Totally disapointed by all AVs

Discussion in 'other anti-virus software' started by pandlouk, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    An hour ago I was in the mood to test the detection of a new(?) trojan droper. And I must confess that it was a total failure of all AVs (Based on Virus Total results).

    You will say that "this is common with Zero Day Attacks", but before you do, let me explain that all of them detected some off the malicious files and at the same time all of them failed to protect the pc and the user.

    How did this happen?
    Well this dropper uses multiple worms & trojans to infect the system and installs its own drivers.
    But what is even more interresting is the scheme that it uses for installing one specific trojan:
    First creates a trojan dropper (1st) that will create 2 different samples of the trojan.
    If the AV stops the trojan dropper, it will create another one (2nd) and if this one fails it will create another variant 3rd and guess what? If all the above 3 fail it will create a 4th variant.
    And each of those four variants of the Trojan dropper will create 2 different samples of the same trojan (for a total of 8 ).

    None of the antiviruses included in virus total identified all the 4 different droppers and non of them identified all the 8 variants of the trojan. But all of them identified at least one variant of the trojan.

    This means that the user will be convinced that his antivirus protected him from being infected but in reality his pc got infected. :ouch: o_O

    And to conclude, this proves that all those AV detection tests are flawed by design. Because even if the AV X (your favorite one) detects 7/8 of the variants, it will be the winner of the test but does not mean, that it will protect you better than the others. In reallity they all failed the test. ;) :p

    Panagiotis

    edit:
    I am disapointing by the AVs because if they collaborated between them, and used a common database, all the users would be protected...
    But the money and the pubblicity of the AV tests have the priority....
     
    Last edited: Oct 22, 2008
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    That limitation is exactly why a well crafted HIPS is superior in many respects in comparison since you can use them to guard against malware signalling to "create, delete, read, modify", any area you predetermine as a potential landing strip for these creeps.

    I still use an AV (NOD32) but only for On-Demand useage; but in a predicament like you explained, it wouldn't be much use without some form of Pro-Active Preventitive measures. And that's what makes HIPS and now Behavioral Blockers to some extent, vital equipment against those type of malwares.
     
  3. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    AV socialism, now that's a new one.
     
  4. thathagat

    thathagat Guest

    well......that's something new for the av vendors to chew on...till then smart ass malware will chew our so called protected pc's:cautious:
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, most of AV's now go beyond just scanning the files.
    Most of them also track applications behavior, they scan accessed HTTP addresses, block known malware spreading URL's etc.
    Many of these counter measures only work in real-time mode so VT isn't the most accurate tool to rate effectiveness of the AV's.
     
  6. tiinkka

    tiinkka Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    24
    So unless the hand holding the mouse has infinite trust in the integrity of the program being installed then all the behaviour blockers and HIP`s in the world are a waste of time. Cos the ignore button will always be the default option. For such a situation imaging is really the only position of relative safety and only if your AV of choice stays ahead of the game.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Try it with TF plus an AV.
     
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    No, not just the tests. The AV companies themselves and their marketing departments.

    I dared suggest ages ago that the samples detected by one AV could be shared with another AV that apparently missed them and vice versa. I got a stern look from a representative from one such AV; they don't or won't do that, and one can see the reasons why. In an ideal world, they should be shared so all users can benefit irrespective of which AV they use, but it's not gonna happen, is it?
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Yes It does happen, at least to a degree. Av companies have shared samples for some time now, or so I've been told.
     
  10. Medank

    Medank Registered Member

    Joined:
    Aug 25, 2008
    Posts:
    102

    I got everyday NEW samples that are Undetected by all AV's out there, even if the AV's has write a generic or heur code for it, still next day the NEW sample is again Undetected, but i am not mad just for that, nothing to do just to try to help your Favor AV and subimit samples to them.
    :cautious:
     
  11. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    if you're testing using virustotal then the failure is yours...

    stop pretending any single technology (known-malware scanning or otherwise) can protect you completely... no technology can and anyone who tells you different is trying to sell you snake oil...

    you tested technology designed for known threats against threats that are new enough to not be known - that means you were trying to use the wrong tool for the job...

    if the av detects the original dropper it will prevent it from running and therefore prevent it from dropping any of the other 8 trojans, thereby protecting the user...

    i can't begin to tell you how ridiculous that sounds... collaboration takes time and you're dealing with malware new enough to have not been properly dealt with yet...

    they share malware and so as a result they are all drawing on a common pool of samples... they can't all share the same signatures because that would require them to all use the same engine, which means there would technically only be 1 product... that would represent a technological monoculture and would be even worse for the computer user population...
     
