
Question about effectiveness of AV


6 replies to this topic

#1 cyber8607

  • Members
  • 3 posts

Posted 19 February 2015 - 01:23 PM

Hi guys,

I just have a question about the effectiveness of AV.

98% of our customers are using Trend Micro Worry-Free Advanced or Trend Micro OfficeScan with different anti-spam products.

The first of our customers got infected by TorrentLocker (by mail) in November 2014.

How could it be that after 4 months other customers still get infected by TorrentLocker (by mail), even with the AV up to date?

Sorry for my stupid question, but I can't explain it.

Thanks


#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,670 posts
  • Gender:Male

Posted 19 February 2015 - 01:27 PM

Hi cyber8607 :)

You must keep in mind that an antivirus won't protect you if the user allows malware to go through. Hence why it's important for the user to still use his common sense and brain when browsing the web and using a computer. It doesn't matter how much security software you have installed on a computer; if the user, the one who controls everything, allows a certain file or action to be executed, the system will be infected despite all the protection on it. I'm sure that if you scan the TorrentLocker executable with Trend Micro, it'll be detected. However, if the user allowed the file through on his own, then there's nothing really Trend Micro could do, or it couldn't have done it fast enough to prevent the infection. If your customers get infected by cryptoware a lot, I suggest you recommend that they install CryptoPrevent to prevent these kinds of infections. Once again, CryptoPrevent doesn't make the system bullet-proof against cryptoware, but it reinforces it a lot.

http://www.foolishit.com/vb6-projects/cryptoprevent/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 cyber8607

  • Topic Starter
  • Members
  • 3 posts

Posted 19 February 2015 - 01:51 PM

Hmmm, OK...

But usually the AV scans the file when you try to open it, right?

So theoretically it should give you a warning or stop you from continuing.

You can imagine how the customer reacts: "How could it be possible that your PC has been infected despite an antivirus? I paid a lot for the antivirus."

OK, for new viruses/adware/ransomware etc. I could understand it. But when the virus etc. has been circulating for months, I understand the customer.

I'm not ranting against Trend Micro. I have seen the same situation on many other PCs with Avira/AVG/Avast and so on.

My personal opinion is that an antivirus is only there to ease the conscience.

The brain is the better protection.



#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,670 posts
  • Gender:Male

Posted 19 February 2015 - 01:53 PM

If the antivirus isn't fast enough to react to the execution, there's nothing it can do. Also, who knows, maybe that TorrentLocker stub was crypted in a way that made it "UD" or "FUD" to Trend Micro; it's possible. This is why malware that has existed for ages is still being spread, like DarkComet. Every antivirus vendor has the basic DarkComet stub detection in their database, but not all of them have its "variants" where it's been crypted by a crypter. This is another possibility. If your customer relies 100% on his antivirus to stay safe, then he's wrong, and he's also a bit at fault for getting infected.

Edited by Aura., 19 February 2015 - 01:54 PM.



#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 February 2015 - 01:59 PM

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering and user interaction... opening malicious email attachments (usually from an unknown or unsolicited source), opening infected Word docs with embedded macro viruses, clicking on a malicious link within an email or on a social networking site, and sometimes via exploit kits. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) such as this example that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment.

US-CERT advises there have been reports that some victims encounter crypto malware following a previous infection from botnets such as Zbot (Zeus) which downloads and executes the ransomware as a secondary payload from infected websites. GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family, was a botnet used as a distribution platform for CryptoLocker that infected an estimated 500,000 to 1 million computers. Other types of crypto malware have been reported to spread on YouTube ads, via browser exploit kits and drive-by downloads when visiting compromised web sites. US-CERT advises crypto malware has the ability to find and encrypt files located within shared (or mapped) network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.

It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software. Security begins with personal responsibility and following Best Practices for Safe Computing.

No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
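The delivery tricks quietman7 lists (fake PDFs, Word documents carrying macros, executables behind document-looking names, Order Confirmation lures) are exactly what a mail gateway can hold before a user ever sees the attachment. The following is an added illustration of that triage, not code from this thread or from any vendor; the extension lists, the magic-byte table, the threshold of "any reason means quarantine" and the sample attachment names and bytes are all constructed for the example.

```python
"""Mail-gateway attachment triage for the delivery tricks described above:
fake PDFs, macro-carrying Office documents and executables hiding behind
document names. Added illustration; the lists below are assumptions, not
any vendor's rule set."""
from typing import List, Tuple

# Extensions Windows runs directly on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Office formats that can carry macros, the "embedded macro" vector.
MACRO_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm",
              ".xltm", ".pptm"}
# Document extensions that phishing lures borrow for double-extension names.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Leading bytes that identify the real container regardless of the name.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe"),                 # Windows executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),        # also OOXML (.docx/.xlsm/...)
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy binary Office .doc/.xls
]


def sniff(head: bytes) -> str:
    """Classify the first bytes of an attachment; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, head: bytes) -> List[str]:
    """Return the reasons an attachment should be held; an empty list means deliver."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    kind = sniff(head)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment ({ext})")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"double extension disguises executable as {inner_ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"Office format that can carry macros ({ext})")
    if ext == ".pdf" and kind != "pdf":
        reasons.append(f"named .pdf but content looks like {kind}")
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append("Windows executable content behind a non-executable name")
    return reasons


def verdict(filename: str, head: bytes) -> str:
    """Gateway decision: any reason is enough to quarantine (assumed policy)."""
    return "quarantine" if triage(filename, head) else "deliver"


# Constructed sample attachments: names and leading bytes are made up.
SAMPLES = [
    ("Statement_Feb2015.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("Invoice_2015.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("UPS_Tracking_1Z999.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Order_Confirmation.docm", b"PK\x03\x04\x14\x00\x06\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:26} {verdict(name, head):10} {'; '.join(triage(name, head))}")
```

The two checks that matter most here are the ones that do not trust the filename at all: a file called `.pdf` whose first bytes are `MZ` is a Windows executable whatever the icon suggests, and an OOXML container with a macro-enabled extension deserves a hold even when its bytes look like any other zip. Everything the user-education advice in this thread relies on (reading the name, recognising the lure) happens after this point, so the gateway is the cheaper place to stop it.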

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,608 posts

Posted 19 February 2015 - 02:07 PM

Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer, created the following guide which all users should read: The ascension of Crypto-Ransomware and what you need to know to protect yourself

Give a copy to your customers.

#7 Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender:Male

Posted 19 February 2015 - 04:21 PM

cyber8607 wrote:

    But usually the AV scans the file when you try to open it, right?

Actually, the AV will scan the file even before you try to open it. Files are also scanned when they are written to disk. So when you try to open an e-mail attachment, it will first be saved to disk, and scanned at the same time.

cyber8607 wrote:

    OK, for new viruses/adware/ransomware etc. I could understand it. But when the virus etc. has been circulating for months, I understand the customer.

These criminals constantly change their malware, to avoid AV detection. For example, once their malware gets detected by AV, they will use so-called packers to produce a variant of their malware that is not detected.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
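Didier's point about packers, and Aura's earlier one about a stub being "crypted" until it is "UD" or "FUD", both come down to the same thing: a repacked variant shares none of the static fingerprints (file hash, byte signature) that the up-to-date AV learned from the original. The block below is an added illustration of that effect from the scanner's side, not code from this thread or from any AV vendor. It stands in a zlib-compressed buffer for the packer, a constructed text-like buffer with a marker string for the "known sample", and an entropy threshold of 7.0 bits per byte for the heuristic; all three are assumptions made for the example, and the scanner's unpack step only understands its own toy stub.

```python
"""Why a months-old family keeps slipping past up-to-date AV: repacking
changes every static fingerprint. Added illustration, not vendor code."""
import hashlib
import math
import random
import zlib
from typing import Optional, Set

STUB = b"MZ-TOY-STUB"      # constructed stand-in for a packer's loader stub
ENTROPY_THRESHOLD = 7.0    # assumed heuristic cut-off, bits per byte (max 8)


def build_sample() -> bytes:
    """Constructed stand-in for a known sample: a text-like body plus a
    marker string a signature could key on. Not an executable."""
    rng = random.Random(2015)
    vocabulary = [f"word{i}" for i in range(64)]
    body = " ".join(rng.choice(vocabulary) for _ in range(2000)).encode()
    return b"MZ" + body + b" TOY-FAMILY-MARKER " + body[:500]


SAMPLE = build_sample()
SIGNATURE = b"TOY-FAMILY-MARKER"   # the "known stub detection" in the database


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_hit(data: bytes, sig: bytes = SIGNATURE) -> bool:
    return sig in data


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Compressed or encrypted payloads
    sit close to 8; plain code and text sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pack(data: bytes) -> bytes:
    """Toy 'packer': hides the body behind compression. Real packers also
    carry an unpacking routine; this only reproduces the effect on static scans."""
    return STUB + zlib.compress(data, 9)


def unpack(data: bytes) -> Optional[bytes]:
    """The scanner's matching unpacker; returns None for anything it does not recognise."""
    if not data.startswith(STUB):
        return None
    try:
        return zlib.decompress(data[len(STUB):])
    except zlib.error:
        return None


def scan(data: bytes, known_hashes: Set[str], heuristics: bool = True,
         _unpacked: bool = False) -> str:
    """Layered static scan (on-write or on-open): exact hash, then byte
    signature, then an entropy heuristic that triggers unpack-and-rescan."""
    suffix = " (after unpacking)" if _unpacked else ""
    if sha256(data) in known_hashes:
        return "detected: known hash" + suffix
    if signature_hit(data):
        return "detected: byte signature" + suffix
    if heuristics and not _unpacked and entropy(data) > ENTROPY_THRESHOLD:
        inner = unpack(data)
        if inner is None:
            return "suspicious: high-entropy payload the scanner cannot unpack"
        return scan(inner, known_hashes, heuristics, _unpacked=True)
    return "clean"


if __name__ == "__main__":
    database = {sha256(SAMPLE)}
    packed = pack(SAMPLE)
    print("original   :", scan(SAMPLE, database))
    print("entropy    : %.2f -> %.2f" % (entropy(SAMPLE), entropy(packed)))
    print("packed, no heuristics:", scan(packed, database, heuristics=False))
    print("packed, with unpack  :", scan(packed, database))
```

Read the last two lines together: the signature-only scanner reports the repacked variant as clean even though the same family signature would fire the moment the payload is unpacked, which is the situation cyber8607's customers were in. The entropy check is the generic layer that turns "no signature matched" into "this needs a closer look", and it is also why a scanner that only sees the file as written to disk wants an unpacking or emulation step behind it.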
