Tests Show Problems With AV Detections
February 7, 2010 by admin
Filed under Security News
Dateline: Moscow.
Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.
The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.
After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to VirusTotal. Only Kaspersky detected the files at this point.
But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.
Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.
Click on these to see some of the detections:
- http://www.virustotal.com/analisis/5aee7…1264831301
- http://www.virustotal.com/analisis/0de6d…1264867956
- http://www.virustotal.com/analisis/b2a11…1264867934
- http://www.virustotal.com/analisis/7e79b…1264867923
- http://www.virustotal.com/analisis/0b974…1264831241
- http://www.virustotal.com/analisis/0b974…1264867640
But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.
And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”
I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw cross-compiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.
This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.
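A way to read two scans of the same file, like the two 0b974… links above, without counting every engine as an independent vote (an added example, not code from Kaspersky, VirusTotal or the article): it separates new detections whose name echoes an earlier one, or is a generic heuristic label, from those with an unrelated name. Vendor names, labels and the token lists are constructed assumptions; a matching name suggests a shared origin but does not prove copying.

```python
import re

# Assumption: tokens that mark a heuristic or generic verdict rather than a named family.
GENERIC = re.compile(r"heur|generic|suspicious", re.I)
# Assumption: type/platform words shared by most detection names, ignored when comparing.
COMMON = {"trojan", "win32", "worm", "virus", "backdoor", "malware"}

def name_tokens(label):
    """Lowercase name tokens of a detection label, minus short and common ones."""
    parts = re.split(r"[^a-z0-9]+", label.lower())
    return {p for p in parts if len(p) >= 4} - COMMON

def classify_new_detections(earlier, later):
    """Classify vendors that detect in `later` but did not in `earlier`.

    Both arguments map vendor -> detection label ("" means no detection)."""
    prior = set()
    for label in earlier.values():
        if label:
            prior |= name_tokens(label)
    result = {}
    for vendor, label in later.items():
        if not label or earlier.get(vendor):
            continue  # still clean, or already detecting in the first scan
        if name_tokens(label) & prior:
            result[vendor] = "echoes-earlier-name"
        elif GENERIC.search(label):
            result[vendor] = "generic-heuristic"
        else:
            result[vendor] = "independent-name"
    return result

def independent_votes(earlier, later):
    """Count first-scan detections plus new ones with an unrelated, non-generic name."""
    new = classify_new_detections(earlier, later)
    carried = sum(1 for v, lab in later.items() if lab and earlier.get(v))
    return carried + sum(1 for c in new.values() if c == "independent-name")

# Constructed sample data: vendor names and labels are placeholders, not real results.
EARLIER = {"VendorA": "Trojan.Win32.Sampletest.a", "VendorB": "", "VendorC": "", "VendorD": ""}
LATER = {"VendorA": "Trojan.Win32.Sampletest.a", "VendorB": "TR/Sampletest.A",
         "VendorC": "Suspicious.Heur.12", "VendorD": "", "VendorE": "W32/Packed.Foo"}

if __name__ == "__main__":
    raw = sum(1 for lab in LATER.values() if lab)
    print("raw detections:", raw, "independent:", independent_votes(EARLIER, LATER))
    for vendor, kind in classify_new_detections(EARLIER, LATER).items():
        print(vendor, kind)
```

On the constructed data, four engines flag the file in the second scan, but only two of those verdicts are treated as independent.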
Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.
By Larry Seltzer from PCMag.com
7 Must Have – Free Software To Protect Your Laptop
December 11, 2009 by admin
Filed under Protection Tools
Traditional computer security measures are not enough to protect your laptop and netbook. You have to pay attention to various laptop-related security risks, such as insecure public wireless networks, laptop theft and laptop searches, which you don’t have to worry about with your desktop computer.
Whether your laptop is stolen or not, your privacy can still be at risk simply from traveling with your laptop. The Homeland Security Department and other authorities can search your laptop for evidence of illegal activity and illicit materials stored on it, such as unlicensed songs, movies, software or unlawful images of children. However, good laptop security does not necessarily cost you money.
Here are 7 easy-to-use, useful and free programs that can help you protect your laptop, your sensitive data and your privacy.
1. Encryption. TrueCrypt is a trustworthy encryption program that can protect your data against unauthorized access. www.truecrypt.org
2. Backup. Cobian Backup is backup software that can protect your data against loss. www.cobiansoft.com. An alternative is Mozy free edition, which is online backup software with 2 Gbytes of space. www.mozy.com
3. Antivirus. The free editions of AVG, Avira and Avast provide protection against viruses, spyware and other malware.
4. Firewall. The built-in Windows firewall protects your laptop against hackers while you’re online (but make sure you have configured it properly).
5. Alarm. LAlarm is like a car alarm for your laptop. The software can help protect your laptop from theft, and can also recover and destroy the data on the laptop in case of theft. www.lalarm.com
6. Tracking. Prey is laptop tracking software that can locate your laptop if it is stolen. www.preyproject.com
7. File shredder. Eraser is a data sanitizing program that can permanently delete sensitive data such as passwords, Internet browsing history and personal information from your laptop. www.forensicswiki.org/wiki/Eraser
Full Version Avira AntiVir Premium v9 Free Download with 3 months license key
November 5, 2009 by admin
Filed under Protection Tools
For attendees of Cebit Euroassia 2009, Avira's Turkish site is offering its Avira AntiVir Premium Version 9 antivirus software free with a valid, genuine 3-month license key. Anyone can go to the website and download it.
Avira AntiVir V9 is the best antivirus, lightweight and with a lot of advanced features. Avira AntiVir Premium reliably protects you against all threats from viruses, worms, trojans, rootkits, phishing, adware, spyware, bots, and dangerous “drive-by” downloads. It offers the best detection rates and top-class security with several updates every day.
- Go to the registration page http://www.antivir.com.tr/cebit/premium/, fill in the details using the translation below, and click the button.

- Check your email for key / serial and download / install the software from http://www.avira.com/en/downloads/avira_antivir_premium.html
Source : webisee.com













