Majorly disappointed by AV apps

Discussion in 'other anti-virus software' started by Veazer, Nov 16, 2008.

Thread Status:
Not open for further replies.
  1. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    I was working on a friend's pc that had a virus infection today. He knew what file caused the virus but was puzzled why nothing stopped it. I monitored the system to see what was altering files and deleted the culprits. Dr. Web CureIt found a few more questionable .inf files later, but everything seemed to be ok. (I later found that a rootkit was hiding files that Dr. Web CureIt missed).

    Back at home, I copied the file to the desktop of a Virtual PC running a fresh install of XP SP2 and NOD32 fully updated. With all AMON (realtime scanning) settings maxed on NOD32 (advanced heuristics, etc), it still let me copy and paste the file around the system without detecting the virus. Then i did a manual scan of the file, still nothing. I ran the infected executable, an installer for "homeview". I pressed cancel when the first dialog box appeared. Surprise, the system was now infected and NOD32 had not uttered a peep.

    A new process was running, tempo-617.tmp. The virus creates autorun.inf on all drives, and creates a folder "resycled" containing 'boot.com', which NOD32 does not detect as a virus. Since autorun.inf executes the boot.com file, i knew that was the file used to spread the virus which i was able to test on another VirtualPC session. I could not get any configuration of NOD32 to detect the virus, though it did occasionally find viruses in c:\windows\temp after the infection - which it couldn't remove.

    Deleting any of the autorun files or the Resycled folder was fruitless, they just recreate themselves.

    Then I wiped the system and started again, this time with AVG Free edtion V8. Same result, no detection whatsoever. The system was much slower with AVG however.

    I tried again with AntiVir, same thing. No detection moving the file around, and no notification when the system infection took place.

    Again... this time with Avast. Avast is an annoying, blinking, beeping, flashing and talking (not joking) AV app but at least it noticed the autorun files being created. And couldn't do a thing about it. All it could do was delete them and wait a few moments and delete them again. and again. and again.

    Next up, Kaspersky... Kaspersky faired a little better than the others. It didn't detect the virus in the original file, and it allowed the infection to occur... but it prompty reported that the virus was using the print spooler to modify autorun.inf, and it deleted the windows temp files that seemed to hold the .exe that started the whole mess. Unfortunately is didn't detect or delete the file used to spread the virus to other compters later, boot.com. Still, it did result in a machine that didn't have any virus executables running.

    It's important to note than in every test I fully updated the AV program first and then set the protection settings to the highest available, even when they warned it might result in false positives. It didn't help, unfortunately. None prevented the infection and only one was able to remove it, Kaspersky, and it left behind files that it couldn't detect and would cause a re-infection if run again.

    I then uploaded the virus spreader (boot.com) to virustotal.com and only 3/36 AV engines recognized it as a virus. Authentium and F-Prot recognized that it is the W32/Sinowal-based!Maximus virus responsible for over 500,000 compromised bank accounts. PrevX1 declared it to be malicious software but didn't identify it. This is amazing! Only 2/33 (6%) of the current major AV engines on virustotal identified it. Why is it amazing to me? Because this virus is over two years old and has been a major news story for weeks. Why are major AV packages failing to see it?

    I was really disappointed by today's experience, especially since NOD32 has been my preferred AV for years and it performed poorly. This only goes to show how limited the protection of antivirus applications really is. It also shows how slow the AV companies are to act, despite appearing to be on top of everything with several updates per day.

    I also ran the same test with F-Prot after seeing the results or virustotal.com and it seemed to fully prevented the infection from occurring, as the virustotal.com results would support. That makes it the only AV app that prevented the infection. it couldn't detect the virus in the original file, but it's likely an encrypted self-extracter/installer so that's expected. I'd like to test "Authentium Command Anti-Malware v5 for Windows" as well but they don't offer eval copies for download without contacting their customer support via email. It was the other app that identified the virus at virustotal.com. i'm not real fond of the gui for f-prot though, i like the flexibility and advanced settings of nod32 much more. Unfortunately nod32 failed this test miserably.

    If anyone else wants to play around with the file, just PM me and i'll send you the link. I'd rather not post a direct link to a virus here, but i can if forum rules allow it.
     
  2. mnosteele

    mnosteele Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    194
    Location:
    Chesapeake, VA USA
    I see this same thing all the time, it is why I recommend using Threatfire or some other behavior blocker/HIPS protection with your antivirus. The program that upsets me the most is Kaspersky, I was a reseller for them for years and switched to Avira because of their lack of response to certain issues and refusing to detect certain malware. I just had a client call me the other day that was infected with Antivirus XP 2009 while using Kaspersky, it's built in Proactive Defense should have stopped the infection but did not, there is no excuse for that. I can understand if there were no virus definitions for a new variant but the other tools should have worked.

    :)
     
  3. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    Yesterday, I responded to a post asking which, in my opinion, was better ; Avast or F-Prot. My answer was that while F-Prot didn't measure as well in independent tests as many other AV applications, it had a history of great customer support and a loyal following. Your test bears out what has been suspected by many of us; that independent tests, while interesting, tell only a small part of the story regarding (the) effectiveness of an antivirus solution.

    In my opinion, excellent work !
     
  4. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    I just tested Threatfire + NOD32 with the settings maxxed out. I enabled every advanced rule setting and set the sensitivity to 5. It would popup vague security notices after changing settings but didn't indicate what was occurring. For example, it would say that explorer.exe had done something potentially malicious but wouldn't specify what. Was explorer establishing a network connection? modifying a system file? changing a registry entry? It wouldn't say and no amount right-clicking for more info - or clicking "more info" would tell me what was going on. I understand that explorer was not doing anything malicious, i'm just trying to demonstrate that this app did a very poor job of telling me what exactly it found suspicious.

    even worse, when i ran the app that causes the infection threatfire allowed me to run the app and allowed the app to fully infect the system without a single popup. It wasn't until after the system was inffected that threatfire started to see problems, but it was too late at that point

    Sorry, but imho threatfire failed this trial by fire.

    edit: typos
     
  5. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I can easily believe that TF and many of the AV's suck, but this is pathetic.
    I'm not a tester so if somebody decides to test this against the new Prevx Edge and Defensewall please post the results.
    Also, would running behind Shadow Defender have prevented the infections?
    Thanks.
    Hugger
     
  6. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I guess im 2 steps ahead for now :D
     
  7. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    I did a thorough scan with Dr WebCure it and it found a possible trojan downloader. Then i scanned with avg paid and all was clean. Uploaded to Virustotal and drweb at the list of scanners did not flag the file so did the rest of the scanners. But who can i trust?
    Hope there is just another false positive
     
  8. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Could you clarify, please, how is this related to the test?
     
  9. mnosteele

    mnosteele Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    194
    Location:
    Chesapeake, VA USA
    That's pretty sad, you would think a behavior blocker would have stopped the infection. Keep testing apps and let us know what stops it, how about WinPatrol or Mamutu etc.

    :)
     
  10. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    Which version of AntiVir ?, free or premium, I am currently assuming free like AVG, If so not fully indicative of AntiVir's capabilities.

    Gh113
     
  11. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    Not sure about WinPatrol, the page looks rather unimpressive. Feel free to test, it's got too much extra crap for me. Mamutu failed... :( I was going to try ProcessGuard, but evidently they have not paid their web bill, the page is suspended.

    Both free and a 30 day trial of Pro failed. Initially i only tested the free edition but i just now tested pro.

    Another warning, this virus changes your dns server to 85.255.112.102 (or at least 85.255.x.x). i would recommend you don't do any browsing on an infected machine.
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Well, I don't know about PrevX, but I do about DW:

    DefenseWall HIPS rollback report file:
    File: C:\Users\***\AppData\Local\Temp\nsn9DB6.tmp created by E:\***\Downloads\Keygen.PowerStrip.3.77c3098.exe at 11.17.2008 01:31:39

    File: C:\Users\***\AppData\Local\Temp\jah30980.exe created by E:\***\Downloads\Keygen.PowerStrip.3.77c3098.exe at 11.17.2008 01:31:39

    Keygen.PowerStrip.3.77c3098.exe is a TR/DNSchanger type and is the downloaded file.

    DefenseWall HIPS log file:
    11.17.2008 01:31:39, module C:\Users\***\AppData\Local\Temp\jah30980.exe, Attempt to manipulate KnownDlls section \KnownDlls\advapi32.dll (File )

    11.17.2008 01:31:39, module C:\Users\***\AppData\Local\Temp\jah30980.exe, Attempt to create KnownDlls section \knowndlls\advapi32.dll (File )

    11.17.2008 01:31:39, module C:\Users\***\AppData\Local\Temp\jah30980.exe, Attempt to set value DocumentInfo within the key HKCR\*\ (Registry)

    11.17.2008 01:31:39, module C:\Users\***\AppData\Local\Temp\jah30980.exe, Attempt to create KnownDlls section \knowndlls\dll.dll (File )

    jah30980.exe = W32/Sinowal-based!Maximus

    Basically, malware running in the sandbox, not doing a lot, and dead after I pressed the big red button!
     
