How easy is it to bypass Avira?

Discussion in 'other anti-virus software' started by yaslaw, May 17, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    While true, I don't think it's healthy for any security vendor to dismiss user concerns with pomp and sarcasm. Acknowledging a challenge with fulfilling a duty doesn't mean one is necessarily exempted from doing anything about it.
     
  2. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Repeatedly stating the obvious is a waste of time. Telling everyone exactly what they're doing every time someone asks about "doing something against random obvious fact" in a random forum is a waste of time AND a security risk since it may show new ways of circumvention. Security by obscurity may by principle be a bad idea, however when you're at war, would you send the enemy your battle plans (i'm a pacifist btw.)? All discussions you see here, or on any other public forum, are only tipping the surface of the pond. People need to realize that they won't be spoonfed personally on a daily basis, this has nothing to do with pomp or arrogance. Look at ClamAVs results in tests, it sucks. It will never have proactive detection, it will never make use of emulation for proactive detection. It has about 3 or 4 poly virus detections. Why? Because making the non-obvious tools of the trade - the battle plans and tactics - public would render them useless to a large proportion of new malware within hours.
     
    Last edited: May 18, 2007
  3. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    You don't understand. I never said that they are "moronish" BECAUSE they discovered it. I said they were BEFORE. To underline that a very DUMB user can find one other solution to bypass that by ACCIDENT. That's a big difference, so please don't flip the words. The next thing is that AV vendors are also *RELYING* on other companies, Microsoft for instance. So if there is a flaw within the OS it might affect the AV programs as well.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Please don't twist my words or put them into my mouth. Show me exactly where I expected security vendors to outline the technical details to the public of how they intend to rectify a specific position. All I can say is that since all you are doing is responding to something I have never said, your post is completely irrelevant in this context and proves nothing.
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If a very smart and technically-inclined person spends hours or days crafting and fine-tuning code in such a way as to evade mainstream scanners, then your response might be justified. If a VERY DUMB user (so to speak) can discover a way to bypass security products, a way that anyone with minimal technical know-how can easily perform as well, then in my point of view what the vendors need to do is to sit up and take notice of that flaw.

    Or am I missing something here, and all that security vendors are expected to do is to shrug and say "well, it happens"?
     
  6. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    So would an answer along the lines of "Yup, we know. We are working on something." be satisfactory to those asking these questions? What do you think?
    My bet is, it would lead to more questions. "When?" "How?" "Why does it take so long?" "Don't you care what happens in the meantime?"

    I don't want to attack you personally, nor was it intended as a direct reply to the point you tried making with what I quoted from you (quoting was probably a bad idea, since the reply went off track after a few lines). I am trying to make people aware that if companies choose not to disclose too much information, that may be in the best interest of the user or sometimes because of strict company policies and classified information.

    That's not meant as a "mind your own business" or "you're an idiot because this will cause me to do overtime yet again". I just want people to keep in mind that, on the other end are people too. As far as I know all of them have one brain, a set of arms with attached hands and the rest of them doesn't look very much like mutant super powers either.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To be brutally honest: I do not care about the tough questions security vendors face, and, I think, neither do most people. It's what they do for a living, and it's how they will be judged. But despite this, suffice to say I have seen vendors who do know how to respond to such issues in a responsible manner; difficult as you try to make it sound, it's far from impossible, and perhaps it's what sets the excellent vendors apart from the mediocre ones.
     
  8. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    You still don't get it. And i'm not going to explain that again.
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    You don't have to. I think I get the picture.
     
  10. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    solcroft: I'm still feeling I pissed you off personally; that has not been my intention. I am not sure what cases of reasonable responses you may refer to, so I can't judge their actual merit. I'm certain some people have found kinder words to soothe people's minds than I do, and I am certain that in many cases they have actually been beneficial to both sides. Hell, I am not bashing anyone who's just trying to be helpful and points out something he thinks is wrong or flawed. However, I have the feeling that going in circles has seldom led anyone to his preferred destination (unless the destination was on the path of the circle).

    The initial question was how easily AVIRA can be bypassed, and my answer would be: Just as easily as any other security solution, if you know what you're doing. If you don't know what you're doing, you might stumble over something that works for some vendors to remain undetected until they get the sample in their hands, while others may use this very little trick you came up with to actually detect the newly created malware proactively. Thanks to sites like virustotal and jotti it is easier than ever for malware authors to test their creations for detection. Feeling a bit insecure is better than feeling that you are 100% protected. Because the latter is, in reality, always a wrong and dangerous assumption. Being paranoid about your security is a quite reasonable stance nowadays.

    Issues like run-time packer support always are and always will be problematic for ALL vendors, no matter how many they add (there are thousands of public and private builds of packers, and they get patched, customized, modified and adapted constantly), no matter how generic their unpacking, and no matter what they call their next big Cool Mega Detection Technology (no pun towards Panda intended).
    There is no "Solution (TM)" in IT Security, and there never will be. Even Trusted Computing with hardwired on chip logic has its limitations.
    And there are a good many reasons against Trusted Computing as well.

    These are fundamental technical truths, and they always will be. And no amount of work, no amount of blood and sweat or marketing will change the fact that they are facing an enemy who is just as ready and willing to counter every effort security vendors make as they are to add new protection technology.

    Two industries with conflicting interests are fighting each other. On the one side the security industry who tries to protect users, the other side is the more and more organized fraud and spam mafia who tries to exploit them and to steal whatever information and money they can get their hands on. The importance of closet nerds who write proof of concept viruses for fun has pretty much descended to zero.

    There is truth to what you say, the average user does not care about the difficulties vendors face. However I still think some education is required to keep people safe(r) than they are by blindly trusting any security solution. I also believe that knowing the limitations of security software is part of that.

    My point is we all have to abide by the laws of reality. No amount of ranting, wishful thinking or marketing will change that.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I think my opinions about this issue have been summarized quite nicely in post #30. It's all nice and good to be aware of the technical difficulties vendors face, but at the end of the day the important issue is always: what are they doing about it?

    And if what some vendors are doing about it is to gripe and moan about how "that's just the way things inevitably are", well...
     
  12. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Would you prefer them to lie so you can sleep better? I'm not saying they're not doing anything, I'm saying that the work never ends. There is no ultimate solution to all problems.

    I am not sure what kind of response you actually expect to get. Would a standard answer like 'we are working on this and similar issues' be sufficient for you? I mean dealing with these things is their daily business, I'm not sure whether each and every improvement they come up with requires a press-release :)
     
    Last edited: May 18, 2007
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    All things considered, I'd expect no less from any self-respecting security vendor. Also, fixing vulnerabilities in their software has little to do with press releases and media coverage, as you seem to be insinuating.

    While what you say is true regarding the problems vendors face, it is unfortunately largely irrelevant to the rest of us. Users will switch to and use products that they feel provide the best protection, while malware authors will continue to do what they do, without giving much thought to how tough things must be for those in the anti-malware field.
     
    Last edited: May 18, 2007
  14. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    I think malware authors DO give much thought to how hard it is for security vendors. It's part of the problem :)
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    On second thought, maybe they do. I doubt there's a lot of sympathy involved in it, though.
     
  16. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    This may be a bit far fetched, but organized crime being on the rise with malware/fraud and the money losses caused to them by security vendors leaves a bit of a bad feeling...
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    What about Anti-Executable? Doesn't a HIPS like Process Guard free intercept all execution attempts?
    - Good patching policy.
    - Hardware-enforced DEP.
    - ASLR.
    - Hardening.
    - Firewall.
    - Patching.
    - Script Defender.
    - Document viewers that don't execute macros by default.
    - Scanning at Virustotal/Jotti if the documents are small.
    - Execution in a VM.
    There's no 100 % security.
    For the corporate gateway, we have Fortinet, eSafe and Webwasher :D
    Thanks FRug :)
     
  18. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Damn I had a long reply on your post, but closed the wrong window. I'm only giving a short comment instead now since it's getting late here....

    This is going to be a bit tough anyway :) However if people adhered to each and every advice/technique you have listed they'd probably be fairly safe from random attacks (which is what people mostly are affected by).
    Most of my comments below would require very deep knowledge to be used effectively against someone, and I'd not expect more than a few dozen people in the world to be able to carry them out. I don't count government agencies in that number though; I'm pretty certain they have a bunch of people knowing about this stuff too.

    On AntiExecutable/Process Guard:
    I haven't tested AE yet. Process Guard has successfully been circumvented in the past; I am not sure about the current state though and whether these issues have been fixed. The previous attacks removed PG's IDT hooks as far as I can remember.

    On DEP:
    DEP as implemented by Windows XP SP2 has successfully been bypassed by attacking internal lookaside lists and patching them with faked return addresses. DEP usually causes a slight slowdown for processes that have it enabled as well.

    ASLR:
    Certainly a good thing, but I know of bypass mechanisms at least for PaX and Windows. One example is that it is possible to get info about the randomized memory layout by using format string attacks. This way you can find out the address of a library that is vulnerable and a stack frame which you can use to bypass the protection. Additionally, on Windows, binaries have to be built for ASLR support; you cannot enable it on your own for random programs. Let's say it like this: ASLR reduces the chance of a successful exploit. Instead your programs will probably 'just crash'.

    Firewalls and Patching with regards to CodeRed-Style attacks:
    A firewall certainly won't block the service of a server that you actually want to expose to the public, as is usually the case with IIS or SQL Servers. The most prominent attacks of this type were Code Red and SQL Slammer, both of which were only successful due to unapplied but available patches. A zero-day exploit using the same techniques would have caused much more destruction than those two did.

    ScriptDefender:
    Works based on file extensions as far as I can remember.... File extensions usually are smoke and mirrors. I haven't had a look at it though, so I can't really give a final verdict.

    Execution in a VM:
    There are ways to break out of VMWare, I am certain there are ways for VirtualPC as well although I can't remember a concrete example for it. Other VMs probably haven't been considered worth breaking out so far.
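FRug's remark that Windows binaries have to be built for ASLR support (the same opt-in applies to DEP compatibility at the image level) translates into a check a defender can run on any executable: read the DllCharacteristics field of the PE optional header and report whether the linker set IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, the /DYNAMICBASE opt-in that became meaningful with Vista, after the XP SP2 era discussed here) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, /NXCOMPAT). The following is an added example, not code from the thread or from any product named in it. It parses real files passed on the command line and otherwise falls back to constructed, header-only images produced by build_sample_pe, which are not loadable executables; the field offsets come from the PE/COFF format.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100      # image declares itself DEP (no-execute) compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse just enough of a PE image to read DllCharacteristics.

    The field sits at offset 70 of the optional header for both PE32 and
    PE32+ images, so one code path serves 32- and 64-bit binaries.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    opt = coff + 20                           # optional header follows it
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for demonstration; not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x014C
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0,
                                        opt_size, 0x0002)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = struct.pack("<H", magic) + b"\x00" * 68 + struct.pack("<H", dll_chars)
    opt += b"\x00" * (opt_size - len(opt))
    return dos + coff + opt


def describe(name: str, data: bytes) -> str:
    m = pe_mitigations(data)
    return "%s: %s ASLR=%s DEP=%s" % (
        name, "PE32+" if m["pe32plus"] else "PE32",
        "yes" if m["aslr"] else "no", "yes" if m["dep"] else "no")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(describe(path, fh.read()))
    else:
        # Constructed samples: a legacy image with no opt-in bits, one that
        # only declares DEP compatibility, and a 64-bit image with both.
        samples = {
            "legacy.exe": build_sample_pe(0),
            "dep_only.exe": build_sample_pe(NX_COMPAT),
            "hardened.exe": build_sample_pe(DYNAMIC_BASE | NX_COMPAT, pe32plus=True),
        }
        for name, blob in samples.items():
            print(describe(name, blob))
```

Run over a directory of installed binaries, this shows which ones never opted in. On Vista and later, ASLR relocates only images that carry DYNAMIC_BASE and still have a relocation table; whether an image without NX_COMPAT gets DEP anyway depends on the system-wide DEP policy (OptIn, OptOut, AlwaysOn), which is why the flag alone is a hint about the build, not a verdict on the running process.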
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Either you get your tech news from paranoid sensationalists... or you're one yourself. Either way, I'd be very interested in any further sources on this one.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    - Yes, Script Defender works based on file extensions, so it's easy to bypass it. Wormguard is smarter and more powerful, see discussion started in this post.
    - Well, if something can execute without prompts from a HIPS like PG/SSM, lots of people will be worried :D
    Of course, if you give execution permissions and the malware lands in kernel space, you can say goodbye to your HIPS (kick the driver, restore the SSDT, etc)
    Thanks FRug, I really appreciate it.
    Peter Ferrie has some material on attacks to VMs.
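Lucas1985 and FRug agree above that a filter which keys on file extensions, as Script Defender does, is easy to get around, since the extension says nothing about what the bytes are. The defender-side alternative is to classify by content (leading magic bytes, or whether the data is plain text at all) and to flag files whose content contradicts their name. The following is an added example, not code from the thread or from Script Defender, Wormguard or any other product mentioned; the file names and bytes in SAMPLES are constructed for the demonstration, and the signature table covers only a handful of common formats.

```python
import os

# Leading bytes that identify common executable, document and media formats.
# An extension filter never looks at these; a content check starts here.
MAGIC_SIGNATURES = [
    (b"MZ", "executable"),                              # PE / DOS executable
    (b"\x7fELF", "executable"),                         # ELF
    (b"%PDF-", "document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "document"),  # OLE2 (legacy Office)
    (b"PK\x03\x04", "archive"),                         # ZIP (also JAR, OOXML)
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),                         # JPEG
    (b"GIF8", "image"),
]

# What an extension-based filter believes a file is, keyed on the last extension.
EXTENSION_CLASSES = {
    ".exe": "executable", ".dll": "executable", ".scr": "executable",
    ".com": "executable", ".pif": "executable",
    ".vbs": "script", ".js": "script", ".wsf": "script",
    ".bat": "script", ".cmd": "script", ".hta": "script",
    ".pdf": "document", ".doc": "document", ".xls": "document",
    ".zip": "archive", ".jar": "archive",
    ".png": "image", ".jpg": "image", ".jpeg": "image", ".gif": "image",
    ".txt": "text",
}


def class_by_extension(name: str) -> str:
    """Classify the way an extension filter does: last extension, nothing else."""
    _, ext = os.path.splitext(os.path.basename(name).lower())
    return EXTENSION_CLASSES.get(ext, "unknown")


def class_by_content(data: bytes) -> str:
    """Classify from the bytes themselves, independent of the file name."""
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"


def consistent(ext_class: str, content_class: str) -> bool:
    """Does the content agree with what the name claims?"""
    if content_class == "unknown":
        return True                        # no signature matched; nothing to contradict
    if ext_class == "script":
        return content_class == "text"     # scripts are plain text
    return ext_class == content_class


def assess(name: str, data: bytes) -> dict:
    ext_class = class_by_extension(name)
    content_class = class_by_content(data)
    return {
        "name": name,
        "by_extension": ext_class,
        "by_content": content_class,
        "mismatch": not consistent(ext_class, content_class),
    }


# Constructed sample files (names and bytes invented for this example).
SAMPLES = [
    ("report.txt",  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),  # PE bytes under a .txt name
    ("invoice.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n"),
    ("setup.exe",   b"MZ\x90\x00" + b"\x00" * 60),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.vbs",   b'WScript.Echo "hello"\r\n'),
    ("readme.txt",  b"Plain text, nothing else.\n"),
]


def flagged_samples() -> list:
    """Names in SAMPLES whose content contradicts their extension."""
    return [n for n, d in SAMPLES if assess(n, d)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        r = assess(name, data)
        print("%-12s ext=%-10s content=%-10s %s" % (
            name, r["by_extension"], r["by_content"],
            "MISMATCH" if r["mismatch"] else "ok"))
```

The extension view and the content view are computed separately on purpose: a filter that only has the first one treats report.txt as harmless, while the second one sees a PE image, and it is the disagreement between the two that is worth alerting on. A real monitor would extend the signature table and would also look at how a file is being opened, since whether the bytes can run depends on the handler the system picks, not on the name alone.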
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    IIRC, the paper discusses methods to detect the presence of VMs. Which is a far cry from breaking out of the VM, which AFAIK is not possible today, yet.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  23. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Read the following paper as an example:

    http://taviso.decsystem.org/virtsec.pdf

    There are a few more issues like the ability of the VM Guest OS to enable deactivated network in the VM to gain full network access of the host, do RPC etc. This is done by abusing the internal management virtual hardware "backdoor" VMWare has. I'm not going to post a link on that one though
     
  24. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
  25. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Yikes, Lucas was faster than me :)
     