Conclusion I reached after 3,200 individual malware removals.

Discussion in 'other anti-virus software' started by Mayahana, Nov 12, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Personal conclusion;

    For general users, clickers, kids, and non-techies I have found more automated solutions, and solutions with reputation blocking, to be the most effective. That includes products like Webroot, Trend, Norton, where healthy reputations are required for most activities with programs. My conclusion has been reached in monitoring thousands of systems, nearly 3,200 personal/corporate malware removals over the last 6 months. That is -- tickets assigned to me directly as a Level 2 IT Engineer. Also this includes my experiences at home with having kids. I checked my daughter's machine today and found 4 quarantined files in Norton 2015 from the last couple of days. Now realize these files made it through double Layer-7 UTMs (Kaspersky+ClamAV). They were flagged by Norton's Download Insight and SONAR reputation. So I removed these samples, and ran them through a few scanners, and they were generally missed by ALL of the big name traditional AVs. She would be hosed without a reputation AV.

    For safer folks, techies, and people that generally have more experience with computers, I often find solutions like Kaspersky, ESET, Bit Defender, Emsisoft and others better for them. These folks are generally not 'fooled' by dumb downloads, double packed archived files, two extension files, and other things. In doing so they rarely need reputation based systems, and these may actually be an impediment to them because techie types tend to be involved with development, beta testing, and other things to which reputation systems could drive them insane.

    I'm scared to death to not have a reputation based AV on my daughter's system. But I wouldn't hesitate for a minute not having one on my machine, or my network engineer 20-year-old son's system. Kaspersky or something is perfect for us.

    Clickers, Non-Techs, Kids, Newbs - Run, don't walk to Trend, Norton or Webroot type of products.

    Techie, Developer, Engineer, Hobbyist - Stick with stuff like Kaspersky, Eset, Emsisoft.

    It's personal opinion at this point, but I figured worth sharing. What I find funny (and ridiculous) is... My daughter managed to push 4 pieces of malware through the following;

    1) ZyXEL USG NGFW (Kaspersky UTM, Bluecoat, Commtouch)
    2) Untangle UTM (ClamAV, and other databases)
    3) Adguard w/Malware Blocking Database
    4) Chrome Malware Database
    5) Kerish Doctor (w/Limited Malware Database)

    Finally Norton nailed it with the reputation of 'rarely seen file, less than 100 machines, unsigned'. I pushed the samples up to the major honeypots, and only 2-3 traditional AVs detected it.
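The verdict quoted in the post ('rarely seen file, less than 100 machines, unsigned') is a reputation decision: it keys on prevalence, signature state and age rather than on file content. As an added example, not code from the original post and not Norton's own logic, here is a minimal version of that decision in Python. The thresholds, field names and sample inputs are assumptions; the local allowlist stands in for the override a developer would need so their own fresh, unsigned builds are not flagged, which is the "chatty" behaviour later posts complain about.

```python
"""Toy reputation-based verdict (added example; not Norton's logic).

Assumed inputs: per-hash prevalence and first-seen age as a cloud telemetry
service would report them, plus whether the file carries a valid signature.
Thresholds are illustrative, not vendor values.
"""
from dataclasses import dataclass, field

PREVALENCE_THRESHOLD = 100   # assumed: fewer reporting machines than this is "rarely seen"
AGE_THRESHOLD_DAYS = 7       # assumed: first seen more recently than this is "new"


@dataclass
class FileReputation:
    sha256: str
    prevalence: int      # number of endpoints that have reported this hash
    signed: bool         # True if the Authenticode signature validated
    age_days: int        # days since the hash was first seen in telemetry


@dataclass
class ReputationPolicy:
    # Local override for the "techie" case: hashes the user has explicitly trusted,
    # e.g. their own build output, so reputation does not nag them about it.
    allowlisted_hashes: set = field(default_factory=set)

    def verdict(self, rep: FileReputation):
        """Return (decision, reasons); decision is 'allow', 'prompt' or 'block'."""
        if rep.sha256 in self.allowlisted_hashes:
            return "allow", ["locally allowlisted"]
        reasons = []
        if rep.prevalence < PREVALENCE_THRESHOLD:
            reasons.append(f"rarely seen ({rep.prevalence} machines)")
        if not rep.signed:
            reasons.append("unsigned")
        if rep.age_days < AGE_THRESHOLD_DAYS:
            reasons.append(f"new ({rep.age_days} days old)")
        # Unsigned AND (rare or new) is the combination the post describes: block outright.
        if not rep.signed and len(reasons) >= 2:
            return "block", reasons
        # Merely rare, new or unsigned gets a prompt; this is what a developer
        # running fresh builds sees constantly unless they allowlist.
        if reasons:
            return "prompt", reasons
        return "allow", reasons


# Constructed sample inputs (not real telemetry).
FRESH_UNSIGNED_DROPPER = FileReputation("a" * 64, prevalence=3, signed=False, age_days=1)
WELL_KNOWN_INSTALLER = FileReputation("b" * 64, prevalence=250_000, signed=True, age_days=400)
DEV_BUILD = FileReputation("c" * 64, prevalence=1, signed=False, age_days=0)

if __name__ == "__main__":
    clicker_policy = ReputationPolicy()
    techie_policy = ReputationPolicy(allowlisted_hashes={DEV_BUILD.sha256})
    for rep in (FRESH_UNSIGNED_DROPPER, WELL_KNOWN_INSTALLER, DEV_BUILD):
        print(rep.sha256[:8], clicker_policy.verdict(rep), techie_policy.verdict(rep))
```

Note that the developer's own build and the dropper look identical to the reputation model (both unsigned, rare and new); only the local allowlist separates them, which is why the same setting that protects a clicker is an impediment on a developer's box.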
     
  2. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Can you share with us the Norton settings on your daughter's PC?
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sure;
     

    Attached Files:

  4. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    Can you be so sure they were not false positives and if so, what kind of malware were they?
     
  5. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Thank you Mayahana.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sandbox evaluation confirmed they were malware. One had Cryptolocker 2x buried in it, including fake root CAs. Another was a credential harvesting tool that injected into the browser as a MITM.
     
  7. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Thank you for this great post. And I agree: most PCs I fixed that were infected not by a virus, but by these malware based apps, had Kaspersky on them, which fortifies your view; these n00bs/kids need a reputation based AV to stop them from even installing them.
     
  8. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    Where do we people who don't run AV, and practice safe surfing, fit in? We use PCs in the office almost 12 hrs every day from Monday to Saturday, and the last antivirus we had was Vipre 2012.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    May I ask what you came up with for Webroot SecureAnywhere? You mentioned Norton so much but nothing about Webroot or Trend. And why wouldn't you recommend Webroot or Trend to "Techie, Developer, Engineer, Hobbyist"? Also, which Webroot product were you looking at, Consumer or Business/Enterprise?

    Thanks,

    TH
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Agreed. I read some industry report that estimated 67% of infections aren't even classified as true malware anymore, but are greyware, but they can payload as much as a trojan. Also I believe ad blocking is crucial, along with keeping everything up to date as part of the whole package. Not having an AV I personally think is suicide unless you can guarantee nobody but you - a knowledgeable person - is the one accessing the machine at all times. Even so, we're seeing some pretty intense malware these days that would bypass even savvy users, and in some cases exploit vulnerabilities they aren't even aware of. I already mentioned why I noted Webroot, my experience with Webroot is limited, but I have had success putting it on machines with perpetual clickers, and it seems to have a good system for unclassified/risky detection - but overly chatty for developers IMO.
     
  11. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    For me Webroot works awesome for happy clickers. I have seen only 2 infections in the time with it, and that's with currently more than 500 users. I also agree for me it's a bit chatty. Even with the quirks it has at times, I find it just works. Also many things are greyware now, including many keygens even. Ad blocking for most is great, but for some it does tend to slow things down a bit and even cause issues with some pages loading, which is why I have been asked to remove ad blockers for some; they did not like that the page they wanted to view did not load properly. But then this also goes for many AVs like Webroot. Some people (though rare) have said to me it's blocking pages I want to view and I don't believe they are bad pages... and then I try to explain things to them.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I agree, it's not a good idea to run without AV, unless you know what you're doing. I have been relying on VirusTotal, combined with HIPS for the last 6 years, without any problems, so this is proof that "tech savvy" users do not have to rely on a standalone AV. And speaking of intense malware, the key is to not let them run at all. So this means download apps only from trusted sources and let HIPS monitor apps. HIPS should also be used for blocking exploits.
     
  13. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    For most kids, sandboxie would be essential. Add EMET/HMP.Alert/MBAE and a firewall with only whitelisted programs allowed to internet and you got yourself pretty much covered. And then add any decent AV with high heuristics.
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I personally think it is 'suicide' (overly dramatized situation, there are sadly so many problems in life that are infinitely more serious than an infected computer) to rely on an AV as a first line of defense. Virtualization for noobs and kids is the only way to stave off unknown malware. Norton is one of the best AVs around, no doubt about it, you are talking about reputation as a godsend, but still Norton couldn't stop the notorious New York Times incident whereby Chinese hackers managed to copy an enormous amount of info from the newspaper editors.
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,248
    I rely on my own judgement to keep me protected. By doing that, even when I have no system protection other than Windows Firewall, and no website blocking, I find it extremely hard to get infected, even with UAC turned off. I don't even scan downloads or try to avoid unsafe websites, and there are countless times I've visited websites which Google or Chrome tell me not to visit because they are infected.

    However, this is not something I recommend for others.
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Speaking of intense malware, I am thinking more along the lines of quantum injection type of stuff, or the Dark Horse types of activities. Many of those aren't going to be contained unless you roll with a UTM. But Sandboxing does tend to work for prevention of those, however I elect not to sandbox due to some issues in the past in relation to keeping things non-confusing for the younger ones, while still giving them a fairly seamless experience. Norton's issue with NYT isn't as much of an issue with Norton, as it was what version they were running, deployment below best practices, and incompetent IT. Specially honed, targeted malware missed? No surprise there. Thankfully the newer Norton's have much better reputation/insight than the ones back when this happened.

    http://www.forbes.com/sites/andygre...-black-eye-in-chinese-hack-of-new-york-times/
     
  17. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    On the other side of things, people are much of the problem itself. I literally just a few minutes ago finished cleaning some wicked virus on a laptop. What a mess. They insisted I clean it and not format and reinstall, which in this case IMO would have been the better way to go and cost them less money. All this because they TURNED OFF their AV. They wanted to run a "speed up" type app and ESET did block it, but they thought they wanted to run it and shut ESET down. Some people I just don't get. The whole point of having an AV is to let it protect you. Looking in the logs I saw where ESET did try to stop it.
     
  18. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Any chance you can share the VT link? Not sure if it can be posted here. You can send me a PM. I am just curious to see how many AVs detect it now!

    And thanks for your excellent posts. They are very informative. I was unaware of the concept of UTM before.
    I like the idea of having something filter at the router level. I am behind a Linksys EA3500 router which has some firewall. And sadly it does not do ad filtering. I hope more products will add ad filtering capabilities in the future. This at least should reduce the number of malicious incidents to a certain extent.
    Unfortunately it's not available in wider markets. And a little expensive. :(
     
  19. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    IMHO, if you have to give the power to decide to a "click-happy" user, nothing short of an anti executable which is password protected will do good for keeping the computer clean. Though they will complain about some new awesome cleaner or facebook game not working because of you, they will be relatively safe. Some kind of webfilter (for phishing protection) is essential too.
     
  20. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    He can't share the VT link due to forum policy but can post/PM the hash.
     
  21. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Yes, that's what I remembered but was not sure. Hash should be sufficient and PM may not be needed for it :)
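Two things this thread mentions in passing can be checked mechanically: the "two extension files" and "double packed archived files" the first post says techies are not fooled by, and the hash that the last two posts say should be shared instead of a VirusTotal link. As an added example, not code from the original thread, the Python below computes the SHA-256 a poster would share, flags decoy double extensions such as invoice.pdf.exe, and walks nested zip archives to a fixed depth. The extension lists, the depth and size caps, and the in-memory sample archive are assumptions.

```python
"""Download-hygiene checks (added example, not from the original thread).

Assumptions: the decoy/executable extension lists and the nesting and size caps
below are illustrative; the sample archive is constructed in memory.
"""
import hashlib
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi", ".lnk"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".mp3"}
MAX_NESTING = 3                        # assumed cap on archive-in-archive depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # assumed cap so a zip bomb is reported, not expanded
ZIP_MAGIC = b"PK\x03\x04"


def sha256_hex(data: bytes) -> str:
    """The value to post on a forum instead of a VT link."""
    return hashlib.sha256(data).hexdigest()


def has_double_extension(name: str) -> bool:
    """True for decoy names like invoice.pdf.exe: a document extension hiding an executable one."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXT and "." + parts[-2] in DECOY_EXT


def inspect_archive(data: bytes, depth: int = 0) -> list:
    """Return findings for a zip blob, recursing into zips packed inside it."""
    findings = []
    if depth > MAX_NESTING:
        return [f"archive nested deeper than {MAX_NESTING} levels; not expanded"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip: nothing to walk
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"oversized member {info.filename} ({info.file_size} bytes); skipped")
                continue
            member = zf.read(info.filename)
            if has_double_extension(info.filename):
                findings.append(f"double extension: {info.filename} sha256={sha256_hex(member)}")
            if member.startswith(ZIP_MAGIC):
                findings.append(f"nested archive at depth {depth + 1}: {info.filename}")
                findings.extend(inspect_archive(member, depth + 1))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a zip holding a zip holding invoice.pdf.exe (payload is a fake stub)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ fake payload, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("readme.txt", b"please open the attached invoice")
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("sample sha256:", sha256_hex(sample))
    for finding in inspect_archive(sample):
        print(" -", finding)
```

The nested-archive test keys on the member's bytes rather than its name, so a zip renamed to .dat is still descended into; the size cap and depth cap are what keep that recursion from being turned against the scanner by a crafted archive.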
     
  22. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Impossible to compare everyday malware with targeted, state-sponsored attacks that have access to multiple zero-day exploits, valid digital signatures and custom modules specifically designed to bypass the security of a given target. An antivirus is an automated response that works well against automated threats. Highly skilled attackers will always have the upper hand against any piece of software.

    During the incident that you mention Norton caught a couple of modules related to the attack, but the NYT staff didn't realize what was happening. They thought it was normal malware.
     
  23. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    zfactor, I've read something like this a few days ago (written by a technician): If you're a bad driver and take your crashed car two or three times to a garage, the mechanic will not bother trying to teach you how to drive... He will just smile and take your money for the repair.
     
  24. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I agree with you; nevertheless the whole thing went on for 4 months without one single warning from Norton...
     
  25. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Interesting perspective @Mayahana. Unfortunately I don't want to give Trend or Symantec one red cent.

    (Webroot I know less about. Back when it was PrevX it was useful as an intrusion detection system, though I strongly disliked the free detection/pay for removal policy. In general I dislike giving money to AV companies due to their tactics.)

    What's your opinion on MS Smartscreen or whatever it's called?

    Also, I'm interested in what you've seen with Linux on end-user systems. Rooted Linux servers are ubiquitous enough; and what I've heard from my contacts in the sysadminosphere is that native Linux trojans are usually harder to detect than Windows ones.
     