If you run KIS and are having browsing issues..

Discussion in 'other anti-virus software' started by zfactor, Feb 12, 2008.

Thread Status:
Not open for further replies.
  1. Xenophobe

    Xenophobe Registered Member

    Joined:
    May 26, 2007
    Posts:
    174
    It's only in Kaspersky Internet Security I believe.
     
  2. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    xenophobe,
I guess that explains why I couldn't find it. I was going nuts.
    thanks for the reply, Ed
     
  3. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Just did. Extracted the contained HTML and double-clicked it after installing the vulnerable version of Qvod, version 2.1.5. It was detected and blocked. See attachment. :D No surprise.

    What next.
     


  4. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    Correct
     
  5. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469

    All default out-of-the-box settings. It's not surprising, Sjoeii. KIS is not detecting the underlying vulnerability. It's still detecting the payload that the vulnerability drops, e.g. researching the protection, it looks like it triggers on the shell-code + on the name of the ActiveX + on the literal string of the method of the ActiveX. Change or obfuscate any of these and the attack gets through.
     
  6. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    Good thing is that it still has room for improvements :p ;)
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Probably because I submitted the undetected files to all vendors that didn't catch them, and I notice your reply came two days late. :rolleyes:

    Nice try anyway.
     
  8. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    That signature was released on Jan 22, here is the link: http://www.symantec.com/avcenter/security/Content/2008.01.22c.html. And it hasn't been updated since, as indicated by the release notes. Small detail that you ignored, but that's expected from all Symantec bashers. This constant and unfounded bashing of ALL Norton features, even those that actually work well, is getting old real fast. Please get your facts straight before posting rubbish, because you can bet someone will call you on it.

    There is no way you will believe that Norton has better drive-by protection, is there? I am wasting my time. Good luck.
     
    Last edited: Feb 18, 2008
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Just out of curiosity, did the others get stopped by Symantec as well?

    Apparently Symantec seems to have some detection mechanism that isn't included at VT. I'll dredge up a copy of Symantec on a test machine later.

    Of course you are. Idle, unsubstantiated claims and anecdotal evidence don't really count for much. At any rate I'm re-downloading a trial copy of NIS2008 right now - will keep you updated.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think Zombini says that the drive-by protection of Norton is included in the IDS signatures of the firewall, which obviously aren't available at VT. Or it could be something related to SONAR.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Both sound highly improbable. Firewall IDSes typically do not defend against script exploits, as it just isn't their jurisdiction, and behavior-based detection can hardly assign specific names to exploit files.

    But I guess we'll see over the next day or two as I toy with it.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's what I think, but every time someone talks about drive-by protection in NAV/NIS, they point to the IDS :doubt:
     
  13. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    NIS/NAV 2008 added a new feature called Browser Defender that was specifically designed to detect obfuscated drive-by downloads, script-based or non-script-based. I have attached a screenshot. It shows up under the IPS settings, so it may or may not be part of the IPS; I have no way of knowing. NIS/NAV 2007 does not have this feature, neither does N360 v1.

    This feature is NOT used by the Norton scanner on VT or Jotti or av-comparatives because it is only invoked if you attempt to browse to the malicious URL or double-click the .htm when it's on the disk. Just right-clicking and selecting "scan with Norton" will not trigger a detection. Neither will a command-line scanner like the one VT uses.

    Solcroft,

    Make sure you have the system set up correctly when testing NIS's drive-by protection:
    - The system must be unpatched for the vulnerability being tested. If it is patched, the patch may have set the kill-bit, and hence the ActiveX will not load and hence you won't get a detection.
    - If you are testing an exploit on a non-Microsoft ActiveX, make sure the ActiveX is installed. If it isn't, then it can't be instantiated, hence Norton won't detect it.
    - Finally, make sure you either browse to the URL containing the exploit, or double-click the local HTML.

    Good Luck.
     

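The first item in Zombini's checklist turns on whether Internet Explorer's kill-bit has been set for the control's CLSID. That is recorded in the registry under "ActiveX Compatibility", in the "Compatibility Flags" DWORD, where the 0x400 bit (COMPAT_EVIL_DONT_LOAD) is the kill-bit; on 64-bit Windows the 32-bit browser reads the Wow6432Node copy. The following PowerShell script is an added example, not code from the thread or from any vendor, that reports for one or more CLSIDs whether the control is registered at all and whether its kill-bit is set, so a test bench (or a hardening audit) can be confirmed before drawing conclusions about what a product detects. The CLSID values passed at the bottom are constructed placeholders; substitute the control you are checking.

```powershell
# Added example (not from the thread): report whether IE's kill-bit is set for
# one or more ActiveX CLSIDs. Both registry locations below are the real ones
# Internet Explorer consults; the CLSIDs passed at the end are placeholders.

# Bit 0x400 in "Compatibility Flags" is COMPAT_EVIL_DONT_LOAD, i.e. the kill-bit.
$KillBit = 0x400

function Get-ActiveXKillBitStatus {
    param(
        [Parameter(Mandatory)]
        [string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        # Native view first, then the 32-bit view used by 32-bit IE on x64 Windows.
        $paths = @(
            "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$id",
            "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
        )
        $flags = $null
        foreach ($p in $paths) {
            if (Test-Path -Path $p) {
                $item = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -ne $item) {
                    $flags = [int]$item.'Compatibility Flags'
                    break
                }
            }
        }

        # A control that is not registered cannot be instantiated regardless of the kill-bit
        # (Zombini's second checklist item); InprocServer32 names the hosting DLL.
        $registered = Test-Path -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32"

        $killBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        $flagText = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(no entry)' }

        [pscustomobject]@{
            CLSID       = $id
            Registered  = $registered
            KillBitSet  = $killBitSet
            CompatFlags = $flagText
        }
    }
}

# Placeholder CLSIDs (constructed for illustration, not real controls).
Get-ActiveXKillBitStatus -Clsid @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
) | Format-Table -AutoSize
```

A row showing Registered = True and KillBitSet = False is the only state in which the browser will actually instantiate the control from a page, which is the precondition Zombini describes for a browser-side detection to have anything to trigger on; KillBitSet = True is the mitigated state an administrator wants to see for a vulnerable control.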

  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Is it turned on by default?
    lodore
     
  15. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Yes.

    Zombini
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Question: I've downloaded NAV2008. Do I get the Browser Defender thingy in that, or do I need to go back and redownload the suite instead?
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks. I still wonder how it sees the exploit signature in an ocean of obfuscated script without a full scripting engine.
    IIRC, it's also available in the AV.
     
  18. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    Hmm, this does seem an issue with KIS. I do see what you mean now that I have played with this... arghh, just when you think you have found the right one....
     
    Last edited: Feb 18, 2008
  19. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Good question. I don't know the answer, but whatever Norton is doing, it works great.
     
  20. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    I actually really like NIS2008, it just still impacts my system much more than even KIS does.. and as I stated above I am def not a Norton fan.. it is a great overall AV.. I wish they could bring system impact down even a bit more and honestly I'd prob use it myself..
     
  21. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    It works great indeed.
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas
    As this thread seems to have morphed into a comparison thread, it will now be closed.
     