Security Basics mailing list archives
RE: Malware detection
From: Glenn Duquette <gduquette () midmark com>
Date: Thu, 26 Jul 2012 19:13:12 -0400
Just to be clear, did you have MSSE and another anti-malware product installed and running on the same machine at the same time? I was under the impression this was not recommended and could cause issues with proper detection. I'll also throw my experience with MSSE in there: When it was first released, it actually proved to be very effective at detection and removal of known malware, appeared to run with very little resources, and was cost effective (in ForeFront format) for business who had site licenses with MS as well as for home users. Overall it was a decent anti-malware product that I recommended for both home (MSSE) and work (ForeFront). Fast forward a few years to now. MSSE is still pretty effective at detecting and removing the *well known* variants of malware and still does not use a lot of system resources that I have seen, and is still cost effective. The problem is that the malware field has changed drastically. We are seeing far more malware that MSSE/Forefront does not detect because the 'bad guys' have simple ways to make a slightly different variant that thwarts detection. Signature based detection can only get one so far (as has been said in a few other replies) and it is only possible when the signature can be made. When the malware kits allow you to generate a simple variant that MSSE and a few of the other major anti-malware software does not detect one has to rely on other means like heuristics, behavior, white/black listing, etc (when relying on client side software as a layer in the defense). I have not found MSSE v1 or v2 strong in anything but signature detection. I no longer recommend MSSE for home or work users because it's poor performance outside of signature based scanning. As a fun test, try the following on a malware lab desktop/VM: Install your version of windows with MSSE - and make sure they are fully updated. Download a smattering of malware examples from one of the well known malware sites and see how many of them actually get past MSSE. In my tests, a good 50 to 60% install their payload without MSSE making a peep. Do the same, but this time remove MSSE and install an anti-malware tool like Kaspersky or BitDefender and see how it compares. In my tests the commercial products have done far better due to their faster updates of signatures, heuristic, and behavior analysis. Obviously it is not a scientific test, but effective enough for this example. FYI - Zeus variants always seemed to get by MSSE particularly effectively for me. Glenn -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Gillett Sent: Thursday, July 26, 2012 12:55 PM To: security-basics () securityfocus com Subject: RE: Malware detection I encountered a rootkit last year. MSSE was the only thing I was running that detected it. Unfortunately, it only detected it in a temporary folder belonging to a commercial antivirus product I was running (which did not itself notice the rootkit...). My theory is that something about the way the commercial product scanned archives caused one or more rootkit components to be extracted and become visible to MSSE. But of course this instance, while visible, was secondary, and so many many attempts by MSSE to "clean" the machine, including required reboots, never actually had an effect. Several other packages I tried had no success in finding the malware, which eventually crippled the boot process so badly I had to reformat and reinstall from scratch. (Since then, I've installed ZoneAlarm's new free antivirus. Too late to see if it could cope with that rootkit, but it did find and apparently neutralize many malware examples in a sizable email archive, which none of the previous candidates had noticed.... David Gillett CISSP CCNP ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ***** NOTICE ***** If you are not the intended recipient of this email, you are notified that disclosing, copying, distributing, or taking any action in reliance on the contents of this email and any files transmitted with it is strictly prohibited. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify webmaster () midmark com or 1-800-MIDMARK (1-800-643-6275). ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: Malware detection, (continued)
- Re: Malware detection Tony (Jul 18)
- Re: Re: Malware detection Savvy95 (Jul 19)
- Re: Malware detection Vic Vandal (Jul 23)
- Re: Malware detection Jeffrey Walton (Jul 24)
- RE: Malware detection Eric Krumm (Jul 24)
- Re: Malware detection Vic Vandal (Jul 26)
- RE: Malware detection David Gillett (Jul 26)
- Re: Malware detection haZard0us (Jul 26)
- Re: Malware detection haZard0us (Jul 26)
- Re: Malware detection Jeffrey Walton (Jul 26)
- RE: Malware detection Glenn Duquette (Jul 26)
- Re: Malware detection haZard0us (Jul 27)
- Re: Malware detection Vic Vandal (Jul 23)
- Re: RE: Malware detection Raghav Pande (Jul 25)
- Re: RE: Malware detection Ansgar Wiechers (Jul 25)
- Re: RE: Malware detection Kurt Buff (Jul 26)
- Re: Malware detection Vic Vandal (Jul 26)
- RE: RE: Malware detection Chris Seppala (Jul 27)