No more safety without AntiVir !! Is it the only one ?

Hi board

I have tested many antimalware scanners : AV, AT, AS etc. against very well known and easily detectable malware but encrypted with Themida runtime packer, all of them have failed except Avira AntVir in all encrypted malwares and Pest Patrol in some of the encrypted malwares.

Specifically I have tested these AV's : KAV, NOD32, BitDefender, Pc-Cillin, Norton, AVG, Avast.

And these AT's and AS's : AVG (Ewido), T Hunter, T Remover, SpySweeper, SpywareDoctor, SAS, Ad-Aware Pro, SpyBot, A2, TMAS.

Note : I tested every scanner with a Themida encrypted malware wich is easily detectable by the same scanner when it was not encrypted !!

No one succeeded except Antivir all the time, and Pest Patrol some times, all other failed every time .

It is a very annoying test result which means that any trivial but Themida encrypted malware can easily infect a machine protected by any first class AV or AT or AS but AntiVir !

Now I cann't feel safe any more without AntVir.

Did you try any other scanner against Themida encrypted malware?
If not please do and share your results with us.

 

I would agree there isnt any better.

 

Did you use free version of AntiVir or paid version and thanks.

Gary

 

@ huntnyc

Free Version

 

Well duh! Considering your avatar, take this with a biased grain of salt.

So, you use a very specific testbed that only includes one sample, or one type? And from that you conclude that AntiVir must be the best? I'm sorry you'll need to do a little testing in order for your conclusions to have any weight to them.

Don't get too comfortable. Take into account a pproducts track record. It is entire possible to AntiVir to not do well on the next official test. It is a very good product but it is not the best there is. Nor is any for that matter.

 

Would any HIPS or behavior type programs have detected this? Like ProSecurity Free, or Cyberhawk?

 

When you execute it (they work on behaviour, ie when the malware acts). Same goes for the av's, maybe they would detect them upon extraction, i don't know.

 

You got me wrong I didn't test all scanners with the same malware, I tested every one with a 2 or 3 very well known malwares to it specifically.

I didn't say that AntiVir is the best, but simply I said it is the only one who was able to detect the malware before encryption and after encrypted by Themida.

 

I'm curious, did you test these products with their default settings? NOD32, for instance, has an option to scan runtime packers. If memory serves, it is not enabled by default, but someone please clarify this if I'm wrong. I'm really not familiar with the other products you tested, but they certainly must include options not enabled by default that would increase the detection rate if enabled.

 

HIPS should be able to detect the bad effect on the system, because HIPS detect the influence of the malware on the system not the malware it self. and there is no difference if the malware it self was encrypted or not because HIPS don't depend on sigs.

 

No for our bad luck
For example : NOD32 and KAV accept Themida encrypted Biforse trojan running in the memory very happily.

Other scanner show similar silent action even when malware was in working phase !!!

 

Just use Avira then, and don't worry if that is what it takes.

Jerry

 

NOD32 2.7.16 was tested with maximum security level enabled, including runtime packers, Advanced Hueristics, Anti Stealth and every thing else.
Try it your self with a very old malware but encrypted by Themida!

All others were tested with the highest level of security available.

 

Metting,
I read your posts about this in a thread about Pest Patrol recently.
This is good for AntiVir.
A question though.....
Would malware need to be decrypted before it could actually do anything?
The reason that I ask is because you stated that these samples were detected by multiple programs before they were encrypted.

 

Okay, thanks Metting. I'll take your word for it. I suppose to minimize the risk of infection from one of these encrypted malwares is to download executables from well-known, trusted sites, as I always do. I don't use shareware or torrent programs of any kind. BTW, is it possible to recognize these thermida-encrypted files by their file extensions?

 

Thank you, thank you, thank you!! When I saw this thread I was surprised more then I have ever been and amazed at the same time. I immediately called Eugene and said, "We messed up big time! Over at Wilders this guy discovered a hole that had never occurred to any of us before. We'd better jump on this right now or our scanner is done for!"

Ever thought of pursuing a job in our labs?

 

you really talked with Eugene?

 

Did a quick Google on Themida and malware. Found that F-Secure detects Themida encoded malware also.

SourMilk out

 

How about Dr. Web antivirus? Did you test it?

 

Be careful what you read into those results. At the moment, it means that AntiVir is capable of detecting malware encrypted with that particular packer. With a different packer or encryption method, the results could well be different. AVs can react to new packing or encryption methods but it's impossible for them to anticipate all the methods could be used. The tools are freely available that can make malware undetectable by any AV.
I uploaded a copy of graypigeon, a known malware to 2 different online sites that use multiple scanners. The results are shown in the links below.
Scanned by Jotti.
Scanned by Virustotal.
I'm suprised by the ones who didn't recognize this unencrypted malware, starting with PrevX1, NOD32, and Microsoft!
I then encrypted graypigeon by a method not normally used, renaming it testpest..exe and uploaded it to both sites. Here's the results.
Jotti scan of encrypted malware.
Virustotal scan of encrypted malware.
I'm not going to identify the method I used to encrypt this file for obvious reasons. This was strictly to demonstrate that signature based detections have no chance against encrypted malware, unless the vendor has already seen malware encrypted by that particular method.
Rick

 

None of them got it o_0... So if someone got that on a computer... and executed it so... w.e damage could be done... would an anti-virus like kaspersky stop it... or not until the next version with heuristics?

 

There is something I dont understand, there should be some point at executing an encrypted exe that the AV will detect it or not? Try executing your encrypted trojan Herbalist and see if your AV detects it.

 

No,

malware encrypted by themida can do it's work while encrypted.

Themida simply protects the area in memory in which the malware or any other themida encrypted file works, so it is impossible for any program to read this memory area except if the program has a special way to pass through this protection, and this penteration of themida protection is what AntVir handled with success.

 

Thanks SourMilk

any one ready to test F-secure ?

 

No I didn't, I hope some one will do