The great signature-based anti-virus program swindle

Discussion in 'other security issues & news' started by Graphic Equaliser, Sep 20, 2007.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    Over the past couple of months, I have tried an experiment whereby I tested various anti-virus programs hosted on http://www.virustotal.com

    I would take a freshly-received spam email and follow the links in it to get to a download. I would download the file (usually an executable) and rename it (to make it harmless), and then upload it to Virustotal. I would then get an HTML page report of what anti-virus programs made of the file.

    In three separate uploads chosen at random from spam emails, ALL anti-virus programs hosted at Virustotal failed to spot at least one of them. That includes latest versions of NOD32, Symantec, Sophos, Kaspersky and Microsoft AV products with up-to-date signatures.

    Submitting the same files a fortnight later, most of them would be spotted, but the latency of a fortnight seems far too long in my opinion. It would be far too late if you have already clicked on the various links in an email you just received. With IE6, one email I got (about Britney Spears and from somewhere in Hungary) had a link, which, if clicked, instantly and without prompting, downloaded 2 trojans onto the PC and attempted to patch them into the registry's auto-run keys.

    The security program I use, which is behaviour-based, spotted all three samples I sent (http://www.jacobsm.com/mjsoft.htm#rgwtchr), and prevented the Hungarian link from doing anything bad to my PC (it quarantined the files, one of which I uploaded to Virustotal, where again, many popular AVs failed to see it as a threat!).

    That is why I reckon anyone using a signature-based AV product is being conned out of their hard-earned money.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Rely on other security rather than blacklists or heuristics here. Just been reading about a very nasty virus.
    http://forum.piriform.com/index.php?showtopic=12348
     
  3. Dogbiscuit

    Dogbiscuit Guest

    I've been swindled!
     
  4. For a minute or so, it sounded like you discovered this wonderful software that you were recommending to all of us, and not that you actually wrote and sell that software. (Donations for licenses is still "selling" by the way.)

    So, there is no chance that you are making a self-serving (spam) post there in order to get people to give up antivirus software in favor of your own package, right? :rolleyes:
     
  5. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    Good point, but actually not true in this instance. I was just reporting my own (personal) experiences, and it was not meant to be an "advert" for MJRW. Sorry for the confusion, but I feel this failing of AV software needs some attention. I believe people are being ripped off, unless there's some behaviour-based analysis going on too. Signature-based is woefully inadequate because signatures come out after the "bad guys" appear in the wild.
     
  6. Dogbiscuit

    Dogbiscuit Guest

    Discussed Here
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    To call sig-based AVs a "swindle" is a little extreme... all you're really saying is that AVs alone aren't always enough today...
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    Well, he has a point ...although I think the cure is a bit different...
    But signature-based apps are problematic. They belong to the innocent world predating today's mayhem.
    Mrk
     
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    I'm saying that the inadequacies of signature-based AV programs are so obvious, that anyone can prove their scanner has a hole in it by responding to a few current email scams. Now, that's really bad, IMO. :eek: o_O :( :'( :doubt: :blink: :ouch: o_O :gack: :thumbd:
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    AVs aren't supposed to watch over or catch "email scams" per se... they should however catch any nasty file attached and that sort of thing...
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Sniff...Sniff...o_O Hmmmmm...
     
    Last edited: Sep 23, 2007
  12. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    OK. I did this one the other day :-

    Email received Wednesday 26 September 2007 8:44 am from Beverly Jackson <ilithyia.danby@webra-austria.at>, had attachment image.zip and inside was image.exe which I submitted to Virustotal. Email read :-

    Good afternoon, man!
    Nude Holly Berry ! Watch in your attachment!
    Regards.

    Virustotal results :-

    {VT results snipped per forum policy - Blue}

    So, only 7 out of 32 AVs found it. That is my point! What a scam AVs are!
     
    Last edited by a moderator: Sep 28, 2007
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    AVs are only one more way to protect our systems!

    The users should also do their part to prevent malware from infecting their systems!
     
  14. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Then precisely what is the post above, a non-advert advert? Sheesh

    Obviously you have a point in that a signature - any type - can't exist until the malady is defined, and that can't happen until the malady exists, ergo, blacklisting of any type lags appearance.

    Unfortunately, average users really have no a priori basis to make operational decisions regarding uncharacterized malware/events, particularly if any sort of automated updating/desire to try new content/etc. occurs on their machine. So there's a pragmatic quandary, which is currently best solved using the expert analysis and advice provided by a standard AV package.

    If you don't think it's the best solution for you, fine, but get a clue that the mass market isn't starting from the same knowledge base as yourself, or most members of this forum for that matter - and most of the latter could still benefit from the expert analysis and advice of an AV package.

    Blue
     
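The experiment in post 1 (a fresh sample missed by up-to-date signatures but caught by a behaviour-based tool that watched it write autorun keys) and Blue's point above (a blacklist entry cannot exist before the sample it describes has been collected and analysed) can both be shown in a few dozen lines. The following is an added example, not code from this thread or from any product mentioned in it. Everything in it is constructed: the two "samples" are short byte strings standing in for two builds of the same dropper, the signatures are derived from the first build only, and the run-time trace is a hand-written list of events (two executables dropped to %TEMP%, then two Run-key values pointing at them) in the shape the OP describes. Key paths, file names and the `dropper persistence` rule are illustrative assumptions, not any vendor's detection logic.

```python
"""Signature lag versus a behaviour rule, on constructed data.

Added example for this thread; not code from any AV product named in it.
SAMPLE_A is the build an analyst has already seen, so a hash and a byte
pattern exist for it. SAMPLE_B is the same program rebuilt with the autorun
string stored XOR-encoded, so both signatures miss it, yet at run time it
does exactly the same things, which the behaviour rule still flags.
"""
import hashlib
import re
from typing import List, Optional, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# --- Constructed samples (byte strings, not real executables) --------------
AUTORUN_KEY = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_A = b"MZ" + b"\x00" * 6 + b"dropper-build-1\x00" + AUTORUN_KEY + b"\x00" * 4
# Same build with one padding byte changed (repacked): hash changes, strings do not.
SAMPLE_A_REPACKED = SAMPLE_A[:-1] + b"\x01"
# Second build: the key name is stored encoded and decoded at run time.
SAMPLE_B = b"MZ" + b"\x00" * 6 + b"dropper-build-2\x00" + xor(AUTORUN_KEY, 0x5A) + b"\x00" * 4

# --- Signature scanner: written after SAMPLE_A was collected -----------------
HASH_BLACKLIST = {sha256_hex(SAMPLE_A): "Trojan.Dropper.A (hash)"}
BYTE_SIGNATURES = {"Trojan.Dropper.A (pattern)": re.compile(rb"CurrentVersion\\Run")}

def signature_scan(sample: bytes) -> Optional[str]:
    """Return the matching signature name, or None when the file is undetected."""
    name = HASH_BLACKLIST.get(sha256_hex(sample))
    if name:
        return name
    for name, sig in BYTE_SIGNATURES.items():
        if sig.search(sample):
            return name
    return None

# --- Behaviour monitor: looks at what the process does, not what it contains ---
# Event = (action, path_or_key, value). Constructed trace of the dropper at run time.
Event = Tuple[str, str, Optional[str]]
TEMP = r"C:\Users\u\AppData\Local\Temp"
DROPPER_TRACE: List[Event] = [
    ("file_write", TEMP + r"\svch0st.exe", None),
    ("file_write", TEMP + r"\update.exe", None),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", TEMP + r"\svch0st.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", TEMP + r"\update.exe"),
]
BENIGN_TRACE: List[Event] = [
    ("file_write", r"C:\Program Files\Editor\editor.exe", None),
    ("reg_set", r"HKCU\Software\Editor\LastFile", r"C:\Users\u\Documents\notes.txt"),
]
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

def behaviour_scan(trace: List[Event]) -> List[str]:
    """Flag autorun persistence; flag it harder when it points at a file this
    same process just dropped (the classic dropper sequence)."""
    dropped = set()
    findings = []
    for action, target, value in trace:
        if action == "file_write" and target.lower().endswith(".exe"):
            dropped.add(target.lower())
        elif action == "reg_set" and AUTORUN_RE.search(target):
            if value and value.lower() in dropped:
                findings.append(f"dropper persistence: {target} -> {value}")
            else:
                findings.append(f"autorun write: {target}")
    return findings

def verdicts(sample: bytes, trace: List[Event]) -> Tuple[Optional[str], List[str]]:
    """Signature result and behaviour findings for one sample and its run-time trace."""
    return signature_scan(sample), behaviour_scan(trace)

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("A repacked", SAMPLE_A_REPACKED), ("B", SAMPLE_B)):
        sig, beh = verdicts(sample, DROPPER_TRACE)
        print(f"{label:11} signature={sig!r:30} behaviour={beh}")
    print("benign     ", verdicts(b"MZ benign", BENIGN_TRACE))
```

Running it shows the three states the thread is arguing about: the known build hits the hash, the repacked build slips past the hash but still hits the byte pattern, and the re-encoded build passes the signature scanner entirely while the behaviour rule fires on it exactly as on the original, because the Run-key write is what it does, not what it looks like. The benign trace (a program writing a non-autorun key) produces no findings, which is the part a behaviour rule has to get right to avoid drowning the user in prompts.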
  15. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    IMHO, it's a fair point, up to a point, but one could also say that locks are a ripoff, since any competent burglar can defeat most of them, and any determined burglar will simply find another way in, but I presume you have locks on your house and car, and lock them both dutifully. Not everyone will encounter malware "hot off the press" so to speak, many will encounter it, if at all, at a much later date. I don't think the problem lies so much with the AV's, as with your expectations of them. They are merely one weapon in the fight.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Then you wouldn't mind if we edited out all the links to your site:)
     
  17. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    This is based on the assumption that the AV is the only line of defense! And when you assume, you make...... not me!
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It's all very logical and predictable, if you think long enough about it. This is old news for me.
    My goal is to remove viruses, that don't even exist yet, viruses of 2008, 2009, 2010, ... :)
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I think your language is a little flamboyant.... What you're trying to say in normal English is: AVs are imperfect. ;)
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408



    An Anti Virus program has always and will always play a key role in my layered security setup.
    Nothing is perfect. Nothing will stop/catch everything.
    That is the beauty of the layered approach, what one misses another could very well catch/stop.
    IMO an Anti Virus is still an important part of any security setup.
     
  21. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    "The great signature-based anti-virus swindle"?
    That's extreme!

    I think LoneWolf summed it up best.
    Layered security is the way to go.
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Haven't used any blacklist scanners here in a long time but I will admit that they are needed for cleaning up infections for people that don't want a format/reinstall along with a bit of education in using Sandboxie, Returnil and images.

    Using your head along with Sandboxie, Returnil, Image backups makes blacklists redundant, for me anyways.

    Also think of the speed increase with not having anything checking a webpage before opening.

    I even have "Tell me if a site is a suspected forgery" in Firefox security options unticked.

    Like that peanut said, "Bring it on "!
     
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    That's the whole point. We should be looking at what these nasties are trying to do to the PC systems, and prevent that from happening. The fruitless pursuit of trying to instantly recognise threats from their ever-growing databases of signatures, means that all PCs using these AVs will get slower and slower, unless you keep upgrading the hardware. It is a ridiculous state of affairs, IMO.
     