Latest generation of security threats & avast development suggestions

In Gizmo’s Support Alert Newsletter Issue 136, Free Edition, 17th August 2006, the question of how well computer security programs protect against the latest generation of security threats is examined. The results were not that good, and a lot of programs could be easily terminated by hostile malware.
It’s known that the new avast 5 will have the AntiKill feature, which could be beta tested right now.

We know that signature scanners are not designed to detect things like process injection or registry changes. These, it would be argued, are best left to intrusion detection and protection systems. But we’ve been asking Alwil for quite some time to improve avast’s features toward antispyware and other kinds of malware. I’m trying to discuss the same here.

However, shouldn’t avast protect us from rootkits? In Gizmo tests, only WebRoot SpySweeper passed.

Gizmo stated that it’s pointless focusing on whether one security program is better than another when, in fact, all the security programs flunked. The reality is that it’s not possible to secure your PC against a malware program that is allowed to run on your PC with full admin privileges. Thank Windows for this. Layering your defenses can clearly help. It doesn’t solve the problem though. And the cost in complexity, inconvenience and processing power usage is high.

And as for the solution suggested: run your PC in a virtualized environment whenever connected to the internet. It’s simpler and more effective than any other option. Remember though, virtualization is in addition to your normal security defenses. It doesn’t replace them; it just makes their job easier.

The full results are here: http://www.techsupportalert.com/security_scanners.htm. I’ll just try to make a summary of them below for avast users. Credits all go to Gizmo, not me, of course.

In the table below, the first column shows whether the security product could detect process injection. That’s a technique used by malware to hide inside legitimate programs that are currently running on your PC. Once inside these processes, they acquire the rights and privileges of the host process. If the host process has the right to communicate with the internet, the malware automatically gets that right, too.

The second column shows whether, independently of signature recognition, the security product could detect a malware program creating an autostart entry. In other words, could it detect an unknown program starting automatically with Windows? To pass the test the security product had to warn or prevent changes in the Startup folder as well as startup locations in the Registry.

The third column shows whether the security product protects your PC against drive-by infections. I tested each product at three hostile sites. To pass the tests, protection must have been provided against all three.

The final column shows whether the security product can detect rootkits. I used two rootkits: Hacker Defender and FuTo. To pass, the product had to detect both.

Product                     Detect process injection  Detect malware startup  Protect drive-by download  Detect rootkits
Ad-Aware Pro V1.6           Fail                      Fail                    Fail                       Fail
Avast! Home V4.7            Fail                      Fail                    OK                         Fail
AVG Anti-Virus Free V7.1    Fail                      Fail                    OK                         Fail
BitDefender Pro V9.095      Fail                      Fail                    Fail                       Fail
CounterSpy V1.5             Fail                      Fail                    Fail                       Fail
CounterSpy V2.0.122 beta    Fail                      Fail                    Fail                       Fail
Ewido v3.5                  Fail                      Fail                    Fail                       Fail
Ewido V4 beta               Fail                      Fail                    Fail                       Fail
Kaspersky AV V6.0.0         Fail                      Fail                    OK                         Fail
NOD32 V2.51                 Fail                      Fail                    OK                         Fail
Norton Antivirus 2006       Fail                      Fail                    OK                         Fail
SpyBot S&D V1.4             Fail                      Fail                    Fail                       Fail
Spyware Doctor V3.6         Fail                      Fail                    Fail                       OK
Trojan Hunter V4.5          Fail                      Fail                    Fail                       Fail
WebRoot SpySweeper V4.5     Fail                      Fail                    OK                         OK
Windows Defender V1.1.1051  Fail                      Fail                    Fail                       Fail

Not a comment at all :cry: :-[

I don’t think that there is anything there that we didn’t already know.

The one that surprises me is that ewido failed the process injection one, I thought that was one of its strengths.

Hi Tech ;D

Comment No.2
Thanks for the Info :o
Avast! Home V4.7 Fail Fail OK Fail
Avast did better than most of them (6 out of 16)
And in the tests Spy Sweeper 4.5 was used; wonder how the new 5.0 would have done ::slight_smile:
And Ewido was also the older version, as it looks like some of the others were too!

Hello posters in this thread,

Isn’t this something that we already have known for a long time now? The fact that security can only be guaranteed by a whole range of measures and attitudes known as “layered protection and secure practices”. The days that your computer was aptly protected by an av solution and a software fw, these days, my good friends, are long gone, and are never to return. We have to try and live with this factual situation. So laments about an av solution not offering full protection should be a thing from the past, we can only ask for the best possible protection.

polonus

Yes… but wouldn’t it be useful for Alwil to discuss this with us?

In fact, he went further… he’s defending ‘virtualization’… a thing that we do not discuss that frequently.

I do think Alwil could do a better avast :wink:

Hello Tech,

I agree with you here on several points. Just had to point to a new vulnerability that can be exploited in Word documents to turn a PC into a zombie for which only 6 virus scanners have ample protection.
The malware landscape is changing, and even Ballmer admits that it is less secure than two years ago. Traditional viruses only make up a minority of malware, as spyware and drive-by installs of adware form the majority. Scripting vulnerabilities make for the majority of infection vectors. Disable scripting and your Internet experience is much more secure. But in some cases you cannot do without.
A solution could be sandboxing or a full restoring capability, so that all the impact of an infection of malware could be undone to the effect it appeared it never happened.

polonus

Yeah… http://forum.avast.com/index.php?topic=22945.msg189525#msg189525

Ok… but backup backup backup all the time… sometimes we want just to work 8)

Other security programs are going in high speed to protect new technologies… what I want with this thread is taking Alwil team out of the programmers desktop and discuss with us what we can expect from avast 5…

For instance, where is pk? where is Pavel? where is Kubecj? Are they all on vacations? ??? ::slight_smile:

Hello Tech,

There are also other aspects of innovative techniques to be used.
Consider the following:

McAfee has been sued by another security solution provider because of offering a firewall and intrusion detection and prevention technology on one machine. According to Deep Nines they have the patents for “unified threat management technology” that is used in developing appliances.

Originally McAfee was offered this patent; Deep Nines successfully filed an appeal.
The latter firm uses this technology inside their UTM and IPS appliances, and wants McAfee to quit selling products that use this technology. Furthermore they seek damages.

“This is important to us. The government states clearly that the patent is ours,
but they keep on offering products and sell these with our patented technology” according to the president of Deep Nines.

McAfee has refused to comment, because it has not seen the accusations as filed.

So if you want to beat your competition, you see to it that you have some vital patented technology so you can successfully keep them from making any innovations,
or you have to buy them out together with their patents, a strategy that Microsoft more than often followed. If you cannot, you have to come up with new original ideas, and coding.

polonus

For instance, where is pk? where is Pavel? where is Kubecj? Are they all on vacations?

Is it just me or are they less active in general than they used to be? It seems there have been situations where people have not found resolutions and responders are speculating as to what a problem could be, and yet there is no response from them, whereas in the past they would almost always respond eventually??

Vlk said before that the upcoming avast! is gonna include its own version of HIPS … so in short, the point of this thread is?

… until we see what and how is getting implemented then discussion about that can turns into wasted time as it may be in already …

p.s. polonus, from what date is that patent filed?

Hello Dwarden,

The patent news is just recently found, look here:
http://www.deepnines.com/pressreleases/pr081706.php

What the case is eventually developing into, that the future will tell. But I can guess that these patents can make developers count the buttons of their shirts, as you grasp what I mean to say.
That is just why they say in the east when you do not have the money to come up with an easy solution, you should use your brains to create a clever one.

polonus

sorry but what is HIPS ??
Any idea of when avast 5 will be available even for beta ??
Is Avast thinking about adding a firewall ??
New modules ??

Please do tell us ;D

MounierNetwork

Google is not your friend on a search for HIPS (‘Helping Individual Prostitutes Survive’), but there is an acronyms search tool http://acronyms.tfd.com/Hips which returns ‘HIPS Host Intrusion Protection System.’

No date yet for avast 5.0 but you will sure find out first here also for the beta.

This is a very good point of view… but we need some expert info here. I’m not sure the programmers could not innovate anything; on the contrary, if the ‘code’ is not stolen or cracked, it will be difficult (in my point of view) to avoid innovations…

Well, if you think I’ve opened this thread to waste time… ::slight_smile: ::slight_smile:

Sure, it will.

http://forum.avast.com/index.php?topic=12640.msg187343#msg187343 :slight_smile: :wink:

I hope, I wish the antispyware is coming…

Host Intrusion Prevention Services (HIPS). http://www.secureworks.com/services/hostintrusionprev.html

Talking about Host Intrusion Prevention System (HIPS):
A HIPS shield will protect the computer from running unknown applications that can infiltrate through system and/or application security holes.
The avast VRDB or the full scanning could create a database of executable files in the computer.
With a HIPS shield, any attempt of an unknown application or library (dll) to install in the computer could be monitored.
When the shield cannot detect the action as coming from a safe application, it will display a warning message.

Alwil, can we expect this for avast 5 ? ::slight_smile:
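As an added illustration of the two behaviour checks discussed in this thread (Gizmo’s autostart-entry test in the first post, and the allowlist-style HIPS shield sketched just above), here is a small Python script written for this summary; it is not avast code and not anything Alwil has announced. It assumes two constructed .reg export fragments standing in for a live registry read, and constructed file hashes standing in for a VRDB-like database of known executables (the avast path in the sample is constructed too).

```python
import hashlib
import re

# Constructed .reg exports standing in for a live registry read (sample data).
BASELINE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastTray"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"""
CURRENT_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastTray"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"updater"="C:\\Users\\Public\\update.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Temp\\x.exe"
"""
# Hashes a file-system walk would compute for the referenced files, and the
# known-good database (the VRDB-like list the post imagines); both constructed.
FILE_HASHES = {
    "C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe": hashlib.sha256(b"tray").hexdigest(),
    "C:\\Users\\Public\\update.exe": hashlib.sha256(b"unknown dropper").hexdigest(),
}  # C:\Temp\x.exe deliberately absent: the file could not be read, so no hash
KNOWN_HASHES = {hashlib.sha256(b"tray").hexdigest()}

AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_autostart_entries(reg_text):
    """Map (registry key, value name) -> command, for Run/RunOnce keys only."""
    entries, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # Track only the autostart keys; any other key switches matching off.
            key = line[1:-1] if AUTOSTART_KEY_RE.search(line) else None
        elif key:
            m = VALUE_RE.match(line)
            if m:  # .reg files double every backslash; undo that for the path
                entries[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries

def changed_autostart_entries(baseline_text, current_text):
    """Autostart entries that are new, or now point at a different command."""
    base = parse_autostart_entries(baseline_text)
    return {k: v for k, v in parse_autostart_entries(current_text).items()
            if base.get(k) != v}

def unknown_autostart_targets(entries, file_hashes, known_hashes):
    """Allowlist check: commands whose executable hash is missing or unknown."""
    return sorted(cmd for cmd in entries.values()
                  if file_hashes.get(cmd) not in known_hashes)
```

The first function pair is the "warn on a new startup location" test from the table; the last one is the shield behaviour described above, where anything not in the known-executable database gets a warning rather than a silent pass.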

If anti(virus+spyware) could live into Spyware Terminator (http://www.spywareterminator.com//help/FAQ.aspx?faqid=1761&faqmod=SpyTerm_Help5), why not inside avast 5?

yes I agree with you tech, if Alwil doesn’t want to develop an antispyware in the fear that the antivirus might lose its awesome performance and detection abilities, just do like Spyware Terminator; that way you are just adding abilities and it won’t interfere with the antivirus. Or hire new programmers that would only work on the spyware definitions, just like for the virus.
Any idea if this is possible vlk ,igor, pavel ??

Thank You

MounierNetwork

this brings me to an idea, Spyware Terminator is done by a Czech team, Alwil should get them :slight_smile: (buy them out :)))

It won’t be bad at all 8)
What we cannot achieve is an official word about what Alwil thinks about all of this issue… ::slight_smile: