Epic detection!

Discussion in 'other anti-virus software' started by PiCo, Jan 16, 2009.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    All that seems to have happened is that

    1) AVG didn't have a signature for the virus at the time it got into the system
    2) AVG didn't have a behavior blocker that stops programs writing to the AVG folder.

    Why is there so much fuss around this?

    • This could happen to any AV
    • Why is having this virus in the AV folder any different than malware hiding in the system32 folder?

    Having a behavior blocker protect certain folders may have unintended consequences, and the mainstream user wouldn't want to deal with this.
     
  2. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Because this is Wilders', so my AV is better than yours and it's an opportunity to bash a product you probably don't like. :D
     
  3. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Most likely is that AVG, as with any other AV, did not scan as deeply when the file was copied to AVG's folder. An extended/deep/aggressive heuristic scan of every single disk activity can put quite a drain on system resources. Deep scans are left to the on-demand scanner.

    How do you know if it wasn't packed?

    -----
    However, the AVG folder should be kept as read-only, as a most basic form of security. Surprised that AVG did not do that by default ...
     
  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I can't know it for sure, but it's likely it wasn't (that's why real-time scanners usually don't include them in detection). One thing is for sure: the user didn't extract something in AVG's folder (why would he do that?). So even if it was packed initially, once unpacked and ended up in AVG's folder, it was active as an exe, hence AVG's real-time scanner must have accessed it and failed to identify it. Packer or no packer, an exe was written into AVG's folder and was obviously active; shouldn't AVG's real-time scanner scan that? Twister scans exes on the fly as they are extracted from a zip; I can't believe that AVG simply lets exes be written here and there without bothering to see what they are.
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Some folks seem to define "average user" as being synonymous with "ignorant/feckless user."

    The "average automobile driver" must learn basic safety rules, else they shall die. The same is true for "average internet users" -- learn basic security or die.

    A HIPS job is to WARN users of possible nastiness for which blacklisting is not yet available. We must all learn to react prudently to many kinds of warnings in our lives -- hurricane warnings, flood warnings, wailing sirens, flashing yellow lights, security app pop-ups, etc.

    If someone chooses to remain ignorant of what to do when warned, then bend over, grab both ankles, & have a nice ride. Wheeee! :argh:
     
  6. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Depends on just how deep AVG's real-time scanner scans.
     
  7. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    Not sure how old the signature was, but it may simply be that it was dropped before AVG added a detection, and if the file was inactive, then there's a higher chance AVG won't detect it until the following scan.
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    OK, either they have a problem which is much bigger and concerns their resident scanner, or they missed a signature when the infection happened. I hope for them it's the second one. Because that user, packed or unpacked, got infected successfully. Meaning, the payload was delivered and activated (that's what was supposed to happen). That's what trojans are all about; they aren't made just to deliver a file in AVG's folder for fun, but to execute code eventually. The name was to fool the user into thinking, in the Task Manager, that it was part of AVG's update processes. Which means malicious exes were executed. If AVG couldn't see them, then I think it has biiig problems as a scanner. But since I've used AVG 6 and 7 Free, I doubt their scanner can miss that. Most probably they hadn't included the signature when the original infection occurred.

    That's how i see it.
     
  9. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    That's the very thing I've been struggling to "implant" into many minds for a long time now: you just cannot make it with only an AV on board nowadays, and unfortunately that means you must perfect your internet driving skills further or you'll be swept off the road, constantly trying to repair your vehicle just to face the same situation again.

    But fortunately we already have tools that can be used in a combo that should be operable even by those "average joes/janes" without scaring them away or assisting them in the annihilation of their windozes, and I'm pretty sure we will see more of those "user friendly" evolved "suites" very soon.

    Therefore we just have to continue preaching, and eventually, but probably only after 2K years have passed, this "great knowledge" of ours will be widespread and an acknowledged fact :)
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It's called rules. Once you set rules in the HIPS for the AV folder or any other folders, you don't even get a choice anymore to accept or deny; it just blocks the attempt with an ACCESS DENIED! display, or no display at all, depending on how you want it to be.

    That's the extra protection HIPS offer over some AVs, which they should have used all along, but then they wouldn't need to keep selling licenses for something that can't happen anymore, could they?

    The smart thing to do is use a HIPS that can block entry to your AV folder/files, and you'll never run into that again.

    I've been far more secure with HIPS than any AV ever offered.

    EASTER
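
    Both TechOutsider's suggestion above (keep the AV folder read-only) and EASTER's HIPS rule come down to the same control: nothing launched from the user's session may write into the AV install directory. The snippet below is an added example for this thread, not AVG's or any HIPS vendor's code, and it uses plain NTFS permissions rather than a HIPS. `$AvDir` is an assumed path, and the choice of `NT AUTHORITY\INTERACTIVE` as the denied principal is a design assumption explained in the comments; adjust both before use.

```powershell
# Added example (not from the thread, not an AVG or HIPS feature): deny write access
# to the AV install directory for processes running in an interactive logon session.
# $AvDir is an assumed path; set it to the real install location before running.
# Run from an elevated PowerShell prompt.
$AvDir = 'C:\Program Files\AVG'

# Rights to deny: creating/modifying files and directories, plus deleting them.
# WriteDAC and TakeOwnership are deliberately left alone so an administrator
# can still remove the rule to update, uninstall or reinstall the product.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$type    = [System.Security.AccessControl.AccessControlType]::Deny

# NT AUTHORITY\INTERACTIVE covers anything launched in the logged-on user's session,
# including malware the user was tricked into running. Services (the AV's own
# updater running as LocalSystem or a service account) carry no INTERACTIVE SID,
# so they are unaffected by this deny entry. (Assumption: the updater is a service.)
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'NT AUTHORITY\INTERACTIVE', $rights, $inherit, $prop, $type

$acl = Get-Acl -Path $AvDir
$acl.AddAccessRule($deny)
Set-Acl -Path $AvDir -AclObject $acl

# Verify: Windows evaluates explicit Deny entries before Allow entries, so the new
# rule should be listed and should inherit to every file and subfolder below $AvDir.
(Get-Acl -Path $AvDir).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

    Two caveats a practitioner should keep in mind. First, if the vendor's updater runs in the user's session rather than as a service, this rule will break updates; test one update cycle after applying it. Second, an NTFS deny entry only raises the bar: code running with administrator rights can take ownership or rewrite the DACL and then drop its file anyway, which is exactly the gap a kernel-level HIPS rule is meant to close.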
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you want to drive an automobile, you need to get a driver's license. To get a driver's license, you need to go to school to learn with someone how to drive and to learn defensive measures, in case you're faced with real world situations, such as a wet floor, etc., which could cause an accident and possibly your death.

    Are there any schools out there just for the purpose of folks wishing to use the Internet, so that they can learn about computer security?

    Most know the basic security - use a firewall (the system firewall), antivirus (which includes antispyware).

    Is HIPS a basic security tool? I guess my grandmother would know how to work with Outpost HIPS or with Comodo HIPS.


    I don't see what a hurricane, flood or even flashing yellow lights have anything to do with a HIPS, but ok.

    My grandmother knows what to do in case of hurricanes, etc. She doesn't have a clue about HIPS, but that's ok.

    I wouldn't wish my grandmother to be your grandmother, that's for sure.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I agree about everything.

    Then again, would my grandmother know how to do such? Would everybody's father, mother, sister, brother, uncle, grandfather, etc. know how to do it?

    Like an earlier example I gave before: would a mother that works an entire day, then gets the kids from school, helps them do their school work, etc., and then finds a few minutes of her day just to check the e-mail know how to do it, or waste that time making some custom policies for the HIPS?

    We don't live in a perfect world. No one can expect that mother and other millions (maybe billions or more) like her to know such thing.

    Who's gonna do it for them? If they have people who know about it, that's a great thing. But, does everybody have such people living with them? Some do. Many don't. That's life.

    The hell with them, right? If they can't find a few seconds to learn how to interact and to work with HIPS, then they don't deserve to be secure.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I see and understand your point. Very valid, and that's why it's ultimately ever the more important never to trust anything you're not relatively certain about, at least to a degree. No, there's no way for them to know if they can depend on what is claimed/supposed to protect them when it comes to computer safety, and for that matter it also includes every one of us, no matter how learned or educated we think we are. We all can be at risk at any time regardless of the program we depend on to protect us, because no software is fool-proof, but many are very close.

    At that, there's always System Restore or, better yet, an automated imaging program that makes duplicates where, if bitten, we can simply press a few buttons and Presto! we're right back on track again.

    EASTER
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Such a classic example of Malware totally owning an AV program.

    This thread should be archived/pinned.
     
  15. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California

    Epic failure, on your part. Disguised Malware. :D
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    That's where sandboxes, system restore, deepfreeze, etc come in.

    In due time, big-brother protective apps may become increasingly pervasive, effective, &... mandatory. Some day, trying to override Windows Security Center may result in your computer saying...

     
  17. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Hahahaah

    I haven't talked to him since. If I get some more info I will share it; I think it had something to do with Rapid Antivirus, a rogue.

    The name avgupdm.exe is also strange, because there should be at least a few hits in Google, I think, even if it's a random string attached to AVG's updater. There are none.
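
    PiCo's observation, that a file named like the vendor's updater turned up in the vendor's own folder with no legitimate trace of that name anywhere, is the kind of check that can be automated rather than done by hand after the fact. The script below is an added example for this thread, not AVG's code and not a feature of any product discussed here. It inventories the executables under an assumed install path, records their SHA-256 hashes and Authenticode status as a baseline, and on later runs reports anything new, changed, unsigned or removed. `$AvDir`, the baseline location and the script name used in the usage comments are all placeholders.

```powershell
# Added example (not from the thread, not an AVG feature): inventory the binaries in
# the AV install directory, record known-good SHA-256 hashes and Authenticode status
# as a baseline, and on later runs report anything new, changed, unsigned or removed.
# $AvDir and the baseline path are placeholders; adjust them to the real locations.
# First run:   .\Check-AvFolder.ps1 -Record
# Later runs:  .\Check-AvFolder.ps1
param(
    [string]$AvDir    = 'C:\Program Files\AVG',
    [string]$Baseline = "$env:ProgramData\av-folder-baseline.csv",
    [switch]$Record
)

# One record per executable, DLL or driver under $AvDir.
$current = Get-ChildItem -Path $AvDir -Recurse -Include *.exe,*.dll,*.sys -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

if ($Record) {
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Recorded $(@($current).Count) binaries to $Baseline"
    return
}

# Load the baseline as path -> hash.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_.Sha256 }

foreach ($f in $current) {
    if (-not $known.ContainsKey($f.Path)) {
        Write-Output "NEW      $($f.Path)  sig=$($f.SigStatus)"
    } elseif ($known[$f.Path] -ne $f.Sha256) {
        Write-Output "CHANGED  $($f.Path)  sig=$($f.SigStatus)"
    }
    # A binary dropped next to the vendor's own files will normally fail this check,
    # while a legitimate update keeps a valid vendor signature even though its hash changes.
    if ($f.SigStatus -ne 'Valid') {
        Write-Output "UNSIGNED $($f.Path)  status=$($f.SigStatus)  signer=$($f.Signer)"
    }
}

# Anything recorded in the baseline that has since disappeared.
foreach ($p in $known.Keys) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Output "REMOVED  $p" }
}
```

    Expect a burst of CHANGED lines with `sig=Valid` after every vendor update; re-run with `-Record` once you have confirmed the signer is the vendor. A NEW or UNSIGNED line is the case this thread describes and deserves a look before anything else. Keep the baseline CSV somewhere the same malware cannot rewrite it (a read-only share or removable media is the simplest option), because a dropper running with administrator rights can edit a local baseline as easily as it can drop its payload.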
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Moonblood, Easter, Bellgamin, all have their valid points.

    Ideally, a classical HIPS is powerful for the knowledgeable user. For an expert user, it can become virtually undefeatable.

    I too often find myself bored of pop-ups, but in the end I return to the classical HIPS, because it gives me peace of mind. I know, though, that I am not an expert and there is one kind of attack that I won't be able to parry: malware within an installer that I think is a legitimate program. Because I will put it in installation mode and won't care what happens. For that, trying the installer in a virtualized system can be of help.

    But usually malware comes from within a browser exploit, or a downloaded "game no-CD patch", "crack", "keygen", malicious media files, PDFs, documents, unpatched OS/software holes, and in all these cases a pop-up out of the blue is really a red flag that you can't miss or ignore as "probably normal".

    Unfortunately, most people don't use and aren't willing to learn to use a classical HIPS. The answer is what Bellgamin says. Especially virtualization would make things much easier, although I am sure that if it were to become mainstream, we would see a boost of malware capable of identifying that it runs in a virtual environment (already happened) and specially crafted to leak out. But the main point is that widespread use of sandboxes and system virtualization won't happen until the major AV companies decide to employ them. Until then, only a few will hear about Tzuk, Tony, Coldmoon etc. So what Moonblood says is true.

    I also find this quite true:

    Not only for HIPS but also for other more signature-less solutions. Eventually any defense can be fooled, but the rate of successful attempts would diminish, and the rate with which users renew their licenses would diminish too, I think. For example, SSM isn't first at Matousec's. But honestly, what are the chances that you will meet the malware that will slip through? So, one can keep on using it for quite a long time. The same could apply to virtualization solutions.

    The danger and risk malware presents is good for business in the AV sector! It's like pharmaceutical companies. If they were by miracle one day to discover the drug to cure all diseases, they would first have to invent a new disease, incurable, to keep selling.

    And to come to this:

    +

    Imagine if these instructions were put on every AV box or as startup tips when you run your AV... But they won't, will they? "Your AV protects you! We care about your safety! You are in safe hands" is much better for business. :D

    MS is already going that way. It's common knowledge that MS has reduced access points to the kernel of Vista 64-bit so much that HIPS programmers have difficulty taking control of APIs to make 64-bit compatible versions. This of course doesn't hurt traditional antiviruses that don't need to hook so deep and in so many places.
     
    Last edited: Jan 19, 2009
  19. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, there is that option called "on-close scanning" (scan on process closing) for the Resident Shield in AVG 7.5 and 8.0; checking it allows the real-time monitor to perform more stringent real-time scanning (by default this option is off, as it consumes more CPU resources).
     
  21. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    Who can be sure that they don't? Or that they won't when/if they develop a new breed of "unbeatable" protection? :)

    My guess is that we should very soon see more security software vendors "reinventing" their approach to dealing with malware: rely less on blacklists of known threats, put more effort into protecting "the doors to infection" in the first place!

    I mean, how on earth can one expect that some newly bred polymorphic virus, encrypted with 1Kbit+ encryption, can be blacklisted?! Remember that recent Kaspersky SOS call to crack the 1024-bit key?

    So it's easier to "just" cover the entry points than to try to decipher the badass, isn't it? And that can also be done with almost no (or minimal) user input even now, so we can foresee highly improved protection is just about to hit the market.

    And yes, it will be impenetrable! But very soon (conspiracy theories taught us well) we will witness "the cure" being released that will make it look just like Swiss cheese :)

    All jokes aside, and since we cannot expect that this search for the holy grail between good and bad guys will ever stop, we can only expect help from programs that are "trying to think like the bad guys".

    From this point in time it looks like that should be a combo/crossbreed of behaviour detector, policy-based restrictor, and HIPS-like protector.
     