Visitor
MsParanoid
Posts: 7
Registered: ‎03-28-2012

Re: Why did NAV allow activity by W32.SillyFDC virus?

Mitka

Thank you for pointing out exactly what I would like to bring to the attention of the readers trying to be helpful.

NAV did NOT update itself or its signatures or definitions between the time of infection and time of detection (and disinfection).

I'm quite sure about that because I don't have cable or ADSL or WIFI or any new Internet technology that automagically turns itself on without my knowledge.  If any reader missed my earlier post, I have a FreeBSD box with a dial-up modem which I use to connect me (on a NAT LAN) only at night when our call charges are affordable.  The infection happened at around 10am.

From infection to detection took about 3 seconds, and then to disinfect maybe another 20 or 30 seconds in total.  So it was all over and done with in less than a minute.

SendOfJive
Posts: 9,897
Kudos: 4,190
Solutions: 706
Registered: ‎02-07-2009

Re: Why did NAV allow activity by W32.SillyFDC virus?

[ Edited ]

Forgive me, I may have misunderstood the point you were making.  I was not clear that Norton had disinfected immediately.  Are you saying that Norton reacted in three seconds?  In that case I would say that at the point where Norton recognized that malicious code was running, it terminated the installation and cleaned up the changes that had been initiated by the malware.  The malicious code could have been written to make it difficult to detect, but the actions prompted a response by Norton.  I would consider that more of a success than a failure to protect.

twixt
Posts: 245
Topics: 6
Kudos: 118
Blog Posts: 0
Ideas: 0
Solutions: 13
Registered: ‎09-26-2011

Re: Why did NAV allow activity by W32.SillyFDC virus?

[ Edited ]

MsParanoid wrote:

Mitka

Thank you for pointing out exactly what I would like to bring to the attention of the readers trying to be helpful.

NAV did NOT update itself or its signatures or definitions between the time of infection and time of detection (and disinfection).

I'm quite sure about that because I don't have cable or ADSL or WIFI or any new Internet technology that automagically turns itself on without my knowledge.  If any reader missed my earlier post, I have a FreeBSD box with a dial-up modem which I use to connect me (on a NAT LAN) only at night when our call charges are affordable.  The infection happened at around 10am.

From infection to detection took about 3 seconds, and then to disinfect maybe another 20 or 30 seconds in total.  So it was all over and done with in less than a minute.

Hi, MsParanoid.  There are two different ways that NIS reacts to an intrusion attempt.

The first and primary method - used by all antimalware software - is "signature detection".  This looks for a string of bytes in the file being processed at that moment - and if something "fits a signature" then NIS pitches a fit and refuses to work with the file in the first place - before the file even gets to run on the machine.  This happens automatically, behind the scenes, and you are only notified after-the-fact that NIS successfully blocked an intrusion attempt by "whateveritwas".

However, signature-based detection has one fundamental weakness.  All signature-based detection is no better than your last Live Update - and the Malware writers know this.  Consequently, when a brand-new-something or a revised-something is released by a Malware writer into general circulation - all Anti-Malware software is vulnerable until that variant is "captured" by the Anti-Malware Manufacturer's detection routines and "templated".

Once the new variant is templated - its "signature" is added to the Anti-Malware Detection Database and packaged for Live Update.  Then, that information must go from the main Symantec Servers to your local Symantec Server - get downloaded onto your machine by your local copy of Live Update - and processed so the new Detection Database is active and running on your machine.  You can see from the description of the process above - there is an inevitable delay between the release of a new malware variant - and the required update to your machine's Detection Database so that variant can be detected and prevented from running in the first place.

Because there are inherent delays caused by the procedures mentioned - usually a few hours to a few days - there is a second layer of defense which is used to "bridge the gap".

This second layer of defense is called "heuristic scanning".  It is based on the idea that all malware must go through a set of procedures which allow them to "hijack" the machine - bypass its security - and establish the malware as another continuously-running-process which is hidden from view so you have no idea you are infected.  Because the pathways by which malware can do this are known - NIS is constantly monitoring for "suspicious activity".  Anything that tries to set itself up without being properly certified by a manufacturer is investigated - and all malware is uncertified because if it was investigated, no certifying authority would grant a certificate to the malware writer.

Thus, it is possible for "new" malware to avoid signature-detection - yet be trapped by heuristic detection.  If the malware writer is lazy - and they have not massively changed the manner in which the infection process occurs - NIS can recognize the "mechanism" of the infection process and investigate the malware after-the-fact - within seconds of the malware establishing itself.  Once that happens, NIS "understands" what the malware is about - and it can launch a cleanup-routine which removes the infection only a few seconds after it is established.

The signature-based method has the advantage of detecting the malware before it even has a chance to execute in the first place.  However, because of delays in the templating and dissemination process - that is always a "catch-up" situation.  Thus, the heuristic-based method must be relied upon to catch things that are too new yet to have a signature for the new malware variant.

Your situation matches the second scenario mentioned above.  IMO, it was heuristic-detection that saved your butt - and only heuristic detection could have saved you from something that was so new that signature-based detection had no hope of detecting it.

The fact that the Live Update signatures were updated with a new signature for W32.SillyFDC within 24 hours of the situation you describe - gives you some idea of how quickly Symantec are capable of reacting to the release of new malware variants.  That's one of the things your subscription to NIS goes to pay for.  There is a huge global "machine" that Symantec has put in place to capture and analyze new infections as quickly as possible.  So, usually, it only takes hours for a new malware to be templated and a new signature devised.

But in between the release and the templating - we are all vulnerable - and nothing can help that other than heuristic detection - which reacts to something that is in the process of infection.  There is no other way for heuristic detection to work.

So, be glad that NIS has all those layers of protection.  Finding a way through all those layers - to successfully bypass all of the "smarts" in NIS - is no easy task.  It is beyond the abilities of all but the very best of the elite of malware writers.  You can thank your lucky stars that the malware writer who successfully modified W32.SillyFDC so it no longer had a known signature - did not modify the infection process with enough sophistication to fool the heuristic-analyzer in NIS.  Thus, you dodged the bullet.

Hope this helps your understanding.
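
A toy model of the two detection layers twixt describes above, added here as an example that is not part of the thread or of any Norton code: layer one matches a known byte pattern in the file before it runs, layer two scores what an unsigned program does once it is running. The signature database, behaviour rules, weights, threshold, process names and sample bytes are all constructed for the demonstration; the point it shows is that a re-released variant whose bytes no longer match the old signature is still caught by the behaviour it shares with the original.

```python
from collections import Counter

# Constructed signature database: hypothetical detection name -> byte pattern
# taken from a captured sample ("templated", in the post's words).
SIGNATURES = {"Worm.Demo.A": b"DEMO_WORM_PAYLOAD_v1"}

# Constructed behaviour rules, modelled on the post's description of how malware
# "sets itself up": run continuously, hide from view, spread. Weights are arbitrary.
SUSPICIOUS = {"register_autostart": 2, "hide_process": 2, "copy_self_to_removable": 1}
THRESHOLD = 3

def signature_scan(data: bytes):
    """Layer 1: name of the first signature whose byte pattern occurs in the file, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def heuristic_scan(events, signed):
    """Layer 2: score each process's run-time behaviour; return those at or over THRESHOLD.

    events: iterable of (process, action) tuples observed while the program runs.
    signed: set of process names carrying a valid vendor certificate (trusted by this toy rule).
    """
    scores = Counter()
    for proc, action in events:
        if proc not in signed:
            scores[proc] += SUSPICIOUS.get(action, 0)
    return {p: s for p, s in scores.items() if s >= THRESHOLD}

def classify(name, data, events, signed=frozenset()):
    """Report which layer stops the program, checked in the order the post describes."""
    if signature_scan(data):
        return "blocked by signature before execution"
    if name in heuristic_scan(events, signed):
        return "caught by heuristics after it started"
    return "not detected"

# Constructed samples: the known file, and a re-released variant with one byte changed.
KNOWN = b"MZ...DEMO_WORM_PAYLOAD_v1..."
VARIANT = b"MZ...DEMO_WORM_PAYLOAD_v2..."
WORM_BEHAVIOUR = [("worm.exe", "copy_self_to_removable"),
                  ("worm.exe", "register_autostart"),
                  ("worm.exe", "hide_process")]
UPDATER_BEHAVIOUR = [("updater.exe", "register_autostart"), ("updater.exe", "hide_process")]

if __name__ == "__main__":
    print(classify("worm.exe", KNOWN, WORM_BEHAVIOUR))
    print(classify("worm.exe", VARIANT, WORM_BEHAVIOUR))
    print(classify("updater.exe", b"MZ...", UPDATER_BEHAVIOUR, signed={"updater.exe"}))
```

The third call shows the other side of the "certified by a manufacturer" rule in the post: the same persistence behaviour from a vendor-signed updater is not scored, which is why a heuristic layer needs a trust signal and not only a behaviour list.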

Visitor
MsParanoid
Posts: 7
Registered: ‎03-28-2012

Re: Why did NAV allow activity by W32.SillyFDC virus?

twixt An excellent, detailed explanation. I appreciate the time you took to type up your reply. It's given me a complete understanding of the situation. Many thanks!

twixt
Posts: 245
Topics: 6
Kudos: 118
Blog Posts: 0
Ideas: 0
Solutions: 13
Registered: ‎09-26-2011

Re: Why did NAV allow activity by W32.SillyFDC virus?

MsParanoid wrote:
twixt An excellent, detailed explanation. I appreciate the time you took to type up your reply. It's given me a complete understanding of the situation. Many thanks!


You're welcome.  Glad to help.  :smileyhappy: