Signature-Heuristic AV programs

Discussion in 'other anti-virus software' started by Franklin, Jan 27, 2006.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: A new antivirus on the market?

    Ok I have bitten my tongue for long enough now.

    All signature based AV's are crap!

    NO SIGNATURE=NO PROTECTION!!!

    Kav and Nod32 included!!!
     
  2. AnthonyG

    AnthonyG Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    614
    Re: A new antivirus on the market?

    Then may I ask, what do you use, Franklin?
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: A new antivirus on the market?

    Sandboxie and Defensewall for browsing.

    E-trust Vet and Ewido for on-demand, which never find a thing after emptying the sandbox.

    And I have deliberately gone to compromising sites such as freeware. Like I said, no SIGGYS to worry about.

    Fred Flintstone used AVs.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: A new antivirus on the market?

    You're wrong here. Pretty much the same as all real-world "prevention" medications. They are mostly placebo or have a very small rate of effectiveness, while medications after you get that virus are much more effective because they are meant for very specific treatment.
    Same with AVs. It's still easier to provide a fast reactive approach (fast responses) than delivering ultra-powerful heuristics that give acceptable results.
    Ask anyone at ESET or Kaspersky Lab about this and you'll get the same answer.
    And you gave exactly two pioneers, which are both best in their category.
    Kaspersky for signatures and ESET for heuristics.
     
  5. AnthonyG

    AnthonyG Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    614
    Re: A new antivirus on the market?

    @Franklin.

    So can I ask: a few years ago I went to a crack site and had absolutely no security protection on my machine whatsoever (i.e. like you, no antivirus).

    On there I got a virus of some sort which immediately crashed my computer. Then I found the swine had somehow physically broken my hard drive and motherboard.

    What would happen with your setup if you went to a site with this unknown virus on it, and you do not have an antivirus running?
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: A new antivirus on the market?

    I would say it with other words, but I understand your feelings towards AV's.
    That's why I'm waiting for something else ... maybe the first Whitelist Scanner instead of all these Blacklist Scanners.
    I leave it up to the professional security analysts/experts. I can't defend my ideas without being one.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: A new antivirus on the market?

    Ask anyone at ESET or Kas? What reply do I expect?

    I don't need to ask any of them as I consider myself more protected than either of them can provide.
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: A new antivirus on the market?

    Exactly what I mean. You're running Fred Flintstone security.
     
  9. AnthonyG

    AnthonyG Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    614
    How exactly?

    If I went there today, firstly I would get a popup from either OA or Kaspersky saying there is a virus on this page, do not download.

    And thus I am now safe.

    What I am getting at is I think yours (Sandboxie) is a roll-back method, isn't it? (just guessing!)

    But if you have acquired a virus which immediately crashes your machine and then breaks your hard drive, what roll-back options do you have?
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If you acquire any virii with those capabilities and they are zero day, you are stuffed.

    Any AV without siggys or heuristics capable of detecting such an attack leaves you stuffed again!

    Such a small program with minimal resource usage as Sandboxie should protect you, and if you throw in the big gun, Defensewall, I would say you can laugh at any attack.

    But nothing is 100% secure, but IMHO Sandboxie and/or Defensewall offer far better security than any signature-based security software. Even better than the kings of AVs, Kas and Nod!!!
     
  11. StevieO

    StevieO Guest

    No they're not totally crap! Some are much better than others for different reasons, I'll grant you that. I've been both careful and what some would call lucky.

    Others I know are not so fortunate for all sorts of reasons, including the fact that it's they who are actually crap in the main. They haven't secured their systems as much as possible, if they know how to, and they surf to unsafe sites etc.

    Do our AVs etc. sometimes let us down? Of course they do, including some of the top names. Just look at Jotti's and see how some of the so-called lesser ones often fare better.

    But without any AV etc. a lot of people out there really would be stuffed, and a hell of a lot more often than they deserve to be getting away with like they do. So it's definitely a very worthwhile safety net to have. If you also have other measures in place so much the better, and why not!

    Sandboxes etc. are a great solution, I agree, but they are not for everybody. Imagine a family household with even just the kids wanting to P2P/UL/DL music/pictures/emails etc. and save them like they do. It would be impossible to realistically achieve a sensible, simple, happy solution for all concerned.

    As a single-user PC, for those who feel inclined, then it might be fine for them if that's what they want; otherwise it's too limiting for most people I think, including me. So yes, some people will continue to get caught out, and some more than others, and more often. But you would expect that they might learn, but many don't?

    So there is no perfect answer or solution, except to keep your wits about you and hope the zero days don't happen while you're on the PC. The chances are pretty slim, but it could happen; but if you have solid backup, then what's the problem?


    StevieO
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What about a Whitelist Scanner (WS)? You need only one instead of 15.
    During the installation the WS loads all the objects (registry, files, ...) of your OS and legitimate application software into its Whitelist Database. Any later installed legitimate software is also added to the Whitelist Database.

    Each time you scan, the WS removes everything that doesn't exist in the Whitelist Database.
    OK, I put it a bit too simply, but you can add additional validations in the WS as well. After all, Blacklist Scanners aren't simple either; they have more than just a definition (blacklist) database.
     
    Last edited: Jan 27, 2006
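The whitelist scanner sketched in the post above, written out as an added example (it is not code from the thread or from any product mentioned in it): an enrolment pass hashes every file under a root into a database, later legitimate installs are enrolled explicitly, and a scan classifies what is on disk as unknown, modified or missing. Instead of removing unknown files outright, this version moves them to a quarantine directory so a false positive is reversible, which matters once you consider the volume of new legitimate programs raised later in the thread. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_whitelist(root: Path) -> dict[str, str]:
    """Install-time enrolment: relative path -> SHA-256 of every file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def enrol(db: dict[str, str], root: Path, path: Path) -> None:
    """Add a later, legitimately installed file to the whitelist database."""
    db[path.relative_to(root).as_posix()] = sha256_of(path)


def scan(root: Path, db: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the database.

    unknown  - present on disk, never enrolled (candidate for quarantine)
    modified - enrolled, but the content hash no longer matches
    missing  - enrolled, but no longer on disk
    """
    report: dict[str, list[str]] = {"unknown": [], "modified": [], "missing": []}
    seen: set[str] = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in db:
            report["unknown"].append(rel)
        elif db[rel] != sha256_of(p):
            report["modified"].append(rel)
    report["missing"] = sorted(set(db) - seen)
    return report


def quarantine(root: Path, rels: list[str], qdir: Path) -> list[str]:
    """Move unknown files aside rather than deleting them; a false positive stays recoverable."""
    moved: list[str] = []
    for rel in rels:
        dest = qdir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(dest))
        moved.append(rel)
    return moved


def demo() -> dict[str, list[str]]:
    """Constructed scenario: enrol, install one more legitimate tool, then tamper and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "app.exe").write_bytes(b"legit application image")  # constructed
        (root / "config.ini").write_text("setting=1")                       # constructed
        db = build_whitelist(root)

        tool = root / "bin" / "tool.exe"
        tool.write_bytes(b"another legit tool")                             # constructed
        enrol(db, root, tool)                                               # explicit enrolment

        (root / "bin" / "dropper.exe").write_bytes(b"never enrolled")       # constructed: dropped file
        (root / "bin" / "app.exe").write_bytes(b"legit image + patch")      # constructed: tampered

        report = scan(root, db)
        report["quarantined"] = quarantine(root, report["unknown"], Path(tmp) / "quarantine")
        return report


if __name__ == "__main__":
    print(demo())
```

Note that a hash-per-path database catches replaced or patched files as `modified`, which a name-only whitelist would miss; the price is that every legitimate update must be re-enrolled, which is the operational burden the thread goes on to argue about.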
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Franklin, there are no zero day attacks.
    There are just worms and a bunch of dumb people that click every ~snip~ damn thing they get in their inbox. Sorry if I insulted anyone, but that's how I see it.
    Every AV vendor or expert can confirm this, I'm very sure about that.

    The infection vector through mail is so high because the payload is PUSHED to you (it's active), while browsing pages and downloading stuff is very passive.
    You have to first visit that page (very unlikely), download very specific content and in the end execute it. I don't say it's impossible, because it isn't.
    But before anyone actually gets to that page it may take time, and AV vendors already get the sample and issue a signature detection.
    You don't have that luxury for mail-borne malware. They are pushed to thousands of users in a matter of hours, and obviously all of them are dumb enough to extend the process (by executing it) to a few ten to hundred thousand samples, which just multiply the same way as real-world parasitic infections.

    So drawing a line here, I can say signatures are very important.
    The true "zero day" detection is not really important for people like me that use bulletproof mail services (that refuse all exe, pif, com, scr, zip files regardless of whether they are legit or not). Sure they are annoying at first, but when you get to know it you'll be happy you don't have to deal with stupid mass-spammed infected mails ever again. The more important thing for detecting new malware with a completely standalone algorithm is detecting malware based on existing signatures (modifications of existing stuff).
    These are always much more probable than one or two really unique samples that are made from scratch here and there.

    I'm using just one AV, which is most of the time some free one like avast! or AntiVir. Common sense is what has kept me from malware for years, and it's where I'm kind of an expert already. There is almost no file that I can't inspect just with my eyesight. File placement, process list, startup section, icon+extension, file size and lots of other factors can identify almost any malware in a matter of seconds. But the problem is that people simply DON'T THINK AT ALL o_O. That's a fact that I cannot deny.
     
    Last edited by a moderator: Jan 27, 2006
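The eyeball triage described in the post above (file placement, startup entries, icon+extension tricks, file size) can be written down as a small rule set. The following is an added example, not code from the thread: each rule yields a human-readable reason, and the inventory it runs over is constructed for the demonstration, as is the 10,000-byte "suspiciously small executable" threshold.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed rule data: executable extensions, decoy "document" extensions that
# precede them in double-extension names, and path fragments of user-writable areas.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}
USER_WRITABLE = ("c:/users/", "c:/documents and settings/", "/temp/", "/tmp/")
SYSTEM_DIRS = ("/windows/system32/", "/program files/")
SMALL_EXE_BYTES = 10_000  # assumed threshold for this example


@dataclass
class FileRecord:
    path: str
    size: int
    in_startup: bool = False   # referenced from an autostart location
    running: bool = False      # currently present in the process list


def extensions(path: str) -> list[str]:
    """Return every extension of the file name, e.g. 'photo.jpg.exe' -> ['jpg', 'exe']."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(rec: FileRecord) -> list[str]:
    """Apply the placement/extension/size/startup heuristics and collect the reasons that fire."""
    reasons: list[str] = []
    norm = rec.path.lower().replace("\\", "/")
    exts = extensions(rec.path)
    is_exec = bool(exts) and exts[-1] in EXEC_EXT

    if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DECOY_EXT:
        reasons.append(f"double extension: .{exts[-2]} decoy hiding .{exts[-1]}")
    if is_exec and any(d in norm for d in USER_WRITABLE):
        reasons.append("executable in user-writable location")
    if rec.in_startup and not any(d in norm for d in SYSTEM_DIRS):
        reasons.append("autostart entry outside system/program directories")
    if is_exec and rec.size < SMALL_EXE_BYTES:
        reasons.append(f"executable smaller than {SMALL_EXE_BYTES} bytes")
    if rec.running and reasons:
        reasons.append("currently running")  # escalate only if something else already fired
    return reasons


def triage_inventory(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; clean files are omitted."""
    flagged = {}
    for rec in records:
        reasons = triage(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed sample inventory: one system binary, one decoy-named dropper in Temp,
# one legitimately installed media player, one ordinary document.
SAMPLE = [
    FileRecord(r"C:\Windows\System32\svchost.exe", 14_336, in_startup=False, running=True),
    FileRecord(r"C:\Documents and Settings\User\Local Settings\Temp\photo.jpg.exe", 8_192,
               in_startup=True, running=True),
    FileRecord(r"C:\Program Files\Winamp\winamp.exe", 1_200_000, in_startup=True),
    FileRecord(r"C:\Documents and Settings\User\My Documents\report.doc", 45_000),
]

if __name__ == "__main__":
    for path, reasons in triage_inventory(SAMPLE).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

These rules are deliberately weak individually (plenty of legitimate software is small or lives in the user profile), which is why `triage` reports every reason rather than a verdict: the value is in several of them firing on the same file, the same way the poster describes combining factors.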
  14. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Hi Franklin. Your point is well taken. Although, you need to understand that they are still good. They can still save you. Because you use a different setup does not mean everyone else is unsafe. I agree that what you are doing is safe. But AV proggies are good to have also. Just another layer. That is all. AV programs are not the most advanced things, true. But they still add a good layer of protection. Stick with what you have and you will be safe MOST of the time. AV programs will help others who choose to use them. Stone age? Maybe. But NOT useless.
     
  15. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    So Franklin, firstly, you're absolutely 100% sure that there is no trojan out there that can bypass your defenses and secrete itself into your system rootkit style and secondly, how could you tell??
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Franklin never said that :
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    IceSword shows me that I'm safe from rootkits, and for emails using Outlook Express I use Palmail to check and delete any unwanted emails at the server's end. Actually quite a nifty little app.
    http://www.mirwoj.opus.chelm.pl/winfreeware/palmail.html
     
  18. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    The question for me is: what's the best value for money when it comes to the combination of paid security software together with which freebies?

    The paid AVs have proven that they fail sometimes - don't want to pay for that, so I stick to the virtual surfing sandbox technique until it fails me - if it does. This technique is not the complement to sig/heur AV - it's the AVs that are the complement to sandboxed surfing - so I don't pay for the complements.

    In the future it might well be that all these are included in the next generation of OSes? Let's hope for the owners of NOD and Kaspersky and all the others that they have sold out in due time?

    Best Regards
     
  19. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Whitelist scanners won't work. Have a look at Prevx's Insight web page to see why:

    http://research.prevx.com/default.asp?d=212

    They recorded something in the vicinity of 10,000 new programs today... that would be a horrendous job to update a whitelist scanner effectively... and if your program is unrecognised, what would you do while you waited for the whitelist scanner company to update their whitelist signatures?

    Given Prevx1 isn't an old program... but Insight has been up and running for at least a couple of months now.

    Sandboxes are fine, but they have their problems. Some programs won't work with them, virtualisation programs don't always function well with other virtualisation programs, they tend to have their inconveniences (e.g. starting Sandboxie to run IE in, or rebooting SU to make changes to your computer), and many aren't automated (so if many people use the computer, this can create a problem), etc. Personally I think sandboxes are going in the right direction, and they will only get better and better.

    That said, I've nothing against AVs. I run one with SU.
     
  20. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Franklin, do the following:

    - make a complete backup of your PC (Ghost, TrueImage etc.)
    - download malware from some website with your browser marked as untrusted in DW
    - execute Windows Explorer
    - execute the malware with Windows Explorer

    Ooops... No protection from DW... How about format c: ? ;-)
    And try to add Explorer.exe to the untrusted list of applications and reboot your computer...

    DW did not properly protect from the WMF exploit - the exploit will activate if you have a WMF file in the view pane of Explorer. So if you download a WMF exploit file into a directory, DW will block the exploit being run from the browser but totally fails to notice that the exploit is also executed from Explorer.exe... Looks like a basic design flaw to me... Also, DW requires that the user adds every program that has internet connectivity to the untrusted list. If the user forgets Winamp, for example, her/his system is already badly compromised.

    Besides that, I was able to disable/bypass DW easily in less than 5 minutes from an untrusted application. Seems someone did not analyse enough malware to find every possible entry vector...

    And why is DW called a virtualization program? It simply blocks certain API calls when they are executed from an untrusted application, combined with trust inheritance/management. It does not create a virtual environment; it does not have the ability to undo any action like, for example, VMware when you restore back to a snapshot.
     
    Last edited: Jan 28, 2006
  21. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    "Such a small program with minimal resource usage as Sandboxie should protect you and if you throw in the big gun,Defensewall,I would say you can laugh at any attack."

    That is pants. Again, how can he be absolutely sure that he isn't infected in some, as yet, unknown way?
    The main thrust of his post was: if you don't have a signature then you're stuffed, as your AV won't be able to detect it.
    But with his set-up, what if there is an, as yet, unknown way around it?
     
  22. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    If you don't have IE under untrusted in DW you are not using DW properly. I suppose the same goes for Winamp.

    If you don't download updates to your AV or don't set it to start at startup you will be disappointed if you get a virus - but it's not fair to the software.

    I don't put myself in the back seat of my car and tell it to drive me to work.

    If you have bypassed DW with DW set up as intended, I will thank you for your contribution because it will either make me change my use of software or it will improve DW to an even better product - in which case I will continue to use it.

    The WMF exploit issue when it comes to DW seems to be a discussion of whether or not DW protected the exploit from entering any part of my PC or whether or not DW protected my PC from suffering any damage. I am pleased as long as my PC does not suffer damage.

    Also interesting is the follow-up question: which AV protected from day zero?

    Best Regards
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, DefenseWall doesn't mark all the downloaded files as untrusted within the rules. That is why if you run a downloaded file from a trusted process it will be trusted.
    It is you who decide how to run a downloaded file.

    It is impossible to add Explorer.exe (and all the system processes) as untrusted. There is a special check for it.

    It is the same thing for all the sandbox HIPS. It is one of its class limitations. Nobody's perfect....

    Yes, that is right. But it depends - I don't have my WinAmp connected to the Internet. And what is the point? Why is it so bad? WinAmp doesn't work as untrusted? Mine works perfectly....

    Well, those are very hard words. Do you have any PoC?

    First of all, it creates a virtual "untrusted process" environment, separated from the trusted one. Then, there will be some file/registry rollback features, but in time. As you understand, it is just v1.xx of the program. My todo list is growing constantly. I do my best, but I'm not almighty!
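The two posts above disagree about what a trust-inheritance sandbox does and does not cover: the vendor confirms that a file downloaded by an untrusted browser is not itself marked, so launching it from a trusted process such as Explorer yields a trusted process. The following added model (not DefenseWall's code; the process names, the two "dangerous" API names and the policy switch are constructed for the demonstration) makes that gap explicit by running the same download-then-launch sequence under two policies: process-trust inheritance only, and inheritance plus file-origin tainting, where a file written by an untrusted process can never be launched as trusted regardless of who launches it.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed for this example: API families the sandbox denies to untrusted code.
DANGEROUS_APIS = {"write_system_dir", "set_autorun_key"}


@dataclass(frozen=True)
class Process:
    name: str
    trusted: bool


class TrustPolicy:
    """Toy model: children inherit the launcher's trust; optionally, files written by
    untrusted processes carry a taint that overrides inheritance at launch time."""

    def __init__(self, taint_downloaded_files: bool) -> None:
        self.taint_downloaded_files = taint_downloaded_files
        self.file_origin: dict[str, bool] = {}   # path -> written by an untrusted process?
        self.log: list[str] = []

    def write_file(self, writer: Process, path: str) -> None:
        # Record the origin of every file so a later launch can consult it.
        self.file_origin[path] = not writer.trusted
        self.log.append(f"{writer.name} wrote {path}")

    def launch(self, launcher: Process, path: str) -> Process:
        trusted = launcher.trusted                       # plain inheritance
        if self.taint_downloaded_files and self.file_origin.get(path, False):
            trusted = False                              # file taint wins over inheritance
        child = Process(path, trusted)
        self.log.append(f"{launcher.name} launched {path} as "
                        f"{'trusted' if trusted else 'untrusted'}")
        return child

    def call_api(self, proc: Process, api: str) -> bool:
        allowed = proc.trusted or api not in DANGEROUS_APIS
        self.log.append(f"{proc.name}: {api} {'allowed' if allowed else 'blocked'}")
        return allowed


def download_then_launch(policy: TrustPolicy, launch_from_explorer: bool) -> bool:
    """Return True if the downloaded file ends up able to call a dangerous API."""
    browser = Process("browser", trusted=False)   # marked untrusted, as the thread advises
    explorer = Process("explorer", trusted=True)  # cannot be marked untrusted per the vendor
    policy.write_file(browser, "download/setup.exe")
    launcher = explorer if launch_from_explorer else browser
    child = policy.launch(launcher, "download/setup.exe")
    return policy.call_api(child, "set_autorun_key")


def compare() -> dict[str, bool]:
    """Run the same sequence under both policies and both launch paths."""
    return {
        "inherit_only/from_browser": download_then_launch(TrustPolicy(False), False),
        "inherit_only/from_explorer": download_then_launch(TrustPolicy(False), True),
        "file_taint/from_browser": download_then_launch(TrustPolicy(True), False),
        "file_taint/from_explorer": download_then_launch(TrustPolicy(True), True),
    }


if __name__ == "__main__":
    for scenario, reached_dangerous_api in compare().items():
        print(f"{scenario:28s} dangerous API reachable: {reached_dangerous_api}")
```

Only one of the four cells comes out `True`: inheritance-only policy with the launch going through the trusted file manager, which is exactly the ordinary-user workflow the thread describes. Tracking file origin closes that cell without touching Explorer's trust level, at the cost of having to persist the taint across reboots and copies.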
     
  24. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Not the quoting again...:eek:
     
  25. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    plus

    And this is why DW is almost useless for a standard user. Every non-power-user I watched while (s)he operates the computer is using Explorer to launch programs. They download programs with the browser and then launch the apps with Explorer. DW will not protect the system in any way then; how do you want to force the user to launch the downloads from within the browser? How does DW protect from malware that is not transferred into the system over the internet? Not at all.

    That comment alone shows you have not much experience with malware & exploits. And you call yourself a security expert claiming that all other solutions other than yours are flawed? Interesting...


    I only say Explorer.exe; it took me just a minute to get untrusted applications launched as "trusted" again. As soon as you manage that, the protection is bypassed. Again, how many malware samples did you analyse *by yourself*?
    All I needed to find was a way to execute processes that is not monitored by DW. And I am not going to do the homework for you. With your long years of experience with malware you should be able to reproduce this easily...


    All I see is that dangerous API calls from applications marked as untrusted are blocked. There is no virtual environment at all. The original system kernel and applications are executed; there is no virtualization at all. As I said, it's a simple API blocker with trust management, an interesting tool, but it will be bypassed by the standard user's download behaviour. If I installed DW on some friend's computer, they would get infected within less than a week anyway.
     