Majorly disappointed by AV apps

Discussion in 'other anti-virus software' started by Veazer, Nov 16, 2008.

Thread Status:
Not open for further replies.
  1. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    IMHO, Sandboxie on Windows 32-bit is still safer than Windows 64-bit without.
     
  2. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    I can confirm that running as a limited user avoids the infection.

    Good point... I've switched to a limited user account. I've got lots of apps that need to be run as administrator, but I'll try to get by using RunAs and SudoWin.

    Thanks to everyone who helped test this file. I've learned my lesson about doing too much as administrator, but after all is said and done I still think it's pathetic that only f-prot blocked it. This virus has received far too much attention and press to be undetected by updated virus apps.

    edit: typo
     
    Last edited: Nov 17, 2008
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It's a dropper of an Autorun worm that has been changed and thus it's not detected. It has nothing to do with Sinowal as you might think. We have tested it and the dropped dll is detected and neutralized by NOD32, so basically running the dropper with NOD32 will not do any harm.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Vista x64 is not any safer than x32 because PatchGuard can't really protect you against rootkits. It can protect you only against security software. :D
     
  5. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Personally, I think AV should only be considered as a last hope of defense. Sandboxes, policy restriction stuff, HIPS, firewalls and common sense should come first. My .02 cents.

    Ice
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I'd question why your client had Antivirus XP 2009 if they already had Kaspersky.
     
  7. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    this is incredibly disingenuous... do you really not understand what a variant is? you have a new version that most of the vendors haven't added detection for yet... it doesn't matter that the malware family is old and well known when this particular member is new...

    of course it did - authentium licenses the f-prot engine... anything based on f-prot should be able to do what f-prot does...
     
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    And if it's known to be true malware, submit it to the vendors that didn't detect it for analysis so that users of those products will be protected against the latest variant.
     
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    could i say that statement is just hyperbole?

    maybe that's your experience, but that's not a full picture of reality... av doesn't stop things when they're new, but there's plenty of old stuff still running around, some of it more than a decade old... that's why realtime av is still useful...

    obviously for stuff that's still new other methods are necessary... it would be naive to think that those other methods obviate the need for av... there are always special cases that get around any given method and the fastest (and sometimes only) way to deal with special cases is a blacklist (av)...
     
  10. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    that doesn't mean vista x64 is safer, it's just another example of security software that's been broken by microsoft's band-aid.... quite telling is the fact that the APIs microsoft promised to open up for security vendors aren't sufficient for what sandboxie does...
     
  11. mnosteele

    mnosteele Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    194
    Location:
    Chesapeake, VA USA
    They were infected by it and Kaspersky did not stop the infection. What angers me with Kaspersky is when the first variants of Antivirus XP 2008 started showing up I had clients running Kaspersky who were infected with this, I sent the files myself to Kaspersky Labs twice and they refused to detect it.
     
  12. Waterfox

    Waterfox Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    118
    Location:
    Sweden
    Jeez, reading this thread really makes me scared... here I am using an admin account with only the Windows XP firewall and AV software as a defence line...
    maybe it's time to get some HIPS as well. Who knows what's really hiding underneath that shiny OS. o_O
     
  13. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Really? I know PatchGuard is not impenetrable, however, it should still be able to provide added protection since it prevents the patching of the kernel.
     
  14. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    it prevents some bad things, but breaks a number of 3rd party security tools that protected against things patchguard was never meant to address... adding protection in one area while irrevocably breaking protection in others isn't really a good thing and can't really be considered more secure...
     
  15. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    I disagree. While it's true that it breaks security applications that rely on kernel hooking, protecting the integrity of the kernel is more important, IMHO. Microsoft developed APIs so that security applications can interface with the kernel without having to actually patch it.
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    It actually doesn't protect anything really. You can bypass this, but security vendors cannot use such techniques, so they are stuck and losing and wasting money because M$ abuses its monopoly once again. It only gives MS more control over what SW and HW you can use, and how.

    Same thing with the x64 unsigned driver nonsense - does it make anything more secure? No. Does it benefit the user in any way? No. It gives M$ control over third-party drivers and HW, which could possibly bypass all the DRM crap bundled with Vista, etc. Oh, and guess what - it can be easily bypassed - just Google for "readydriver plus".

    :thumbd: to M$.
     
  17. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    but protect it how? the current design naively focuses exclusively on prevention and it failed (there have already been bypasses discovered) as all preventative methods must occasionally do...

    sandboxie could likely also protect the kernel, but more importantly when (not if) it fails you'd still have the flexibility to prevent or detect it in other ways, unlike patchguard...

    and as has already been posted, those APIs are insufficient for what sandboxie needs to do...
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hi Marcos. I tested yesterday and NOD32 picked it up and quarantined it nicely. :thumb:
     
  19. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    disappointed by AV apps?

    simple, don't use one. :)

    there are other options if you don't wish to use one. :rolleyes:
     
  20. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    It is true that PatchGuard was bypassed before but Microsoft remedied those problems already. As far as I know, there are currently no methods that are able to bypass PatchGuard. Someone correct me if I am wrong.

    As more and more users migrate to 64-bit, I'm sure Microsoft will develop more methods that will allow security vendors to do what they want to do without tampering with the kernel.
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I understand your frustration that Kaspersky did not detect it, but I'm more worried about why and how they got infected with it in the first place.

    Antivirus XP 2009 comes from a long line of fake antivirus/antispyware programs. In order to be infected, you need to download the rogue program or run a scan from a website, of which there are many variants. The point I'm making is if they downloaded this, why download when they already had an antivirus program anyway i.e. Kaspersky? I could understand if they didn't have an AV already and tried running the bogus scan that wasn't legitimate. They already had protection; they didn't need to seek elsewhere, least of all a scam site offering a supposedly "free security scan" whose results are nearly always erroneous.

    This is where people need to be educated on perils like this and how best to avoid them, but it's no easy task.
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    AVs are funny; the disappointment that he thinks is a disappointment is only something beyond his experience level.
    PatchGuard can be subverted, user mode rootkits still work with ease on Vista 64. Don't expect too much.

    Nonsense. ASE gets you in all events. Everyone.
    That won't save your *ss. Just another new illusion of security.

    Finally someone with insight.

    Look beyond the matrix...think deeper...
     
    Last edited: Nov 17, 2008
  23. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Let's see... I know that Vista x64 is still susceptible to a lot of malware out there; however, those that try to tamper with the kernel will not work due to PatchGuard (i.e. kernel-mode rootkits). Don't get me wrong, there are lots of ways a (Windows) system can get infected. As you've said, user-mode rootkits (malware) can still infect Vista x64. But since they are user-mode, they are not completely hidden, since code that resides in the kernel can see them.

    What I am trying to say here is that PatchGuard helps protect the system by ensuring that the kernel does not get tampered with by (untested) third-party code. It is by no means a panacea; it only prevents successful patching of the kernel, which is one of the many ways malware can infect a system.
     
    Last edited: Nov 17, 2008
  24. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    You sound like an expert.
    No one is saying that Vista x64 is bulletproof. However, not all the viruses are as smart as you think either, and Vista x64 does make some progress in terms of system security.
    Again, I am not saying that no virus can penetrate Vista x64; in fact, many, many viruses still can, but this does NOT mean that "Vista x64 is not any safer than x32".
    I agree with ambient_88. Vista x64 is more secure than 32-bit although still vulnerable to many threats.
     
  25. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Really? :p

    Seriously, MS controlling what kind of code you are allowed to use is not exactly the way to go...
     