Security scanners are a joke?

Discussion in 'other anti-malware software' started by aigle, Feb 13, 2013.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I was playing with the TDL3 rootkit while testing a recovery software when I tried to scan my system with some security scanners, just for the sake of fun. The rootkit sample I used is pretty old (at least a few months), so I thought it must be detected by almost all the scanners, but I was rather surprised by the results. TDL3 infects the MBR, but many scanners were not able to detect this MBR infection.
    I tried it on a 32-bit Win 7 VM in VirtualBox with an Ubuntu host. Installation and scanning were done with the rootkit installed and active. I did full scans.

    Scanners that detected the infected MBR:

    Gmer
    Avast Rootkit scanner
    Emsisoft emergency USB files
    Hitman pro
    Kaspersky Tdss killer tool

    Scanners that failed:

    Dr.Web (it did detect an infected svchost.exe process but not the MBR)
    Comodo Cleaning Essentials and Comodo Antivirus
    Windows Defender
    MBAM (it did stop the access of svchost.exe to the malicious domain)
     
    Last edited: Feb 13, 2013
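    The post above lists which scanners noticed that the MBR had been rewritten. As an added example that is not from the original thread or from any of the tools named in it, the script below shows the simplest form of that check a defender can run independently of a scanner: parse the 512-byte MBR into bootstrap code, partition table and boot signature, hash the bootstrap region, and compare the result with a baseline captured on a known-clean system. The sample sectors it works on are constructed in the block (the bootstrap bytes are filler, not real boot code), and the device paths in the comments are assumptions for the reader to adapt.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446            # bytes 0..445: bootstrap code
PARTITION_TABLE_OFFSET = 446    # 4 entries x 16 bytes
SIGNATURE_OFFSET = 510          # bytes 510..511: 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into a bootstrap hash, decoded partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    bootstrap = sector[:BOOTSTRAP_SIZE]
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        raw = sector[start:start + 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": entries,
        "valid_signature": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings where the current MBR differs from the clean baseline.

    A changed bootstrap region with an unchanged partition table is the pattern
    to look at closely: the disk still boots and mounts normally, so nothing
    visible breaks, yet the code that runs before the OS has been replaced.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(bootstrap_stub: bytes) -> bytes:
    """Construct a synthetic MBR for demonstration (not a real boot sector)."""
    bootstrap = bootstrap_stub.ljust(BOOTSTRAP_SIZE, b"\x00")
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return bootstrap + table + b"\x55\xaa"


# Constructed samples: filler bytes standing in for original and replaced bootstrap code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")


if __name__ == "__main__":
    # On a live host you would read the first sector of the boot disk instead, e.g.
    # open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows (administrator rights)
    # or open("/dev/sda", "rb").read(512) on Linux (root), with the clean baseline
    # hash stored elsewhere than the disk being checked.
    print("clean vs clean:   ", compare_to_baseline(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", compare_to_baseline(CLEAN_MBR, TAMPERED_MBR))
```

    The check is only as trustworthy as the read it is based on: a rootkit that hooks the disk stack can hand a clean copy of the sector back to user-mode readers, which is why the thread's boot-time and offline tools (a rescue USB, or reading the disk from the VM host) are the stronger way to confirm what is really on sector 0.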
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Normal AV software is always behind tools like Hitman Pro, GMER and TDSSKiller at detecting active rootkit infections, even if it is an older sample. They can add detection for the sample itself easily by adding it to the virus database, but detecting new active rootkit infections may require new techniques for which a program update is needed, and since it is a realtime program installed on lots of PCs, they will need a lot more testing before they can release it compared to on-demand tools like Hitman Pro etc. Also, with these on-demand tools, removal of active malware is the main objective, whereas realtime tools have a much wider focus with prevention, stability, bugfixes and keeping light on resources, so removal of active infections takes a backseat.
     
  3. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Did you run MBAM AntiRootkit? Did you run MBAM Pro or MBAM Free? Was the realtime protection on?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,746
    Location:
    Texas
    https://www.wilderssecurity.com/showthread.php?t=180128
     