How do malware detectors work?

[ChrisGreaves]

I think that when I download a ZIP file to my Win10 laptop that malware detectors hunt for Bad Code.
Likewise, I think that when I download an APK file to my Android phone that malware detectors hunt for Bad Code.

But when I use my laptop to d/l an APK file, what can the Win10 malware detector know about an esoteric language that runs on the Android platform?
And likewise, when I use my phone to d/l a ZIP file, what can the Android malware detector know about an esoteric language that runs on the Win10 platform?

In these cross-platform d/l scenarios I later on use a USB cable to drag the file from one platform to another.
Perhaps a good malware detector does the check at that time? If not, then I have been living dangerously!

Thanks
Chris

[StuartR]

Most malware detectors simply scan downloaded files for specific known malware patterns, they have no need to understand how the code might execute.

Some malware detectors detect unusual behaviour from running programs, and these will obviously only detect things running on the correct platform.

And finally you should only ever download Android apps from a well-known app store that does the malware scans for you. If you have enabled installation from .apk files that you download from other places then you are taking a huge risk.

[BobH]

Does zipping a file thwart - or at least confuse - malware sniffers? How about encryption?

[Argus]

Not really. ZIP files and similar should be no problem for AV. Can't find at the moment, but think I did a test with ZIP within ZIP etc.
As it is, in an archive, it's not a direct threat; when you try to interact with the archive the AV should react. If you try with a zipped eicar test file (a test dummy file), you will notice that real time scanning doesn't object during download or when opening file manager for the location. But as soon as you try to open the ZIP file the AV steps in. Encryption is a different matter, then it can't be detected since there are no patterns to recognise, as Stuart mentioned. But then it shouldn't be a threat.

[StuartR]

Most antivirus products will scan inside ZIP files, and some will even scan inside doubly zipped files.
You can test how well your antivirus software does this by downloading the EICAR test file, zipping it, zipping it again, and then copying it to the computer you want to test. That download site even includes zipped and doubly zipped versions for you to try.

I just tried this and Windows Defender blocked access.

EICAR error 1.png

EICAR error 2.png

[ChrisGreaves]

Most malware detectors simply scan downloaded files for specific known malware patterns, ...

Thanks Stuart.
My understanding now is that, in essence, a malware detector is looking for signature bit-patterns, regardless of platform, from all sources, so that executables destined for any platform can be checked against a list of "all known malicious bit-patterns to date".

Further I now see that there are different events that could be monitored by malware detectors:-
(1) download from the internet
(2) local file creation (which would include file-copying across platforms, unpacking a packed (zip) file, and so on
(3) calls to load and execute a file on the host platform.
(4) transfer across a LAN/WAN/WiFi network

That is (in my example), four different "armed forces" ready to spring to defence.

Thanks
Chris

[ChrisGreaves]

... Encryption is a different matter, then it can't be detected since there are no patterns to recognise, as Stuart mentioned. But then it shouldn't be a threat.

Thanks Argus.
Again, if I understand this, i could send you an encrypted EXE file which (having shuffled the bits) would slip by an examination of the file, but would be harmless until you decrypted the file (from a MyProgram.greaves to a MyProgram.exe), and then the armed force in charge of monitoring requests to load and execute a program would rise to deal with it.
Does that come close?

If so, that would explain why, years ago, a copy of my utility template UW.dot, caused terror on a McAfee-protected local computer. A VBE-created bit pattern must have been identical to a pattern on a McAfee list

Thanks
Chris