Kudos 0

Fake.AV

[link removed]
 

Norton Intrusion Prevention

Norton SafeWeb

Norton Auto-Protect and Advanced Protection

None of them even flinched when I downloaded the file and the site claimed to scan my system and showed me a list of ... 100320 infections ... I thought that Norton 08 blocked 100% of Fake AV scanners...

It also saved a file on my computer:

http://www.virustotal.com/analisis/32b6ae67d4bec770a8ca74a247b491f0

[edit: removed link per the Participation Guidelines and Terms of Service. Please do not post links to malicious websites]

Message Edited by Tim_Lopez on 11-29-2008 06:39 PM
=\

Kudos 0

Re: Fake.AV

I took a step further, and installed this spyware just to check my findings on another thread of mine.

Again, AGAIN it is Windows Defender that takes action and cleans this crap, while Norton Internet Security 2009 sits on its **bleep** and does NOTHING!

Symantec should be really ashamed, their antispyware engine is so substandard and behind the curve it is astounding!

Message Edited by TomiRed on 11-29-2008 07:14 PM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

Considering that most of the top AVs don't find it, I wouldn't worry about it. It's a fake program. Hell, Antivir didn't find it and that is the best AV around. NO AV blocks 100%. Where did you get that info from?
Real Time Protection = NIS 2009 + NAT; Behavior Analysis = Threatfire; On Demand = MBAM
Kudos 0

Re: Fake.AV


Dieselman743 wrote:
Considering that most of the top AVs don't find it, I wouldn't worry about it. It's a fake program. Hell, Antivir didn't find it and that is the best AV around. NO AV blocks 100%. Where did you get that info from?

Well, Windows Defender recognizes it. It deletes it. It blocks it. It offers to block and delete the BHOs and IE plugins it tries to install.

NIS 2009, meanwhile, creates a rule to allow it to enjoy network traffic.

Considering NIS 2009 antispyware 'quality' at this time, turning Windows Defender off is a recipe for disaster.

Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

Windows Defender is a joke. SAS and MBAM are miles ahead of it. I just did a scan with SAS and it found it. Does make me wonder about NIS. Sorry if I was disagreeing.
Real Time Protection = NIS 2009 + NAT; Behavior Analysis = Threatfire; On Demand = MBAM
Kudos 0

Re: Fake.AV

Hey guys,

 

For pro-active and on-demand scans for AVs, have a look at this serious and solid report: www.av-comparatives.org

 

and we talk again...

Message Edited by TrDo on 11-29-2008 10:02 PM
Kudos 0

Re: Fake.AV

AV Comparatives is a well known web site but what does that have to do with this thread.
Real Time Protection = NIS 2009 + NAT; Behavior Analysis = Threatfire; On Demand = MBAM
Kudos 0

Re: Fake.AV

Dieselman743,

If you cannot see any relevance between the latest reports (both On-Demand and Pro-active, from AV-Comparatives.. but do read them in their pdf-full form), and this thread, then I cannot explain...Sorry....

Message Edited by TrDo on 11-29-2008 10:15 PM
Kudos 0

Re: Fake.AV

I know what AV Comparatives is all about. Norton 09 got a 99% score. Still, what is your point? The latest report is still the one from August 2008.
Message Edited by Dieselman743 on 11-29-2008 12:37 PM
Real Time Protection = NIS 2009 + NAT; Behavior Analysis = Threatfire; On Demand = MBAM
Kudos 0

Re: Fake.AV


Dieselman743 wrote:
Windows Defender is a joke. SAS and MBAM are miles ahead of it. I just did a scan with SAS and it found it. Does make me wonder about NIS. Sorry if I was disagreeing.

Maybe you missed something important - what Windows Defender did was not on demand scanning, it was real time protection.

And if 'Windows Defender is a joke', what does that make NIS? A travesty?

Message Edited by TomiRed on 11-29-2008 10:38 PM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

This sucker managed to call home and report something to [Removed Link]

When you trace this address, it is located in the town of Herndon, in Fairfax County, Virginia.

If you direct your browser there, it downloads a file g347.exe.

This is the Virustotal analysis for it at the moment: link

[edit: removed link per the Participation Guidelines and Terms of Service. Please do not post links to malicious files]

Message Edited by Tim_Lopez on 11-29-2008 06:44 PM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

=\
Kudos 0

Re: Fake.AV


TomiRed wrote:

This sucker managed to call home and report something to [Removed Link]

When you trace this address, it is located in the town of Herndon, in Fairfax County, Virginia.

If you direct your browser there, it downloads a file g347.exe.

This is the Virustotal analysis for it at the moment: link

[edit: removed link per the Participation Guidelines and Terms of Service. Please do not post links to malicious files]

Message Edited by Tim_Lopez on 11-29-2008 06:44 PM

Can you upload the file to ThreatExpert and post the analysis here? 

=\
Kudos 0

Re: Fake.AV

Message Edited by Tech0utsider on 11-30-2008 03:58 PM
=\
Kudos 0

Re: Fake.AV

That's just a pop-up and not the program itself. But even after you download the program and scan it via Explorer, Norton still doesn't detect it. SAS did and so did MBAM.
Real Time Protection = NIS 2009 + NAT; Behavior Analysis = Threatfire; On Demand = MBAM
Kudos 0

Re: Fake.AV

And what were the detections? Try executing it within Sandboxie...

Here is the ThreatExpert Report. Forgive me; the other ThreatExpert Report was irrelevant to this threat.

http://www.threatexpert.com/report.aspx?md5=21ad8edb7a3437e37600f37d91f1e25c

And my Tracking Number, which I submitted to SSR, is

#10079749.

Message Edited by Tech0utsider on 11-30-2008 04:08 PM
Message Edited by Tech0utsider on 11-30-2008 04:18 PM
Message Edited by Tech0utsider on 11-30-2008 04:18 PM
=\
Kudos 0

Re: Fake.AV


Tech0utsider wrote:

TomiRed wrote:

This sucker managed to call home and report something to [Removed Link]

When you trace this address, it is located in the town of Herndon, in Fairfax County, Virginia.

If you direct your browser there, it downloads a file g347.exe.

This is the Virustotal analysis for it at the moment: link

[edit: removed link per the Participation Guidelines and Terms of Service. Please do not post links to malicious files]

Message Edited by Tim_Lopez on 11-29-2008 06:44 PM

Can you upload the file to ThreatExpert and post the analysis here? 


It says it is not detected yet.

Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

=\ Can you post the link to the analysis by ThreatExpert here?
=\
Kudos 0

Re: Fake.AV

Just my 2 cents, but I wouldn't blame Norton. You have Norton antivirus, not Norton antimalware. They provide virus protection (though no antivirus could be 100%). The extra protection they add (malware, spyware, etc.) is just an extra, not the main focus of the program. That's the reason people have malware protection programs, along with others, in addition to the virus protection. I surf smart, use Norton, plus Ad-Aware, Spybot, Malwarebytes, SpywareBlaster, and a couple others. There is no one program which can give you 100% protection from everything, so don't trash your antivirus for missing malware you were unlucky enough to infect yourself with.
Kudos 0

Re: Fake.AV


Absntmind wrote:
Just my 2 cents, but I wouldn't blame Norton. You have Norton antivirus, not Norton antimalware. They provide virus protection (though no antivirus could be 100%). The extra protection they add (malware, spyware, etc.) is just an extra, not the main focus of the program. That's the reason people have malware protection programs, along with others, in addition to the virus protection. I surf smart, use Norton, plus Ad-Aware, Spybot, Malwarebytes, SpywareBlaster, and a couple others. There is no one program which can give you 100% protection from everything, so don't trash your antivirus for missing malware you were unlucky enough to infect yourself with.

Dear poster, it is in the nature of commercialism and capitalism that a quality product should perform 'as advertised', or at least give its best effort to achieve that.

NIS 2009, the whole 2009 line is advertised as being capable of 'removing and blocking spyware'.

In the settings, there is a checkbox which turns on the detection and removal of 'misleading applications'. These are precisely those we were discussing on this topic.

As you see here, Symantec behaves as advertised in its low footprint and memory usage.

On the other hand, SONAR and the antispyware module are blatantly inadequate and ineffectual. Symantec is lagging behind in intelligence and in detection, lagging behind FREE products. If I invest $50 in an application, I have every right to expect it to massively outperform the free applications.

And in these two cases, Norton has not proven itself worthy of that money. Windows Defender played nice, waited for 5 seconds as if it was waiting for Norton to do something, and when Norton didn't, it then showed me its red shielded warning window.

If NIS 2009 was priced at 20 bucks or lower, I'd say no biggie, but as the price is steeper, if it doesn't get better, faster and more intelligent than Windows Defender it is gone when my subscription ends.

Message Edited by TomiRed on 12-02-2008 08:20 PM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 2

Re: Fake.AV


TomiRed wrote:

And in these two cases, Norton has not proven itself worthy of that money. Windows Defender played nice, waited for 5 seconds as if it was waiting for Norton to do something, and when Norton didn't, it then showed me its red shielded warning window.


Ouch.  Now this concerns me.  So you don't actually know what Norton would have done if Defender had been disabled?  It is only your assumption that Defender was waiting for Norton.  For all you know, the five second delay represented a conflict which Defender won and maybe explains Norton's seeming lack of taking action.

I'd like to know how Norton would have performed without the doubling up.

Message Edited by mijcar on 12-02-2008 03:30 PM
mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos 1

Re: Fake.AV


mijcar wrote:

TomiRed wrote:

And in these two cases, Norton has not proven itself worthy of that money. Windows Defender played nice, waited for 5 seconds as if it was waiting for Norton to do something, and when Norton didn't, it then showed me its red shielded warning window.


Ouch.  Now this concerns me.  So you don't actually know what Norton would have done if Defender had been disabled?  It is only your assumption that Defender was waiting for Norton.  For all you know, the five second delay represented a conflict which Defender won and maybe explains Norton's seeming lack of taking action.

I'd like to know how Norton would have performed without the doubling up.

Message Edited by mijcar on 12-02-2008 03:30 PM

There is no use in playing smart'n'savvy on me, mij.

Norton sure performed some stuff in those seconds. It logged various happenings in the security logs (Community Watch,  System Activity...), then there was that nice log of NIS 2009 allowing the spyware application network access. That was especially cute! It even logged which url it contacted! Wow!

Did it warn me? Noooooooo. Did it block anything? God forbid!

Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

Norton recorded the actions. Now, then, it was up to SONAR to flag the actions as malicious. =\. SONAR seemed to have failed.
=\
Kudos 1

Re: Fake.AV


Tech0utsider wrote:
Norton recorded the actions. Now, then, it was up to SONAR to flag the actions as malicious. =\. SONAR seemed to have failed.
"Seemed to" is the operative phrase.  With two aggressive programs in play, only one will actually get to remove the malware.  Since TomiRed appears to have already made up his mind the fault is with Norton, we may never know the truth.  I am not defending Norton -- because at this moment there is nothing to defend.  Microsoft made Windows and Microsoft made Defender and when both Defender and Norton are competing to delete a file, it might just be Defender that gets first dibs.
mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos 0

Re: Fake.AV


Tech0utsider wrote:
Norton recorded the actions. Now, then, it was up to SONAR to flag the actions as malicious. =\. SONAR seemed to have failed.

I can say, though, for Norton, that those logs helped me clean up the leftovers. Windows Defender nuked only the final SpyProtector executable and several registry keys.

I had to delete the files in System32 folder manually, as well as the key that would make sure one of those files would be loaded into Winlogon.exe.

Defender also logged some of those, for instance:

Log Name:      System
Source:        Microsoft-Windows-Windows Defender
Date:          29.11.2008 7:05:16 PM
Event ID:      3004
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Zvijer
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
 For more information please see the following:
Not Applicable
     Scan ID: {FBCAFCE5-BB7D-4526-8E9B-3A8E6108C67B}
     User: ZVIJER\Tomislav
     Name: Unknown
     ID:
     Severity ID:
     Category ID:
     Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83};regkey:HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Spy Protector;contextmenu:HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Spy Protector;file:C:\Users\Tomislav\AppData\Roaming\shellex.dll
     Alert Type: Unclassified software
     Detection Type:

Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0
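The "Path Found" field in the Defender event above packs several artifacts into one semicolon-separated string, and Defender lists the same registry key twice (once as clsid or contextmenu, once as regkey). As an added example, not part of the thread and not Microsoft's or Symantec's code, here is a Python parser that splits that field, collapses the duplicates, and tags each artifact with the load point it represents (context-menu shell extension loaded into Explorer, Winlogon Notify package, Run key, BHO, COM class registration, DLL under the user profile). The load-point labels, the regexes, and the cleanup ordering (unhook registry entries before deleting the DLL) are my own assumptions; the sample event text is constructed from the post above with the other fields abbreviated.

```python
"""Parse a Windows Defender real-time protection event (ID 3004) and
classify the artifacts it lists against common persistence load points."""
import re
from collections import OrderedDict

# Constructed sample: the 'Path Found' line is copied from the event posted
# in the thread; the remaining fields are abbreviated.
SAMPLE_EVENT = r"""Windows Defender Real-Time Protection agent has detected changes.
     Scan ID: {FBCAFCE5-BB7D-4526-8E9B-3A8E6108C67B}
     User: ZVIJER\Tomislav
     Name: Unknown
     Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83};regkey:HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Spy Protector;contextmenu:HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Spy Protector;file:C:\Users\Tomislav\AppData\Roaming\shellex.dll
     Alert Type: Unclassified software
"""

PATH_FOUND_RE = re.compile(r"^\s*Path Found:\s*(.+?)\s*$", re.MULTILINE)

# Load points a practitioner checks when triaging 3004 artifacts. The labels
# are my own (assumption), not Defender categories.
LOAD_POINTS = [
    (re.compile(r"\\shellex\\ContextMenuHandlers\\", re.I),
     "shell extension: loaded into every Explorer.exe and file dialog"),
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\", re.I),
     "Winlogon Notify package: DLL loaded into winlogon.exe at logon"),
    (re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I),
     "Run key: started at every logon"),
    (re.compile(r"\\Explorer\\Browser Helper Objects\\", re.I),
     "BHO: loaded into Internet Explorer"),
    (re.compile(r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}$", re.I),
     "COM class registration: check InprocServer32 for the DLL it points at"),
    (re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\.*\.dll$", re.I),
     "DLL under the user profile: unusual location for a shell extension"),
]


def parse_defender_event(text):
    """Return [(kind, path), ...] from the 'Path Found' line of a 3004 event."""
    m = PATH_FOUND_RE.search(text)
    if not m:
        return []
    items = []
    for entry in m.group(1).split(";"):
        # split on the FIRST colon only: 'file:C:\...' keeps its drive letter
        kind, sep, path = entry.partition(":")
        if sep and kind.strip():
            items.append((kind.strip().lower(), path.strip()))
    return items


def unique_paths(artifacts):
    """Collapse the clsid/regkey/contextmenu duplicates Defender emits for
    one key; returns [(path, sorted kinds), ...] in first-seen order."""
    seen = OrderedDict()
    for kind, path in artifacts:
        seen.setdefault(path.lower(), (path, set()))[1].add(kind)
    return [(p, sorted(kinds)) for p, kinds in seen.values()]


def classify(path):
    """Labels from LOAD_POINTS that match the artifact path."""
    return [label for rx, label in LOAD_POINTS if rx.search(path)]


def cleanup_plan(text):
    """Ordered findings: registry load points first, files last, so the DLL
    is unhooked from Explorer before you try to delete it (else it is locked)."""
    findings = []
    for path, kinds in unique_paths(parse_defender_event(text)):
        findings.append({
            "path": path,
            "kinds": kinds,
            "labels": classify(path) or ["unclassified artifact"],
            "is_file": "file" in kinds,
        })
    findings.sort(key=lambda f: f["is_file"])  # stable: keeps registry order
    return findings


if __name__ == "__main__":
    for f in cleanup_plan(SAMPLE_EVENT):
        print(f["path"], "|", ",".join(f["kinds"]), "|", "; ".join(f["labels"]))
```

On the event from the post this yields three distinct artifacts: the CLSID registration, the ContextMenuHandlers entry that pulls the DLL into every Explorer process, and the DLL itself under the user's roaming profile, which is why TomiRed could not simply delete the file while Explorer still had it mapped.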

Re: Fake.AV


mijcar wrote:

Tech0utsider wrote:
Norton recorded the actions. Now, then, it was up to SONAR to flag the actions as malicious. =\. SONAR seemed to have failed.
"Seemed to" is the operative phrase.  With two aggressive programs in play, only one will actually get to remove the malware.  Since TomiRed appears to have already made up his mind the fault is with Norton, we may never know the truth.  I am not defending Norton -- because at this moment there is nothing to defend.  Microsoft made Windows and Microsoft made Defender and when both Defender and Norton are competing to delete a file, it might just be Defender that gets first dibs.

NIS 2009 had ample time to react, Spy Protector was up and running by that time.

And if you had been aware of the fact that Windows Defender presents the user with a UI dialog/warning where it strongly recommends you, the user, to remove that crap (that NIS 2009 allowed to have some fun on your machine), and deletes the files only after you click Remove, it would have saved you from creating and writing these funny eraser rivalry theories.

Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV


TomiRed wrote:

NIS 2009 had ample time to react, Spy Protector was up and running by that time.

And if you had been aware of the fact that Windows Defender presents the user with a UI dialog/warning where it strongly recomends you, the user, to remove that crap (that NIS 2009 allowed to have some fun on your machine), and deletes the files only after you click Remove, it would have saved you from creating and writing these funny eraser rivalry theories.


Sorry, TomiRed, all I have seen is your claim that NIS 2009 "had ample time" without the slightest logical basis for proving that.  Rhetoric, bombast, and personal slurs do not constitute evidence.

When you can show that NIS 2009 has the same behavior without Defender in place, then you will have made your point. 

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos 0

Re: Fake.AV

Will you risk running SpyProtector with Windows Defender disabled?

And does Windows Defender flag the downloaded file as malicious in an on-demand scan? If it does, Windows Defender is the hands-down winner.

Message Edited by Tech0utsider on 12-02-2008 07:25 PM
=\
Kudos 0

Re: Fake.AV

And yes, I will download Sandboxie and execute SpyProtecter. Norton should notice the malware running actively in memory. If not, then....

Message Edited by Tech0utsider on 12-02-2008 07:32 PM
=\
Kudos 0

Re: Fake.AV


mijcar wrote:

Sorry, TomiRed, all I have seen is your claim that NIS 2009 "had ample time" without the slightest logical basis for proving that.  Rhetoric, bombast, and personal slurs do not constitute evidence.

When you can show that NIS 2009 has the same behavior without Defender in place, then you will have made your point. 


Be my guest. Try it, you who have so much faith.

Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 1

Re: Fake.AV

The cached version of an older version of this web page was updated. As a result, I could no longer access the original website to obtain a sample. I found a similar website and downloaded the file.

The VirusTotal analysis is here: http://www.virustotal.com/analisis/5bcb220d7dcb4b5aba08786ace0fd9a6

Looking at it, Symantec once again fails to detect this variation.

I executed it from within Sandboxie. It failed to start, as you will see in the posted screenshots. Apparently it tried to disable essential services, such as COM+. It also tried to disable the Recycle Bin! and tried to hijack Windows Explorer =(

Such behaviors should be recognized by Bloodhound! Or be incorporated in the signatures!

Message Edited by Tech0utsider on 12-02-2008 08:03 PM
Message Edited by Tech0utsider on 12-02-2008 08:04 PM
Message Edited by Tech0utsider on 12-02-2008 08:08 PM
=\
Kudos 1

Re: Fake.AV

I still have the original installer of this threat on my disk (the one I ran and the one whose final offspring Defender killed)

I reanalyzed it, here is the result:  http://www.virustotal.com/analisis/a8693b16e9b66c92bb6367c7438d46b8

I scanned the folder it is in, with heuristics set to Aggressive.

NIS was quiet, said everything is OK. I guess the big bear Symantec moves kinda slow in the winter.

Message Edited by TomiRed on 12-03-2008 02:22 AM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 1

Re: Fake.AV

Alrighty. I realized that running the Sandbox w/o Admin priv. resulted in the errors =(

I have recorded several screenshots. SpyProtector was actively running in memory and SONAR did not flag a single thing. Shameful. I'll leave it up to you guys. In the mean time, I am seriously considering SpyProtector KIS09. It may have "many" false positives, however I can deal with those, since the FPs stem from malicious program alerts. Maybe 2010. =\

Kudos to Sandboxie!

And the Main GUI has some interesting sound effects, like shattering glass when closed and mines going off when files are being detected as malicious...=P
Message Edited by Tech0utsider on 12-02-2008 08:31 PM
=\
Kudos 1

Re: Fake.AV

Thanks for your excellent work testing, TechOutsider. Maybe someone who has VMWare or VirtualPC could also try this.
Message Edited by TomiRed on 12-03-2008 02:25 AM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 0

Re: Fake.AV

Maybe SSR could add this =\
=\
Kudos 0

Re: Fake.AV

Kudos to Windows Defender! I wonder why so many wanted the beta, and now its included w/ Vista and everyone hates it...

http://www.threatexpert.com/report.aspx?md5=21ad8edb7a3437e37600f37d91f1e25c

That is the ThreatExpert Report. I have already started a countdown to see how long SSR takes to add this threat...

technically a zero-day threat, at least to us Norton users; however over 50% of AV vendors have already added defs for this file.  =\

2 days and counting..file was submitted yesterday and the tracking is on the second page, posted 11-30..already 12-2!!!

Doesn't anyone care?! 

I can't fall asleep tonight! 

Message Edited by Tech0utsider on 12-02-2008 10:05 PM
=\
Kudos 0

Re: Fake.AV

Tech, as usual you have impressed me.  I wish I didn't have to press you to get the results, but for me words are not the convincer - not even my own - unless they are supported by something tangible.

I still have questions (let's say I am 99.9% convinced):

Other than Norton, SpyProtector was the only security software loaded? I am assuming the answer is "yes". I will also tentatively assume that Norton was not bothered by the presence of SpyProtector. At least it loaded up with no issues. More importantly, it did not detect the presence of the malware either by signature or behavior: that is the most powerful evidence to date. Previously, the malware was removed, so Norton had the "excuse" that the work was already done. But here the malware was in place and was actively trying to do its dirty work; and Norton saw nothing. (Maybe I should make that 99.999% convinced).

The remaining iota of that percentage is simply wondering to what extent Sandboxie emulates the framework of an unrestricted computer system. Not being a Sandboxie user myself (yet), I will take your word for it that the emulation is close to perfect.

Okay, it doesn't matter.  Anyone insisting on 100% conviction is going to spend a long time without any at all.

What you have established for me is that Symantec needs to be more immediate in response to discovered malware and not be so confident about heuristic detection as a fallback.

For my own personal security, rather than switch products, I would like to know if you've cleaned out the sandbox and are willing to try the same experiment with heuristics set to aggressive?  Not as a way of convincing me (you've made your point); but so I know if the heuristics are reliable at any setting.  Is this something you can do?

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos 0

Re: Fake.AV

If there is more than one security app installed and you are testing with malware, you will always be disappointed in one app. Because when one catches it, the other one won't be able to reach it.

Besides that isn't it much better to send the malware Norton isn't catching to Symantec? That way they can add the signatures

"All that we are is the result of what we have thought"
Kudos 0

Re: Fake.AV

Well guys....This is a very interesting thread....and a big one....

Reading it again closely, I would have to agree with both Tomi_Red and Tech0utsider. Although I'm a Norton supporter myself (I guess we all are, since we have a Symantec product and try to improve it by contributing at this support site), in this particular instance Norton failed to do the job.

It's not a bad thing to admit.  Bad is, not trying to improve.

Further, I also have always active my Windows Defender (for what its worth), and there have been times in the past that protected me, while NIS 08(at the time) did not.

We all agree, I guess, that one AV suite cannot be 100% solid proof. The question then is, what is the right combination of Security Suites for anyones' system.

At the moment I'm using: NIS 2009+TF+MBAM. 

But adding to Stu's comment, I would say that running more than one Security, can also drive you mad from time to time.

Kudos 0

Re: Fake.AV


TrDo wrote:

But adding to Stu's comment, I would say that running more than one Security, can also drive you mad from time to time.


OH. so that is what happened to me
 
Quads 
Kudos 0

Re: Fake.AV


Quads wrote:

TrDo wrote:

But adding to Stu's comment, I would say that running more than one Security, can also drive you mad from time to time.


OH. so that is what happened to me
 
Quads 

maybe ;)

"All that we are is the result of what we have thought"
Kudos 0

Re: Fake.AV

The first time, I executed the Sandbox with Restricted Privileges. That is why Sandboxie reported that several actions had failed; I simply did not have the permissions to ... disable the Recycle Bin ... or disable COM+

So, I executed it as an Administrator, which is not the default option in Vista. I used the context menu option. This time, SpyProtector hijacked most of my computer. However, as you can see in the screenies, SpyProtector had failed to create at least 1 temp. file, where malware often hide, such as in the case of Vundo/Virtumonde, which I was complaining about in another thread. Vundo/Virtumonde infects the browser cache and executes from there.

That was the only obvious pitfall of my experiment. SpyProtector was unable to create that particular file. That could have triggered Norton. However, I doubt it. =\

The Heuristics were set on Aggressive. Despite that pitfall, Norton should have been able to detect the actively running malware, which is known to download a malicious payload.

And Norton was the only security software loaded. Windows Defender was disabled via MSconfig and Services.msc. SpyProtector is not a security suite ...

And Sandboxie was not perfect. It allowed SpyProtector to create a shortcut on my desktop. Other than that, I was ok. Phew!

=\
Kudos 1

Re: Fake.AV

Hello,

First of all, my apologies for coming so late to this thread. The file spyprotector_install_4173.exe (21ad8edb7a3437e37600f37d91f1e25c) is now detected as "AntiVirus2008".

This is a relatively new variant of this misleading application and isn't too widespread, hence it managed to fly under our radar. We've invested a lot of work in the past few months into better detecting these misleading AV programs and their associated malware, but this sample managed to evade these detections. The generic and heuristic detections we create tend to have a limited lifespan before the authors determine how to evade our detections. An unfortunate side-effect of VirusTotal and similar tools is that they allow the authors of these applications to verify whether their handiwork is detected before releasing it to the wild. We're looking at our detections now to see what changes can be made to ensure that any new releases of this misleading AV are proactively detected.

If you run LiveUpdate later today you'll get the updated detection. You should have already received an email with this information.

Regards

Orla

Symantec Security Response

Kudos 0

Re: Fake.AV

This is good news, Orla, however as we already knew that you were going to add this to the signatures eventually, this is not the key issue.

The key issue is that another, free application detected this as a threat 5 days ago. As Symantec is a company that charged me money for protection, I expect its products to perform better and faster, not worse and slower. If that doesn't change, I will form an opinion that there are better ways to spend my money.

(I'm glad, by the way, that the new NIS09.exe installer doesn't force Windows Defender off. Now, that is a good call.)

Another issue is SONAR & heuristics. If NIS isn't that sure that something malicious is taking place to take drastic action, why doesn't it at least warn the user that something looks suspicious? And if nothing here seemed suspicious to the heuristic modules of NIS that's even worse.

The third issue is the slowness of Symantec. My NIS submitted this variant 5 days ago, I saw that in my logs. What is the point of Community Watch if it takes Symantec 5 days to react to a submitted malware sample???

Also, you might have noticed in  this thread that Tech0utsider tested yet another variant of the same installer. Does that now also fly under your radar?

Final point. An Idle Quick scan ran this morning. The file spyprotector_install_4173.exe is in my userfolder, in a subfolder. It wasn't picked up. I'll let you know when it will be.

Message Edited by TomiRed on 12-04-2008 01:27 PM
Windows 7 Ultimate x64 SP1 -- NIS 21
Kudos 1

Re: Fake.AV

I'll try to address all of the points you raise:

- Submission response times: in the current threat landscape, we see thousands of new samples on a daily basis. As a result, we need to prioritise samples so that we are responding as quickly as possible to the most prevalent and dangerous threats out there. As I mentioned previously, yours was the only sample we had received of this particular threat, hence it flew under the radar.

- Proactive/Heuristic Detections: While we've had tremendous success with SONAR it's not yet 100% effective against all threats (no behaviour-based detection is), which is why we continue to produce traditional signature-based detections. For our signature-based detections we try to use heuristic detections as much as possible so that we can cover multiple variants of the same threat or risk family. However, as I mentioned in the previous post, these detections have a limited lifespan until the threat authors figure out how to evade. We rework our heuristic detections on a regular basis to combat this.

- Another vendor detected the threat first: While we'd like to be first (and that's our aim!) in detecting all threats out there, sometimes we get beaten to the post. However, as a previous poster noted, you can check our overall comparative performance in independent tests:
http://www.av-comparatives.org/seiten/ergebnisse_2008_08.php
http://www.av-comparatives.org/seiten/ergebnisse_2008_11.php

- New variant: if you could indicate the md5 or submission number of the new variant I'll make sure we detect it.

The new definition should now be available through LiveUpdate. If you run LiveUpdate and scan again, the installer should be picked up. Let me know if you continue to have problems.

Thanks

Orla

Kudos 2

Re: Fake.AV

Orla, all that you say is well and good.  But there are additional things that you can do, things that neither cost more money nor take more time.

The main thing is to make better use of your resources.

Here is what I propose:

You have submissions for malware activity from two kinds of sources: those who know what they are doing and those who will send you any email attachment that shows up in their in-box. You need to distinguish between them. It would not be difficult to rank submitters by their track record. Those who show themselves to know what they are doing should either be given a different address to which to submit their files for checking or should be filtered by their email address into a different pool.

Submissions from reliable sources should be bumped up past the automatic checking straight to the human checkers.

Since this can be handled easily enough by software, it takes no effort, time, or money on your part.  It merely changes the order in which submissions are examined based on the submitter's track record.  Some like TomiRed or Tech0 would have almost immediate access to the examination team because they will have already done the important first analysis.

In other words, you have already established this community.  We have already become proficient to a large extent, each of us in the domains that we feel comfortable in and are interested in.  But so far the expertise that you helped bring together and encourage is largely being neglected.  Now is the time to start empowering us and gaining yourselves by using what we have to offer.

Message Edited by mijcar on 12-04-2008 09:01 AM
mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos 1

Re: Fake.AV

Although there are "99 Ways to Kill an Idea", in this particular instance I think that mijcar's idea stands conceptually and contextually correct.

With a bit of refinement from Symantec's side, I believe that it might really help.

TrDo.

Kudos 1

Re: Fake.AV


mijcar wrote:

The main thing is to make better use of your resources.

Here is what I propose:

You have submissions for malware activity from two kinds of sources: those who know what they are doing and those who will send you any email attachment that shows up in their in-box. You need to distinguish between them. It would not be difficult to rank submitters by their track record. Those who show themselves to know what they are doing should either be given a different address to which to submit their files for checking or should be filtered by their email address into a different pool.

Submissions from reliable sources should be bumped up past the automatic checking straight to the human checkers.

Since this can be handled easily enough by software, it takes no effort, time, or money on your part.  It merely changes the order in which submissions are examined based on the submitter's track record.  Some like TomiRed or Tech0 would have almost immediate access to the examination team because they will have already done the important first analysis.

In other words, you have already established this community.  We have already become proficient to a large extent, each of us in the domains that we feel comfortable in and are interested in.  But so far the expertise that you helped bring together and encourage is largely being neglected.  Now is the time to start empowering us and gaining yourselves by using what we have to offer.


Yes. Oftentimes I just leave the comments section blank because I know that either A) the machine detects it as malicious, or B) the machine does not and stores it.

Submission to SSR should be based on reputation. More weight should be put on reliable sources. This, Collective Intelligence, is what separates us from the competition. Like Norton Insight, which leverages data from 65 million users. Why not leverage those people for malware detection as well?

=\
Kudos 0
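mijcar's proposal above, and Tech0utsider's reply to it, describe a routing rule: score submitters by track record and send submissions from proven sources straight to a human analyst instead of the automated pool. As an added example, not from the thread and not Symantec's submission system, here is a Python sketch of that rule. It scores a submitter by the lower bound of the Wilson interval on their confirmed-malicious rate, so one lucky hit does not outrank a long record, which a raw ratio would get wrong. The 0.8 threshold, the verdict labels and all submitter statistics are constructed assumptions; the two MD5s are the ones posted in this thread, but the histories attached to them are made up.

```python
"""Reputation-weighted triage of malware submissions: rank submitters by
track record and let proven submitters bypass the automated pool."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Submitter:
    name: str
    confirmed_malicious: int = 0   # past submissions that became detections
    total_resolved: int = 0        # past submissions that received a verdict


def reputation(s, z=1.96):
    """Lower bound of the Wilson score interval (95% confidence) on the
    submitter's hit rate. A newcomer with 1/1 scores far below a veteran
    with 95/100; a plain ratio would rank the newcomer higher."""
    n = s.total_resolved
    if n == 0:
        return 0.0
    p = s.confirmed_malicious / n
    z2 = z * z
    centre = p + z2 / (2 * n)
    spread = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n))
    return (centre - spread) / (1 + z2 / n)


@dataclass(frozen=True)
class Submission:
    md5: str
    submitter: Submitter
    automated_verdict: str   # "malicious", "clean" or "unknown" (assumed labels)


TRUSTED = 0.8   # assumed cut-off; tune against real submitter history


def route(sub):
    """Trusted submitters skip the automated pool and go straight to an
    analyst; everyone else is handled by the automated verdict."""
    if reputation(sub.submitter) >= TRUSTED:
        return "analyst"
    if sub.automated_verdict == "malicious":
        return "auto-detected"
    return "automated-pool"   # stored, looked at when prevalence rises


def analyst_queue(subs):
    """Submissions waiting for a human, most reliable submitter first."""
    queue = [s for s in subs if route(s) == "analyst"]
    return sorted(queue, key=lambda s: reputation(s.submitter), reverse=True)


# Constructed sample history (assumption, not real forum members' statistics).
VETERAN = Submitter("veteran", confirmed_malicious=95, total_resolved=100)
REGULAR = Submitter("regular", confirmed_malicious=40, total_resolved=42)
NEWCOMER = Submitter("newcomer", confirmed_malicious=1, total_resolved=1)
FORWARDER = Submitter("forwarder", confirmed_malicious=2, total_resolved=40)

SAMPLE = [
    Submission("21ad8edb7a3437e37600f37d91f1e25c", REGULAR, "unknown"),
    Submission("fe6b29b732087ea22b6d1d943c4ffa97", VETERAN, "unknown"),
    Submission("0" * 32, NEWCOMER, "unknown"),
    Submission("1" * 32, FORWARDER, "malicious"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.md5} {s.submitter.name:10} rep={reputation(s.submitter):.3f} -> {route(s)}")
```

With these numbers the two "unknown" samples from the veteran and the regular land in the analyst queue (veteran first), the newcomer's unknown sample stays in the automated pool, and the forwarder's sample is already covered by an automated detection, so nobody's time is spent on it.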

Re: Fake.AV

The variant is not detected after running LiveUpdate multiple times. As for the original file, I no longer have access to the link. If someone could PM me the link, that would be nice.

The variant's MD5 is fe6b29b732087ea22b6d1d943c4ffa97

Message Edited by Tech0utsider on 12-04-2008 06:21 PM
=\
Kudos 0

Re: Fake.AV

Hello Tech0utsider,

Since Orla explained that it would be posted later today, you might want to wait till tomorrow to run LiveUpdate, as "later today" could be anytime today.

This thread is closed from further comment. Please visit the forum to start a new thread.