Rogue Antivirus Still getting through

Discussion in 'ESET Smart Security' started by dwmtractor, Mar 31, 2010.

Thread Status:
Not open for further replies.
  1. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    Been there, done that, Helix, and if you had bothered to actually read any of my posts you'd know that. I agree, users need to stop downloading dumb stuff. I have users like that and I beat them up all the time. But what you guys seem dedicated to refusing to accept, is that many of the rogues do at least SOME damage even if the user is smart enough not to click on them!

    True, clicking does more damage and installs stuff truly deeply (sometimes irreparably) into the system. However, I have personally observed (and submitted samples to ESET) rogues that, WITH NO USER INTERVENTION WHATSOEVER, installed themselves as browser search utilities or other BHOs, installed themselves into HKLM\. . .Run, and in at least one case, re-associated all *.exe files as "open with" the rogue executable (that was a new one I had never seen till last week!). They had also (without clicking) disabled <Ctrl><Alt><Del> and task manager.

    You guys need to get it through your head that not every user who has a negative experience is an idiotic computing virgin (even though many are).
     
  2. ESS474

    ESS474 Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    201
    Location:
    São Paulo (Brazil)
    Dude, you do not understand that criminals test their creations against ESET to not be detected, and there are millions of new files every day all over the internet; there is no way to control them all.
     
  3. JackSun

    JackSun Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    25
    Well, all that we can hope for is that ESET or some other AV vendor gets some sort of solution to this problem. I'm now fixing at least 1 PC per day with these types of infection, the majority of which are on ESET Smart Security 4 from my recommendation.
    At this rate every one of my customers will probably have been infected by the end of June.

    In my limited testing ESET comes out near the bottom in terms of detecting these rogue AVs. I've yet to see the ERACLEANER tool they provide detect even one of the samples I have seen.

    In one example I had a VM set up with the Microsoft Security Essentials free AV, which was using definitions at least 6 weeks out of date, and it picked up one of the samples I fired at it. I then installed ESS 4 and updated it to the current signature database and it didn't see a thing.

    Once ESS had let it through I used MBAM to clear it up, and again that was with an MBAM signature database at least 3 months old.

    Incidentally, after clearing up the infection the machine was left in an unusable state as any .exe file had been associated with the rogue AV. Now that it had been removed, all you got was a message asking you to say what program you wanted it to run with. Even if you did choose the appropriate program it went round in an infinite loop. I found the solution to this if it's any help.

    N.B. this has only been tested on Vista and Windows 7 machines.

    To restore the .exe file links copy and paste this text into notepad.


    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\secfile]
    [-HKEY_CLASSES_ROOT\secfile]
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"



    Save this file as fix.reg (in Notepad change Save As Type to All Files).

    Then double-click the fix.reg file to incorporate it into your registry.

    Reboot and you should find the .exe files now run ok.
     
    Last edited: Apr 7, 2010
  4. reevesloh

    reevesloh Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    160
    As you all can see, every day or every second, a thousand viruses are created by some idiot and we cannot just 100% depend on our antivirus! We need to use our PC wisely to not get infected. I have been using ESET products for about 5 years until now; my PC still looks good and hasn't been infected. I love ESET products and I still think it is the best. (Virus out first, then antivirus.)
     
  5. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    Dude, by that logic we should all just quit using antivirus completely, since we know the criminals will test their viruses before they release them. Seriously, what kind of reasoning is that?
     
  6. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    @JackSun, there's an easier fix. Go to the Windows Explorer Folder Options (Tools>Folder Options), choose the "File Types" tab, and delete the association for *.exe files.
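    Added example (not code from the thread or from either poster): a read-only PowerShell check of the registry keys that JackSun's fix.reg deletes or resets, and of the *.exe association dwmtractor points at in Folder Options, reporting whether the association still resolves to the stock handler. It assumes the stock ProgID is exefile and the stock open command is "%1" %*, exactly as the .reg above sets them, and that it runs from an elevated prompt on Vista/7 or later.

```powershell
# Added example, not from the thread: audit the keys that JackSun's fix.reg
# deletes or resets and report any deviation from the stock .exe association.
# Read-only. Run from an elevated PowerShell prompt (Vista/7 or later).

function Test-ExeAssociation {
    # Values a clean system carries for the .exe handler (as in the fix.reg)
    $ExpectedProgId  = 'exefile'
    $ExpectedCommand = '"%1" %*'
    $Findings = @()

    # Per-user keys under HKCU\Software\Classes shadow HKCR for the current
    # user; the fix.reg deletes both, and neither exists on a clean system.
    foreach ($Key in 'HKCU:\Software\Classes\.exe',
                     'HKCU:\Software\Classes\secfile') {
        if (Test-Path -Path $Key) {
            $Findings += "Per-user override present: $Key"
        }
    }

    # Machine-wide keys that the fix.reg removes outright
    foreach ($Key in 'Registry::HKEY_CLASSES_ROOT\secfile',
                     'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
        if (Test-Path -Path $Key) {
            $Findings += "Unexpected key present: $Key"
        }
    }

    # .exe must map to the ProgID exefile, whose open verb must be "%1" %*
    $ProgId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' `
                   -ErrorAction SilentlyContinue).'(default)'
    if ($ProgId -ne $ExpectedProgId) {
        $Findings += "HKCR\.exe resolves to '$ProgId' (expected '$ExpectedProgId')"
    }

    $Command = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
                    -ErrorAction SilentlyContinue).'(default)'
    if ($Command -ne $ExpectedCommand) {
        $Findings += "HKCR\exefile open command is '$Command' (expected '$ExpectedCommand')"
    }

    return $Findings
}
$Result = Test-ExeAssociation
if (-not $Result) {
    Write-Output '.exe file association is intact.'
} else {
    Write-Output 'Possible .exe association hijack:'
    $Result | ForEach-Object { Write-Output "  - $_" }
}
```

    If it reports findings, the fix.reg in JackSun's post (or deleting the *.exe association as dwmtractor describes) is the repair; re-run the check afterwards to confirm the stock values are back.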
     
  7. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    However, you've got to admit that every time Eset's customers are infected it's MBAM to the rescue, don't you think?

    Thanks.
     
    Last edited: Apr 7, 2010
  8. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    You're waging a battle that you cannot win that way; blacklisting is so outdated. Eset needs to rebuild its engine from scratch and incorporate file reputation detection into it. Blacklisting is not enough anymore; to me, file reputation is the way forward.

    Thanks.
     
    Last edited: Apr 7, 2010
  9. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    Yeah, I HAVE noticed that. I find myself wondering, if MBAM is so bloody great, maybe I bought the wrong product? :doubt:

    If the MB folks can do it, why not ESET?
     
  10. dwmtractor

    dwmtractor Registered Member

    Joined:
    Dec 9, 2009
    Posts:
    46
    Location:
    San Jose, CA
    It's definitely an important piece. I still think immunizing of all portions of the registry that call programs at startup, plus intercepting any browser-initiated call for installing anything, would be a step in the right direction. . .and a useful one.
     
  11. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    Why not try a layered protection instead of relying on just one?
    At home, we have an alarm, a dog, etc. If the alarm doesn't trigger any sound upon someone breaking into my home then the dog should bark and let us know that something is going on, etc...

    I think the same principle applies to our computers. I know ESET is not perfect, and neither are the other AVs. I can back up my words with facts. Because my folks at ESET apparently don't visit those web sites that post shady URLs so AV companies' researchers can go there and test some URLs and the drive-by scum they download against their antivirus, I have decided to do this myself on a daily basis [after I get home from work, of course].

    I have come across a Rogue AV that apparently is spread from IP addresses located in Ukraine. The Fake AV in question is called “Security Tool”. It looks like the MD5 for this Fake AV is changed very frequently, so in ONE single day I have caught 15-20 different variants of it within an interval of just a couple of hours at the same IP address [!!!!!!].

    How do I accomplish this risky task? Well, using the layered protection described above. I run ESET NOD32 4.2.35.0 as my AV but... I also run SANDBOXIE, Windows Defender and the free version of MBAM alongside Firefox + NoScript and Ad Muncher. I wrap the browser in the Sandbox, copy/paste the shady URL onto the address bar, fire it up and I get a prompt to download a drive-by Fake AV. I do so. Afterwards, if NOD32 has not caught the Fake AV installer upon downloading, I get it out of the Sandbox, create a .rar archive which I password protect with the word infected, and send it to ESET for analysis and to be added to the signatures database.

    Sandboxie, in my humble opinion, will be a program that many IT Administrators will have to take into consideration in the near future because 90% of the PC infections nowadays are Internet borne. Which means the PC users are infecting their workstations while browsing the Internet. And it isn't necessarily by browsing porn... NO!!! Even legit websites can be compromised as well.

    For example, my actual employer is running McAfee Virus Scan Enterprise version 8.7i with patch 2 and its Antispyware module installed and, guess what? Last week, IT Help Desk received 18 phone calls from our Department alone coming from people whose PCs were hit by Rogues. McAfee could NOT stop the Fake AVs before they installed on their PCs.

    Had they been running something like Sandboxie to protect their browsing sessions from drive-by downloads, none of this would've happened.

    Bottom line: just do NOT rely solely on your AV to do the job against 200,000,000 of Rogue AV variants. Back it up with something else.


    Kind regards,


    Carlos
     
  12. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    In other words AV software is fast approaching being useless (if indeed it isn't already)... which gets back to ESET's pricing... naw, that was another thread.

    Seriously, all ESS does for me these days is control outbound program activity through its firewall. It hasn't detected anything (seriously... nothing) for the last 5 years although I have seen 2 scareware drive-bys in the last 6 months.

    If you can lock down or monitor your files and registry, keep an eye on running scripts and plug-ins in your browser, or run it in a sandbox, then who needs AV, especially if it is only checking md5 values.

    Maybe it would be worth having a look at Returnil as one of your layers of defence. I've seen another similar product called Deepfreeze that basically prevented any changes to your C: drive - reboot, and you're right back to your known good starting point.

    AV software has to change or it's going to be one of those layers you will be able to do without!

    cheers
     
  13. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Please understand this, criminals are also testing their files against a lot of security products, including MBAM; Eset is NOT alone. Such a fact cannot be taken for an excuse to explain why a particular product or Eset does so poorly.

    Thanks.
     
  14. chromiumdomium

    chromiumdomium Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    16
    Location:
    UK
    It seems to me that ESET is losing ground faster than many of the other well known security suites. However, this thread has brought a few things to light.

    1) If you run ESET Smart Security, you'd better forget the idea that this is a suite to hopefully cover the vast majority of eventualities. Therefore, you should install other products to supplement your security. MBAM, Sandboxie and DefenseWall all get repeated mentions here. I can definitely attest to the effectiveness of MBAM; it's saved my bacon on three PCs on four occasions this year alone.

    2) ESET's super light, narrow sphere of effectiveness is no longer competitive enough in today's world of rogue-ware and drive-bys. Suites such as Kaspersky offer a "Sandbox" environment and Virtual Keyboard built right in. They fare very well in the AV-Comparatives up against ESET's, and the price for a full suite 3-PC license on Amazon UK as of today is £22.97. This also compares very well to the £29 renewal fee for a similar license.

    3) The corporate environment likes single-box, easy to administer solutions. It might be lazy, but IT Managers and the people above them, the ones that usually hold the purse strings, are used to paying for and administering desktop level security from a single solution via a single server. This is quite often just an anti-virus solution, not a full suite. If the IT manager has to put the case for a more layered approach, his/her boss is first going to ask them to explore alternatives from other providers that can fill the requirement of a single point security solution. At one time ESET was thought of as the best of the best. That can no longer be the case, as personally I believe that it is not protecting us adequately enough against the most prevalent security threats out there today, as well as even some free solutions do.

    Where ESET products win is that they're fairly light and unobtrusive. Unfortunately, nowadays that's also where they lose. In the past, programs that tried to be "All Things to All Men" were seen as bloatware, particularly Symantec's offering. It seems that our security suites now require a more rounded portfolio of facilities. Otherwise they should not be called suites. An AV + packet filter + spam filter is no longer enough for an application to be termed an Internet Security Suite. The trick is to provide a solution or range of solutions that are light, unobtrusive and thus do not take over the PC and render it useless to the end-user for vast chunks of the day.

    Perhaps ESET should look to including bolt-on applications for users to optionally add in to their ESET solution, i.e. ESET Sandbox, ESET Virtual Keyboard, ESET HIPS, ESET Packet Filter, etc. The AV could be just that, an AV, and then, perhaps, a spyware solution could be sold as ESET Anti-Spyware. This way the user can pick and choose the elements of the suite that are relevant, and the pricing model could also more truly reflect the capability of each security bolt-on, a full suite of all products of course being somewhat less than the cost of all items added together. At least then the user doesn't have the illusion of a rounded security suite that protects against all things and then become disgruntled when it fails to work as they expected. The replacement of one or other bolt-on with a solution from another provider gives the user the ability to more transparently pick and choose the approach that's pertinent to them.

    Regards,

    Greg
     
  15. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Wow, I cannot believe you said something like that. You mean Eset still relies on its blacklist as its main detection mechanism? Simply wow, really, wow... Like I stated before, blacklisting was a technology from ages ago; welcome to the 21st century, Marcos.

    Well then, if Eset still adheres to its blacklist as its main apparatus to protect its customers, consequently, let us all pray to God in order to protect them, and they are going to need it, prayer I mean... of course.

    Thanks.
     
    Last edited: Apr 8, 2010
  16. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    What you said is logical and I'm obliged to concur.

    Thanks.
     