Are Conventional AV's Useless?

Discussion in 'other anti-virus software' started by Diver, Aug 29, 2010.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Lately, I have not been posting here as I have moved to Mac OS X. However, over the summer the Windows machines of three people I know became infected which I discovered when I received spam.

    What really set me off is that my adult daughter who runs Win7 with SEP11 installed and proactive protection enabled got her machine root kitted. It's not clear how she became infected but the nasty slipped right past SEP and showed nothing on a scan. By telephone I instructed her to download and install GMER which found that the machine is infected. Unfortunately, at this point a direct removal strategy cannot be determined and the machine will have to be restored to its original state. Her important passwords have been changed using a machine known to be clean.

    This illustrates that AV publishers can't keep up with the techniques used to avoid detection during installation. Nearly everything comes with a root kit and a key logger now. Finally, social engineering is being honed to perfection in order to get past UAC.

    I am starting to think conventional real time AV's are useless and the best strategy is to run GMER once a day. Needless to say, education plays a major role and I am engaged in that process presently.

    By the way, I don't think my Mac's are immune. I have ClamXav on both.
     
  2. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Slight flaw in your plan there.... GMER wouldn't protect your passwords or any other sensitive information from being stolen (as one example)....especially if the malware doesn't use rootkit technology..in which case GMER wouldn't even sniff at it....and even GMER isn't foolproof. There are times when some rootkits evade detection by GMER until it is analysed and an update released for the tool....also GMER does not provide any sort of disinfection routine for file infectors et al...(meaning in some cases your files would be lost in the case of a virus attack)
     
    Last edited: Aug 29, 2010
  3. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    :thumb: :thumb: :thumb: Additionally, advise your daughter to use layered protection. First, Symantec Endpoint Protection is not the best one out there, especially if it is alone. It is a corporate product intended for company networks where layered protection is provided by other tools.
    This site could help you/her : http://www.microsoft.com/protect/
     
    Last edited: Aug 29, 2010
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    NEVER! ;)
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    As already said in this thread, multilayer defense and, at first and anyway, an HIPS.
     
  6. progress

    progress Guest

    Signature-based AVs are nearly useless but behaviour blocking is up-to-date :thumb: :) :thumb:
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    And which AV is strictly signature based? They have all evolved beyond that and they are FAR from useless. I've just tested avast! today on MDL and with all modules connected it blocked pretty much everything. Either through file or script detection or through URL blocking of malicious URL's.
    I have also tested very old Kaspersky Antivirus 7.0 yesterday with great results.
    I was surprised how effective it still is. Scanner and behavior analyzer detected pretty much everything.
    These days antiviruses use different methods than they used to 12 years ago...
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Hey Diver, welcome back. Long time no see.. :)

    I think education is key here. AV's still have their place, but there simply is no substitute for user education. That's the bottom line IMO.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Diver

    Good to see you back :)

    Well i have to say, the reason your adult daughter got root kitted, eliminating a drive by, was "probably" due to her allowing something/s she shouldn't :p

    Is Scripting/Java etc globally allowed ? Is prompting for DL's enabled ?

    Sure some people seem to have blind faith in AV etc, but these days with anywhere between 5000 - 20,000 new nasties released DAILY, it's a wonder any AV etc manages to even get close to keeping up.

    Stuff has always been missed for a variety of reasons, but even though some AV's now have good to very good heuristics, it's an uphill struggle for all vendors.

    Useless no, without a Good AV most people would be more screwed than they already get. Perfect, never will be.
     
  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Tell her about Sandboxie, Online Armor, and Mamutu. Or other virtualization, firewall and BB/HIPS software. And most important, a system image safely stored for a quick, clean restart in literally minutes. Then the AV doesn't have to be fail-safe (which none are).
     
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    It is interesting to note that you were able to diagnose her infected system from the spam you've received (my understanding?). I think 'useless' is a bit extreme, but I agree AVs, even the best at the moment, can't afford the same sense of security to the average user they used to only a few years ago.

    Detection is becoming a conceptually difficult process to trust: I can scan my system with the best available scanners, find nothing and conclude that my system is clean. There is always a possibility that new stealth malware might have escaped detection and could operate on my machine for quite a long period before it is finally discovered.

    I still run an AV, but my real weapon against stealth malware is virtualization for day to day use, and every 3 months (at the latest) I restore a known pristine image of my system, IMO the only way to be 100% clean.
     
  12. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    First of all, a warm Welcome back!!!
    How is your Mac OS X experience?
    Your daughter must install an Application like DefenseWall (paid) or Sandboxie (paid or free).
    In addition, a simple Boot-to-Restore solution,
    like Returnil (paid or free), Shadow Defender (paid), or Deep Freeze (paid)
    -OR-
    an Instant-System-Recovery solution,
    like Rollback Rx, EAZ-FIX etc.
    would provide effective protection.

    I have lost my faith in AntiMalware Scanners (Conventional and Not)
    especially when they are dealing with 0-day malware, Rootkits etc.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Just curious: is that with the free version or the paid one?
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    nothing is useless if it can detect and protect, regardless of the means. AVs are still very good.
     
  15. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787

    I am guessing paid. I have tested the free version a couple times, and it lets a lot through.
     
  16. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    I'm using no AV, no HIPS and not 100 antivirus and anti-whatever scanners, and I never get infected....

    I'm using at this moment Win 7 x64, a restricted user account, maximum UAC, DEP, SEHOP.
    I'm running Sandboxie, using Firefox, NoScript, Adblock Plus.

    Windows updates are active.
    To update the rest you can use Secunia + FileHippo.
    Use backup software and don't click everything you can :)
     
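    As an added example (not markusg's own code, and not part of the thread), a PowerShell audit of the settings his post lists on Windows 7 x64: a standard user account, UAC at its maximum setting, DEP, and SEHOP. It assumes an unelevated PowerShell session on Windows 7 or later; the registry paths and the WMI property used are the documented locations for these settings.

    ```powershell
    # Constructed audit of the hardening baseline described in the post above.
    # Every check reads settings a standard user is allowed to read, so no elevation needed.

    function Test-StandardUser {
        # whoami /groups lists every token group, including ones marked "deny only",
        # so the Administrators SID showing up at all means this is an admin account
        # (an unelevated admin session would otherwise look like a standard user).
        $groups = whoami /groups
        -not ($groups | Select-String -SimpleMatch 'S-1-5-32-544' -Quiet)
    }

    function Get-UacState {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $v = Get-ItemProperty -Path $key
        # EnableLUA=1 turns UAC on. ConsentPromptBehaviorAdmin=2 plus
        # PromptOnSecureDesktop=1 is the "Always notify" (top) slider position.
        [pscustomobject]@{
            Enabled      = ($v.EnableLUA -eq 1)
            AlwaysNotify = ($v.ConsentPromptBehaviorAdmin -eq 2 -and $v.PromptOnSecureDesktop -eq 1)
        }
    }

    function Get-DepPolicy {
        # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
        # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only), 3 = OptOut.
        $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
        $os = Get-WmiObject -Class Win32_OperatingSystem
        $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }

    function Test-Sehop {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # System-wide SEHOP is on when DisableExceptionChainValidation is 0.
        # Client editions of Windows 7 leave it off unless this value has been set.
        ($null -ne $v -and $v.DisableExceptionChainValidation -eq 0)
    }

    $uac = Get-UacState
    [pscustomobject]@{
        StandardUser    = Test-StandardUser
        UacEnabled      = $uac.Enabled
        UacAlwaysNotify = $uac.AlwaysNotify
        DepPolicy       = Get-DepPolicy   # OptOut or AlwaysOn covers every process
        SehopEnabled    = Test-Sehop
    } | Format-List
    ```

    A row reading False (or a DEP policy of OptIn) points at the item in the post that still needs to be set on that machine.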
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    It was a free version, which is the most widely used. Only thing that got past was some rogue AV that I later got rid of with Autoruns and Process Explorer.
    But other than that it blocked everything.
     
  18. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    No, not useless yet, but they shouldn't be one of your first couple lines of defense either.
     
  19. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    I don't think they will ever be useless.. Even if they detect 1 malware, that's 1 less you have to worry about.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Good answer. I would not give an AV of some type for any reason. They will continue to evolve as needed.
     
  21. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Was your daughter using a standard user account? If not, Windows 7 makes using standard accounts almost painless.
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Looks like it might be another 6 months before we see Diver again :D
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yep......
     
  24. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Time is the main factor that motivates me to choose value when dealing with an infection.

    Most infections come through the browser in some manner.
    Yahoo mail, Gmail, Hotmail are all used with the browser.
    Browsing a website that can exploit to add malicious software.

    The browser is where 95% of infections will travel through to get on a machine.

    By protecting the browser you eliminate a large amount of potential to become infected.

    HIPS is the second tool I rely on.
    HIPS gives you choice that you didn't have before.
    It's a window to see what is occurring.
    That which used to be mysterious and always allowed can now be viewed and I have a choice to block that event.

    A firewall that will prevent or alert on network attacks or internal programs trying to call out.

    Back ups make recovering from a difficult to clean infection simple and fast.

    What used to be an Ocean Liner is now a Boston Whaler.
    You have eliminated the number of people that can be aboard the craft and the parties are manageable.

    Virtualization reduces the necessity of AV but doesn't eliminate the need.
     
  25. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    I am amazed how people use the wrong tool and blame the tool.

    SEP 11 was released back in 2006. 2006! It is 5-year-old technology. And even though the definitions are being updated, bear in mind that those are just string definitions, which we know are fairly useless. The definitions are new for 5-year-old engines!

    SEP 11 does not have most of the advanced features that make the latest Norton products so effective:

    1. Norton Insight
    2. SONAR 2 and 3
    3. Browser Protection

    I see that most home users running SEP are running it because it is easy to pirate. I don't believe it has any copy protection like the Norton products do. So it's very popular. And because of that you see a lot of users on "Cleanup Forums" running SEP, because they got infected.
     