
Totally disappointed by all AVs


pandlouk
October 22nd, 2008, 10:46 PM
An hour ago I was in the mood to test the detection of a new(?) trojan dropper. And I must confess that it was a total failure of all AVs (based on VirusTotal results).

You will say that "this is common with Zero Day Attacks", but before you do, let me explain that all of them detected some of the malicious files and at the same time all of them failed to protect the PC and the user.

How did this happen?
Well, this dropper uses multiple worms & trojans to infect the system and installs its own drivers.
But what is even more interesting is the scheme that it uses for installing one specific trojan:
First it creates a trojan dropper (1st) that will create 2 different samples of the trojan.
If the AV stops the trojan dropper, it will create another one (2nd), and if this one fails it will create another variant (3rd) and guess what? If all the above 3 fail it will create a 4th variant.
And each of those four variants of the trojan dropper will create 2 different samples of the same trojan (for a total of 8).

None of the antiviruses included in VirusTotal identified all the 4 different droppers and none of them identified all the 8 variants of the trojan. But all of them identified at least one variant of the trojan.

This means that the user will be convinced that his antivirus protected him from being infected but in reality his PC got infected. :ouch: :wacko:

And to conclude, this proves that all those AV detection tests are flawed by design. Because even if the AV X (your favorite one) detects 7/8 of the variants, it will be the winner of the test, but that does not mean that it will protect you better than the others. In reality they all failed the test. ;) :P

Panagiotis

edit:
I am disappointed by the AVs because if they collaborated between them, and used a common database, all the users would be protected...
But the money and the publicity of the AV tests have the priority....

EASTER
October 22nd, 2008, 10:59 PM
That limitation is exactly why a well crafted HIPS is superior in many respects in comparison since you can use them to guard against malware signalling to "create, delete, read, modify", any area you predetermine as a potential landing strip for these creeps.

I still use an AV (NOD32) but only for on-demand usage; but in a predicament like you explained, it wouldn't be much use without some form of pro-active preventive measures. And that's what makes HIPS, and now Behavioral Blockers to some extent, vital equipment against those types of malware.

The_1337
October 22nd, 2008, 11:19 PM
AV socialism, now that's a new one.

thathagat
October 22nd, 2008, 11:34 PM
well......that's something new for the av vendors to chew on...till then smart ass malware will chew our so called protected PCs :dry:

RejZoR
October 23rd, 2008, 01:54 AM
Well, most AVs now go beyond just scanning the files.
Most of them also track application behavior, they scan accessed HTTP addresses, block known malware-spreading URLs etc.
Many of these countermeasures only work in real-time mode, so VT isn't the most accurate tool to rate the effectiveness of the AVs.

tiinkka
October 23rd, 2008, 03:35 AM
So unless the hand holding the mouse has infinite trust in the integrity of the program being installed, then all the behaviour blockers and HIPS in the world are a waste of time. Cos the ignore button will always be the default option. For such a situation imaging is really the only position of relative safety, and only if your AV of choice stays ahead of the game.

aigle
October 23rd, 2008, 03:39 AM
Try it with TF plus an AV.

TonyW
October 23rd, 2008, 03:49 AM
-{ Quote: "I am disappointed by the AVs because if they collaborated between them, and used a common database, all the users would be protected... But the money and the publicity of the AV tests have the priority...." }-
No, not just the tests. The AV companies themselves and their marketing departments.

I dared suggest ages ago that the samples detected by one AV could be shared with another AV that apparently missed them and vice versa. I got a stern look from a representative from one such AV; they don't or won't do that, and one can see the reasons why. In an ideal world, they should be shared so all users can benefit irrespective of which AV they use, but it's not gonna happen, is it?

The Hammer
October 23rd, 2008, 05:05 AM
-{ Quote: "No, not just the tests. The AV companies themselves and their marketing departments.

I dared suggest ages ago that the samples detected by one AV could be shared with another AV that apparently missed them and vice versa. I got a stern look from a representative from one such AV; they don't or won't do that, and one can see the reasons why. In an ideal world, they should be shared so all users can benefit irrespective of which AV they use, but it's not gonna happen, is it?" }-
Yes, it does happen, at least to a degree. AV companies have shared samples for some time now, or so I've been told.

Medank
October 23rd, 2008, 10:26 AM
-{ Quote: "An hour ago I was in the mood to test the detection of a new(?) trojan dropper. And I must confess that it was a total failure of all AVs (based on VirusTotal results).

You will say that "this is common with Zero Day Attacks", but before you do, let me explain that all of them detected some of the malicious files and at the same time all of them failed to protect the PC and the user.

How did this happen?
Well, this dropper uses multiple worms & trojans to infect the system and installs its own drivers.
But what is even more interesting is the scheme that it uses for installing one specific trojan:
First it creates a trojan dropper (1st) that will create 2 different samples of the trojan.
If the AV stops the trojan dropper, it will create another one (2nd), and if this one fails it will create another variant (3rd) and guess what? If all the above 3 fail it will create a 4th variant.
And each of those four variants of the trojan dropper will create 2 different samples of the same trojan (for a total of 8).

None of the antiviruses included in VirusTotal identified all the 4 different droppers and none of them identified all the 8 variants of the trojan. But all of them identified at least one variant of the trojan.

This means that the user will be convinced that his antivirus protected him from being infected but in reality his PC got infected. :ouch: :wacko:

And to conclude, this proves that all those AV detection tests are flawed by design. Because even if the AV X (your favorite one) detects 7/8 of the variants, it will be the winner of the test, but that does not mean that it will protect you better than the others. In reality they all failed the test. ;) :P

Panagiotis

edit:
I am disappointed by the AVs because if they collaborated between them, and used a common database, all the users would be protected...
But the money and the publicity of the AV tests have the priority...." }-


I get NEW samples every day that are undetected by all AVs out there; even if the AVs have written a generic or heuristic signature for it, the next day the NEW sample is again undetected. But I am not mad just for that; there is nothing to do except try to help your favourite AV and submit samples to them.
:dry:

kwismer
October 23rd, 2008, 10:39 AM
-{ Quote: "An hour ago I was in the mood to test the detection of a new(?) trojan droper. And I must confess that it was a total failure of all AVs (Based on Virus Total results)." }-

if you're testing using virustotal then the failure is yours...

-{ Quote: "You will say that "this is common with Zero Day Attacks", but before you do, let me explain that all of them detected some off the malicious files and at the same time all of them failed to protect the pc and the user." }-

stop pretending any single technology (known-malware scanning or otherwise) can protect you completely... no technology can and anyone who tells you different is trying to sell you snake oil...

you tested technology designed for known threats against threats that are new enough to not be known - that means you were trying to use the wrong tool for the job...

-{ Quote: "And to conclude, this proves that all those AV detection tests are flawed by design. Because even if the AV X (your favorite one) detects 7/8 of the variants, it will be the winner of the test but does not mean, that it will protect you better than the others. In reallity they all failed the test. ;) " }-

if the av detects the original dropper it will prevent it from running and therefore prevent it from dropping any of the other 8 trojans, thereby protecting the user...

-{ Quote: "I am disapointing by the AVs because if they collaborated between them, and used a common database, all the users would be protected... " }-

i can't begin to tell you how ridiculous that sounds... collaboration takes time and you're dealing with malware new enough to have not been properly dealt with yet...

they share malware and so as a result they are all drawing on a common pool of samples... they can't all share the same signatures because that would require them to all use the same engine, which means there would technically only be 1 product... that would represent a technological monoculture and would be even worse for the computer user population...
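The scoring problem raised in the original post and in the reply above (a scanner that flags 7 of 8 trojan samples wins a per-file comparison, while one that only stops the original dropper is the one that actually keeps the machine clean) is easy to make concrete. The following is an added example, not code, data or results from this thread or from any product named in it. It models the chain the first post describes (a root dropper, four fallback sub-droppers, two trojan samples each) with constructed placeholder file names, and it assumes one rule the post does not spell out: the next sub-dropper runs whenever a stage installs nothing, whether the dropper itself or both of its samples were blocked. It reports both the VirusTotal-style per-file rate and the outcome that matters to the user.

```python
"""Toy model of a fallback dropper chain versus per-file detection scoring.

Added example: the chain, the file names and the three modelled products
are all constructed for illustration; nothing here comes from the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    """One fallback sub-dropper and the two trojan samples it writes."""
    dropper: str
    samples: tuple


# Constructed names; the thread gives no hashes or real file names.
ROOT = "root_dropper.exe"
CHAIN = tuple(
    Stage(f"dropper{i}.exe", (f"trojan{i}a.dll", f"trojan{i}b.dll"))
    for i in range(1, 5)
)
# 1 root + 4 sub-droppers + 8 samples = 13 artifacts a multi-scanner would list.
ALL_FILES = (ROOT,) + tuple(
    name for stage in CHAIN for name in (stage.dropper, *stage.samples)
)


def file_detection_rate(detected):
    """Fraction of the 13 artifacts flagged: what a per-file scan table reports."""
    return sum(1 for name in ALL_FILES if name in detected) / len(ALL_FILES)


def simulate(detected):
    """Walk the chain against a scanner that blocks every file in `detected`.

    Assumption (the post is not explicit): the chain falls back to the next
    sub-dropper whenever a stage installs nothing, either because the dropper
    was blocked or because both of its samples were.
    Returns (infected, trace) where trace lists what happened at each stage.
    """
    trace = []
    if ROOT in detected:
        trace.append(f"{ROOT}: blocked, chain never starts")
        return False, trace
    for stage in CHAIN:
        if stage.dropper in detected:
            trace.append(f"{stage.dropper}: blocked, falling back")
            continue
        surviving = [s for s in stage.samples if s not in detected]
        if surviving:
            trace.append(f"{stage.dropper}: ran, {surviving[0]} installed")
            return True, trace
        trace.append(f"{stage.dropper}: ran, both samples blocked, falling back")
    trace.append("all sub-droppers exhausted, nothing installed")
    return False, trace


ALL_SAMPLES = frozenset(s for stage in CHAIN for s in stage.samples)
PRODUCTS = {
    # Flags 7 of the 8 trojan samples (misses trojan3b) and none of the droppers.
    "AV-A (7/8 samples)": ALL_SAMPLES - {"trojan3b.dll"},
    # Flags only the original dropper.
    "AV-B (root only)": frozenset({ROOT}),
    # Flags the four sub-droppers but neither the root nor the samples.
    "AV-C (sub-droppers)": frozenset(stage.dropper for stage in CHAIN),
}


def scoreboard(products=PRODUCTS):
    """Return [(name, per-file rate, infected)] for each modelled product."""
    return [(name, file_detection_rate(det), simulate(det)[0])
            for name, det in products.items()]


if __name__ == "__main__":
    for name, rate, infected in scoreboard():
        verdict = "INFECTED" if infected else "protected"
        print(f"{name:22} per-file rate {rate:4.0%}   outcome: {verdict}")
        for line in simulate(PRODUCTS[name])[1]:
            print("    " + line)
```

Run as a script, AV-A tops the per-file table at 7/13 yet leaves the machine infected, AV-B scores 1/13 and protects it, and AV-C (4/13) protects it only because the modelled chain has a finite number of fallbacks. Extending `PRODUCTS` with other detection sets, or adding stages to `CHAIN`, lets you check how a per-file rate and the real outcome diverge for other mixes of dropper and payload detections.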

kwismer
October 23rd, 2008, 10:44 AM
-{ Quote: "I dared suggest ages ago that the samples detected by one AV could be shared with another AV that apparently missed them and vice versa. I got a stern look from a representative from one such AV; they don't or won't do that," }-

******** - they do it now and they've been doing it for decades... the companies themselves might not do it, but the people working within the companies absolutely do... look up CARO (computer anti-virus research organization) one of these days, i think you'll be surprised...

TonyW
October 23rd, 2008, 11:05 AM
-{ Quote: "******** - they do it now and they've been doing it for decades... the companies themselves might not do it, but the people working within the companies absolutely do..." }-Perhaps they do now, but when I brought this up a few years ago in a discussion (posts #18-21) (http://www.wilderssecurity.com/showthread.php?p=584994#post584994) regarding missed samples between NOD and KAV, the impression I got was that one cannot expect an employee of one company to submit the samples they detect that the other doesn't. Bravo if they do that now.

tiagozt
October 23rd, 2008, 11:23 AM
I understand your frustration. I have my TOP3 AVs (Avira, F-Secure, Kaspersky) but I always expect something more.
If possible, send me the results of your tests (VT links, methods and, if you don't care, the samples too - you can upload to 4shared or other sharing service and tell me the link).
tiagoderevkoATgmailDOTcom
Best regards.

Inspector Clouseau
October 23rd, 2008, 11:57 AM
It is up to each company's own responsibility to organize new samples. There are really enough ways to organize samples; the shortest way is just to send someone an email and ask for a specific type you still need. For all other cases you can join distribution lists of new malware. So the claim that AV vendors do not exchange samples (or did not in the past) is a claim without any substance.

This whole exchange thing also depends on the relationships between companies, and not every company has exactly the same good contacts in other companies / countries.

AV companies do have competition, yes, but most of them have learned that it doesn't make sense to hide samples in order to gain a market advantage with press releases aka "We're currently the only one who detects that" style.

kwismer
October 23rd, 2008, 12:40 PM
-{ Quote: "Perhaps they do now, but when I brought this up a few years ago in a discussion (posts #18-21) (http://www.wilderssecurity.com/showthread.php?p=584994#post584994) regarding missed samples between NOD and KAV, the impression I got was that one cannot expect an employee of one company to submit the samples they detect that the other doesn't. Bravo if they do that now." }-

CARO has existed since the very early 90's (at least)... i think someone gave you the wrong impression about sample sharing when you brought it up before...

C.S.J
October 23rd, 2008, 12:55 PM
I like Medank's post, described myself.

there have always been places to find undetected samples, antivirus companies will add whatever samples they believe to be a real threat, ones that are in circulation.

bellgamin
October 23rd, 2008, 03:35 PM
-{ Quote: "Try it with TF plus an AV." }-Yes!!! Or try it with Mamutu + AV. In other words, behavior blocker + AV is a great combination (TF & Mamutu are BehaviorBlocker-HIPS).

Further -- several AVs now include a built-in HIPS. IMO, VirusTotal's tests do not give effect to the full-power of those AVs.

Medank
October 23rd, 2008, 08:14 PM
-{ Quote: "I like Medank's post, described myself.

there have always been places to find undetected samples, antivirus conpanys will add whatever samples they believe to be a real threat, ones that are in circulation." }-

really? wow:o
thanks that you liked my post :wacko:

pandlouk
October 27th, 2008, 11:10 AM
Update.

- I tested most of the well-known AVs against this one and all failed to prevent the infection.

- Threatfire intercepts most of the actions but it will eventually cause a BSOD. (will not prevent the infection but it gives it a hard time). ;D

- Sandboxie successfully protects the system. (I am more and more impressed by this little app). :thumb:

- LUA with strong group policies will prevent most of the infections (as long as it is not executed as an administrator). An antivirus should be able to handle the remaining files/startup entries that infected the limited account.

- Shadow Defender, Returnil and similar applications will eliminate the infections at boot time.

- ThreatFire + LUA prevented all the infections. :thumb:

Panagiotis

trjam
October 27th, 2008, 11:13 AM
-{ Quote: "Update.

- I tested most of the well-known AVs against this one and all failed to prevent the infection.

- Threatfire intercepts most of the actions but it will eventually cause a BSOD. (will not prevent the infection but it gives it a hard time). ;D

- Sandboxie successfully protects the system. (I am more and more impressed by this little app). :thumb:

- LUA with strong group policies will prevent most of the infections (as long as it is not executed as an administrator). An antivirus should be able to handle the remaining files/startup entries that infected the limited account.

- Shadow Defender, Returnil and similar applications will eliminate the infections at boot time.

- ThreatFire + LUA prevented all the infections. :thumb:

Panagiotis" }-
Then ShadowDefender and Returnil did the same as Sandboxie. It may have been allowed to run, but in a virtual environment, so it actually never touched your OS.

pandlouk
October 27th, 2008, 11:35 AM
-{ Quote: "Then ShadowDefender and Returnil did the same as Sandboxie. It may have been allowed to run, but in a virtual environment, so it actually never touched your OS." }-
Not exactly. With Sandboxie the system remained intact. You only have to delete the sandboxed files.
With SD, Returnil, etc., your system gets infected and until you reboot you are vulnerable. But yes, in the bottom line the result is the same.

Panagiotis

trjam
October 27th, 2008, 11:43 AM
Not trying to be a pain here pandlouk, but isn't your system infected too with Sandboxie until you close it? FYI, I like Sandboxie too.

aigle
October 27th, 2008, 11:48 AM
-{ Quote: "Update.

- I tested most of the well-known AVs against this one and all failed to prevent the infection.

- Threatfire intercepts most of the actions but it will eventually cause a BSOD. (will not prevent the infection but it gives it a hard time). ;D

- Sandboxie successfully protects the system. (I am more and more impressed by this little app). :thumb:

- LUA with strong group policies will prevent most of the infections (as long as it is not executed as an administrator). An antivirus should be able to handle the remaining files/startup entries that infected the limited account.

- Shadow Defender, Returnil and similar applications will eliminate the infections at boot time.

- ThreatFire + LUA prevented all the infections. :thumb:

Panagiotis" }-
Thanks for testing.

Murderlove
October 27th, 2008, 12:55 PM
Thank you for your tests.
-{ Quote: "- LUA with strong group policies will prevent most of the infections (as long as it is not executed as an administrator). An antivirus should be able to handle the remaining files/startup entries that infected the limited account.
Panagiotis" }-

Lately I am looking more into LUA with SuRun, and find it to be very interesting. So far I have applied the simple SRP: http://www.mechbgon.com/srp/ and ran kafu.exe.
What would you consider strong group policies? Could you give examples?

TechOutsider
October 27th, 2008, 06:57 PM
Well, with antivirus engines there are a variety of ways to configure them. I find that Symantec, on VirusTotal, misses a lot of samples; however, with my copy of NIS09, it generally nabs the majority with "aggressive" heuristics.

circlemoon
October 29th, 2008, 11:49 PM
Running the OS in RAM as a virtual image is one method to avoid virus infection. Once it occurs, just reboot the computer and all viruses will be destroyed because it is only a virtual image.

icr
October 30th, 2008, 02:14 PM
Why not use Sandboxie? It's a very good program.

TechOutsider
October 30th, 2008, 09:47 PM
-{ Quote: "Running the OS in RAM as a virtual image is one method to avoid virus infection. Once it occurs, just reboot the computer and all viruses will be destroyed because it is only a virtual image." }-

Will the virus be able to circumvent this in any way? E.g. by copying itself to the hard disk and executing upon reboot.

circlemoon
October 31st, 2008, 01:38 AM
It can be avoided by disconnecting the hard disk after the OS is booted up to run in RAM.

EASTER
October 31st, 2008, 03:13 AM
I used to be thoroughly fed up with AVs and felt vindicated from my distress with them when HIPS entered the security scene. I never got on the ProcessGuard bandwagon back when it was extremely popular but now see the usefulness of it.

It took KIS6 before I finally began to regain some confidence that I just might be able to run an AV resident again for the first time since Windows 98 and AVG6.

Now that I have tried Avira I can see plenty of improvement has gone into AV development to make them as "lite" as possible without sacrificing functionality.