Testing alternative security

Discussion in 'other anti-malware software' started by interact, May 17, 2007.

Thread Status:
Not open for further replies.
  1. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Hi,

    A good test to see just how good your alternative security product really is or isn't! Download any PE32 virus and check that your security app picks it up. Now get a hex editor and modify one byte somewhere sensible so the app still works (a good one is to change one of the PE section names, e.g. "text" to "Text"). Now run the virus again and discover that nearly all signature-based detection tools fail and, more worryingly, even zero-day protection tools fail to detect the change. I tested a number including leading ones and they all failed. It's worrying when zero-day protection is supposed to detect these forms of "new" threats.

    Does anyone know of any products that do work well in this type of scenario?

    ~interact
     
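    As an added example (not code from anyone in this thread), the following Python builds a minimal PE-shaped buffer from constructed values, applies the same-length section-name edit described above, and compares a whole-file hash with a fingerprint that case-folds section names and hashes only layout fields; every header value is constructed test data, not a real program.

```python
import hashlib
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def build_pe(section_names):
    """Construct a minimal PE32-shaped byte string (constructed test data, not a real program)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)             # e_lfanew points at the PE signature
    opt_size = 0xE0                                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    sections = b"".join(
        struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; return (name, raw_size, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, _vs, _va, raw_size, *_ptrs, flags = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), raw_size, flags))
    return out

def exact_hash(data):
    """Whole-file signature: any single-byte change yields a different value."""
    return hashlib.sha256(data).hexdigest()

def structural_fingerprint(data):
    """Layout-based signature: case-folded section names plus raw sizes and characteristics."""
    parts = [f"{name.lower()}:{raw_size:x}:{flags:x}" for name, raw_size, flags in parse_sections(data)]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def patch_section_name(data, old, new):
    """Reproduce the thread's test on the constructed buffer: rename a section in place, same length."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the section name length")
    return data.replace(old.encode().ljust(8, b"\0"), new.encode().ljust(8, b"\0"), 1)
```

    The structural fingerprint survives the rename only because it ignores the bytes that changed; it is correspondingly coarser, so two unrelated files with the same section layout collide, which is why such fingerprints are used for clustering and triage rather than as sole verdicts.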
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't know where to download a PE32 virus, and what is the evil job of this virus?
    Whatever it is, it will be removed as a change during reboot in my actual security setup.
    So it doesn't matter if I change it with a hex editor or not.
    I don't even need a scanner to detect it; I don't even have to know if this PE32 virus exists on my computer or not.

    I take the challenge, if you tell me where I can get it.
     
    Last edited: May 17, 2007
  3. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    I refer to PE32 as a file format, not the name of a virus: any virus that is executable (PE32 format) rather than a script/macro virus.

    ~interact.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it is an executable, it doesn't even have a chance to install itself, because Anti-Executable will stop it immediately.
    Even when it bypasses AE (nothing is perfect), it will be removed on reboot anyway.
     
  5. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Erik, it was just a simple test which I thought people may be interested in. Do you work for AntiExecutable by any chance?

    ~interact
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No, not at all, I'm just an average user from Belgium. But I know how AE is supposed to work.
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi interact, although I have no idea what a PE32 virus is, I was curious about a few examples of which zero-day products you tried. Are you referring to HIPS or behavior blocker types of programs?

    From what I understand, signature based programs are entrenched in a futile battle to keep up with malware writers. It's also my understanding that they (sig based progs) are also losing that battle. A layered approach to software is needed with a recovery system, and common sense being paramount.

    If you haven't tried SSM, I understand it is good. Lately I also see posts about eqsecure. Also Comodo BOClean (it's free) is different as it watches what happens in the memory, so it might be an option. I would wait for the new version though.

    Cheers, innerpeace
     
  8. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    innerpeace,

    If you want to find good malware to test a security product then visit ryan1918.com; some areas are restricted.

    I did a simple test with Prevx as some of the users on ryan were talking about some claims on the Prevx website. It did detect some popular viruses, but as soon as they changed, it failed to detect them. The fact that a virus blows another exe out of its resources into my temp directory and then executes should be detected by even a basic zero-day detection tool. I agree with you that a layered approach is key.

    I will run some tests on SSM later as it crashed under VMware on one of my machines. I think my VM image of WinXP sp2 is corrupt so no fault of SSM.

    ~interact
     
  9. EASTER.2010

    EASTER.2010 Guest

    If it's ANY PE32 executable, what makes you think it can evade detection from a good solid HIPS (only one)? I regularly have turned loose myriads of rootkits/hiders/malware and NONE of them can even start to execute unless you explicitly allow permission for them to do so. Perhaps if the HIPS in question was particularly disassembled and targeted for bypass, but I don't see it.

    Am I missing something here?
     
  10. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Easter.2010,

    The signature test is for HIPS products that utilize this technique for identification rather than just relying on having the user recognize specific dangerous actions. Please recommend some other HIPS products that you would rate highly as I would like to give them a test.

    ~interact
     
  11. EASTER.2010

    EASTER.2010 Guest

    There's no debate that signature-based models prove the most vulnerable to that type of change in the structure of an executable. Although I haven't tested these myself, it's been suggested heuristics can reduce that gap; dramatically enough? I can't say with any certainty at this point.

    Please indicate or list, if you will, which "zero day protection tools" you have found to fail to detect the change. It would prove most helpful for discussion here, I think, and give others a chance to observe those same limitations for themselves locally.

    I see by that then we narrow our choices to only strictly automated or the most hands-off type of HIPS that we would expect "them" to make those decisions for us.

    With that criteria then, I don't know of any HIPS that would be considered purely hands-off, no interaction needed by the user, since without a blacklist, so to speak, to work from like say a Prevx1 or KIS6 etc., a HIPS can only go as far as intercept and suspend ALL processes (parent/child) and other vendor-mapped-out areas deemed in advance most likely critical to system integrity. But any HIPS or behavioral blocker as such "must" turn any detected/interrupted information over, either for comparing with a blacklisted signature database or to the user themselves, before any action can be taken up or down.
    CyberHawk has over several released versions ramped up a blacklist community database which, while able to pick up some identities, also drew some heat due to false positives, but at least, unlike some AVs I've experienced in the past, CyberHawk allows any capture deemed FP or wanted to be returned again.
     
    Last edited by a moderator: May 19, 2007