Security Basics mailing list archives

RE: Malware detection


From: Glenn Duquette <gduquette () midmark com>
Date: Thu, 26 Jul 2012 19:13:12 -0400

Just to be clear, did you have MSSE and another anti-malware product installed and running on the same machine at the 
same time?   I was under the impression this was not recommended and could cause issues with proper detection.

I'll also throw my experience with MSSE in there:  When it was first released, it actually proved to be very effective 
at detection and removal of known malware, appeared to run with very little resources, and was cost effective (in 
ForeFront format) for businesses who had site licenses with MS as well as for home users.  Overall it was a decent 
anti-malware product that I recommended for both home (MSSE) and work (ForeFront).

Fast forward a few years to now.  MSSE is still pretty effective at detecting and removing the *well known* variants of 
malware and still does not use a lot of system resources that I have seen, and is still cost effective.  The problem is 
that the malware field has changed drastically.  We are seeing far more malware that MSSE/Forefront does not detect 
because the 'bad guys' have simple ways to make a slightly different variant that thwarts detection.  Signature based 
detection can only get one so far (as has been said in a few other replies) and it is only possible when the signature 
can be made.  When the malware kits allow you to generate a simple variant that MSSE and a few of the other major 
anti-malware software does not detect one has to rely on other means like heuristics, behavior, white/black listing, 
etc. (when relying on client side software as a layer in the defense).  I have not found MSSE v1 or v2 strong in 
anything but signature detection.  I no longer recommend MSSE for home or work users because of its poor performance 
outside of signature based scanning.

As a fun test, try the following on a malware lab desktop/VM:  Install your version of Windows with MSSE - and make 
sure they are fully updated.  Download a smattering of malware examples from one of the well known malware sites and 
see how many of them actually get past MSSE.  In my tests, a good 50 to 60% install their payload without MSSE making a 
peep.  Do the same, but this time remove MSSE and install an anti-malware tool like Kaspersky or BitDefender and see 
how it compares.  In my tests the commercial products have done far better due to their faster updates of signatures, 
heuristic, and behavior analysis.  Obviously it is not a scientific test, but effective enough for this example.  FYI - 
Zeus variants always seemed to get by MSSE particularly effectively for me.

Glenn



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Gillett
Sent: Thursday, July 26, 2012 12:55 PM
To: security-basics () securityfocus com
Subject: RE: Malware detection

  I encountered a rootkit last year.  MSSE was the only thing I was running that detected it.

  Unfortunately, it only detected it in a temporary folder belonging to a commercial antivirus product I was running 
(which did not itself notice the rootkit...).  My theory is that something about the way the commercial product scanned 
archives caused one or more rootkit components to be extracted and become visible to MSSE.  But of course this 
instance, while visible, was secondary, and so many many attempts by MSSE to "clean" the machine, including required 
reboots, never actually had an effect.
  Several other packages I tried had no success in finding the malware, which eventually crippled the boot process so 
badly I had to reformat and reinstall from scratch.

  (Since then, I've installed ZoneAlarm's new free antivirus.  Too late to see if it could cope with that rootkit, but 
it did find and apparently neutralize many malware examples in a sizable email archive, which none of the previous 
candidates had noticed....)

David Gillett
CISSP CCNP
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

