Hardest AVs to fool?

Discussion in 'other anti-virus software' started by mvdu, May 10, 2004.

Thread Status:
Not open for further replies.
  1. dog

    dog Guest

    Agreed! ;) Good Post BigC. :)
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,778
    Location:
    Texas
    I have been in the position to see a global company and their worldwide network shut down because one of the four companies you mention let Loveletter through.
    Sales and marketing are everything.
    Actually, the most popular operating system in the world has turned out to be the Swiss cheese of the world as far as vulnerabilities go.
    Just because it is big, doesn't mean it is better. o_O
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Any AV can, in the right situation, let a piece of malware through for any number of reasons. An infestation of a corporate network could be as simple as the IT department having the AV set up wrong. It is not always the software's fault. They may have been complacent about OS patches and upgrades. Like I said, large companies spend more on advertising, but the four companies I listed, advertising or not, if they did not perform they would be replaced. These companies are used a lot because they work and for no other reason. If I had a fifty million dollar company I sure as heck am not going to run security software just because they spend a lot of money advertising. I will run one that has a good track record. No matter how much a product is advertised, if it doesn't work it will just disappear. I don't know too many people that will spend lots of money on something if it is not going to do what it advertises.
     
  4. dog

    dog Guest

    Hi Ronjor, :)

    Not that I'm a fan of M$, but in regards to the Swiss cheese comment ... I'm sure we would be more aware of the vulnerabilities of other OS's ... if they were the world's dominant OS ... just a thought

    Big doesn't necessarily mean better, but again ... if they had performance issues they surely wouldn't retain their status in the industry.

    I'm not trying to be argumentative ... just thought provoking. ;)

    dog - *puppy*
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,778
    Location:
    Texas
    The company I mentioned is worth far more than fifty million.
    I don't disagree that an IT department could foul things up, I've seen that too.
    However, a lot of support calls were due to the antivirus programs crashing or otherwise fouling up the computer.
    Buyers for big companies are influenced by strong sales pitches, price cuts on the product, and the like.
    The big boys on top don't have a clue about antivirus programs.
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Well I have posted all I am going to in this thread. I have said all I wanted to say and we are drifting a little off the original topic of this thread. I will agree that everyone has the right to an opinion and I am really glad of that. It would be a real boring world if everyone agreed on everything.


    surf safe
    bigc
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    ronjor it has been fun :D ;) I like a good discussion.
     
  8. dog

    dog Guest

    Wouldn't the companies IT dept. have an input on the decision ... and maybe even the strongest influence on that decision?

    dog - *puppy*

    Just another thought. ;)
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,778
    Location:
    Texas
    I didn't mean to get carried away! :D Enjoyed the chat.
     
  10. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Looking forward to the next one ;)

    See you there too, Dog *puppy*
     
  11. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I think the "price" they can negotiate is more a factor in which AV large corps use, that's why more business users suffer when a new unknown bug is released than really should do
     
  12. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    From my experience, KAV is the easiest to fool. Sure there must be ways to fool any AV, but with KAV I have actually seen it happen, and it was surprisingly simple due to the weak signatures discovered.
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Has anyone else had that kind of experience with KAV? And recently?
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No surprise - and IMO not restricted to KAV. Signatures can be fooled indeed. As you most probably know, this is no news at all :).

    regards.

    paul
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Hi, Paul - do you think KAV would be easier to fool than other AVs that rely mainly on sigs? That would be a serious thing.
     
  16. --?--

    --?-- Guest

    No. Some other scanners (including dedicated trojan scanners) are even worse.

    I believe there is currently no scanner which meets all of the following requirements:

    1. "Strong", code-based signatures which cannot be hexed (or erased) without breaking the malware.

    2. Use of several alternative (!) signatures for each malware sample.

    3. Use of "rotating" signatures (in order to make it more difficult to "patch" malware).

    4. Built-in security mechanisms which protect the scanner from filesplitter attacks. (Filesplitters split a malware sample into several small pieces until you know the exact location of the signature used by the AV/AT scanner.) A scanner should stop the scanning process if it detects the use of a filesplitter.

    Most AV/AT scanners do not meet any of the above requirements at all.
     
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Still possible to bypass even with ALL those methods implemented.

    My simple answer:

    The hardest to fool are those with advanced heuristics.
    The best security programs are those which don't rely on signatures (or purely on sigs).
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    This is at least misleading, and wrong. It is close enough to IMPOSSIBLE to code a scanner which can detect a "split file" when actually scanning complete EXE/DLL etc. files.

    Now don't misread this. It is very EASY to detect a file which has been split. But to effectively detect on a user's machine, it is impossible to actually detect the fact that a file you are scanning, say file.exe, was previously split, patched, and then put back together. How is the scanner meant to know where to look, and what to look for?

    A good scanner SHOULD however not detect files if they are incomplete; this is a simple series of checks of the reported size of the PE image in the header, compared with the actual file presented. If the end has been chopped off, it probably shouldn't be detected, to HELP prevent splitter attacks.

    Likewise, if the file is missing the header and only contains the end of the file, or, as in some cases, where you detect a BINARY signature in a non-binary file, it should not alarm.

    But other attacks to find the signature are easy.. so is this really such a big deal? No. The big deal is not relying on signatures to detect something, since those signatures are IMPOSSIBLE to hide completely. If someone wants them bad enough, they can get them.
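    The completeness check Gavin describes, as an added illustration that is not code from the original thread or from any of the products mentioned: parse the PE section table, refuse to alarm when a section's raw data extends past the end of the file presented, and likewise when the MZ/PE headers are absent. The sample file and the "signature" are constructed here for the demo; the check only catches naive truncation, not splitters that keep the headers intact.

```python
import struct

def build_sample_pe(section_size: int = 64) -> bytes:
    """Constructed, non-functional PE-shaped blob with one section (demo input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + len(coff) + 40          # section data right after headers
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000,
                          section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section + bytes(range(section_size))

def pe_completeness(data: bytes) -> str:
    """Return 'ok', 'not-pe' (no usable headers) or 'truncated' (section data cut off)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"                      # e.g. only the tail of a split file
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size         # first section header
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            return "truncated"               # section table itself is cut off
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_size and raw_ptr + raw_size > len(data):
            return "truncated"               # header promises bytes the file lacks
    return "ok"

def scan(data: bytes, signature: bytes) -> str:
    """Only alarm on a signature hit inside a complete PE; otherwise stay quiet."""
    hit = signature in data
    status = pe_completeness(data)
    if hit and status == "ok":
        return "detected"
    return f"suppressed ({status})" if hit else "clean"

SIGNATURE = bytes(range(16, 24))             # constructed stand-in for a scanner signature

if __name__ == "__main__":
    sample = build_sample_pe()
    print(scan(sample, SIGNATURE))           # complete file: detected
    print(scan(sample[:-20], SIGNATURE))     # end chopped off: suppressed (truncated)
    print(scan(sample[-50:], SIGNATURE))     # header missing: suppressed (not-pe)
```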
     
  19. --?--

    --?-- Guest

    @Gavin

    1.
    "My simple answer:

    The hardest to fool are those with advanced heuristics.
    The best security programs are those which don't rely on signatures (or purely on sigs)."

    Heuristics. Agreed. (We have already talked about this issue in connection with Port Explorer's & Process Guard's indirect capabilities to detect trojans: many trojans can be detected by observing their suspicious behaviour like hiding themselves, using injection techniques etc.). However, I am not entirely sure how you distinguish advanced from simple heuristics.

    2.
    "This is at least misleading, and wrong. It is close enough to IMPOSSIBLE to code a scanner which can detect a "split file" when actually scanning complete EXE/DLL etc. files" ... "But to effectively detect on a user's machine, it is impossible to actually detect the fact that a file you are scanning, say file.exe, was previously split, patched, and then put back together."

    I did not say that it should work this way!

    I believe that there are several potential ways to protect a scanner from filesplitters (none of them are perfect! I know!):

    a) Refuse to detect incomplete/scrap files (as you have already explained).
    b) Refuse to detect the same malware sample 100 times in a row.
    c) Use an additional mem scanner.
    d) Use many alternative signatures.

    Again ... I do not say that the above suggestions will solve all problems. However, what's the excuse for not implementing any protection at all and marketing a scanner as a super-duper all-round anti-virus/anti-trojan/anti-everything scanner?
     
  20. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I don't think there is a theory about advanced heuristics. It's better, more aggressive, with new approach techniques. Whereas "simple" heuristics is basically the classic approach to detect new viruses or Trojans. ;)


    tECHNODROME
     
  21. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    How do you expect to find such signatures? AFAIK, patching is becoming more and more sophisticated: it's not only a matter of "hexing" without understanding. Patching now involves disassembling the code, replacing an instruction by another one that is equivalent. If it cannot be done, they may just "call" or "jmp" to instructions that they add inside unused space of the PE. Or they may just "rebase" the exe.

    I think KAV does that for some malware. No?

    I also think KAV's signatures are sometimes changed, at least for some trojan horses.

    It seems quite difficult to implement:
    - "Smart" splitters will not affect the PE header (nor the section headers). They may not remove a part of the file, but just replace it by NOPs, not necessarily only 0x90 (any pop/push sequence would do the trick, for example).

    - No AV will refuse to detect 100 samples of the same virus in a row: there would be a big risk of missing a "polymorphic virus" test.

    - Too many alternative signatures would increase the risk of false positives. IMHO, nobody will take the risk of missing a VB test just for detecting some patched malware.

    - I think several AV companies would be interested in implementing a real memory scanner. But it seems to be a hard task.

    You're right. That's why I would not rely on traditional signature-based AV/AT for detecting trojan horses.
     
  22. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Ironically, one of the ones that shined in my tests was BitDefender; it's probably one of the best, and definitely underrated.

    I'd say NOD32, BitDefender and KAV would be my obvious choices, but I avoid KAV due to its bloated state and horridly slow operation. DR.Web is OK, but false alarms are common, and it's quite a load on a system.
     