
Dumb question about virus products in general


3 replies to this topic

#1 Furvy

Furvy

  • Members
  • 15 posts

Posted 06 August 2010 - 05:40 PM

Having seen a ton of malware in my day, there is always a nagging question that I would love to get answered by one of the experts here.

Why is it that absolutely no antivirus program, Norton, McAfee, AVG, etc. can't pick up viruses when there are 3 extremely simple, standardized rules for just about every modern infection I have seen?

1st rule) The virus will have a random name. Do you mean to tell me that there is NO way that any product can effectively pick up a file with a random name?

2nd rule) It will be stored in the Application Data or AppData folder. Is it really that hard to make a product that continuously monitors these folders?

3rd rule) Proxy settings for IE are set to 127.0.0.1. In what case would this be used except for a virus? Why don't they automatically detect and fix this?

Just some curious questions. It just seems like every antivirus program is a piece of dead weight and that if someone really wanted to, they could easily write a program that actually takes care of these issues. I'm just curious why even the absolute latest and greatest and most expensive products don't work to take care of these no-brainer trends?


#2 the dummy

the dummy

  • Members
  • 46 posts

Posted 06 August 2010 - 08:05 PM

It's hard to prevent something YOU let in and gave admin rights to. Products like Sandboxie, Returnil, etc., that isolate or flush the nasties are the way to go.
Yes, many do think of AVs as a dying breed as far as blacklisting goes, and that's why more of the newer releases combine sandboxes, HIPS, and other items to try and keep up.

Edited by the dummy, 06 August 2010 - 08:06 PM.


#3 Platypus

Platypus

  • Moderator
  • 14,661 posts
  • Gender:Male
  • Location:Australia

Posted 06 August 2010 - 08:51 PM

You might like to experiment with DriveSentry:

http://en.wikipedia.org/wiki/DriveSentry

I'll leave it to the Malware experts who deal with infections daily to comment on the specifics of file locations, if they choose to respond. But I do wonder why you feel "that absolutely no antivirus program, Norton, McAfee, AVG, etc can't pick up viruses (sic)" - obviously they can.

Do you mean to tell me that there is NO way that any product can effectively pick up a file with a random name?

Yes. There is nothing inherent about a filename that makes it random. "Random" simply means occurring without bias. A randomly generated string of characters is just as likely to end up being iexplore as it is to come out qiofurld. That's what makes it random. We recognise the likelihood of a seemingly weird name having been randomly generated because we maintain a mental "whitelist" of strings we recognise, and we know random occurrence is a possible cause for unrecognised sequences. But being in another language is also a possible cause for non-recognition. Programs like DriveSentry duplicate this process using a whitelist, but the technique can fail because being randomly generated is not the only possible cause for being unrecognised. DriveSentry uses other heuristic techniques as well, such as cloud queries, to maximise the potential of a correct decision about a file.

Proxy settings for IE are set to 127.0.0.1. In what case would this be used except for a virus?

"127.0.0.1 is used whenever a program needs to access a network service running on the same computer as itself."

(http://what-is-what.com/what_is/127.0.0.1.html)

Anything that needs to establish a proxy on the local host will use this, whether it is malicious or legitimate. An example of a legitimate application is parental control software or network monitor. That's the way things work, so malicious software will use the same technique to get access to network traffic.

Edited by Platypus, 06 August 2010 - 08:53 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 August 2010 - 03:45 PM

One of my teachers a long time ago told me "the only dumb question is the one not asked".

Malware can be named anything and can hide anywhere on your system. Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut, which is a dangerous polymorphic file infector.

Other types of malware like backdoor Trojans, botnets, and IRC bots use rootkit components to conceal their presence (hide from view) in order to prevent detection and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware, and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus, combined with common sense and safe surfing habits, provides the most complete protection.
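The three signs discussed in this thread (a core system name running from the wrong folder, a startup entry launching from AppData, and an IE proxy of 127.0.0.1) can be checked in one pass; the PowerShell triage script below is an added example, not code from the thread or from any product named in it, and its list of core process names and allowed folders is an illustrative assumption. It only reports leads: as Platypus notes, a loopback proxy and AppData startup entries can both be legitimate.

```powershell
# Added triage script (not from this thread or any product named in it).
# Reports the three signs discussed above. Run as Administrator so that
# Get-Process can read the image path of system processes.

$sys32 = Join-Path $env:SystemRoot 'System32'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'

# 1. A core system name running from an unexpected folder (quietman7's svchost.exe case).
#    The name list and allowed folders are illustrative assumptions, not a complete map.
$allowed = @{
    'svchost.exe'  = @($sys32, $wow64)
    'lsass.exe'    = @($sys32)
    'csrss.exe'    = @($sys32)
    'services.exe' = @($sys32)
    'winlogon.exe' = @($sys32)
    'explorer.exe' = @($env:SystemRoot)
}
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $name = (Split-Path $_.Path -Leaf).ToLower()
    if ($allowed.ContainsKey($name)) {
        $dir = Split-Path $_.Path -Parent
        if ($allowed[$name] -notcontains $dir) {
            "[LOCATION] PID $($_.Id): $name running from $dir (expected $($allowed[$name] -join ' or '))"
        }
    }
}

# 2. Startup (Run key) entries that launch something from the AppData / Application Data
#    tree (the OP's 2nd rule). Legitimate updaters also live there, so treat hits as leads.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        # PS* properties are provider metadata added by Get-ItemProperty, not Run entries
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match '\\(AppData|Application Data)\\') {
            "[STARTUP] $key\$($p.Name) -> $($p.Value)"
        }
    }
}

# 3. IE / WinINET proxy pointing at the local machine (the OP's 3rd rule). Parental-control
#    and monitoring software set this legitimately, so identify the listener before acting.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and "$($inet.ProxyServer)" -match '127\.0\.0\.1|localhost') {
    "[PROXY] Proxy enabled and set to loopback: $($inet.ProxyServer)"
}
```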



