Immunet Version 3.0 – The Next Step In Anti-Malware Protection

February 10, 2011 by admin  
Filed under Security News

Introduction to 3.0

 

On February 9th we will be releasing our version 3.0 with some notable changes and improvements.

 

Before I detail what’s new from a feature perspective, I should also note that we are changing the name of the product with this release: the new name is Immunet 3.0 – Powered by ClamAV. The new product will look like this screenshot here:

 

[Screenshot of the Immunet 3.0 user interface]

 

In addition to our name change, you will also note a change in the icon we use in your tray. The new icon is the ’star burst’ in white and blue; it should look like this in your tray:

[Screenshot of the new tray icon]

 

The name change is the result of the acquisition of Immunet Corp by Sourcefire Inc. This acquisition has brought both the Immunet and ClamAV teams under the same roof to deliver our 3.0 release and future products.

 

New Features

Our 3.0 release was primarily intended to sharpen our focus on malware detection and to provide comprehensive protection to users who are not always connected to the cloud. Some of the features we have added are cutting edge and allow both advanced and basic users of our software to benefit from much higher detection rates. Our new features are detailed below.

 

Complete Offline Protection

The 3.0 release will now ship with an ‘Offline’ engine. This engine (ClamAV 0.97), once enabled, will automatically pull down our latest detection sets and allow for complete detection coverage, even when you are not connected to the Internet. We are creating detections for ‘hot’ threats prevalent on the net, so that you will be protected from current ‘in the wild’ threats and their variants. With our Offline protection we now also have several complex detection engines native to the desktop, with support for file formats such as .DOC, .XLS, HTML etc. as well as strong unpacking support.

 

If you are installing fresh, you will have the option to install this engine turned ‘On’ by default. If you are upgrading from ClamAV for Windows, this engine will be turned off by default. The screenshot here shows how to enable it from the ‘Settings’ feature on the front of the User Interface.

 

[Screenshot: enabling the Offline engine from Settings]

 

Cloud Recall

One of the advantages of a Cloud model for hunting and identifying threats is that we are able to retain and analyze vast amounts of data about what our community is seeing at any given time. Unlike traditional Anti-Virus, or even other Cloud Anti-Virus, we constantly reconsider all the data we see or have seen in our community. This allows us to evaluate every decision we have made about a file in our community and see if we still agree with that decision as time advances. If we find that our position on the security of a file in our community has changed because of new information on that file, we can now seamlessly act on it. To put this in practical terms: if you look up a file today and we do not know it is malicious yet, and tonight or tomorrow we discover it is malicious, we will alert your system to find the file and remove it, all without you needing to download a single definition update. This ‘Cloud Recall’ ensures that your security advances with every new piece of information we become aware of. You will always know as much as we do, when we do.
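To make the Cloud Recall idea concrete, here is an added Python sketch (not Immunet’s code) of the server-side state such a recall needs: a journal of which endpoint saw which file hash, the current verdict per hash, and a per-endpoint queue of recall actions that is drained on the next check-in rather than by a definition download. The class, method names and the "H1" hash value are assumptions of this example; it also handles the reverse case of a verdict being withdrawn, which queues a restore instead of a quarantine.

```python
from collections import defaultdict


class CloudVerdictStore:
    """Hypothetical cloud-side store: sightings journal + verdicts + pending recalls."""

    def __init__(self):
        self.sightings = defaultdict(set)  # file_hash -> {(endpoint, path)}
        self.verdicts = {}                 # file_hash -> "clean" | "malicious"
        self.pending = defaultdict(list)   # endpoint -> [(action, path, file_hash)]

    def lookup(self, endpoint, path, file_hash):
        """An endpoint asks about a file: remember who saw it, answer with what we know now."""
        self.sightings[file_hash].add((endpoint, path))
        return self.verdicts.get(file_hash, "unknown")

    def reclassify(self, file_hash, new_verdict):
        """New intelligence changes a verdict. Every endpoint that ever reported this hash
        gets a recall action queued. Returns how many sightings were recalled."""
        old = self.verdicts.get(file_hash, "unknown")
        self.verdicts[file_hash] = new_verdict
        if old == new_verdict:
            return 0
        # Becoming malicious means quarantine; a withdrawn verdict means restore.
        action = {"malicious": "quarantine", "clean": "restore"}.get(new_verdict)
        if action is None:
            return 0
        for endpoint, path in self.sightings[file_hash]:
            self.pending[endpoint].append((action, path, file_hash))
        return len(self.sightings[file_hash])

    def poll(self, endpoint):
        """The endpoint checks in: hand over and clear its queued recall actions."""
        actions, self.pending[endpoint] = self.pending[endpoint], []
        return actions


def demo():
    """Constructed walk-through: two endpoints see the same unknown file, then it turns bad."""
    store = CloudVerdictStore()
    first = store.lookup("pc-1", r"C:\tmp\setup.exe", "H1")   # "unknown" today
    store.lookup("pc-2", r"D:\downloads\setup.exe", "H1")
    recalled = store.reclassify("H1", "malicious")            # tomorrow: 2 sightings recalled
    return first, recalled, store.poll("pc-1")


if __name__ == "__main__":
    print(demo())
```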

 

Custom Signature Creation

Something which has been missing in modern Windows Anti-Virus products is a feature which allows advanced users to craft and deploy their own signatures or detection capabilities. With 3.0 we now offer the first Windows Anti-Virus product which allows our users to write their own detections with our engines just as we would.

 

Users can now hunt threats (or Advanced Persistent Threats, if you like) by creating signatures which range from simplistic (straight MD5 matches) to complex (logically chained expressive signatures with offset support and wildcarding). Signature management is done with the new SigUI tool, which is available in Start -> All Programs -> Immunet 3.0 and looks like this:

 

[Screenshot of the SigUI signature management tool]

 

Documentation for the SigUI may be found here and our manual for creation of signatures can be found here. We encourage you to write your signatures and post them to our online Forum.
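To show what the range from straight MD5 matches to offset-aware, wildcarded and logically chained signatures looks like in practice, here is an added Python example (not Immunet’s or ClamAV’s own code) that parses a small constructed database in simplified .hdb, .ndb and .ldb line formats and scans two constructed byte strings with it. The signature names, the sample bytes and the supported logical-expression subset (indices joined by & and |, no parentheses) are assumptions of this example.

```python
import hashlib
import re

# Constructed sample inputs (not real malware): a fake dropper and a clean file.
SAMPLE_MALWARE = b"MZ" + b"\x90" * 6 + b"EVIL-DROPPER" + b"\x00" * 8 + b"http://bad.example/\x00"
SAMPLE_CLEAN = b"MZ" + b"\x00" * 20 + b"hello world"

def hex_to_regex(hexsig):
    """Convert a hex signature into a bytes regex; each '??' pair matches any single byte."""
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return b"".join(parts)

def match_hex(data, hexsig, offset="*"):
    """Offset '*' means anywhere in the file; a number anchors the match at that byte."""
    pat = re.compile(hex_to_regex(hexsig), re.DOTALL)
    if offset == "*":
        return pat.search(data) is not None
    return pat.match(data, int(offset)) is not None

def match_hdb(data, line):
    """Hash signature (.hdb): MD5:FileSize:Name. Size '*' means any size."""
    md5, size, name = line.split(":")
    size_ok = size == "*" or int(size) == len(data)
    return name if size_ok and hashlib.md5(data).hexdigest() == md5 else None

def match_ndb(data, line):
    """Body signature (.ndb): Name:TargetType:Offset:HexSignature (target type ignored here)."""
    name, _target, offset, hexsig = line.split(":")
    return name if match_hex(data, hexsig, offset) else None

def eval_expr(expr, results):
    """Assumed subset of the logical syntax: subsignature indices joined by '&' and '|',
    with '&' binding tighter than '|' and no parentheses."""
    return any(all(results[int(i)] for i in term.split("&")) for term in expr.split("|"))

def match_ldb(data, line):
    """Logical signature (.ldb): Name;TargetDescription;Expression;Subsig0;Subsig1;...
    A subsignature may carry its own offset as Offset:HexSignature."""
    name, _tdb, expr, *subsigs = line.split(";")
    results = []
    for sub in subsigs:
        offset, hexsig = sub.split(":", 1) if ":" in sub else ("*", sub)
        results.append(match_hex(data, hexsig, offset))
    return name if eval_expr(expr, results) else None

# Constructed signature database covering all three formats.
SIG_DB = [
    ("hdb", hashlib.md5(SAMPLE_MALWARE).hexdigest() + ":" + str(len(SAMPLE_MALWARE)) + ":Example.Dropper.Hash"),
    ("ndb", "Example.Dropper.Marker:0:8:4556494c2d44524f50504552"),          # "EVIL-DROPPER" exactly at offset 8
    ("ndb", "Example.Dropper.URL:0:*:687474703a2f2f??????2e6578616d706c65"),  # "http://" + any 3 bytes + ".example"
    ("ldb", "Example.Dropper.Logical;Target:0;0&1;0:4d5a;4556494c"),         # "MZ" at offset 0 AND "EVIL" anywhere
]

def scan(data, db=SIG_DB):
    """Return the names of every signature in db that matches data."""
    matchers = {"hdb": match_hdb, "ndb": match_ndb, "ldb": match_ldb}
    return [hit for hit in (matchers[kind](data, line) for kind, line in db) if hit]

if __name__ == "__main__":
    print("malware sample:", scan(SAMPLE_MALWARE))
    print("clean sample:  ", scan(SAMPLE_CLEAN))
```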

 

All in all, this represents the most ambitious release we have ever done. The beta program for this version has been full of very positive feedback and we are excited by its general release.

 

If you have any feedback about this release or questions, please do not hesitate to email me at ahuger @ sourcefire.com .

 

Beware of rogue security software: Fake AVG

February 1, 2011 by admin  
Filed under Security News

We have noticed rogue antivirus software that pretends to be AVG Anti-Virus 2011. As usual, social engineering is in use: well-known names (AVG, Microsoft Security Essentials) and the designs of trusted applications are present in order to increase credibility.

 

[Screenshot of the fake AVG Anti-Virus 2011 software]


SophosLabs – What is Fake Anti-Virus?

August 1, 2010 by admin  
Filed under Security Channel

McAfee signature update Kill Windows systems

April 23, 2010 by admin  
Filed under Security News

[Image: McAfee]

 

A flawed signature update (DAT 5958) from McAfee yesterday (Wednesday) caused the system file svchost.exe to be identified and quarantined as the virus W32/Wecorl.a under Windows XP SP3. This resulted in affected systems rebooting (30 second countdown) and then entering an endless boot loop, repeatedly restarting.

 

According to McAfee’s user forum, large numbers of businesses are affected. To resolve the problem, the vendor is advising users to download an updated signature (DAT 5959) on an unaffected computer, copy it to a USB drive, restart the affected computer in safe mode with network support (press F8 while booting) and connect the USB drive. Double-clicking on the file 5959xdat.exe will then install the new signature. In most cases, users will then need to restore the svchost.exe file. McAfee has provided instructions for doing so.

 

Alternatively, the file extra.dat (direct download) can be used to prevent the flawed signature from disabling the system. Users should copy this file onto a USB drive, copy it from there into the c:\Program Files\Common Files\McAfee\Engine folder on the affected system (in safe mode) and restart the computer. Here again, svchost.exe will need to be manually restored or retrieved from quarantine.

 

These fixes involve a fair bit of work for administrators, as it is not possible to resolve the problem from a central management console. On large networks this is likely to result in a few late nights. McAfee has also released an automated solution in the form of an executable file (direct download).

 

McAfee has a function for intercepting false positives, but this only works for files on the hard drive – the problem here, according to McAfee, is that the false positive is triggered by the memory scan, which can’t be intercepted.

 

As an interesting side note, McAfee’s bug added an extra dose of realism to a disaster exercise being held by one Iowa community, when the emergency centre computers and communications systems failed. The teams were forced to fall back on old radio systems.

 

As past stories from The H show, McAfee is not alone among anti-virus vendors in causing disruption through issuing a flawed update.


Source : www.h-online.com


AVG Rescue CD A powerful toolset for rescue & repair of infected machines

March 26, 2010 by admin  
Filed under Removal Tips,Tools and Videos

[Image: AVG Rescue CD]

The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals and includes the following features:

  • Comprehensive administration toolkit
  • System recovery from virus and spyware infections
  • Suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems)
  • Ability to perform a clean boot from CD or USB stick
  • Free support and service for paid license holders of any AVG product
  • FAQ and Free Forum self-help support for AVG Free users

 

 

Key technologies

 

  • Anti-virus: protection against viruses, worms and Trojans
  • Anti-spyware: protection against spyware, adware and identity theft
  • Administration toolkit: system recovery tools

 

The AVG Rescue CD is essentially a portable version of AVG Anti-Virus supplied through Linux distribution. It can be used in the form of a bootable CD or bootable USB flash drive to recover your computer when the system cannot be loaded normally, such as after an extensive or deep-rooted virus infection. In short, the AVG Rescue CD enables you to fully remove infections from an otherwise inoperable PC and render the system bootable again.

 

Apart from the usual AVG functions (malware detection and removal, updates from internet or external device, etc.), the AVG Rescue CD also contains the following set of administration tools:

  • Midnight Commander – a two-panel file manager
  • Windows Registry Editor – simple registry editor for more experienced users
  • TestDisk – powerful hard drive recovery tool
  • Ping – to test the availability of network resources (servers, domains, IP addresses)
  • Common Linux programs and services – vi text editor, OpenSSH daemon, ntfsprogs etc.

 

Free of charge

 

The AVG Rescue CD is a free-to-use product that anyone can download. This also covers any new program versions and virus database updates. If you have any other paid AVG license, you are also entitled to receive our full technical support.

 

Download:

Download Rescue CD (for CD creation)

Download Rescue CD (for USB stick)

 

 

New ClamAV for Windows Powered By ( immunet and sourcefire )

March 7, 2010 by admin  
Filed under Protection Tools

[Image: ClamAV for Windows]

 

The new ClamAV for Windows is the result of a partnership between Immunet Corporation (http://www.immunet.com) and Sourcefire, Inc. (http://www.sourcefire.com). It is designed to provide the ClamAV community with a free Windows-specific Anti-Virus (AV) solution using an advanced Cloud-based protection mechanism.  You can use ClamAV For Windows as a stand-alone, host-based AV solution, or in conjunction with your pre-installed AV solution to provide enhanced detection for the latest malware threats.

 

Say goodbye to the days of watching AV software drain your memory and processing speed. Immunet’s unique Cloud-based technologies allow the ClamAV application to leverage the power of the Cloud to drive the AV engine. When you use ClamAV for Windows, you save system resources for the tasks you really want to run, like games and business applications.

 

ClamAV for Windows utilizes advanced Cloud-based and community-based detection methods. Developed by Immunet, these detection methods leverage the computers of your friends, family and a worldwide global community to harness their collective knowledge for securing your PC. Every time someone in this collective community encounters a threat, everyone else in the community gains protection from that same threat in real time. You no longer have to rely on the isolated security of your current Anti-Virus vendor. You are able to protect your friends and family while being better protected yourself. This is exactly what we designed ClamAV for Windows to do. By providing a fast and light layer of virus detection, and linking everyone in a global community, we harness a security sum that is far greater than its individual parts; we call this Collective Immunity.

 

Immunet placed ClamAV into their Cloud infrastructure alongside their Ethos detection engine, and several other detection technologies.  By combining all these technologies, and utilizing the power of community-based detection, we feel we have the most effective Anti-Virus technology on the market. And it only gets better with every user that installs and utilizes our technology.

 

Download New ClamAV:

 

Minimum System Requirements

  1. Windows XP SP2, Windows Vista SP1, Windows 7
  2. A working Internet connection

Optional Requirements

  1. A Facebook account
  2. A Twitter account

 

 

Fake Anti-virus Attack on Twitter

September 22, 2009 by admin  
Filed under Security News

A couple of hours ago Jack Schofield, a technology journalist at the Guardian newspaper, warned Twitter users about a fake anti-virus attack that is being distributed via the micro-blogging network.

 

A number of Twitter accounts are promoting a link via the Metamark URL shortening service:


[Screenshot of the Twitter posts promoting the shortened link]

Clicking on the links, however, will take you to a webpage hosting fake anti-virus (also known as scareware or rogueware) which will try and frighten you into believing that you have security problems on your computer.

 

Ultimately you end up on a group of servers based in Toronto. SophosLabs has known about these servers since June, and has been blocking access to them since then with our Web Security Appliance.

 

As is the norm, the alarming security warnings pressure you into downloading an executable program to your PC. Sophos is adding detection for this code as Troj/FakeVir-PC.

 

Metamark’s xrl.us URL shortening service is nothing like as well known as more common alternatives like Bit.ly and TinyURL which means some plugins which try and verify the destination of a shortened link may do a poor job of giving you reliable information.

 



By Graham Cluley, Sophos


Immunet Protect – Free Anti-Virus Protection From The Social Cloud (Windows)

August 23, 2009 by admin  
Filed under Protection Tools

[Image: Immunet Protect]

It is perhaps an idea whose time has come. Immunet is not the first cloud based antivirus (do you recall the Panda Cloud antivirus?). There have been other cloud based antivirus software before it. But it definitely can lay claim to be the first anti-virus which collectively harnesses the power of the World Wide Web community.


How exactly Immunet does so using the cloud is the first part of the Immunet story. How effective is its clout, is the second part.


To those who have come in late, here’s the Internet nuance of the term – cloud computing.


The term ‘Cloud’ is basically a figure of speech for the Internet itself. It generally covers services which can be hosted and delivered over the internet. The user just needs the hardware (a computer) and bandwidth. The software and services are provided by the vendor. This allows a user to interact with the software/service from anywhere. The term cloud computing came symbolically from the cloud drawing that’s commonly used to indicate the Internet in graphics and diagrams.

 

The Men behind Immunet

A critical product like Immunet needs a stamp of credibility. That’s given by its developers – Oliver Friedrichs (former Director at Symantec) and Alfred Huger (former McAfee and Symantec executive). Both are gurus in the field of internet security.

 

The Premise of Immunet

[Image: Immunet Protect]

Cloud computing is not a new fangled concept anymore. Google Apps is perhaps the most in-our-face example we have today. Or even the online games we enjoy. Though cloud computing has its own set of pros (scalability, maintenance free) and cons (security, privacy), it is starting to offer new ways to do hitherto desktop based tasks.

 

Immunet takes this approach one step further by bringing the web community on board in the defense against malware and viruses. Citing the fact that a collective defense against virtual scourges is better than a standalone rearguard fight, it best defines what it does –

Imagine for a moment that you could link to the computers of your friends, family and a global community to harness the collective security of all these systems put together. Every time someone in this collective community encounters a threat, everyone else in the community gains protection from that same threat in real time.


Immunet works on four fronts –

  • Cloud computing
  • Community based protection
  • Collective wisdom
  • Coincidental with installed antivirus


Immunet in Action

  • Immunet (ver 1.0.10) is free, light and hassle-free to install. The 4.25MB application can be downloaded and installed in a flash. Supported operating systems are Microsoft Windows XP (SP2 or later), Vista and Windows 7 (RC, 32-bit only).
  • The Immunet interface is clean and minimal, without complicated settings. The application loads and exits without noticeable lag.
  • Immunet can run alongside Norton Antivirus (versions 2008, 2009 and 2010). Also supported are AVG Pro (v8.5) and McAfee 2009. Other antivirus software is not specifically mentioned, but it’s assumed that it can be run unless bugs crop up. (For instance, I am running it with Avast!)
  • On installation Immunet starts off with a Flash Scan. Flash Scan is a rapid-fire initial system scan. This is not a comprehensive system-wide scan. On my system, completion of the Flash Scan showed 2804 files checked in 1 minute 39 seconds. A later, full scan went over 3300 files in 3 minutes 12 seconds.


    [Screenshot: Immunet Flash Scan results]

  • Immunet features only one type of scan. Individual files or drives cannot be scanned separately. But Immunet does offer one feature: Protection Settings, which when enabled allow you to monitor application installations and starts. An Active Protection Mode takes a few seconds to check and block program installations unless they are deemed to be safe. You can switch these settings on and off from Settings.


    [Screenshot: Immunet Protection Settings]

  • CPU footprint is very minimal. On my system it was around 25 – 27KB while scanning.

Circle Your Wagons with Immunet

The sum of the parts is greater than the whole. The Immunet cloud is at the center of harnessing this community power. With your internet connection you are always connected to the cloud (i.e. the data center). The cloud aggregates virus definitions and every user taps into this security umbrella. This is Immunet’s version of collective immunity.

If one user in the social chain gets threatened by a virus, this information passes through the cloud to the others in the circle. The threat is identified and neutralized at the central server. Immunet protection thus kicks in for the entire community. This inter-linked detection and cure happens in real time. Thus every user shares in the collective wisdom gathered from each virus attack.

 

[Screenshot: Immunet community view]

 

The community is built up through your existing Facebook account or a new Immunet account. (The Facebook button wasn’t working for me though.) After logging in, the community building process works like a social network: invite others from your Facebook, Google or Yahoo accounts, or by email. A broader-based group should translate to more effective protection. Even if you do not log in, you get the default protection offered by the Immunet global community.

 

So, will you bet on Immunet?

Cloud computing has inherent advantages and some prominent drawbacks as well. With the server doing the bulk of the work, you don’t have to worry about updates. Centralized updates remove the risk of bloatware. The software is light and low on system resources. The community-based protection is a good idea in theory; its real power will be realized only when greater numbers log in. It’s early days: the last figures suggest 1,800 users were logged in and were protected from 3.5 million threats.

 

The real disadvantage of Immunet is true for everything that’s on the cloud. Dependency on bandwidth comes at a premium in some places. For a high-priority need such as an antivirus, effective protection is the absolute bottom line.

The one singular feature of Immunet (though traditionally people advise against it) is that it can ride along with your existing antivirus solution. Thus, when it’s time to circle the wagons, Immunet can gallop in and, along with the other antivirus, give double-barreled cover.

 

If industry experts reckon that more than two million viruses will be created in 2009 alone and established protection has a 50-50 chance of catching all of them, then Immunet becomes a vital addition to our defense armory. The numbers may not match up, but even if a few sneak in they can become wreckers in chief.

 

With the first version label, it’s early days yet. But will you be a part of the community?


By Saikat Basu From makeuseof.com