Are Conventional AV's Useless?

Discussion in 'other anti-virus software' started by Diver, Aug 29, 2010.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Lately, I have not been posting here as I have moved to Mac OS X. However, over the summer the Windows machines of three people I know became infected which I discovered when I received spam.

    What really set me off is that my adult daughter who runs Win7 with SEP11 installed and proactive protection enabled got her machine root kitted. It's not clear how she became infected but the nasty slipped right past SEP and showed nothing on a scan. By telephone I instructed her to download and install GMER which found that the machine is infected. Unfortunately, at this point a direct removal strategy cannot be determined and the machine will have to be restored to its original state. Her important passwords have been changed using a machine known to be clean.

    This illustrates that AV publishers can't keep up with the techniques used to avoid detection during installation. Nearly everything comes with a root kit and a key logger now. Finally, social engineering is being honed to perfection in order to get past UAC.

    I am starting to think conventional real time AV's are useless and the best strategy is to run GMER once a day. Needless to say, education plays a major role and I am engaged in that process presently.

    By the way, I don't think my Mac's are immune. I have ClamXav on both.
     
  2. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Slight flaw in your plan there.... GMER wouldn't protect your passwords or any other sensitive information from being stolen (as one example)....especially if the malware doesn't use rootkit technology..in which case GMER wouldn't even sniff at it....and even GMER isn't foolproof. There are times when some rootkits evade detection by GMER until it is analysed and an update released for the tool....also GMER does not provide any soft of disinfection routine for file infectors et al...(meaning in some cases your files would be lost in the case of a virus attack)
     
    Last edited: Aug 29, 2010
  3. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    :thumb: :thumb: :thumb: Additionally , advice your daughter use layered protection . First, Symantec Endpoint Protection is not the best one out there especially if it is alone . It is a corporate product intended for company networks where a layer protection is integrated by other tools.
    This site could help you/her : http://www.microsoft.com/protect/
     
    Last edited: Aug 29, 2010
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    NEVER! ;)
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    As already said in this thread, multilayer defense and, at first and anyway, an HIPS.
     
  6. progress

    progress Guest

    Signature-based AVs are nearly useless but behaviour blocking is up-to-date :thumb: :) :thumb:
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    And which AV is strictly signature based? They have all evolved beyond that and they are FAR from useless. I've just tested avast! today on MDL and with all modules connected it blocked pretty much everything. Either through file or script detection or through URL blocking of malicious URL's.
    I have also tested very old Kaspersky Antivirus 7.0 yesterday with great results.
    I was surprised how effective still is. Scanner and behavior analyzer detected pretty much everything.
    These days antiviruses use different methods than they used to 12 years ago...
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Hey Diver, welcome back. Long time no see.. :)

    I think education is key here. AV's still have their place, but there simply is no substitute for user education. That's the bottom line IMO.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Diver

    Good to see you back :)

    Well i have to say, the reason your adult daughter got root kitted, eliminating a drive by, was "probably" due to her allowing something/s she shouldn't :p

    Is Scripting/Java etc globally allowed ? Is prompting for DL's enabled ?

    Sure some people seem to have blind faith in AV etc, but these days with anywhere between 5000 - 20,000 new nasties released DAILY, it's a wonder any AV etc manages to even get close to keeping up.

    Stuff has always been missed for a variety of reasons, but even though some AV's now have good to very good heuristics, it's an uphill struggle for all vendors.

    Useless no, without a Good AV most people would be more screwed than they already get. Perfect, never will be.
     
  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Tell her about Sandboxie, Online Armor, and Mamutu. Or other virtualization, firewall and BB/HIPS software. And most important, a system image safely stored for a quick, clean restart in literally minutes. Then the AV doesn't have to be fail-safe (which none are).
     
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    It is interesting to note that you were able to diagnose her infected system from the spam you've received(my understanding?). I think 'useless' is a bit extreme, but I agree AVs, even the best at the moment can't afford the same sense of security to the average user they used to only a few years ago.

