Regarding the test of Kaspersky's behaviour blocker

Discussion in 'other anti-virus software' started by comma dor dash, Jun 9, 2006.

Thread Status:
Not open for further replies.
  1. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Ok...let's clear up things a bit:

    1. Why can't I post the link to the test?

    This is certainly not because "it is a dark or grey site, which contains links to live malware". There are many "white" sites like http://www.malware-research.co.uk/ (operated by Derek and Inspector Closeau) that contain links to live malware.

    The test published in our forum includes similar samples. Broadly speaking, one sample comes very close to a trojan (but is not a trojan anymore). The other sample is indeed a trojan (which can be easily removed and does not copy itself to Windir or register an autostart entry). The samples allow you to distinguish between "good", visible connections and "bad", stealthy connections (i.e., suspicious behaviour). Many behaviour blockers will ALWAYS alert the user if network activities take place. This is not better than a personal firewall. Another example: "execution protection" informs the user whenever an application is started. Again, this does not allow the user to determine whether an application is good or bad. A behaviour blocker should only inform you about suspicious behaviour. If you simply want to control each and everything in your computer you should use a system firewall.

    So why can't I publish the link? Very simple. We have discussed this before: the average Wilders user is relatively inexperienced, will try this test, get an alert from the virus scanner, fall in panic, delete the operating system and then complain in this forum about a "terribly dangerous link". This situation shall be avoided.

    2.
    "About email privacy: afaik in most european and other countries the law "DL 196/2003" applies, which says that the mails are intended only for the receiver and can not be e.g. posted somewhere without permission of the sender. I am not sure, but at least in Italy, Austria and Germany it is so I think."

    I doubt that this is correct. Apart from the fact that such law does not exist in Germany, it would have to be demonstrated that DL 196/2003 (an Italian law) includes such prohibition. Can you cite the respective paragraph? (I know this is off topic but it's interesting. Maybe we should discuss this in a separate thread.)

    I agree, however, that in VERY limited cases, it may not be allowed to disclose the contents of an email (e.g., if you disclose the email in order to harm someone or if the sender expressly said that the information contained in the email is confidential it *might* not be allowed to disclose the contents of such email). For your convenience I link to a page dealing with the situation in Austria: http://www.internet4jurists.at/e-mail/sonstig1a.htm#Geheimnis

    3.
    "It is also not allowed to post direct links to subpages if the author of the site explicitly prohibits it or uses some basic methods to avoid that."

    In my current jurisdiction, the highest civil court has clarified that deep links are generally permissible: http://www.beckmannundnorda.de/bghdeeplinks.html (English summary: http://www.wilmerhale.com/de/veroeffentlichungen/whPubsDetail.aspx?publication=338 http://www.linksandlaw.com/linkingcases-deeplinks.htm )

    If the author wants to protect his content he can use a password protected site. A mere oral/written prohibition like "you must not deep link" is invalid. The court even went so far as to call the behaviour of someone who tried to prohibit deep links "venire contra factum proprium" ...
     
    Last edited: Jun 11, 2006
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    As far as I'm aware, the open portion of that board does not contain live links.
    The admins and mods are not about to parse/disassemble/analyze each and every malware behaving link that anyone could randomly include as part of a post, claiming it to be a test piece when, in fact, it is a rather nasty actual trojan. The site takes a conservative approach erring on the side of safety for all. This is a prudent course, no more, no less.
    Agreed, pursuing discussion of this topic should proceed in a new thread.

    Now how about a return to the nominal topic of the thread? Thanks in advance.

    Blue
     
  3. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    I think it might make sense to define certain concrete rules/features that should be supported by a "behaviour blocker" and to distinguish such rules/features from other security applications. (Moreover, I don't like the term "behaviour blocker" because it is a little bit too narrow. I would prefer the term "intrusion detection system". Unfortunately, this term is already occupied by network IDSs like Snort.)

    1.
    IMHO a behaviour blocker should inform about/block ...

    virus-like modifications of executables and important Windows files,
    network connections established by invisible applications,
    network connections established in a suspicious way (e.g., the connection is established through a trojan .dll injected into internet explorer),
    encrypted network traffic (maybe),
    hidden files & registry entries (rootkit-like behaviour),
    registration of autostart entries (also if not registered by the trojan itself but with the help of an installer, batch file, joiner etc.),
    installation of services,
    executables copying themselves to windows or system directory (typical for trojans but can be easily avoided -- "weak" rule),
    modification of another application's memory space (including CreateRemoteThread),
    (other) dangerous "injection" methods (via registry, global hooks, BHOs, etc.),
    termination attacks,
    buffer overflows,
    shatter attacks,
    and so on.

    2.
    IMHO a behaviour blocker does not need to ...

    control or inform about every network connection (-> network firewall),
    block the execution of every executable ("execution protection" -> system firewall),
    scan network traffic with the help of signatures (-> network IDS),
    scan software with the help of signatures (-> AV/AT scanner),
    run high-risk software within a safe environment (-> virtualization solution/sandbox),
    control every file access (-> system firewall).


    It goes without saying that a behaviour blocker may also support certain features of other security apps like system firewalls. However, I consider it important that a user firstly decides what kind of protection s/he is looking for and then determines whether a specific application meets the requirements. Currently, there is too much confusion resulting in questions like: "Is Sandboxie better than NOD?", "Is the detection rate of Outpost higher than the detection rate of Process Guard?" etc. :blink:

    Please feel free to suggest different/additional rules or categories. You may also completely disagree with my approach and suggest something else.


    EDITED: @Blue "As far as I'm aware, the open portion of that board does not contain live links." This is correct. The closed section (to which several blackhats have access ;-) contains direct links to malware which is frequently new and cannot be detected by several scanners. By contrast, our open sections do not contain links to any really dangerous malware. That's why the board is open. This does not imply, however, that I have any problems with your "safety first" approach. IMHO, it is justified because there are so many inexperienced users here.
     
    Last edited: Jun 11, 2006
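Added example, not code from the thread or from any product it discusses: a toy Python rule engine that applies the category-1/category-2 split from the post above to a constructed host-event trace, reporting only the behaviours listed under 1 and staying silent on the firewall/scanner territory listed under 2. Event kinds, field names and the sample paths are assumptions made for the illustration.

```python
from dataclasses import dataclass
import ntpath  # backslash-aware path helpers, so the rules run on any platform

RUN_KEYS = ("hklm\\software\\microsoft\\windows\\currentversion\\run",
            "hkcu\\software\\microsoft\\windows\\currentversion\\run")
SYSTEM_DIR = "c:\\windows\\"                   # also covers System32
ALWAYS = {"service_install": "service installed",            # suspicious on sight
          "remote_thread": "thread created in a foreign process"}

@dataclass
class Event:               # constructed event shape, not any real hook's format
    pid: int
    image: str            # path of the acting process
    kind: str             # net_connect, reg_set, file_write, process_start or an ALWAYS key
    target: str = ""      # endpoint, registry value, file path or target pid
    visible: bool = True  # process owns a visible top-level window
    module: str = ""      # module that issued the call, if the hook knows it

def classify(ev):
    """Reason string for category-1 behaviour; None for category-2 noise."""
    image, target = ev.image.lower(), ev.target.lower()
    if ev.kind in ALWAYS:
        return ALWAYS[ev.kind]
    if ev.kind == "net_connect":
        if not ev.visible:
            return "network connection by invisible application"
        # visible app, but the call comes from a module outside its own directory
        if ev.module and ntpath.dirname(ev.module.lower()) != ntpath.dirname(image):
            return f"connection issued from foreign module {ev.module}"
        return None       # plain visible connection: a firewall's job, not ours
    if ev.kind == "reg_set" and target.startswith(RUN_KEYS):
        return "autostart entry registered"
    if ev.kind == "file_write" and target.endswith((".exe", ".dll", ".sys")):
        if target.startswith(SYSTEM_DIR) and ntpath.basename(target) == ntpath.basename(image):
            return "executable copies itself to system directory (weak rule)"
        if target != image:
            return "modifies another executable"
    return None           # process starts, data files etc. are not reported

# Constructed trace: a browser behaving normally, a dropper, then the same
# browser calling out through a DLL that is not its own.
SAMPLE = [
    Event(100, r"C:\Apps\browser.exe", "net_connect", "203.0.113.5:80"),
    Event(100, r"C:\Apps\browser.exe", "file_write", r"C:\Users\me\page.html"),
    Event(200, r"C:\Users\me\photo.exe", "process_start"),
    Event(200, r"C:\Users\me\photo.exe", "file_write", r"C:\Windows\System32\photo.exe"),
    Event(200, r"C:\Users\me\photo.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\photo"),
    Event(100, r"C:\Apps\browser.exe", "net_connect", "198.51.100.7:443", module=r"C:\Users\me\helper.dll"),
]
```

Running `[classify(e) for e in SAMPLE]` leaves the first three events silent and flags only the self-copy, the Run-key entry and the connection issued from the foreign DLL.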
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So what are the good behaviour blockers out there now? Can you name them?
     
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Since everyone is allowed an opinion, here is mine. These latest Kaspersky versions have really raised the bar and will make its protection hard to beat. One area I am interested in is seeing how easily some AVs are rendered useless (Norton); has anyone tested the Kaspersky 'self defense'?
     
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Self-defense is very effective. So far I was unable to do anything to KAV6 without first disabling self-protection.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I've disabled 'Self Defense' notifications in KIS, but the report contains many instances where other applications have attempted to access one or more of Kaspersky's processes.
     

    Attached file: sd.jpg (screenshot of the Self Defense report, 20.3 KB)