Real-time Protection

Derek0027 · #1 June 3rd, 2009, 05:02 PM

Hello,

Does anyone know why new (undetected) malware is able to slip by most anti-virus real-time protection?

larryb52 · #2 June 3rd, 2009, 08:46 PM

because they do & can, nothing is 100% perfect...

Peter2150 · #3 June 3rd, 2009, 09:20 PM

Quote:

Originally Posted by Derek0027

Hello,

Does anyone know why new (undetected) malware is able to slip by most anti-virus real-time protection?

Because until the AV companies get it and add signature, they can't detect it.

Derek0027 · #4 June 3rd, 2009, 10:06 PM

Quote:

Because until the AV companies get it and add signature, they can't detect it.

So the protection modules don't have the ability to recognize unknown malware files by themselves? That seems very risky. How can I protect my system if the AV can't analyze an unknown malicious file?

bellgamin · #5 June 4th, 2009, 12:31 AM

Quote:

Originally Posted by Derek0027

So the protection modules don't have the ability to recognize unknown malware files by themselves? That seems very risky. How can I protect my system if the AV can't analyze an unknown malicious file?

Most AVs have heuristics, which enable them to detect many (not all) of the malwares for which they do not yet have signatures.

In addition to using AVs, some users (myself included) also use HIPS applications, such as Mamutu (a behavior blocker) and Malware Defender (a "classical"), which can further alert users to malware which gets by their AV.

However, IMO the "ultimate protection" is to periodically image your system drive.

andyman35 · #7 June 4th, 2009, 08:14 AM

Quote:

Originally Posted by Derek0027

So the protection modules don't have the ability to recognize unknown malware files by themselves? That seems very risky. How can I protect my system if the AV can't analyze an unknown malicious file?

That's why many users here adopt a default deny policy based on whitelisting,whereby only known good executables are allowed to run and everything else is treated with suspicion.

twl845 · #8 June 4th, 2009, 09:02 AM

This is why apps like Returnil and Shadow Defender, not to forget Sandboxie are superior for prevention.

Derek0027 · #9 June 4th, 2009, 10:18 AM

Based on your comments, it sounds like an AV is not enough anymore by itself no matter what brand it is. I wonder why it is still the dominent method in determining if a file is rogue. For example, there are many virus upload sites like VirusTotal that use several name brand AV programs that scan the file(s) for recognition. Sometimes you'll see 2 or 3 that detect, other times more, other times zero. It seems that this is still the security model being used to find out if a file is bad.

TonyW · #10 June 4th, 2009, 10:31 AM

Quote:

Originally Posted by Derek0027

It seems that this is still the security model being used to find out if a file is bad.

It's not the only method, but you have to remember scanning sites like virustotal often use older scanning engines and cannot be compared to having the actual product installed on your system which will use newer scanning engines and incorporate other technologies too.

Fly · #11 June 4th, 2009, 07:19 PM

Quote:

Originally Posted by Derek0027

Hello,

Does anyone know why new (undetected) malware is able to slip by most anti-virus real-time protection?

Maybe this will give you some insight ?

http://www.eset.com/download/whitepa...c_Analysis.pdf

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search