A forum for reverse engineering, OS internals and malware analysis 
 #1907  by EP_X0FF
 Thu Aug 12, 2010 6:57 am
Any AV product without HIPS can be killed easily, there is nothing to test.
 #1908  by ssj100
 Thu Aug 12, 2010 6:59 am
EP_X0FF wrote: Any AV product without HIPS can be killed easily, there is nothing to test.
Which AV products don't have the HIPS that you are talking about? Thanks.
 #1910  by ssj100
 Thu Aug 12, 2010 7:08 am
EP_X0FF wrote: For example Doctor Web.
How about Avira, ESET, Microsoft Security Essentials etc? I'm only talking about the antivirus-only releases of these programs. However, it would be interesting to know if your methods also work with the suite versions of these programs?
 #1911  by EP_X0FF
 Thu Aug 12, 2010 7:13 am
Sure. Why not? There is nothing special about it technically.
 #1912  by LeastPrivilege
 Thu Aug 12, 2010 2:30 pm
I see just about every brand of AV software when I remove malware on PCs. This isn't 1995 anymore. The trojans are able to infiltrate and disable all of them. The AV "self-protection" is a joke as is their removal as well. Based on what I see on a daily basis, I have no faith in traditional AV software anymore.
 #1913  by ssj100
 Fri Aug 13, 2010 12:11 am
LeastPrivilege wrote: I see just about every brand of AV software when I remove malware on PCs. This isn't 1995 anymore. The trojans are able to infiltrate and disable all of them. The AV "self-protection" is a joke as is their removal as well. Based on what I see on a daily basis, I have no faith in traditional AV software anymore.
That's interesting. I personally don't use a real-time antivirus (I don't even have one installed... I just run occasional scans with MBAM and a-squared in a sandbox), so I personally don't really care much about this. My security setup is in my signature.

Regardless, I'm not convinced that people get infected because of bad AV software. Sure, Prevx etc. are trying to make themselves look like the stand-out product (through very clever marketing strategies and "brain-washing"... perhaps too harsh a word?) etc. etc. I believe the way people get infected is mainly through having a bad security approach. For example, a bad security approach would be poor handling of newly introduced files: executing/opening these files from potentially dodgy sources (e.g. via e-mail attachment) on the REAL system. An example of a good security approach would be executing/opening these files in a sandbox via e.g. Sandboxie, or even in a full-blown Virtual Machine. A lot of newly introduced files are simply data that you view/execute once and then discard. With Sandboxie or a Virtual Machine handy, you can do this extremely safely.

For files that you want to keep, you merely have to use on-demand scanning (or simply get files from trusted sources) to check if there are any "viruses" within the files. VirusTotal and other specific signature scanners like MBAM are useful for this. Of course, a certain degree of computer common sense/experience is required to deliver this good security approach.

Finally, regular backing up is also very important (some might argue it's the most important aspect). I'm not just talking about regular backing up of (important) data files, but also regular image backups (perhaps once a month). So even if malware completely destroyed your system, you can restore a perfectly working image within 10-20 mins. Perhaps for "noob" users, if there was one thing to teach them, this might be the most important thing.
 #1953  by SecConnex
 Fri Aug 13, 2010 9:01 pm
We strive to make our product the very best in the world.
Truly, this is not enough of an answer, and seems to be a marketing ploy to reach a conclusion. However, the problem with this logic is that it lacks evidence, and has a poor approach.

Introducing yourself would have helped, as the nature of your post is rather odd.

However, I do agree that the methods used by behavioral antivirus software are not being updated for the latest technology. Realistically, signature- and behavior-based detection are not working with new malware as well as they should. There are many times where something is missed and needs careful review.

Most researchers would love just to quickly pilfer through an infection, collect data and save it, then delete the infection from the machine. However, many infections are so bound to the Windows API that there are new methods out to circumvent behavioral antivirus products.

There will always be a circumvention until a company comes up with a better way to detect malware than behavior-based and signature-based detection.
 #1955  by ssj100
 Fri Aug 13, 2010 9:39 pm
PX6 wrote: We strive to make our product the very best in the world.
Which company doesn't?
PX6 wrote: The recent demonstrations carried out with your tool are not a real-world example of true circumvention and therefore are not accepted as a legitimate malware threat to our product.
Why the updates then? Prevx has updated about 3 times since the release of these PoCs. And the updates were purely to rectify these specific issues, and were released relatively hastily.
PX6 wrote: Your tool is currently blocked and tagged as unsafe by our software.
The latest one is/was NOT blocked and tagged as unsafe at all. Please read my post above.
DragonMaster Jay wrote: Truly, this is not enough of an answer, and seems to be a marketing ploy to reach a conclusion.
Agreed.
 #1956  by GamingMasteR
 Fri Aug 13, 2010 9:58 pm
Your tool is currently blocked and tagged as unsafe by our software. I suggest you contact the Prevx Technical Support team for any further questions.
Effective & professional solution :D :mrgreen: