Epic detection!

Discussion in 'other anti-virus software' started by PiCo, Jan 16, 2009.

Thread Status:
Not open for further replies.
  1. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
This is from a friend's PC, I don't know if some malware infected AVG files, but LOL!!
     

    Attached Files:

    Last edited: Jan 16, 2009
  2. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
From a Google search, there doesn't appear to exist an avgupdm.exe, but an avgupd.exe. So it probably IS a real malware that finds its way inside AVG's folder. :D
     
  3. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
Exactly. Just a trojan trying to disguise itself as one of AVG's components. Upload to VT and share the detections, rather than the vendors. And ThreatExpert.
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I can confirm that there exists no avgupdm.exe in my AVG installation folder. It is probably real malware.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    YOU ARE PROTECTED EXCEPT INSIDE OUR OWN FOLDER

    ROFL

    After all these years you think they would at least take some lessons from HIPS. Try to add either a file or folder inside my HIPS folder (EQS) and it's met immediately with ACCESS DENIED!

    Just goes to show the weaknesses which still exist in some AV's if not all of them in comparison to HIPS!

    EASTER
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
With all due respect, I think you are totally wrong. Weak how? It obviously caught it, which is what it is supposed to do. HIPS? Would have left it up to the user to say it is or isn't, and to me that is never, ever going to sell on the open market. No product that leaves it up to the average consumer to play Russian Roulette on whether something is malware will ever sell. An AV may not catch it all, but the good ones will more than likely keep the average user safe for a long time.
     
  7. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

If malware can put its files inside your AV's folder... imagine what it can do to the AV itself (e.g. delete files, databases, license keys).... I'm not sure how AVG defends itself, but it should have some sort of file defence at least. If it doesn't, like some certain AVs, all it takes is a 1KB .bat file to wipe it out completely.
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
I think the ironic part is that, from the screenshot, it appears that AVG caught it, but on demand. Meaning it didn't catch it in real time. So, AVG's response time failed against a malware that specifically targets AVG. :D

    Malware vs AVG's honour 1-0.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Absolutely True.

Case in point, as pointed out, something as simple as a maliciously compiled batch file can render the entire AV useless. HIPS, and even now many AVs, set up shop where HIPS has been standing sentry at the SSDT table, for one, to prevent as little disruption as possible. So one better hope AVG doesn't put all its eggs into a single basket (folder).

    EASTER
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    my mistake, apology offered.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
That any AV should be able to prevent infections to its own folder/folders, that no one can deny.

    But, I don't see how a HIPS would prevent such, unless the user knows exactly what to do.

Wouldn't a "normal" user just think it was his/her AV performing an update, and that's what the HIPS is alerting for? He/She would, most certainly, allow it. Infection would still happen.

I think that, for AVs to be able to stop this, some sort of behavior blocker should be implemented just to monitor the AV's own files, and if no such action is done under a normal update situation (the AV vendor knows better than anyone - I think - how their AVs work), then automatically block such action.

    Not a HIPS, in my opinion.
     
  12. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
That is supposed to be the AV's self protection's job.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, indeed. But, in AVG's case, it clearly failed the job. So, a better self protection is needed. :D

    Maybe that's why they acquired SANA. :D
     
  14. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
Please... HIPSs are designed exactly for that: find AVG executables and permit them to modify/read/delete/write %ProgramFiles%\AVGfolder\*.*, all others deny, or simply use (some HIPS have) learning mode for a while ...
     
    Last edited: Jan 17, 2009
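The rule Einsturzende describes (and the folder-monitoring behavior blocker m00nbl00d asks for) as an added example, not code from the thread or from AVG: a small Python policy evaluator that lets only an allowlisted updater write inside the AV's folder and denies everyone else. The install path, the allowlist entry and the sample events are assumptions; avgupd.exe is only the updater name Fuzzfas mentions.

```python
import ntpath
from dataclasses import dataclass

# Assumed AVG install folder (the post writes it as %ProgramFiles%\AVGfolder).
PROTECTED_DIR = r"C:\Program Files\AVG"
# Assumed allowlist of the vendor's own writers; everything else, even an exe
# that has already been dropped into the folder, is denied.
ALLOWED_WRITERS = {r"C:\Program Files\AVG\avgupd.exe"}
WRITE_OPS = {"create", "write", "delete", "rename"}

@dataclass(frozen=True)
class FileEvent:
    process_image: str  # full path of the process doing the operation
    target: str         # path being touched
    operation: str      # read | create | write | delete | rename

def _canon(path: str) -> str:
    # Collapse '..', unify slashes and fold case, so "c:/program files/avg/x" and
    # "C:\Program Files\Common\..\AVG\x" cannot slip past a naive prefix check.
    return ntpath.normcase(ntpath.normpath(path))

def _inside(path: str, folder: str) -> bool:
    return _canon(path).startswith(_canon(folder).rstrip("\\") + "\\")

def decide(ev: FileEvent, protected_dir: str = PROTECTED_DIR) -> str:
    """Return 'allow' or 'deny' for one file event under the self-protection rule."""
    if not _inside(ev.target, protected_dir):
        return "allow"  # the rule only covers the AV's own folder
    if ev.operation not in WRITE_OPS:
        return "allow"  # reads inside the folder are not restricted
    allowed = {_canon(p) for p in ALLOWED_WRITERS}
    return "allow" if _canon(ev.process_image) in allowed else "deny"

def denied(events) -> list:
    """Evaluate a batch; return the events a HIPS would block (and should log)."""
    return [ev for ev in events if decide(ev) == "deny"]

# Constructed sample events, modelled on the thread's avgupdm.exe imposter.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
              r"C:\Program Files\AVG\avgupdm.exe", "create"),          # the drop itself
    FileEvent(r"C:\Program Files\AVG\avgupd.exe",
              r"C:\Program Files\AVG\db\incavi.avm", "write"),         # legitimate update
    FileEvent(r"C:\Users\bob\x.exe",
              r"C:\Program Files\Common\..\AVG\avgcore.dll", "write"), # traversal attempt
    FileEvent(r"C:\Program Files\AVG\avgupdm.exe",
              r"C:\Program Files\AVG\avgupd.exe", "write"),            # imposter acting
    FileEvent(r"C:\Users\bob\x.exe",
              r"C:\Program Files\AVG\readme.txt", "read"),             # read: fine
]
```

Note that the policy decides on the canonicalised path, so mixed separators, case differences and `..` segments all resolve to the same protected location before the allowlist is consulted.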
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, and if you read well what I wrote, you'll see I didn't say otherwise.

    Or will you say that every user knows what to do with a HIPS?

Most will simply, for example, allow everything with UAC. A very simple and not complicated tool. The users are the complicated component. And, unless they learn what each alert means, they won't know what to answer.
    And, as I already mentioned...

    So, in a situation as this, a HIPS wouldn't make any difference. The user would be allowing the infection.

Security vendors need to protect their own applications better. Not every user has the knowledge to interact with a HIPS. And, it shouldn't be the user's concern to protect his/her antimalware tools or any other security tool. If we consider they're paying for that security, then it would be expected that it wouldn't be vulnerable to such attempts of malware modifying files, etc., which are part of those tools.
     
  16. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    Well, this debate clearly points out one major thing: AV vendors have to ascend to a whole new level together with their software if they want to stick around..

    Basing the whole idea of protection (almost) solely on real-time blacklist scans against known threats already proved a way back to be pretty worthless - but to be able to continue with that, first they will have to be at least able to protect the core of their software and of the underlying operating system.

    Otherwise they'll end up being used only as demand only scanners. So the evolution is inevitable:)
     
  17. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
Both sides are right. For experienced users HIPS is a powerful weapon, but for the average user it is a nightmare. These are things that cannot be compared.

    I learned from you guys what "layered security" means.

    Your disputation is about something about which you agree. :D
     
  18. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    There are no questions, answer is already remembered, deny
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm glad you can work with a HIPS and deny, as a custom policy mode, such modifications.

The ultimate question still remains: Does the newbie/average user know how to work with a HIPS to do that? Will those users know what they should or should not allow/deny access to?

    And, unless they know it, a HIPS won't do any good for them.

    One thing is for you to know. One other thing is for other millions of users out there to know it.

    Regards
     
  20. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Real-time scanning is often not as deep as on-demand scanning; otherwise your system resources would be drained.
     
  21. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
Average users should learn that deny/block is a much better answer than allow; if something doesn't work, dig-ask-learn...
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, someone who, for example, works days and noons, and then studies at night, needs/has to waste time digging-asking-learning about HIPS?

    I guess that by the time he/she ends digging-asking-learning, his/her time to be able to use the Internet for a little while goes out of the window. And I have a pretty good feeling time was wasted in vain.

Or, when he/she is performing online searches to get info for some school work, he/she must waste time digging-asking-learning HIPS. I guess this person would be better off in security field studies, rather than any other. After all, he/she would spend all his/her time learning such a tool.

    Or a busy mother, who works her ass the entire day, gets the kids from school, gets home, takes care of the kids, helps them do the school work, and finally, gets a little time to check her e-mail, she must learn how to interact with a HIPS tool.

Then why not say, if they wish security, go learn how to develop security software and make it to your own taste. I guess this would bring a lot of people to unemployment.

I agree that users should be concerned with their security, and that's why they use security software, either installed when they bought their computers or that some friend installed for them. But, it shouldn't be their concern if the security tools they use and bought are weak enough to let malware infect their systems and weaken the very security tools themselves. This should be the vendors' concern. To implement strong defense mechanisms in their security tools, so that their apps won't be bypassed by malware. The users are paying for their tools, so why don't they implement stronger defensive mechanisms?

    So, a user buys an antivirus, and so that the antivirus doesn't get bypassed by malware, will have to get a HIPS to protect it?
     
  23. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
Of course AV vendors' job should be to protect their software, especially when they plan to sell it:)

    But, being the weakest link in the "security chain", The User will unfortunately have to learn a bit more about security, since it is obvious that we can only expect rougher times ahead (and I'm not talking about the great depression no2 :))
     
  24. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
Yes, but this was a simple exe. It wasn't a rar, zip, cab or I don't know what that can be excluded from the real-time scanner because the file is packed, so it represents no immediate danger.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Yes, indeed. Unfortunately, the user is the weakest link in the whole security chain. And that's what the bad guys will always count on. Otherwise, during all the time malware has existed, there would be practically no infections and what comes from that.

But, also, unfortunately, not everyone (millions of people) has the time to learn a bit more about security. And how much would be just a bit? Just enough to know there are bad guys in the cyber world? That they develop malware to spy on them?

    Some are not even aware of such. And those who are, just don't have the time to learn all about it and the best way to protect themselves. They should, and that I do not deny. But, many, just don't have the time. Should they be insecure?

    That's why I have my own idea about what should be done to fight all this malware thing. But, it would raise other discussions, which, in turn, would turn all this into off topic topics. (Ours already are a bit :D )

Perhaps, starting a new thread. I believe it would make a great and healthy discussion.

    Best regards
     