Malware is Evading Detection

Discussion in 'other anti-virus software' started by Zyrtec, Aug 10, 2009.

Thread Status:
Not open for further replies.
  1. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Thank you dw426 for taking the time to author your Post, it is well constructed and understandable.
    I can understand your concern that off-site storage of personal information is subject to compromise, and in part I agree, however, you are talking of businesses and consumers voluntarily uploading data to be stored as a backup, whereas I am talking of consumers installing a Cloud Based Security Solution. Businesses and consumers that voluntarily upload data for storage compared to Cloud Based Security Solutions uploading and storing a snapshot of the client's system are two different situations, yet one and the same, meaning, both institutions are storing personal information. The big difference is, the reputable institution that is storing the public's personal backup data is just as secured, or should be just as secured, as a reputable International Bank's security measures for protecting personal data. I have yet to read news where an International Bank's data has been compromised and stolen. Servers shut down, yes; data compromised or stolen, no. Clients that have data backups stored off-site have an account with that institution and have full access to that data and can maintain and monitor that data, whereas clients of Cloud Based Security Solutions have no access or control over the data uploaded by the security vendor, such as system snapshots and any other data that is uploaded from the client's computer to the vendor's server for analytics and/or storage. Now, Cloud Based Security Vendors claim that the data uploaded to the vendor's servers is, in most instances, not the actual file/s themselves, but instead heuristic information on the file/s gathered locally and then encrypted and uploaded to the vendor's server for analytics.
    Is this to be believed? If the answer is yes, then I cannot see any breach in security even if the Cloud Based Security Vendors' servers are compromised and the information is stolen.
    What would the Hacker have? A system snapshot, heuristic information, infections found, all of which might even be encrypted. This can be decrypted of course.
    If the answer is no, it cannot be believed, then yes, there is concern here, and that is where we partly agree.


    HKEY1952
     
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I am unaware of any cloud-based security provider that stores personally identifiable information (at least not without the user’s optional consent) -- but, your point is well taken: a user should be aware of this possibility and check the specifics of the tool that s/he is using.

    While this may be true of some cloud-based security providers, it is not true of all. In my opinion, the best ones (1) allow a user to optionally participate in the “community”; and, for those who do volunteer, (2) provide a log of what information is transmitted. I continue to be amazed by the number of individuals for whom the issue of having “no access or control over the data uploaded by the security vendor” isn't a consideration. Different people, different perspectives?
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Uuuhm, that is not what AV-C does. It is just scanning the files with old signatures ;)

    Fax
     
  4. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Doesn't AV-C have 2 separate tests? One for on-demand and one using the AVs' real-time capabilities?
     
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Not really... what "we" need is policy-based and/or isolating software that doesn't care about where the file came from, how old or new it is - whatever. All the software does, protecting you through these methods, is prevent forbidden/prohibited actions from taking place - no matter what is "said" about the file in question.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    AV-C has two main tests: one "on-demand comparative" and the other "proactive/retrospective".
    On both a scan is run on the infected samples. The samples are not executed. The same seems to apply to the test mentioned, or NOT??

    Are we still not testing the full HIPS/proactive/Sandboxing/clouding capability of security software? :(

    Cheers,
    Fax
     
    Last edited: Aug 11, 2009
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Hmm, well then that doesn't make any sense. If they don't execute the malware, how on earth is it a proactive test, and how the hell are the results so drastically different for both the tests then... o_O o_O
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes indeed... From what I see... they measure detection with different degrees of old signatures. First one week old, then two weeks old, three weeks old... and then they make up an index with this. This is probably the main difference from the AV-C test.

    But actually... I am also looking for a confirmation that this is the case... :)

    Cheers,
    Fax
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    So an AV scans and detects in tests and looks good or bad, but a BB scans and only detects on activation. It seems the testing fields are becoming grey instead of black and white.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    So no one has any idea? :)

    Fax
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Good point, man - hence my opinion previously posted which is above. :)
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Raven211, in my opinion, information about a file’s “reputation” will prove to be valuable in a practical sense, since it aids in enhancing the certainty about the “good”/”bad” decision. A pure heuristics approach will likely be plagued with the problem of false positives for the foreseeable future, but this challenge can be mitigated by the use of reputation data. Fortunately, none of these approaches is “either/or” -- a security solution can be “both/and.”
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Fax, this insight might be of interest:

    “The retrospective test (which is performed on-demand) is used to test the proactive detection capabilities of scanners. It does give an idea of how much new malware a scanner (compared to other scanners) can detect (for example by heuristic/generic detection), before a signature is provided for the malware.”

    Source: Testing Methodology & Frequently Asked Questions
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Thanks.. indeed I know the AV-C testing method. I was wondering if VirusBulletin was somehow different from AV-C and was running the malware samples. Doesn't look like it....

    Fax
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yep, I'm talking about policy-based primarily, with definitions (white- and black-listing) coming as secondary priority. Since policy-based software doesn't give anything for what's said about a file (primarily), but rather what it actually tries to do, it automatically has a higher chance of stopping malware in action in comparison, simply because what it does is monitoring for actions that are not allowed, instead of looking for definitions or heuristics.

    This is my belief, and I personally think it's very logical.
     