  13. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    I tested the virus on winxp sp3 en in a vmware virtual machine, under an limited account.
    I double clicked the exe and it asked me to install homeview program after some seconds of delay--obviously the exe was doing something. I clicked OK all the way to install all it asked.
    After it's done, I checked my C:\ and searched C drive using keyword "resycled" and "boot" but did not find anything. I have F-Secure 2009 and threatfire v4 installed but neither of them indicated anything. It appeared that the virus could not do anything under a limited account under XP SP3.
    I did not test it under admin account yet. Anyone would like to repeat my test to confirm please post once you finish.
     
  14. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi Veazer.

    Have you tried CIS "comodo internet security" wich includes defense+ wich is a HIPS app. Though CIS does also includ AV, firewall, spyware protection etc.

    CIS is free, Download CIS here: http://www.personalfirewall.comodo.com/ <
    and try against your crazy virus in your virtual machine.

    Looking forward to your test results Veazer!

    Cheers, SweX
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Maybe your expectation level was just a bit too high, I don´t know what you expect from AVs? They are no panacea they mainly have a huge database from past viruses with some more or less good heuristics that´s all.
    Stop living in a security illusion see the reality.
     
    Last edited: Nov 16, 2008
  16. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    That's a good point that I didn't address, my tests were all done as administrator. i will do some test under a limited account. I guess this is a good reason for me to start using RunAs and a limited account.

    can you check for the presence of rootkits and files in c:\windows\temp ?

    @Lucy- I'm not familiar with DW but it looks like it's time for me to start. thanks for your testing.... btw, were u using an admin account or limited?
     
  17. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Could I say that AVs are just useless?

    LUA, SRP, maybe some tools like sandboxes... The key word anyway is policy. That is what UNIX world is all about. Now with Vista, Windows made a big step in this direction.

    AVs are cleaning tools, or removing tools. They always arrive after the battle... They don't desserve to work realtime, eating CPU, RAM...

    @Veazer
    No need to test it under LUA, better work and play all the time under LUA. Most of your problems will vanish (Admin account is for update and settings). If you get annoyed by UAC, put it in quiet mode with TweakUAC...
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I ran the sample here with prexv edge and nod32. trying to post image but its not uploading.Prevx edge pick it up on it and nod32 as well.Here is what it reads from prevx.
    c\user\name\appdata\local\temp\jah30981.exe malicious c\windows\temp\969.tmp malicious and c\program files\Homeview\uninstall.exe nod32 c\autorun inf worm and agent trojan a ABH autorun worm and the list goes on.
     
    Last edited: Nov 16, 2008
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It depends always on your expectations. They have a limited scope nowadays threats are much more complex. There is malware that resides outside the operation system, that even needs only some udp packets to directly communicate with your ethernet os independent... from this point of view AVs would be likely useless so it is always situation-related.
     
  20. Veazer

    Veazer Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    16
    on my machine nod32 found it but only after infection and couldn't remove it. i was using 2.7, you?
     
  21. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    I tried to access the c:\temp folder under the limited account but was denied access so I did not have a chance to actually find out if there was rootkit in that folder. But I would guess that there should not be any since the access to that folder was denied by the system.
    I did check the process but did not find any new processes added after executing the virus.


     
  22. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Uploaded the file to VirusTotal and only their Antivir and DrWeb detected it as a virus. Scanned it myself using Antivir Free 8.1.0.331 with heuristics set to high and latest definition files and it found nothing.
     
  23. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Tested the virus in virtual machine under admin account in xp sp3. This time I got all the same symptoms posted by Veazer... When I tried to access the hidden autorun.inf under c:\, F-Secure client security 8.0 found the threat and deleted autorun.inf. However the virus re-created that file once the old one was deleted and F-Secure could not prevent the file reproduction.
    Threatfire did not do anything during the whole virus infection.
     

    Attached Files:

  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Ok heres the scope, I use nod32 AV 3.0 it had detected it quarantined and said would be cleaned or deleted after reboot.I did all this in shadow mode with Shadow defender.When I tryed to upload the screen shots for viewing,it would not work. I assume either something with SD or wilders not sure though.Also I couldn't check the cleaning of prevx edge because its trial not paid.I can tell you this there is mutliple nasty stuff with that variant.I just got done rechecking files manual and scans and its clean so shadow defender kicked its butt to the curb:thumb: I can not say for certain that nod would have cleaned it on the reboot But at least it did detect it.PS nod did detect it upon Execution of not before.Thank you Veazer
     
    Last edited: Nov 16, 2008
  25. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Sorry this post may be a bit off topic, but I found this info below off sandboxie website, which implies that vista x64 is much safer than 32bit vista. I would suggest install x64 if you can.

     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.