Security Basics mailing list archives
Re: Malware detection
From: haZard0us <hazard0us.pt () gmail com>
Date: Fri, 27 Jul 2012 00:34:25 +0100
On 27/07/2012, at 00:13, Glenn Duquette wrote:
> Just to be clear, did you have MSSE and another anti-malware product installed and running on the same machine at the same time? I was under the impression this was not recommended and could cause issues with proper detection.
No. I had MSSE installed and then uninstalled it in order for ZoneAlarm to function properly.
> I'll also throw my experience with MSSE in there: when it was first released, it actually proved to be very effective at detection and removal of known malware, appeared to run with very few resources, and was cost-effective (in Forefront form) for businesses that had site licenses with MS as well as for home users. Overall it was a decent anti-malware product that I recommended for both home (MSSE) and work (Forefront).
> Fast forward a few years to now. MSSE is still pretty effective at detecting and removing the *well known* variants of malware, still does not use a lot of system resources from what I have seen, and is still cost-effective. The problem is that the malware field has changed drastically. We are seeing far more malware that MSSE/Forefront does not detect because the 'bad guys' have simple ways to make a slightly different variant that thwarts detection. Signature-based detection can only get one so far (as has been said in a few other replies), and it is only possible once the signature can be made. When the malware kits allow you to generate a simple variant that MSSE and a few of the other major anti-malware products do not detect, one has to rely on other means like heuristics, behavior, white/black listing, etc. (when relying on client-side software as a layer in the defense). I have not found MSSE v1 or v2 strong in anything but signature detection. I no longer recommend MSSE for home or work users because of its poor performance outside of signature-based scanning.
That was my experience, too (regarding home use). No budget means no paid solution. But gladly ZoneAlarm has a free version.
> As a fun test, try the following on a malware lab desktop/VM: install your version of Windows with MSSE, and make sure they are fully updated. Download a smattering of malware examples from one of the well-known malware sites and see how many of them actually get past MSSE. In my tests, a good 50 to 60% install their payload without MSSE making a peep. Do the same, but this time remove MSSE and install an anti-malware tool like Kaspersky or BitDefender and see how it compares. In my tests the commercial products have done far better due to their faster updates of signatures, heuristics, and behavior analysis. Obviously it is not a scientific test, but effective enough for this example. FYI - Zeus variants always seemed to get by MSSE particularly effectively for me.
I guess I'll give it a try :)
> Glenn
Cheers and thanks for the answer! :) --haZ
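The point made above, that a kit can emit a "slightly different variant" which a signature engine no longer matches, and the suggested lab exercise of scoring how many samples get past a scanner, can both be illustrated with a small harness. This is an added example, not code from the thread or from any of the products mentioned: the "malware family" is a constructed byte string, the variants are generated with the two cheapest mutations a kit offers (appended padding and a XOR re-encoding behind a decoder stub), and the three detectors are toy stand-ins for a hash signature, a byte-pattern signature, and a byte-pattern signature with generic unpacking. The marker `XK`, the keys and the file names are all assumptions for the demo.

```python
"""Detection-rate harness: why exact signatures lose to trivial variants.

Constructed demo. FAMILY_SAMPLE is not real malware; the detectors are toy
stand-ins for the techniques named, not any vendor's engine.
"""
import hashlib

# Constructed stand-in for one malware family: fake MZ header, a string a
# signature author would key on, and some padding. Not a real sample.
FAMILY_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"cmd: copy %0 %APPDATA%\\svchost.exe && reg add HKCU\\...\\Run"
    + b"\x00" * 8
)

# Signature database: one exact hash and one byte pattern for the family.
KNOWN_HASHES = {hashlib.sha256(FAMILY_SAMPLE).hexdigest()}
PATTERN = b"%APPDATA%\\svchost.exe"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the packing a cheap kit applies per build."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variants(sample: bytes) -> dict:
    """Kit-style mutations of one family; each would be a distinct file.

    'XK' plus a key-length byte is an assumed decoder-stub marker for the demo.
    """
    return {
        "original": sample,
        "padded": sample + b"\x00" * 37,                        # junk appended
        "xor1": b"XK\x01" + xor_bytes(sample, b"\x5a"),         # 1-byte XOR key
        "xor2": b"XK\x02" + xor_bytes(sample, b"\x5a\xa5"),     # 2-byte XOR key
    }


def detect_hash(data: bytes) -> bool:
    """Exact-file signature: any changed byte defeats it."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def detect_pattern(data: bytes) -> bool:
    """Byte-pattern signature: survives padding, not re-encoding."""
    return PATTERN in data


def detect_pattern_unpacked(data: bytes) -> bool:
    """Pattern signature plus generic unpacking: brute-force every single-byte
    XOR key and rescan. Recovers 1-byte-keyed variants; a 2-byte key breaks
    the contiguous match and still slips through."""
    if PATTERN in data:
        return True
    return any(PATTERN in xor_bytes(data, bytes([k])) for k in range(1, 256))


DETECTORS = {
    "hash": detect_hash,
    "pattern": detect_pattern,
    "pattern+unpack": detect_pattern_unpacked,
}


def score(detector, variants: dict) -> dict:
    """Per-variant verdicts and the detection rate over the sample set."""
    hits = {name: detector(data) for name, data in variants.items()}
    return {"hits": hits, "rate": sum(hits.values()) / len(hits)}


def run_comparison() -> dict:
    """Score every detector against the same set of variants."""
    variants = make_variants(FAMILY_SAMPLE)
    return {name: score(fn, variants) for name, fn in DETECTORS.items()}


if __name__ == "__main__":
    for engine, result in run_comparison().items():
        print(f"{engine:15s} rate={result['rate']:.0%} hits={result['hits']}")
```

The numbers are what a per-variant scoring run on a lab VM gives you: a hash database catches only the exact build, a byte pattern also survives appended padding, and generic unpacking recovers the one-byte XOR build but not the two-byte one, which is why the thread keeps pointing at heuristics and behaviour monitoring once the kits outrun the signature updates.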