Critical notes on the traditional AV scanner!

Hi malware fighters,

Some critical notes on using an AV scanner - Is the traditional scanner doomed?

  1. The OS is not really that important here. Exploits also exist for Linux versions
    and BSDs that can be used as part of a general toolkit.
    So there is no sense in Windows bashing here.
    The most secure OS is VMS, graphical and browser enabled…
    (Sorry for the Mac enthusiasts here - you are also doomed in the process)

  2. It does not matter where you may surf, good or bad sites do not exist any longer.
    XSS and Asprox can turn good sites into victim sites easy peasy. Every site can be
    abused now (through an attack somewhere in the future).

  3. The term AV scanner is wrong. Viruses are not so much of a problem today.
    Malware objects stay under the radar now and do not behave irritatingly.
    The malware (trojans and spyware) sits there silently in the background
    without hampering or crashing the OS. Malware sits there until it becomes activated.
    This is so with log collectors (spyware) as it is with trojans,
    where the first can be used on banking sites and the latter form part of a botnet.

  4. Because there are so many new malware objects, old signatures are taken out of
    the AV database. So a relatively old attack can be as effective as a brand new one.

  5. Because malware objects are dynamically coded, signatures become useless.
    ASPROX again is a good example here.
    The final infection was an excellent piece of programming; try to manually decode
    the JavaScript that came with the initial XSS attack.

  6. Upload modern malware to VirusTotal, and as a rule of thumb you only get
    a 25% detection rate. I am not the only one raising some questions,
    read: http://www.theregister.co.uk/2004/03/02/so_how_does_avechos_av/

I would like to hear your views on this analysis.

polonus
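Point 5 above says that dynamically generated script defeats signatures. The following added example (not part of the original post) shows that concretely: a hash signature and a literal byte pattern both stop matching as soon as the same harmless statement is re-encoded, while a small normalising pre-pass that undoes common string-level encodings restores the match. All samples are constructed for this illustration.

```python
"""Hash and literal signatures versus a normalising pre-pass over re-encoded
script. Added example, not from the original post; samples are constructed
and harmless (the statement only writes a fixed, non-existent iframe)."""
import hashlib
import re

# Constructed samples: the same statement as a page generator might emit it.
# Only "exact" is the byte-for-byte copy the signatures were written against;
# the other three are functionally identical rewrites.
SAMPLES = {
    "exact": 'document.write("<iframe src=x>");',
    "hex": r'window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("<iframe src=x>");',
    "charcode": 'window[String.fromCharCode(100,111,99,117,109,101,110,116)]["wr"+"ite"]("<iframe src=x>");',
    "concat": 'document["wr" + "i" + "te"]("<iframe src=x>");',
}

# A one-entry "signature database": a file hash and a literal byte pattern.
KNOWN_HASH = hashlib.sha256(SAMPLES["exact"].encode()).hexdigest()
LITERAL_SIG = 'document.write("<iframe'

_HEX = re.compile(r'\\x([0-9a-fA-F]{2})')
_UNI = re.compile(r'\\u([0-9a-fA-F]{4})')
_FCC = re.compile(r'String\.fromCharCode\(\s*([0-9,\s]+)\)')
_CAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
_IDX = re.compile(r'\["([A-Za-z_$][\w$]*)"\]')


def normalize(script: str) -> str:
    """Undo common string-level encodings so a literal pattern can match again.
    Deliberately a small decoder, not a JavaScript interpreter."""
    s = _HEX.sub(lambda m: chr(int(m.group(1), 16)), script)
    s = _UNI.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = _FCC.sub(lambda m: '"' + "".join(
        chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', s)
    prev = None
    while prev != s:                        # fold "a" + "b" + "c" until stable
        prev, s = s, _CAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', s)
    return _IDX.sub(r".\1", s)              # obj["name"] -> obj.name


def scan(sample: str) -> dict:
    """Three detection strategies over one sample; True means 'flagged'."""
    return {
        "hash": hashlib.sha256(sample.encode()).hexdigest() == KNOWN_HASH,
        "literal": LITERAL_SIG in sample,
        "normalized": LITERAL_SIG in normalize(sample),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:9s} {scan(sample)}")
```

Only the exact copy is caught by the hash or the literal pattern; the three rewrites are caught only after normalisation, which is the gap the post's point 5 describes.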