if you run kis and are having browsing issues ..

Discussion in 'other anti-virus software' started by zfactor, Feb 12, 2008.

Thread Status:
Not open for further replies.
  1. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    please try turning off the anti-banner. if this is already turned off for you this may not help you. but i have fixed a LOT of peoples problems locally by doing this. the anti banner for some reason prevents some entire pages from loading and makes some load SUPER slow, i have seen this in at least a dozen or more cases now. it affects all 3 we have it on and with the feature turned off everything is smooth..

    again may not be the fix for your issues but i know i have seen this fix a lot of the browsing issues for many people now
     
  2. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469

    KIS's HTTP parser is a piece of junk. Not only does it have incompatibility issues, it also misses a lot of drive-by downloads.
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The strange thing is that, the other day I was hit by some malware while browsing a dubious site and it went straight through the web scanner, only to be picked up when written to HD by the file scanner, which deleted it and left a copy in 'Backup'.

    Since the relevent configuration is the same for web and file scanner, and normally the web scanner blocks these things automatically, how did the file reach my HD? I'm forced to conclude that KAV's HTTP scanner can let things through, albeit infrequently, and that hardly inspires confidence.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Probably the web scanner was fooled by obfuscated JS and didn't see anything until the first malicious executable was placed in the cache and then it was smashed by the file scanner.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    has anyone reported this sort of thing to the kaspersky fourm or even tech support of kaspersky? remember kaspersky forum has some kaspersky developers which im sure would like to know about it so it can be fixed.
     
  6. ogy

    ogy Registered Member

    Joined:
    Aug 7, 2006
    Posts:
    28
    Webav level "recommended" i guess.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, it was a .js and it was cached. Obviously I'm not too bothered about a cheapo exploit which is probably going nowhere even if it does get through, it's just the thought that next time the same thing could happen with something more serious, that gets placed into memory before before being cached, thus defeating the point of having a web scanner.

    Unfortunately I deleted the backup copy file and discarded the record, so I can't say more about it.
     
  8. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    KIS's web antivirus is easily fooled by obfuscated JavaScript and VBScript. They make a vain attempt to hook document.write and eval so as to see beneath the obfuscation, but if that is easily bypassed. They also look for shell code in the JScript, again a pretty weak approach. If you browse a lot of questionable sites, there is a lot better protection out there.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    No, I never run things on 'recommended'; everything was set to maximum protection.
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Unfortunately, that better protection isn't going to come in the form of Symantec.
     
  11. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52?18'51.59"N + 4?56'32.13"O
    Why?
    I guess you have some nasty experiences?
    I don't have these kind of trouble at all.

    Could you be more specific?
     
  12. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Sure.. I have run into quite a few websites that use the now 2 year old MDAC exploit but heavily obfuscated and KIS missing them. Not only did the machine get infected, the dropper or whatever the dropper dropped also disabled KIS by changing the system date. Thats pretty poor performance by KIS.
     
  13. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    This is an OT comment but no surprise.. a classic Symantec basher comment. Have you even tried NIS2008 vs KIS7 against drive-by downloads head-to-head.
     
  14. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    'Issue':):)) fixed in latest official build.
    NIS 'better' than KIS? uhmmm o_O
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Yep, the reasons for which you would obviously prefer to pretend not exist.

    Not only drive-by downloads, but their respective payloads as well. Avira is a top-of-the-line scorer when it comes to Javascript exploits, and Kaspersky is close behind, partly thanks to the unearthly speed at which they can respond and churn out updates. McAfee has a reputation for nabbing scripts as well, which is important since it tends to fail to detect the payload. Symantec, on the other hand... I suppose it's okay. But better than Kaspersky? Sorry, but no.
     
  16. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Prove it. PM me one website that NIS2008 does not block a drive-by AND THE MACHINE GETS INFECTED. Norton does NOT have to release signatures at an unearthly speed for drive-bys like Kaspersky because they detect the underlying vulnerability, not the shell code etc like Kaspersky does. The shell code is constantly changing hence Kaspersky has to constantly keep updating their signatures. Norton on the other hand is able to detect EVERY SINGLE instance of the popular MDAC vulnerability with one signature http://www.symantec.com/avcenter/attack_sigs/s50031.html. Please get your facts straight instead of having blind faith.

    I can't comment on Avira and McAfee since I have never tested them.
     
  17. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Drive-by download protection should be payload agnostic has there can be an infinite number of payloads. NIS has it, KIS doesn't. The number of Web Antivirus sigs on the KIS website just to detect one vulnerability MDAC tells the whole story.

    Symantec has one MDAC signature http://www.symantec.com/avcenter/attack_sigs/s50031.html
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    First you claim that Symantec has excellent detection against exploits, but now it looks like you're shifting to another story. Given the dynamic nature of web exploits I may not be necessarily able to immediately find an exploit website where Symantec fails against both the exploit AND the payload for you, but missed exploits by Symantec are in ample supply on my end, one of which will be sent to you as soon as you can make up your mind.
     
  19. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Ok.. the reason I said "the machine gets infected", because a lot of clueless people test drive-by protection with an exploit that is simply buggy or on a machine that is patched. If you know the exploit works on the OS that you are testing, then I dont really care about whether the payload is detected or not. e.g. dont tell me that Norton doesn't detect the MDAC exploit on XP SP2 fully patched because I know that. MS$ has set the kill bit on MDAC through a patch so obviously the exploit wont work hence Norton wont detect it. But as long as you have all the conditions setup correctly for the exploit to work i.e unpatched OS, installed ActiveX, unpatched ActiveX, Norton will block the exploit irrespective of the payload. Send me a URL.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    In fact, I'll give you three. Download, rename extension to zip, and unzip.

    I won't tell you how to convert these into active exploits that you can use to shoot yourself in the foot with, but the exploit code is there and working. As an added bonus, anyone who knows how to de-obfuscate these by hand will get three free copies of internet trojans. Good luck with your much-vaunted Symantec. ;)

    ~Attachment removed. No malware or suspected malware is to be posted on the forums. - Ron~
     
    Last edited by a moderator: Feb 16, 2008
  21. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Tested the link I was sent.. it was a DUD. Still waiting for a URL that is able to bypass NIS2008.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Perhaps you weren't smart enough to see that I plainly uplaoded it as a harmless attachment. Have you tried downloading the file? :rolleyes:
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Just sent you another one that Avira nabbed as HTML/Shellcode.Gen. Please note that it's a SendSpace link for you to download the file.

    I mean, dear god... I thought everyone knew what SendSpace is by now.
     
  24. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52?18'51.59"N + 4?56'32.13"O
    That's strange.
    What were your settings?
     
  25. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    what is "the anti-banner"? i have KAV 7.0, where can i find it in the GUI?
     
Loading...
Thread Status:
Not open for further replies.