and adequate public crypt.

In general, there is a golden rule: a crypt for 10-15 bucks is not a crypt but a useless imitation.

Also check: for many, the price of the crypt (the ones costing $30-50) may include help with loading. At least it used to, until Google finally tightened all the screws.

Price for a unique crypt (scantime + runtime): here you need to understand 2 variants of the situation. First of all, a cryptor who can make a unique stub can also clean the runtime. But this does not belong to the crypt! Once again: runtime has nothing to do with the crypt! And the service will most likely have to be provided jointly. Usually, a one-time crypt with a unique stub costs about $100-150 plus runtime cleaning. Monthly rent of a unique stub for yourself costs 1-2K.

Critical note # 19 - the price of a unique stub is based on labor costs. Who do you think is going to buy such an expensive module, then create a stub, debug it, clean it, all in order to sell you a crypt for $40-50? There are no such idiots. If you think there are, then most likely you are the idiot.

Critical note # 20 - if you are offered a unique stub for too little money, then this is an ordinary scam. Don't fall for scammers. A crypt is either cheap and simple, or expensive and complex. There is practically no middle ground here.

Price for help with loading: by today's standards, $20-40, taking into account that preparing a file is not the fastest job, is in principle an adequate price. Another thing is that the task is tedious enough that the money is hardly worth it. On the third hand, you can always come to an agreement. An extra coin won't hurt anyone.

What to do in the end?

Correcting myself, I offer as many as 2 options to choose from:

1) We stock up on money and popcorn and go looking for all the cryptors on the market. We make a list. We find out what each one uses to check the scantime. We check the crypts on live machines ourselves. If there is no discrepancy, congratulations! If there is, we try to negotiate and provide evidence. If you weren't told to fuck off, congratulations! If you were, we keep looking.

Critical Note # 21 - Digging through the shit usually yields results! Do not give up. There are adequate cryptors, they just need to be found.

2) We look for a technical partner who understands the basics of this whole mess, or who has the skills to figure it out. I assure you there are many good and smart guys who also sit on the forums and are looking for an opportunity to join or create a team.

The most important note # 22 - by this time you need to have at least some base. If you don't know anything yourself, don't know how to do anything and don't have anything, then exactly the same kind of riff-raff will latch onto you. Do you need that?