Trojan.Vundo help

Page 2

John

Moderator Emeritus, Elite Member (joined Oct 9, 1999)
Originally posted by: dclive
I've read your guide. You explicitly point out running McAfee's scanner:
"
Although I recommended that you uninstall McAfee (due to bloatware) you can use their command line scanner in DOS or Windows without having to install the program. McAfee's detection rate is somewhat respectable, and this will allow you to leave your current AV installed and get a second opinion in case you are unable to get on the internet to run an online scan, or you do not have the ability to scan the drive on a clean computer. "The scanner runs faster if its window is minimized. It's normal for the text in the window to get all jumbled and overwritten. The virus definitions in this scanner get updated several times per day, and although McAfee is not our favorite anti-virus vendor in the home-user realm, they do sometimes find stuff heuristically and this does use their full threat database, for what it's worth." - mechBgon"

I thought that was interesting. For a product you dislike, too. :)

Please pay special attention to the bold area above.

Obviously debating security software with you is much like debating PSUs; you're always looking for engineering facts to back up the claims of others. By assuming that pretty much any AV has a 99% detection rate, you show us that your grasp of security software is below par.

FWIW you quoted Hauri ViRobot 5.0 results instead of Kaspersky's. The real results are as follows:

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

VB100% is all about marketing. These vendors have come to realize the marketing significance of these tests, and the effort they put into their products to pass the VB100 tests may not reflect the effort they put into detecting viruses outside of those included in the VB100 test set. It's possible for an AV product to pass all the VB100 tests but still have mediocre virus detection. A prime example is CA eTrust, which is one of the worst AVs on the market. mechBgon's research alone shows that McAfee (among other AVs) fails to detect numerous trojans and other assorted malware samples.

 

dclive

Elite Member (joined Oct 23, 2003)
Originally posted by: John
Originally posted by: dclive
I've read your guide. You explicitly point out running McAfee's scanner:
"
Although I recommended that you uninstall McAfee (due to bloatware) you can use their command line scanner in DOS or Windows without having to install the program. McAfee's detection rate is somewhat respectable, and this will allow you to leave your current AV installed and get a second opinion in case you are unable to get on the internet to run an online scan, or you do not have the ability to scan the drive on a clean computer. "The scanner runs faster if its window is minimized. It's normal for the text in the window to get all jumbled and overwritten. The virus definitions in this scanner get updated several times per day, and although McAfee is not our favorite anti-virus vendor in the home-user realm, they do sometimes find stuff heuristically and this does use their full threat database, for what it's worth." - mechBgon"

I thought that was interesting. For a product you dislike, too. :)

Please pay special attention to the bold area above.

Obviously debating security software with you is much like debating PSUs; you're always looking for engineering facts to back up the claims of others. By assuming that pretty much any AV has a 99% detection rate, you show us that your grasp of security software is below par.

FWIW you quoted Hauri ViRobot 5.0 results instead of Kaspersky's. The real results are as follows:

ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

VB100% is all about marketing. These vendors have come to realize the marketing significance of these tests, and the effort they put into their products to pass the VB100 tests may not reflect the effort they put into detecting viruses outside of those included in the VB100 test set. It's possible for an AV product to pass all the VB100 tests but still have mediocre virus detection. A prime example is CA eTrust, which is one of the worst AVs on the market. mechBgon's research alone shows that McAfee (among other AVs) fails to detect numerous trojans and other assorted malware samples.

*You* linked to the VB100 test. If it's a bad test, why do you link to it on your "Elite" page?

Just out of curiosity, why is CA's eTrust "one of the worst AV's on the market"?

That's what Microsoft uses internally for all employees and all machines.

Did it ever occur to you that various people might have different opinions from you, and *you* might be wrong? Just a thought... obviously, Microsoft strongly disagrees with you.
 

dclive

Elite Member (joined Oct 23, 2003)
Agreed on the quoting - it was incorrect; my apologies. The note is still troubling:

K:
Kaspersky Anti-Virus 6.0.0.299

KAV includes various self-protection features which turn out to be a double-edged sword. The less-than-welcome aspect is that the virus definitions are so well protected that they are, by default, unable to be updated manually. Since the update function does not allow updates from a local folder, this is somewhat irritating.

There also seem to have been some changes in scanning methods, the effects of which are particularly unpleasant. On-access scanning was seemingly interminable, while the clean set scanning rate is pretty indicative of the speeds seen while scanning the infected sets. This is not an effect of low scanning priorities, however; during scanning KAV remained steadily at 99% processor usage.

All of this work was, at least, for good reason as all files in all test sets were detected and no false positives were produced. A VB 100% award thus acts as a distraction from the various problems encountered.

M:
McAfee VirusScan Enterprise 8.0i 4400 4753

Happily, with VirusScan we return to a product that had no nasty surprises in store and gave a good performance with full detection of infected samples across all test sets. With no false positives noted in the clean test sets either, VirusScan is awarded a well deserved VB 100%.

Question being then why Kaspersky had the speed issue... and various problems were noted. But nonetheless, yes, it did get a 100% rating; my apologies on that!
 

dclive

Elite Member (joined Oct 23, 2003)
Originally posted by: dclive
Did it ever occur to you that various people might have different opinions from you, and *you* might be wrong? Just a thought... obviously, Microsoft strongly disagrees with you.

A better way to say this is that it appears you have an enthusiasts page set up with various tests that you subscribe to, but various vendors have their own tests (certainly...), which lead to results that don't correspond with your own.

Microsoft has good reasons for entering into agreements with CA and putting the entire company (at least a few years ago) on CA's eTrust. That it had different results on a test created by enthusiasts or an outside review agency was probably of secondary importance compared to their internal result with their internal testing department. So what do you think they found that led them to roll the eTrust product out enterprise-wide? Why do you think they use(d, possibly; I haven't looked lately) the software?

Clearly, there are a variety of other opinions out there, besides those you reflect and those you show, which led to the conclusion that CA's eTrust was the *best* choice for the company - including Microsoft, a company that can choose any vendor and any product it wants, and, one would think, would only choose the very best for its internal users.

Please just be mindful that your judging and criteria are not the only ones that matter. :)
 

John

Moderator Emeritus, Elite Member (joined Oct 9, 1999)
Originally posted by: dclive
*You* linked to the VB100 test. If it's a bad test, why do you link to it on your "Elite" page?

I never said it was a bad test, I simply said it revolves around marketing and is to be taken with a grain of salt.

Just out of curiosity, why is CA's eTrust "one of the worst AV's on the market"?

Lackluster detection rates and high resource usage.

AV-Comparatives Single Product Test: CA Antivirus 2007

AV-test.org roundup w/ eTrust in dead last. Worse than ClamAV.
http://www.pcmag.com/article2/0,1895,2135053,00.asp

That's what Microsoft uses internally for all employees and all machines.

They would use the business version. I cannot comment on that version, but the detection rates are probably similar to the home version.

Did it ever occur to you that various people might have different opinions from you, and *you* might be wrong? Just a thought... obviously, Microsoft strongly disagrees with you.

Microsoft also feels that Windows Defender & Windows OneCare are solid solutions for detecting and removing malware.

You've got 2 highly qualified people in this thread trying to educate you, and it's unfortunate that you refuse to be a little more open-minded about the subject.

 

mechBgon

Super Moderator, Elite Member (joined Oct 31, 1999)
That's what Microsoft uses internally for all employees and all machines.

I'm guessing Microsoft also has most of the employees on Vista with IE7 Protected Mode, non-Admin user accounts, Software Restriction Policies, and other proactive tactics that will stop stuff that no antivirus/antimalware software currently detects.

Maybe after work I'll repeat my "mechBgon100" test to see how McAfee does against a current set of fresh in-the-wild exploits, rootkits, Trojans and other malware.



....orrrrr I might go ride my new Stumpjumper. Hmmm, test antivirus software or ride mountain bike... we'll see who wins ;)
 

dclive

Elite Member (joined Oct 23, 2003)
Originally posted by: John
Originally posted by: dclive
*You* linked to the VB100 test. If it's a bad test, why do you link to it on your "Elite" page?

I never said it was a bad test, I simply said it revolves around marketing and is to be taken with a grain of salt.

Just out of curiosity, why is CA's eTrust "one of the worst AV's on the market"?

Lackluster detection rates and high resource usage.

AV-Comparatives Single Product Test: CA Antivirus 2007

AV-test.org roundup w/ eTrust in dead last. Worse than ClamAV.
http://www.pcmag.com/article2/0,1895,2135053,00.asp

That's what Microsoft uses internally for all employees and all machines.

They would use the business version. I cannot comment on that version, but the detection rates are probably similar to the home version.

Did it ever occur to you that various people might have different opinions from you, and *you* might be wrong? Just a thought... obviously, Microsoft strongly disagrees with you.

Microsoft also feels that Windows Defender & Windows OneCare are solid solutions for detecting and removing malware.

You've got 2 highly qualified people in this thread trying to educate you, and it's unfortunate that you refuse to be a little more open-minded about the subject.

I'm very open minded - I just have different ideas on how to approach problems than the two of you, and I have different experiences.

You also say the solution *Microsoft* implements is bad, which is something I find a bit unusual.

I still believe in what I wrote - if a system is infected, booting from it and expecting to have a clear and clean view of the OS and the internals of the OS is flawed logic. A good way around this is an offline scan, typically with BartPE. One plug-in included is McAfee's SCAN32. If you have another Win32 command-line scanner to use, by all means use it.
 

dclive

Elite Member (joined Oct 23, 2003)
Originally posted by: mechBgon
That's what Microsoft uses internally for all employees and all machines.

I'm guessing Microsoft also has most of the employees on Vista with IE7 Protected Mode, non-Admin user accounts, Software Restriction Policies, and other proactive tactics that will stop stuff that no antivirus/antimalware software currently detects.

Nope. 100% of PSS is wide open, make the machine any way you want it - except you'll put on the MS-approved antivirus solution, CA eTrust, or you'll lose connections to the MS corporate network.
 

bwatson283

Golden Member (joined Jul 16, 2006)
I am a new IT guy. Supporting it on home computers isn't crap compared to corporate, 'cause I have only had a few small ones. Soon I will get to the level of everyone else here :)
 

dclive

Elite Member (joined Oct 23, 2003)
Originally posted by: dclive
Originally posted by: mechBgon
That's what Microsoft uses internally for all employees and all machines.

I'm guessing Microsoft also has most of the employees on Vista with IE7 Protected Mode, non-Admin user accounts, Software Restriction Policies, and other proactive tactics that will stop stuff that no antivirus/antimalware software currently detects.

Nope. 100% of PSS is wide open, make the machine any way you want it - except you'll put on the MS-approved antivirus solution, CA eTrust, or you'll lose connections to the MS corporate network.

..and also you need to patch the machines, else the connection to the Microsoft corporate network is cut....
 

mechBgon

Super Moderator, Elite Member (joined Oct 31, 1999)
In point of fact, McAfee's and Kaspersky's scanners can both detect rootkits on live online systems, as I discovered while studying for my Reality+ cert ;)

Since I was a bit too tired to go mountain biking today ;) instead I collected 95 samples, including exploits, rootkits, trojans (Zlob, DNSChanger, LoadAdv, VideoAccessCodec and others), backdoors, password-stealers, PUPs/adwares (including some DLLs, BHOs and EXEs harvested from a few live installs on my honeypot), a malicious HOSTS file, a QuickTime exploit, and a couple email worms. This is fresh real-world malware, hot off the bad guys' servers today.

I ran antivirus scans on folders containing the 95 malicious files. Online scanners are noted as such; other scanners were run as fully-installed products, except the McAfee command-line scanner. Caveats: this isn't a scientific test, it isn't necessarily indicative of the software's performance on every category of threats, and it doesn't account for some of the proactive-defense capabilities that some of the software would provide in real-life scenarios. The main point isn't that brand A is better than brands C, D and E, it's that antivirus software has limitations and you should think about adding other layers of defense, including user education, non-Admin user accounts, etc.

- McAfee's command-line scanner was run with all detection capabilities maxed, using the hourly beta 4100 DATs. It detected 36 of the 95 samples. Notably, it failed to detect any of the rootkits or any of the HTML exploit samples, and it failed to detect the current versions of the sneaky Frogexer .GIFs.
- F-Secure's online scanner detected 60 of the 95 samples.
- Microsoft's Live OneCare online scanner detected 43 of the 95 samples. It was unable to delete some of them, for unknown reasons, but it detected more than I expected.
- Kaspersky AntiVirus 7 detected 67 of the 95 samples using maxed-out settings (which is how I normally run it). And looking at the scan results, the reason KAV7 scored higher than F-Secure (which uses the KAV engine and sigs) appears to be the new heuristic-detection capabilities added to v7. KAV7 nevertheless missed all of the HTML exploits, all of the Frogexer pics, about half of the DLLs from actual adware/PUP installs, and some of the Trojans.
- Computer Associates (CA), in its default configuration, detected 26 of the 95 samples. There did not appear to be any additional scanning capabilities to enable, since heuristics were already enabled. CA missed nearly all of the HTML exploits, lots of Trojans, all the crafty .GIFs, the PUP/adware files, an email worm, a Spambot, Trojan-Downloaders, and some of the rootkit files. Evidently signatures and heuristics are not the main selling point ;)
- Symantec's online scanner detected 39 of the 95 samples.
- Oh, and Windows Defender detected 3 of the 95 samples :eek: *golf clap*

Edit: adding the popular freebie antiviruses below...

- AntiVir PersonalEdition Classic, in its default configuration, detected 60 of the 95 samples. With all settings maxed out (heuristics at maximum, all filetypes scanned, and all optional threat categories enabled) it nailed 71 of the 95 samples, including all but one HTML exploit, but still missed most of the files from live adware/PUP installations, some Trojans, and the crafty .GIF files.
- AVG Free Edition, in its default configuration (which already includes heuristics and archive scanning), detected 47 of the 96 samples. With the "Scan all files" option enabled, it detected one additional file, the malicious HOSTS file, leaving the HTML exploits, adware/PUP files, the crafty .GIF files and lots of Trojans undetected.
- Avast! Personal Edition, in its default configuration, detected 45 of the 95 samples. Setting the protection to High instead of Normal did not get any additional detections. Avast missed the same sorts of stuff that AVG did.
- AOL Kaspersky, in its default configuration, detected 59 of the 95 samples. With all settings maxed out, it detected 61 of the 95 samples thanks to the enabling of PUP detection. Detection pattern was similar to KAV7 except it didn't have the heuristic detections.
- SUPERAntiSpyware detected 42 of the 95 samples. That was pretty impressive considering that the majority of the samples don't really fit its target genre.

In my view, the results again underscore the value of backing up security software with other proactive measures such as non-Admin user accounts, SRP, fully-enabled Data Execution Prevention, patching of all installed software, removal of unnecessary software, and user education. Because even some of the best security software, using multiple engines and definition sets, is still only batting about .600 against the bad guys in the real world. Granted, signatures and heuristics don't tell the full story by themselves, but I think the point is clear.

Based on general knowledge of this malware, I believe a computer being used by a Standard user on Vista, running IE7 Protected Mode, would be completely safe from all of the samples in this set (provided that the user doesn't have the option and the gullibility to elevate to Administrator level), particularly with a disallowed SRP in place, but regardless. This is why I keep getting out the soapbox to yammer on about the merits of least-privilege operation as an important part of a security strategy.

In retrospect, maybe it would've been less tiring to just go mountain biking... :confused: :D
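As an added example, not code from the thread or from any of its posters, the PowerShell script below sets up the kind of default-deny ("disallowed") Software Restriction Policy that mechBgon's post above recommends, together with always-on DEP. It writes the same registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers that the Local Security Policy snap-in writes; the allow-rule paths, the rule descriptions, the optional log file location and the function names are assumptions chosen for illustration. It needs an elevated prompt, bcdedit exists only on Vista and later (XP sets DEP in boot.ini instead), SRP decisions are made at process creation so a logoff or reboot is needed before the policy is visible, and on a domain-joined machine a Group Policy SRP will overwrite these local values.

```powershell
# Added example: default-deny Software Restriction Policy (SRP) plus
# always-on DEP, written as the registry values the Local Security Policy
# snap-in would write. Not from the thread. Paths, descriptions, the log
# location and function names are illustrative assumptions. Run elevated.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, as stored in DefaultLevel and used as subkey names.
$Disallowed   = 0x0
$Unrestricted = 0x40000

function Set-SrpPathRule {
    param(
        [Parameter(Mandatory)][int]    $Level,        # $Disallowed or $Unrestricted
        [Parameter(Mandatory)][string] $Path,         # may use %ENV% variables
        [Parameter(Mandatory)][string] $Description
    )
    # Skip if an identical rule already exists at this level (re-runs stay idempotent).
    # GetValue with DoNotExpandEnvironmentNames keeps '%SystemRoot%' unexpanded for the comparison.
    $parent = Join-Path $Safer ('{0}\Paths' -f $Level)
    if (Test-Path $parent) {
        $dup = Get-ChildItem -Path $parent |
            Where-Object { $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames') -eq $Path }
        if ($dup) { return $dup[0].PSPath }
    }
    # Each path rule lives in a GUID-named subkey under <level>\Paths.
    $ruleKey = Join-Path $parent ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    $ruleKey
}

function Set-DefaultDenySrp {
    param(
        # 1 = all executables except DLLs (the usual choice); 2 = DLLs too,
        # which is much stricter and breaks more software.
        [int]    $TransparentEnabled = 1,
        # 0 = everyone, including administrators; 1 = exempt local admins.
        # Use 1 while testing so a bad rule cannot lock the admin out.
        [int]    $PolicyScope = 0,
        # Optional SRP log of enforcement decisions, useful when tuning rules.
        [string] $LogFile = $null
    )
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    New-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed         -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -Value $TransparentEnabled -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -Value $PolicyScope        -PropertyType DWord -Force | Out-Null
    if ($LogFile) {
        New-ItemProperty -Path $Safer -Name LogFileName -Value $LogFile -PropertyType String -Force | Out-Null
    }

    # Allow rules so the OS and installed software keep running. A standard
    # user cannot write to these directories, which is what gives the policy
    # its teeth: anything dropped into the profile, %TEMP% or a removable
    # drive falls under the Disallowed default.
    Set-SrpPathRule -Level $Unrestricted -Path '%SystemRoot%'   -Description 'Windows directory' | Out-Null
    Set-SrpPathRule -Level $Unrestricted -Path '%ProgramFiles%' -Description 'Program Files'     | Out-Null

    # Caveat: a few subdirectories of the Windows directory are user-writable
    # on older systems (Windows\Temp, for example). A more specific path rule
    # takes precedence over a less specific one, so this Disallowed rule wins
    # over the %SystemRoot% allow rule above.
    Set-SrpPathRule -Level $Disallowed -Path '%SystemRoot%\Temp' -Description 'Deny user-writable Windows\Temp' | Out-Null
}

function Enable-DepAlwaysOn {
    # "Fully-enabled DEP" = AlwaysOn: NX for every process, no opt-out.
    # bcdedit exists on Vista and later; XP uses /noexecute=alwayson in boot.ini.
    & bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}

function Get-SrpState {
    # Read the policy back so it can be checked before logging off.
    if (-not (Test-Path $Safer)) { return $null }
    $p = Get-ItemProperty -Path $Safer
    $rules = Get-ChildItem -Path $Safer -Recurse |
        Where-Object { $_.PSChildName -like '{*}' } |
        ForEach-Object {
            $level = if ($_.PSPath -match 'CodeIdentifiers\\(\d+)\\') { [int]$Matches[1] } else { -1 }
            $name  = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
            '{0,-12} {1} ({2})' -f $name,
                $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames'),
                $_.GetValue('Description', '')
        }
    [pscustomobject]@{
        DefaultLevel       = $(if ($p.DefaultLevel -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' })
        TransparentEnabled = $p.TransparentEnabled
        PolicyScope        = $p.PolicyScope
        Rules              = $rules
    }
}

# Usage, from an elevated prompt; log off or reboot afterwards:
#   Set-DefaultDenySrp -PolicyScope 1 -LogFile 'C:\srp.log'   # trial run, admins exempt
#   Get-SrpState
#   Set-DefaultDenySrp                                        # enforce for everyone
#   Enable-DepAlwaysOn
```

Run the trial configuration first and read the log for a day of normal use: anything a user legitimately runs from a user-writable location (updaters that unpack to %TEMP%, per-user installers) shows up there and needs either relocating or a deliberate allow rule, and only then should PolicyScope go back to 0. Note that this policy is a path policy: it does nothing about a standard user who can be talked into elevating, which is the condition mechBgon attaches to his claim, and on 64-bit systems %ProgramFiles(x86)% needs its own allow rule.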