    Detection is becoming a conceptually difficult process to trust: I can scan my system with the best available scanners, find nothing and conclude that my system is clean. There is always a possibility that new stealth malware, might have escaped detection and could operate on my machine for quite a long period before it is finally discovered.

    I still run an AV, but my real weapon against stealth malware is virtualization for day to day use, and every 3 months (at the latest) I restore a known pristine image of my system, IMO the only way to be 100% clean.
     
  12. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    First of all, a warm Welcome back!!!.
    How is your Mac OS X experience?
    Your daughter must install an Application like DefenseWall (paid) or Sandboxie (paid or free).
    In addition, a simple Boot-to-Restore solution,
    like Returnil (paid or free), Shadow Defender (paid), or Deep Freeze (paid)
    -OR-
    an Instant-System-Recovery solution,
    like Rollback Rx, EAZ-FIX etc.
    would provide effective protection.

    I have lost my faith in AntiMalware Scanners (Conventional and Not)
    especially when they are dealing with 0-day malware, Rootkits etc.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Just curious: is that with the free version or the paid one?
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    nothing is useless if it can detect and protect, regardless of the means. AVs are still very good.
     
  15. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,559

    I am guessing paid. I have tested the free version a couple times, and it lets a lot through.
     
  16. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    i'm using no av, no hips and not 100 antivirus and anti what ever scanners and get never infected....

    i'm using at this moment win 7 x64, an restrected user account, maximum uac dep, sehop.
    I'm running sandboxie, using firefox, noscript, adblockplus.

    windows updates are active.
    to update the rest you can use secunia + file hippo.
    use an backup software and klick not all what you can :)
     
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It was a free version, which is the most widely used. Only thing that got past was some rogue AV that i later got rid off with Autoruns and Process Explorer.
    But other than that it blocked everything.
     
  18. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    No, not useless yet, but they shouldn't be one of your first couple lines of defense either.
     
  19. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    I don't think they will ever be useless..Even if they detect 1 malware, thats 1 less you have to worry about.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    good answer. I would not give a AV of some type for any reason. They will continue to evolve as needed.
     
  21. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    62
    Was your daughter using a standard user account? If not, Windows 7 make using standard accounts almost painless.
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Looks like it might be another 6 months before we see Diver again :D
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep......
     
  24. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Time is the main factor that motivates me to choose value when dealing with an infection.

    Most infections come through the browser in some manner.
    Yahoo mail, Gmail, Hotmail are all used with the browser.
    Browsing a website that can exploit to add malicious software.

    The browser is where 95% of infections will travel through to get on a machine.

    By protecting the browser you eliminate a large amount of potential to become infected.

    HIPS is the second tool I rely on.
    HIPS gives you choice that you didn't have before.
    It's a window to see what is occurring.
    That which used to be mysterious and always allowed can now be viewed and I have a choice to block that event.

    A firewall that will prevent or alert on network attacks or internal programs trying to call out.

    Back ups make recovering from a difficult to clean infection simple and fast.

    What used to be an Ocean Liner is now a Boston Whaler.
    You have eliminated the number of people that can be aboard the craft and the parties are manageable.

    Virtualization reduces the necessity of AV but doesn't eliminate the need.
     
  25. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    I am amazed how people use the wrong tool and blame then tool.

    SEP 11 was released back in 2006. 2006! It is is 5 year old technology. And even though the definitions are being updated, bear in mind that those are just string definitions, which we know are fairly useless. The definitions are new for 5-year old engines!

    SEP 11 does not have most of the advanced features that make the latest Norton products so effective:

    1. Norton Insight
    2. SONAR 2 and 3
    3. Browser Protection

    I see that most home users running SEP are running it because it is easy to pirate. I dont believe it has any copy protection like the Norton products do. So its very popular. And because of that you see a lot of users or "Cleanup Forums" running SEP, because they got infected.
     
Loading...
Thread Status:
Not open for further replies.