How easy is it to bypass an AV?

Discussion in 'other anti-virus software' started by bonedriven, Jul 18, 2009.

Thread Status:
Not open for further replies.
  1. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    A good AV software, a hardware FW, and common sense is all you need. Don't let others make you believe the opposite. Enjoy life! ;)
     
  2. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Hacking of web pages means inserting IFRAMEs that redirect to malware web pages full of exploits, or inserting the malicious code directly into the existing web page.

    That is not so rare; there are thousands of web pages hacked and modified ("infected") every day. If a new way to hack into web servers is found (SQL injection etc.), there are huge numbers of infected web pages within days (100k-1m). Infection of high-profile web pages is not so common, but it did happen in the past. The weak spot usually was the advertisement servers that got hacked.

    So, common sense will get you only so far these days. There are plenty of infection scenarios which a user can not avoid with a standard setup. You can increase your security level by using exploit detection, browser sandboxing, execution control, system shadowing, HIPS/behaviour blocking and so on.

    The number of samples is not the problem; it is actually irrelevant, as you can have infinite numbers of samples of the same piece of malware when there is a server-side polymorphic generator. The number of very different families and the speed at which these variations are created is the problem IMO: diversity. Navipromo, anyone?
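    The IFRAME injection described in this post is easy to check for on the client side. The following is an added example (not code from the poster or from any AV product) that parses a page, pulls out IFRAMEs that the visitor cannot see (zero size, or hidden by CSS) and also unpacks the classic `document.write(unescape('%3Ciframe ...'))` trick that injected pages used. The sample page and every hostname in it are constructed for the demonstration; real injections are usually more heavily obfuscated than a single unescape() call, so treat this as the shape of the check rather than a complete detector.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample: a legitimate shop page into which an attacker has injected
# (a) an off-screen IFRAME pointing at an exploit-kit landing page and (b) a
# percent-encoded IFRAME written out by script. All hostnames are hypothetical.
SAMPLE_HTML = """<html><body>
<h1>Shop</h1>
<iframe src="https://www.example-shop.test/cart" width="600" height="400"></iframe>
<iframe src="http://exploit-kit.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://second-stage.invalid/x.html%22 style=%22position:absolute;left:-9999px%22%3E%3C/iframe%3E'));</script>
</body></html>"""

# CSS that keeps an element from being seen by the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)
# The classic document.write(unescape('%3Ciframe ...')) injection pattern.
UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")


class IframeCollector(HTMLParser):
    """Collects IFRAME attributes and raw <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def collect_iframes(html):
    """IFRAMEs in the markup plus any hidden inside unescape('...') script strings."""
    parser = IframeCollector()
    parser.feed(html)
    found = list(parser.iframes)
    for script in parser.scripts:
        for encoded in UNESCAPE_CALL.findall(script):
            inner = IframeCollector()
            inner.feed(unquote(encoded))
            found.extend(inner.iframes)
    return found


def is_tiny(value):
    """width/height of 0 or 1 pixel, the usual size of an injected IFRAME."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, page_host):
    """Return IFRAMEs the visitor cannot see, with the reasons they were flagged."""
    findings = []
    for attrs in collect_iframes(html):
        src = attrs.get("src", "")
        reasons = []
        if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-by-css")
        if not reasons:
            continue  # a visible IFRAME is ordinary page content
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            reasons.append("third-party:" + host)
        findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "www.example-shop.test"):
        print(hit["src"], ", ".join(hit["reasons"]))
```

    Run against the constructed page, the visible cart IFRAME is ignored and the two hidden ones are reported, the second of them only because the unescape() string was decoded and re-parsed. The third-party hostname is recorded as supporting evidence rather than a trigger on its own, since ad networks and embedded widgets legitimately load from other hosts.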
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    An AV, or any other security software in isolation, will likewise only get you so far. Equally, there are plenty of scenarios where the user avoids infection with a standard setup (not defining what that setup might be). User education, as education generally is, is crucial in the fight against the badware out there, even if it is just knowing what terms like sand-boxing, execution control, system shadowing, HIPS/behaviour blocking, VM, etc. etc. mean.
     
  4. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    avast!

    Sure, it lowers the risk, and I'm not saying it isn't a good thing. It's just that people often understand/present it in the way "if I don't visit porn/warez sites, I'm safe" - which might have been mostly true a year ago, but certainly not today, when you can get infected anywhere.
     
  5. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Well, it hasn't happened to me yet, and I am by no stretch of the imagination a safe surfer.
     
  6. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    This is a bit of false logic. While it's true that most legitimate sites do not serve malware, it's also true that most malware-serving sites are legitimate. As such, the advice to avoid dodgy sites really is obsolete these days.
     
  7. Ade 1

    Ade 1 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    471
    Location:
    In The Bath
    This is an interesting thread and I just wanted to say that it's one of the most intelligent discussions I've seen on here!

    Talking about AVs and user common sense: I agree with everything that's been said so far. There are those of us who are careful about which sites we visit and usually understand the setup of our PCs pretty well, but I think that the average Joe doesn't have a clue about what's good/what's bad.

    The example I will use is my boss and a couple of colleagues at work. We've had F-Secure Client Security installed on our work PCs for a number of years now. The other day I went into my boss's office to show him a website to visit to buy a new laptop. During this, an F-Secure pop-up came up informing my boss that some program was attempting to access the Internet, or something like that. Before I had a chance to read it, he just clicked allow to get rid of it. I commented that he should have read it first, but his attitude was that it's just annoying and he never bothers reading any of the warnings; just click allow and forget about it. I've also noticed this behaviour with other work colleagues.

    Unfortunately, I would say this is the majority of people, who are completely clueless about security. By the way, my boss's home PC needed completely wiping after it got so riddled with viruses that it wouldn't even boot anymore. His virus software was so out of date, but he ignored the warnings and didn't renew it.

    So - bottom line - as much as security software can protect you to a point the user is ultimately the one who needs to be educated more on security so they can understand it better.
     
  8. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    If the numbers you quote ("thousands per day") are accurate, it is still a very small % of the number of web pages out there, so it is still pretty rare numerically. I cannot recollect any PC being brought to us with infections just from "normal browsing" in the past six months; plenty of infections due to downloading things that should not have been downloaded, though!
    Perhaps it's a case of the guys getting infected from browsing, perhaps dodgy sites or even legit sites, fixing/formatting their PCs themselves, and guys like me don't get asked to fix 'em. I don't know; they may not even realise that something is wrong!
     
  9. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    perhaps the end of the net is nigh then?
     
  10. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Never had any direct contact with them (avast), never had a PC brought in with that installed; lots of contact with some other companies though: the ones that seem to come "preinstalled" as a trial on lots of machines.
     
  11. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I would also recommend a good software firewall (for inbound and outbound filtering) and keeping your system (Microsoft updates, Flash, Acrobat Reader and others) up to date. And last but not least: get a good imaging setup.
    What is a good imaging setup could merit starting a new thread ! :cool:
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, this is classic behavior. No software can keep a system safe when the user refuses to pay attention. Even programs like Norton Internet Security which run as close to silent as possible still occasionally need some user input. This behavior actually makes a pretty good argument for AV companies automatically renewing (and billing for) the updates subscription (LOL).
     
  13. thathagat

    thathagat Guest

    Nay... Common sense is the most under-used "security program" of them all, and that's why black-listing/behaviour-blocking technology becomes vital: how many users are savvy about security layers, how many are willing to answer pop-ups? AV/AS will never be a panacea for ills incurred by the moronic misadventures of users...
     
  14. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Common sense only helps if the user has the chance to decide whether a program should get launched or not (manual download etc.). If software executes completely automatically without any user interaction (exploits), common sense will not help you.
     
  15. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    The thread is not for discussion about whose responsibility it is when one gets infected.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    You're right up to a point, but keep in mind that unless an AV is set to remove infections automatically the user is part of the process. The AV can detect the virus and be capable of removing it, but if the user cancels the permission request the AV will be bypassed. Most users are better off with fully automatic protection even though there are occasional FP's. Of course they complain like crazy when there are FP's. :rolleyes:
     
  17. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    So,we are not discussing the same "bypass"...
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I believe when you refer to the AV being bypassed you mean it is either unable to detect or remove the malware, so you're right that I'm going off in a little different direction. Perhaps the answer for you is to look at the detection rate tests?
     
  19. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    "Bypass" is an improper terminology.
    Usually: antivirus is EVADED, firewalls are bypassed, H/N/IDS and sniffers/protocol analyzers are eluded, sandboxes/emulators/virtualization are escaped.


    It has been demonstrated that AV detection is an NP-complete and undecidable problem.
    A fact that AV developers don't talk about, for conflict-of-interest reasons.
    Pattern-file detection and scanner engines (with or without heuristics) = too many evasion possibilities: packers/crypters/binders/joiners/droppers/wrappers/splitters, EPO, polymorphism, metamorphism, oligomorphism, stealth code, anti-dumping/emulation/sandbox, anti-forensics (bad clusters, steganography, protected zones etc.), malformed archives, zero-day malware and exploits, client/server-side attacks and malware...
    The recent "in the cloud" approach increases reactivity and limits evasion possibilities, but does not solve the problem.
    Traditional antivirus is currently much easier to defeat than other security software, but at the same time, I also recommend the use of one (BitDefender or Avira) to my average-user friends.
    The human factor is a part of the security process, but off topic here: you want an intrusion into a Forbes top 500 company... no need to evade or defeat security systems: just wonder whether the sysadmin would resist a maleta/suitcase of dollars and a trio of bimbos...

    Rgds
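    Two of the evasion techniques listed in this post (crypters and polymorphism) are the same mechanism as the server-side polymorphic generator Stefan Kurtzhals mentions earlier in the thread, and the reason the sample count is irrelevant. The following added example (not code from either poster, and not real malware: the payload is a constructed byte string and the C2 address is hypothetical) wraps one payload in a fresh random XOR key per download, then compares a byte-signature scan of the wrapped file against a scan of the unpacked payload. The wrapper layout with its fixed `STUB` marker is an invented one for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for a malicious payload. It is an ordinary byte string,
# not real malware; the C2 address is hypothetical.
PAYLOAD = b"CONSTRUCTED PAYLOAD: connect back to c2.invalid:4444 and wait for commands"

# A byte pattern an AV vendor might extract from the plaintext payload.
SIGNATURE = b"c2.invalid:4444"

# Fixed decoder-stub marker. Hypothetical layout: magic | key length | key | body.
MAGIC = b"STUB"


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload, key_len=8):
    """What a server-side polymorphic generator does per download: wrap the
    same payload in a fresh random key so the bytes on disk never repeat."""
    key = os.urandom(key_len)
    return MAGIC + bytes([key_len]) + key + xor_bytes(payload, key)


def unwrap_variant(blob):
    """What the stub does at run time (and what an emulator can replay): recover
    the key from the wrapper and decode the original payload."""
    if blob[: len(MAGIC)] != MAGIC:
        raise ValueError("not a variant produced by make_variant")
    key_len = blob[len(MAGIC)]
    start = len(MAGIC) + 1
    key = blob[start : start + key_len]
    return xor_bytes(blob[start + key_len :], key)


def signature_hit(data, signature=SIGNATURE):
    """The simplest scanner: a byte-string signature match."""
    return signature in data


def compare_scanners(n=5):
    """Generate n variants and count what a static pattern scan finds versus a
    scan of the unpacked payload. Returns (distinct_hashes, static_hits, unpacked_hits)."""
    variants = [make_variant(PAYLOAD) for _ in range(n)]
    distinct = len({hashlib.sha256(v).hexdigest() for v in variants})
    static_hits = sum(signature_hit(v) for v in variants)
    unpacked_hits = sum(signature_hit(unwrap_variant(v)) for v in variants)
    return distinct, static_hits, unpacked_hits


if __name__ == "__main__":
    distinct, static_hits, unpacked_hits = compare_scanners(5)
    print(f"{distinct} distinct hashes, static scan caught {static_hits}, "
          f"unpack-then-scan caught {unpacked_hits}")
```

    Every run yields five files with five different hashes, none of which contains the signature, while unpacking first catches all five. The fixed `STUB` marker is of course exactly what an analyst would sign next, which is why real crypters regenerate the decoder as well (the metamorphism in the list above) and why the practical counter is emulation or generic unpacking before scanning, backed by the cloud reputation lookups the post mentions, rather than more plaintext patterns.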
     
  20. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Do they have to be bimbos? Would 3 very intelligent, attractive women not do?
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Common sense also fails with file infectors. The file looks just as legit as any other, except that it infects others when executed. So if someone passes an installer to you (not downloaded from a trusted website), you can never be sure the file is clean. Not all have digital signatures either, so the only way is to scan the file. And even that is not 100% reliable.
     
  22. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    I rarely see file infectors getting spread these days, except by strategically placed ones. Virut is very often found on cracks/keygen sites. But usually, people download the installer from the homepage of the product or a trusted, known download page. That limits the chance for file infectors to spread quite a lot.

    Lately someone sent me a Bifrose which was patched and repackaged to be undetected. I wonder if the person who made this knew that the Bifrose executable was Virut-infected, or whether (s)he bundled Virut together with Bifrose by intent.
     