Survey: What AV or HIPS last detected a zero-day malware/virus for you?

Discussion in 'other anti-virus software' started by altruist, Feb 14, 2011.

Thread Status:
Not open for further replies.
  1. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    Emsisoft Anti Malware Commandline Scanner probably.
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Spot on ;)
     
  3. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Both Panda and Dr Web.
    Threat Name: Trojan Fakealert
    Time period: Mid 2010.
    I downloaded that malware intentionally. :p
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    What AV or HIPS last detected a zero-day malware/virus for you?

    Same here.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    1. ESET's Web Access scanner detected an iFrame infection and blocked access to the site.
    2. Q4 2010

    PS. Though, I didn't scan the site with VT or anything else, since I was really eager to leave the site ASAP :)
    So it's impossible to say if it was a zero-day or not. But that was the last prevention anyhow.
     
    Last edited: Feb 15, 2011
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Does purposeful infection count? I had infected myself last week with a trojan dropper. It was interesting to watch how it progressed and moved around.
    I did encounter a fake av once when looking for a dumpster rental. I laughed and downloaded the EXE.
     
  7. altruist

    altruist Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    25
    Yes purposeful infections count :) As long as it's not detected by over 30% of AVs at the time.
     
  8. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Well, I can tell you a combination of software that DID NOT detect a zero-day infection on my wife's home machine (XP Home SP3 & fully patched):

    AVG ISS running with Prevx paid appx. two weeks ago.

    Neither caught the infection install and I wound up having to install Win7 to finally get rid of it.
     
  9. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Really don't remember.
     
  10. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Comodo firewall surprised me this week. I was visiting some websites, nothing really prone to malware, and suddenly Comodo blocked a java.exe connection to some weird IP in Luxembourg. The weirdest thing is I have Java DISABLED in Firefox and "EMET'd". Soon I launched Process Hacker and saw a huge launch process using jp2launcher.exe with hundreds of commands; it sure was exploiting some vulnerability there... I dropped Firefox after that.
     
    Last edited: Feb 16, 2011
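    The chain described in the post above (browser spawns a Java launcher, which then opens an outbound connection) is something a defender can flag from process-creation and network events. Added example, not code from the thread or from Comodo; the event format, process names and addresses are constructed sample data.

```python
# Added example (not from the thread): flag a browser that spawns a Java launcher
# which then opens an outbound connection. Events and names are constructed samples.
from dataclasses import dataclass

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}
JAVA_LAUNCHERS = {"jp2launcher.exe", "java.exe", "javaw.exe"}

@dataclass
class Event:
    kind: str          # "start" (process creation) or "connect" (outbound TCP)
    pid: int
    ppid: int = 0      # parent pid, for "start" events
    image: str = ""    # executable name, for "start" events
    dest: str = ""     # remote ip:port, for "connect" events

def suspicious_java_chains(events):
    """Return (launcher pid, parent browser, destination) for every Java
    launcher that was spawned by a browser and then made an outbound
    connection. Java started by other parents (e.g. explorer.exe) is ignored."""
    procs = {}               # pid -> (image, ppid)
    browser_spawned = {}     # launcher pid -> browser image it descends from
    hits = []
    for ev in events:
        if ev.kind == "start":
            procs[ev.pid] = (ev.image.lower(), ev.ppid)
            parent = procs.get(ev.ppid, ("", 0))[0]
            if ev.image.lower() in JAVA_LAUNCHERS and parent in BROWSERS:
                browser_spawned[ev.pid] = parent
            # a launcher child of a flagged launcher (java.exe under jp2launcher.exe) inherits the flag
            elif ev.ppid in browser_spawned and ev.image.lower() in JAVA_LAUNCHERS:
                browser_spawned[ev.pid] = browser_spawned[ev.ppid]
        elif ev.kind == "connect" and ev.pid in browser_spawned:
            hits.append((ev.pid, browser_spawned[ev.pid], ev.dest))
    return hits

# Constructed sample: Firefox spawns jp2launcher.exe, which spawns java.exe that
# connects out; a separate java.exe started from explorer.exe is benign here.
SAMPLE_EVENTS = [
    Event("start", pid=100, ppid=1, image="explorer.exe"),
    Event("start", pid=200, ppid=100, image="firefox.exe"),
    Event("start", pid=300, ppid=200, image="jp2launcher.exe"),
    Event("start", pid=301, ppid=300, image="java.exe"),
    Event("connect", pid=301, dest="203.0.113.7:8080"),   # TEST-NET-3 address
    Event("start", pid=400, ppid=100, image="java.exe"),
    Event("connect", pid=400, dest="203.0.113.9:443"),
]
if __name__ == "__main__":
    for pid, parent, dest in suspicious_java_chains(SAMPLE_EVENTS):
        print(f"pid {pid} (spawned under {parent}) connected to {dest}")
```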
  11. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,290
    ok, if it's being detected by at least 1 vendor, using its AV module, that means it's using signatures to detect it. That's not 0-day. HIPS and the like work in a different way that allows them to stop the malicious payload, but they DO NOT detect it, per se.
     
  12. tactful

    tactful Registered Member

    Joined:
    Sep 19, 2009
    Posts:
    47
    Location:
    South Florida,USA
    About a year ago when I installed MBAM, several BHO.exe Trojans showed up in MBAM. I was using Kaspersky at the time. Reported it to both KL labs and their forum. The lab told me via chat (only support they had) to disable something. Ran it by the forum; they said wrong, don't, and browser helper objects were nothing to worry about. Explaining the executable was a Trojan got me nowhere fast, so adios KIS, hello then goodbye ESET just a week ago to 2011 CIS 5.3... no zero day though. Remember when the Brain virus hit 25 years ago? Although it was aimed at Macs, or Apple as it were, it was the first on scene back then. Had a Commodore 64 then, HA! Been just fine to date since, running the gamut on more AV and firewalls than I care to remember.
     
    Last edited: Feb 16, 2011
  13. altruist

    altruist Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    25
    Not technically, which is why I defined what 'zero-day' meant for the context of this post.

    A lot of '0-day vulnerability' sites report vulnerabilities in software which are technically not 0-day either, because they also post the patch. The definition of 0-day is vaguely used.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    More like overly used.
     
  15. altruist

    altruist Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    25
    both :p
     
  16. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    no, it may be detected by powerful heuristics, but it is still 0-day: new malware, with a high chance of being undetected in the majority of antivirus software.
     
  17. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,290
    still, heuristics use generic signatures to assess risk and therefore determine family variants.
     
  18. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    The question is a little spurious: if you have been infected with zero-day malware that your product missed, in a lot of cases you wouldn't know. Some malware does things that aren't always apparent to the user. How many times have you been spammed by a friend's computer that has been infected, and they didn't know their PC was sending emails out (just an example)? In some cases, if your AV fails to detect and alert you, you may not have any inkling something has got through your defences.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    The question is even more spurious... :cool: ... than that. The OP wants to know if your AV or HIPS caught a zero day. And what I have asked is, how would someone know if the infection that their AV found was a zero day?
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Personally, I would consider any form of detection by an AV running on your PC as a zero-day malware detection, provided it was based on other types of analysis and not on signatures. It doesn't matter if the malware isn't entirely 'new' (in other words, publicly/widely known/distributed and other AV vendors have added a signature for it), but as long as the signature of the said malware isn't on your system (e.g. your AV vendor has not added a signature for it, or maybe it has but your locally installed signatures weren't up to date) and it was the alternative analysis that 'detected' it, then it remains a zero-day malware detection. The only exception to this is if the heuristics detected it based on variants of already known/identified malware families.

    Source: zer0-day virus

    I would consider an AE/HIPS/Sandbox/LV that managed to prevent damage/harm to the system either by an unknown/untrusted file that you didn't purposely seek to install (e.g. drive-by download, rogueware) or mistakenly trusted/ mistakenly allowed to run as a zero-day malware prevention.

    P.S. There's another term called zero-day attack (or zero-day exploit) which has a different definition.
     