by curtisblaine 737 days ago
> I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But more sophisticated detection means bigger payload (making the malware easier to detect) and more complexity (making the malware harder to make / maintain), so mission accomplished.


Not by much. Probably less effort than you're putting in trying to avoid the malware, so it's a net loss.

The more scarecrow is installed, the easier it gets for real security researchers to hide from these checks and detect viruses. So actually the dynamic helps security research.

That's not how this works.

Nope, just check the process executable's digital signature - pretty simple.

“Sophisticated” detection can be as simple as checking rss and pcpu; the bullshit decoy processes probably aren’t wasting a lot of CPU and RAM, otherwise you might as well run the real things; if they are, well, just avoid them, who cares. So no, it’s not going to meaningfully complicate anything.

Wouldn't that be more fragile though? CPU usage is not constant in time, so if - again - you're not sophisticated enough, you get more false negatives / positives, depending on which side of the heuristic you err.

This is only useful for dragnet malware targeting the masses, where false positives/negatives have low impact to begin with. High value targets can run the real programs if this is proven to have any effect — the average corporate IT can approve some more bloat for security, no problem. Also, you take a sample.