funsec mailing list archives

Re: Do AV products detect PHP backdoors? Should they?


From: Gadi Evron <ge () linuxbox org>
Date: Fri, 7 Nov 2008 12:38:13 -0600 (CST)

On Fri, 7 Nov 2008, John LaCour wrote:
> After finding hundreds of phishing web sites compromised and PHP shells and
> other backdoors installed, I got to wondering why AV products weren't being
> used to detect these things. If I had a webhosting business, I'd certainly
> be looking to find unwanted files installed on servers. What do you use to
> do that? AV products.
>
> After collecting 99 samples of PHP shells and backdoors 'in the wild', I
> scanned them with 29 vendors' AV scanners to see if they were being
> detected. The results were a little bit disheartening, but I think it's
> something that can be addressed fairly easily.


I feel your pain, but I personally believe that the AV world:
1. Has no business doing web security.
2. Will.

        Gadi.

> Top 5 vendors:
>
> Ikarus
> ClamAV
> F-Secure
> AntiVir
> Kaspersky
>
> More here on test methodology, results, and caveats:
>
> http://www.phishlabs.com/blog/archives/35
>
> -John, PhishLabs


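As an added example (not part of this thread, and not PhishLabs' test harness or any AV engine), a heuristic scanner in Python that does what the post asks of a webhost: walk a web root and flag PHP files that combine backdoor indicators (eval plus decoder functions, a long embedded base64 blob, PHP sitting under an uploads directory), while letting a legitimate base64_decode call through. The indicator set, weights, threshold and upload directory names are assumptions to be tuned per site; the three sample files are constructed, and the embedded "payload" decodes to plain text.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicator set and weights are assumptions; a host would tune them to its own code base.
INDICATORS = {
    "eval_call": (re.compile(r"\beval\s*\(", re.I), 3),
    "obfuscation_func": (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    "exec_func": (re.compile(r"\b(system|shell_exec|passthru|proc_open|popen)\s*\(", re.I), 3),
    "request_input": (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"), 1),
    "long_base64": (re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']"), 3),
}
UPLOAD_DIRS = {"uploads", "tmp", "cache"}   # PHP should never be served from here
THRESHOLD = 5                               # report files scoring at or above this

def score_php(source: str, rel_path: Path):
    """Return (score, matched indicator names) for one PHP file."""
    score, hits = 0, []
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(source):
            hits.append(name)
            score += weight
    if any(part in UPLOAD_DIRS for part in rel_path.parts):
        hits.append("php_in_upload_dir")
        score += 3
    return score, hits

def scan_webroot(root: Path):
    """Walk a web root; return {relative path: (score, hits)} for suspicious files only."""
    findings = {}
    for path in root.rglob("*.php"):
        source = path.read_text(errors="replace")
        rel = path.relative_to(root)
        score, hits = score_php(source, rel)
        if score >= THRESHOLD:
            findings[rel.as_posix()] = (score, hits)
    return findings

def demo():
    """Constructed web root: a clean page, a legitimate decoder, and an obfuscated loader."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text('<?php $page = $_GET["p"] ?? "home"; include "pages/$page.php";')
    (root / "lib").mkdir()
    (root / "lib" / "config.php").write_text('<?php $cfg = json_decode(base64_decode(getenv("APP_CFG")));')
    blob = base64.b64encode(b"placeholder payload, not real code " * 8).decode()  # decodes to text only
    (root / "uploads").mkdir()
    (root / "uploads" / "image.php").write_text(f'<?php eval(gzinflate(base64_decode("{blob}")));')
    return scan_webroot(root)
```

Running demo() reports only uploads/image.php; index.php scores 1 for reading $_GET and lib/config.php scores 2 for base64_decode, both below the threshold.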
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.