Discussion in 'other anti-virus software' started by PiCo, Jan 16, 2009.
This is from a friend's PC, I don't know if some malware infected AVG files, but LOL!!
From a google search, there doesn't appear to exist an avgupdm.exe, but an avgupd.exe. So it probably IS real malware that finds its way inside AVG's folder.
Exactly. Just a trojan trying to disguise itself as one of AVG's components. Upload to VT and share the detections, rather than the vendors. And ThreatExpert.
I can confirm that there exists no avgupdm.exe in my AVG installation folder. It is probably real malware.
YOU ARE PROTECTED EXCEPT INSIDE OUR OWN FOLDER
After all these years you'd think they would at least take some lessons from HIPS. Try to add either a file or folder inside my HIPS folder (EQS) and it's met immediately with ACCESS DENIED!
Just goes to show the weaknesses which still exist in some AVs, if not all of them, in comparison to HIPS!
With all due respect, I think you are totally wrong. Weak how? It obviously caught it, which is what it is supposed to do. HIPS? Would have left it up to the user to say it is or isn't, and to me that is never, ever going to sell on the open market. No product that leaves it up to the average consumer to play Russian Roulette on whether something is malware will ever sell. An AV may not catch it all, but the good ones will more than likely keep the average user safe for a long time.
If malware can put its files inside your AV's folder... imagine what it can do to the AV itself (e.g. delete files, databases, license keys).... I'm not sure how AVG defends itself, but it should have some sort of file defence at least. If it doesn't, like certain AVs, all it takes is a 1KB .bat file to wipe it out completely.
I think the ironic part is that, from the screenshot, it appears that AVG caught it, but on demand. Meaning it didn't catch it in real time. So AVG's response time failed against malware that specifically targets AVG.
Malware vs AVG's honour 1-0.
Case in point, as pointed out: something as simple as a maliciously compiled batch file can render the entire AV useless. HIPS, and even now many AVs, set up shop where HIPS has been standing sentry at the SSDT table, for one, to prevent as little disruption as possible. So one better hope AVG doesn't put all its eggs into a single basket (folder).
my mistake, apology offered.
That any AV should be able to prevent infections of its own folder(s), no one can deny.
But, I don't see how a HIPS would prevent such, unless the user knows exactly what to do.
Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen.
I think that, for AVs to be able to stop this, some sort of behavior blocker should be implemented just to monitor the AV's own files, and if no such action is done under normal update situations (the AV vendor knows better than anyone - I think - how their AVs work), then automatically block such action.
Not a HIPS, in my opinion.
That is supposed to be the Av's self protection's job.
Yes, indeed. But, in AVG's case, it clearly failed the job. So, a better self protection is needed.
Maybe that's why they acquired SANA.
Please... HIPSs are designed exactly for that: find AVG executables and permit them to modify/read/delete/write %ProgramFiles%\AVGfolder\*.*, all others deny, or simply use (some HIPS have) learning mode for a while ...
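The two defensive ideas in this thread, checking the AV install folder for a file that is not a shipped component (the manual avgupdm.exe check above) and the HIPS rule just described (vendor executables may touch the AV folder, everything else is denied), can be modelled in a few lines. The example below is added here; it is not code from the thread, from AVG, or from any HIPS product. The folder path `C:\Program Files\AVG`, the second allow-list entry and all function names are constructed for the illustration; only `avgupd.exe` comes from the thread.

```python
"""Added illustration (not code from the thread or from any AV/HIPS vendor):
a toy model of a folder baseline check plus a HIPS-style path rule.
The folder path and the component names are constructed placeholders."""
import ntpath

# Constructed stand-in for %ProgramFiles%\AVGfolder; not a path taken from AVG.
AV_DIR = r"C:\Program Files\AVG"

# Constructed allow-list. avgupd.exe is the legitimate updater name mentioned
# in the thread; the second entry is a placeholder, not a real component.
KNOWN_COMPONENTS = {"avgupd.exe", "placeholder-component.dll"}

# Constructed directory listing, modelled on the friend's PC in the first post.
SAMPLE_LISTING = ["avgupd.exe", "avgupdm.exe", "placeholder-component.dll"]

OPERATIONS_FOR_VENDOR = {"read", "write", "modify", "delete"}


def _inside(path, directory):
    """True if path equals directory or lies beneath it, using Windows path
    rules (case-insensitive, '..' collapsed) so 'AVG2' does not match 'AVG'
    and a target written as 'AVG\\..\\AVG\\x' is compared in normalised form."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + ntpath.sep)


def unexpected_files(listing, known=KNOWN_COMPONENTS):
    """Names in the folder listing that are not on the vendor allow-list.
    This is the check the posters did by hand: avgupdm.exe is not a shipped
    component, so it is reported."""
    known_lc = {name.lower() for name in known}
    return sorted(name for name in listing if name.lower() not in known_lc)


def hips_decision(process_path, target_path, operation):
    """The rule from the post above: processes running from the AV folder may
    read/write/modify/delete files in it; everything else is denied.
    Returns 'allow', 'deny', or 'not_covered' for targets outside the folder
    (other rules would decide those)."""
    if not _inside(target_path, AV_DIR):
        return "not_covered"
    if _inside(process_path, AV_DIR) and operation in OPERATIONS_FOR_VENDOR:
        return "allow"
    return "deny"


def folder_audit(listing=SAMPLE_LISTING):
    """Combine both checks. A rogue file that is already inside the folder
    passes the path-only HIPS rule once it runs, so the baseline comparison
    is what actually flags it; the result maps each rogue name to the verdict
    the path rule would give a process launched from it."""
    rogue = unexpected_files(listing)
    return {name: hips_decision(ntpath.join(AV_DIR, name),
                                ntpath.join(AV_DIR, "avgupd.exe"), "modify")
            for name in rogue}


if __name__ == "__main__":
    print("unexpected:", unexpected_files(SAMPLE_LISTING))
    print("dropper write:", hips_decision(r"C:\Users\friend\dropper.exe",
                                          ntpath.join(AV_DIR, "avgupdm.exe"),
                                          "write"))
    print("rogue running from inside the folder:", folder_audit())
```

The last function is the point worth taking from the thread: a rule keyed only on where a process lives protects the folder from outside writers, but once a rogue file is already sitting in the folder (as avgupdm.exe was), the same rule treats it as a vendor component, so the self-protection needs a baseline of known files, or signature checks, in addition to the path rule.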
Yes, and if you read well what I wrote, you'll see I didn't say otherwise.
Or will you say that every user knows what to do with a HIPS?
Most will simply, for example, allow everything with UAC. A very simple and not complicated tool. The users are the complicated component. And, unless they learn what each alert means, they won't know what to answer.
And, as I already mentioned...
So, in a situation as this, a HIPS wouldn't make any difference. The user would be allowing the infection.
Security vendors need to protect their own applications better. Not every user has the knowledge to interact with a HIPS. And it shouldn't be the user's concern to protect his/her antimalware tools or any other security tool. If we consider they're paying for that security, then it would be expected that it wouldn't be vulnerable to such attempts by malware to modify files, etc., which are part of those tools.
Well, this debate clearly points out one major thing: AV vendors have to ascend to a whole new level together with their software if they want to stick around.
Basing the whole idea of protection (almost) solely on real-time blacklist scans against known threats already proved, a while back, to be pretty worthless - but to be able to continue with that, first they will have to be at least able to protect the core of their software and of the underlying operating system.
Otherwise they'll end up being used only as on-demand-only scanners. So the evolution is inevitable.
Both sides are right. For experienced users HIPS is a powerful weapon, but for the average user it is a nightmare. These are things that cannot be compared.
I learned from you guys what "layered security" means.
Your disputation is about something about which you agree.
There are no questions; the answer is already remembered: deny.
I'm glad you can work with a HIPS and deny, as a custom policy mode, such modifications.
The ultimate question still remains: Does the newbie/average user know how to work with a HIPS to do that? Will those users know what they should or should not allow/deny access to?
And, unless they know it, a HIPS won't do any good for them.
One thing is for you to know. One other thing is for other millions of users out there to know it.
Real-time scanning is often not as deep as on-demand scanning; otherwise your system resources would be drained.
The average user should learn that deny/block is a much better answer than allow; if something doesn't work, dig-ask-learn...
So, someone who, for example, works days and afternoons, and then studies at night, needs/has to waste time digging-asking-learning about HIPS?
I guess that by the time he/she ends digging-asking-learning, his/her time to be able to use the Internet for a little while goes out of the window. And I have a pretty good feeling time was wasted in vain.
Or, when he/she is performing online searches to get info for some school work, must waste time digging-asking-learning HIPS. I guess this person would be better off in security field studies rather than any other. After all, he/she would spend all his/her time learning such a tool.
Or a busy mother, who works her ass the entire day, gets the kids from school, gets home, takes care of the kids, helps them do the school work, and finally, gets a little time to check her e-mail, she must learn how to interact with a HIPS tool.
Then why not say, if they wish security, go learn how to develop security software and make it to your own taste. I guess this would bring a lot of people to unemployment.
I agree that users should be concerned with their security, and that's why they use security software, either installed when they bought their computers or installed for them by some friend. But it shouldn't be their concern if the security tools they use and bought are weak enough to let malware infect their systems and weaken their very own security tools. This should be the vendors' concern: to implement strong defense mechanisms in their security tools, so that their apps won't be bypassed by malware. The users are paying for their tools, so why don't they implement stronger defensive mechanisms?
So, a user buys an antivirus, and so that the antivirus doesn't get bypassed by malware, will have to get a HIPS to protect it?
Of course AV vendors' job should be to protect their software, especially when they plan to sell it.
But, being the weakest link in the "security chain", The User will unfortunately have to learn a bit more about security, since it is obvious that we can only expect rougher times ahead (and I'm not talking about the great depression no. 2).
Yes, but this was a simple exe. It wasn't a rar, zip, cab or I don't know what that can be excluded from the real-time scanner because the file is packed and so represents no immediate danger.
Yes, indeed. Unfortunately, the user is the weakest link in the whole security chain. And that's what the bad guys will always count on. Otherwise, during all the time malware has existed, there would be practically no infections and what comes from that.
But, also unfortunately, not everyone (millions of people) has the time to learn a bit more about security. And how much would just a bit be? Just enough to know there are bad guys in the cyber world? That they develop malware to spy on them?
Some are not even aware of such. And those who are, just don't have the time to learn all about it and the best way to protect themselves. They should, and that I do not deny. But, many, just don't have the time. Should they be insecure?
That's why I have my own idea about what should be done to fight this whole malware thing. But it would raise other discussions, which, in turn, would turn all this into off-topic topics. (Ours already is a bit.)
Perhaps starting a new thread, I believe, would make a great and healthy discussion.