    Last edited: Oct 23, 2008
  12. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    bullshit - they do it now and they've been doing it for decades... the companies themselves might not do it, but the people working within the companies absolutely do... look up CARO (computer anti-virus research organization) one of these days, i think you'll be surprised...
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Perhaps they do now, but when I brought this up a few years ago in a discussion (posts #18-21) regarding missed samples between NOD and KAV, the impression I got was that one cannot expect an employee of one company to submit the samples they detect that the other doesn't. Bravo if they do that now.
     
    Last edited: Oct 23, 2008
  14. tiagozt

    tiagozt Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    I understand your frustration. I have my TOP3 AVs (Avira, F-Secure, Kaspersky) but I always expect something more.
    If possible, send me the results of your tests (VT links, methods and, if you don't care, the samples too - you can upload to 4shared or other sharing service and tell me the link).
    tiagoderevkoATgmailDOTcom
    Best regards.
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    It is up to each companies own responsibility to organize new samples. There are really enough ways to organize samples, the shortest way is just send someone an email and ask for a specific type you still need. For all other cases you can join distribution lists of new malware. So that AV vendors do not exchange samples ( or did in the past ) is a claim without any substance.

    This whole exchange thing also depends on the relationships between companies, and not every company has exactly the same good contacts in other companies / countries.

    AV companies do have competition, yes, but most of them have learned that it doesn't make sense to hide samples in order to gain a market advantage with press releases aka "We're currently the only one who detects that" style.
     
  16. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    CARO has existed since the very early 90's (at least)... i think someone gave you the wrong impression about sample sharing when you brought it up before...
     
  17. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I like Medank's post, described myself.

    there have always been places to find undetected samples, antivirus conpanys will add whatever samples they believe to be a real threat, ones that are in circulation.
     
  18. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Yes!!! Or try it with Mamutu + AV. In other words, behavior blocker + AV is a great combination (TF & Mamutu are BehaviorBlocker-HIPS).

    Further -- several AVs now include a built-in HIPS. IMO, VirusTotal's tests do not give effect to the full-power of those AVs.
     
  19. Medank

    Medank Registered Member

    Joined:
    Aug 25, 2008
    Posts:
    102
    really? wow:eek:
    thanks that you liked my post o_O
     
  20. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Update.

    - I tested most of the wellknown AVs against this one and all failed to prevent the infection.

    - Threatfire intercepts most of the actions but it will eventually cause a BSOD. (will not prevent the infection but it gives it a hard time). :D

    - Sandboxie succesfully protects the system. (I am more and more impressed by this little app). :thumb:

    - LUA with strong group policies, will prevent most of the infections (as long as is not executed as an administrator). An Antivirus should be able to handle the remaining files/startup entries that infected the limited account.

    - Shadowdefender, Returnil and similar application will eliminate the infections at the boot time.

    - ThreatFire + LUA prevented all the infections. :thumb:

    Panagiotis
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    then ShadowDefender and Returnil did the same as Sandboxie. It may have been allowed to run but in a virtual enviroment so it actually never touched your OS.
     
  22. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Not exactly. With sandboxie the system remained intact. You only have to delete the sandboxed files.
    With SD, ReturnIl, etc, your system gets infected and until you reboot you are vulnerable. But yes in the bottomline the result is the same.

    Panagiotis
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    not trying to be a pain here pandlouk, but isnt your system infected to with sandboxie until you close it. FYI, I like sandboxie to.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for testing.
     
  25. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Thank you for your tests.
    Lately I am looking more into LUA with SuRun, and find it to be very interesting. So far I have applied the simple SRP: http://www.mechbgon.com/srp/ and ran kafu.exe.
    What would you consider strong group policies? Could you give examples?
     
Loading...
Thread Status:
Not open for further replies.