if you run kis and are having browsing issues ..

please try turning off the anti-banner. if this is already turned off for you this may not help you. but i have fixed a LOT of peoples problems locally by doing this. the anti banner for some reason prevents some entire pages from loading and makes some load SUPER slow, i have seen this in at least a dozen or more cases now. it affects all 3 we have it on and with the feature turned off everything is smooth..

again may not be the fix for your issues but i know i have seen this fix a lot of the browsing issues for many people now

 

KIS's HTTP parser is a piece of junk. Not only does it have incompatibility issues, it also misses a lot of drive-by downloads.

 

The strange thing is that, the other day I was hit by some malware while browsing a dubious site and it went straight through the web scanner, only to be picked up when written to HD by the file scanner, which deleted it and left a copy in 'Backup'.

Since the relevent configuration is the same for web and file scanner, and normally the web scanner blocks these things automatically, how did the file reach my HD? I'm forced to conclude that KAV's HTTP scanner can let things through, albeit infrequently, and that hardly inspires confidence.

 

Probably the web scanner was fooled by obfuscated JS and didn't see anything until the first malicious executable was placed in the cache and then it was smashed by the file scanner.

 

has anyone reported this sort of thing to the kaspersky fourm or even tech support of kaspersky? remember kaspersky forum has some kaspersky developers which im sure would like to know about it so it can be fixed.

 

Webav level "recommended" i guess.

 

Yes, it was a .js and it was cached. Obviously I'm not too bothered about a cheapo exploit which is probably going nowhere even if it does get through, it's just the thought that next time the same thing could happen with something more serious, that gets placed into memory before before being cached, thus defeating the point of having a web scanner.

Unfortunately I deleted the backup copy file and discarded the record, so I can't say more about it.

 

KIS's web antivirus is easily fooled by obfuscated JavaScript and VBScript. They make a vain attempt to hook document.write and eval so as to see beneath the obfuscation, but if that is easily bypassed. They also look for shell code in the JScript, again a pretty weak approach. If you browse a lot of questionable sites, there is a lot better protection out there.

 

No, I never run things on 'recommended'; everything was set to maximum protection.

 

Unfortunately, that better protection isn't going to come in the form of Symantec.

 

Why?
I guess you have some nasty experiences?
I don't have these kind of trouble at all.

Could you be more specific?

 

Sure.. I have run into quite a few websites that use the now 2 year old MDAC exploit but heavily obfuscated and KIS missing them. Not only did the machine get infected, the dropper or whatever the dropper dropped also disabled KIS by changing the system date. Thats pretty poor performance by KIS.

 

This is an OT comment but no surprise.. a classic Symantec basher comment. Have you even tried NIS2008 vs KIS7 against drive-by downloads head-to-head.

 

'Issue') fixed in latest official build.

NIS 'better' than KIS? uhmmm

 

Yep, the reasons for which you would obviously prefer to pretend not exist.

Not only drive-by downloads, but their respective payloads as well. Avira is a top-of-the-line scorer when it comes to Javascript exploits, and Kaspersky is close behind, partly thanks to the unearthly speed at which they can respond and churn out updates. McAfee has a reputation for nabbing scripts as well, which is important since it tends to fail to detect the payload. Symantec, on the other hand... I suppose it's okay. But better than Kaspersky? Sorry, but no.

 

Prove it. PM me one website that NIS2008 does not block a drive-by AND THE MACHINE GETS INFECTED. Norton does NOT have to release signatures at an unearthly speed for drive-bys like Kaspersky because they detect the underlying vulnerability, not the shell code etc like Kaspersky does. The shell code is constantly changing hence Kaspersky has to constantly keep updating their signatures. Norton on the other hand is able to detect EVERY SINGLE instance of the popular MDAC vulnerability with one signature http://www.symantec.com/avcenter/attack_sigs/s50031.html. Please get your facts straight instead of having blind faith.

I can't comment on Avira and McAfee since I have never tested them.

 

Drive-by download protection should be payload agnostic has there can be an infinite number of payloads. NIS has it, KIS doesn't. The number of Web Antivirus sigs on the KIS website just to detect one vulnerability MDAC tells the whole story.

Symantec has one MDAC signature http://www.symantec.com/avcenter/attack_sigs/s50031.html

 

First you claim that Symantec has excellent detection against exploits, but now it looks like you're shifting to another story. Given the dynamic nature of web exploits I may not be necessarily able to immediately find an exploit website where Symantec fails against both the exploit AND the payload for you, but missed exploits by Symantec are in ample supply on my end, one of which will be sent to you as soon as you can make up your mind.

 

Ok.. the reason I said "the machine gets infected", because a lot of clueless people test drive-by protection with an exploit that is simply buggy or on a machine that is patched. If you know the exploit works on the OS that you are testing, then I dont really care about whether the payload is detected or not. e.g. dont tell me that Norton doesn't detect the MDAC exploit on XP SP2 fully patched because I know that. MS$ has set the kill bit on MDAC through a patch so obviously the exploit wont work hence Norton wont detect it. But as long as you have all the conditions setup correctly for the exploit to work i.e unpatched OS, installed ActiveX, unpatched ActiveX, Norton will block the exploit irrespective of the payload. Send me a URL.

 

In fact, I'll give you three. Download, rename extension to zip, and unzip.

I won't tell you how to convert these into active exploits that you can use to shoot yourself in the foot with, but the exploit code is there and working. As an added bonus, anyone who knows how to de-obfuscate these by hand will get three free copies of internet trojans. Good luck with your much-vaunted Symantec.

~Attachment removed. No malware or suspected malware is to be posted on the forums. - Ron~

 

Tested the link I was sent.. it was a DUD. Still waiting for a URL that is able to bypass NIS2008.

 

Perhaps you weren't smart enough to see that I plainly uplaoded it as a harmless attachment. Have you tried downloading the file?

 

Just sent you another one that Avira nabbed as HTML/Shellcode.Gen. Please note that it's a SendSpace link for you to download the file.

I mean, dear god... I thought everyone knew what SendSpace is by now.

 

That's strange.
What were your settings?

 

what is "the anti-banner"? i have KAV 7.0, where can i find it in the GUI?