Tests Show Problems With AV Detections

February 7, 2010 by admin  
Filed under Security News

Dateline: Moscow.

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to Virustotal. Only Kaspersky detected the files at this point.

But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the MinGW cross-compiler, a GCC build that runs on Linux and generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have provoked a different reaction from the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, two other products called the sample “suspicious”.

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

By Larry Seltzer from PCMag.com


Get Free F-Secure Internet Security 2010 for One Year (By softgeeek.blogspot.com)

August 17, 2009 by admin  
Filed under Protection Tools

F-Secure Internet Security is, along with BitDefender and Kaspersky, the most popular security software in the Nordic region, but the majority of people prefer F-Secure. There is no doubt that it is really good security software, but on the other hand it is the most expensive security for your computer. F-Secure IS 2009 was really a big change in its history. It became more popular because of its low consumption of system resources and its better rate of detecting and stopping malware compared to its previous releases.


F-Secure unveils updated security suite

August 7, 2009 by admin  
Filed under Protection Tools

F-Secure has announced Internet Security 2010, an updated version of its popular security suite.


The company said that the new suite offers enhanced detection techniques using cloud-based technology, more secure browsing, and an improved user experience.


The cloud based element is provided by its ‘Real-Time Protection Network’, which uses F-Secure’s DeepGuard technology to compare any file launched on a system against a database hosted on F-Secure’s servers.


F-Secure’s technical manager Leslie Forbes said this process took only 70-100 milliseconds. “It’s amazingly fast”, he said. When users are offline, the system defaults to a local ‘sandbox’ scanning method. “It’s like having a virus lab with you all the time.”


Forbes also said that the new 2010 version was less resource hungry than the previous version and its competitors, making it suitable for use with netbooks or low spec systems.


UK country manager Pekka Metala admitted that, having had great success as the default security suite provided by many European ISPs, F-Secure was for now mainly targeting the consumer market.


“We’re not just an enterprise company any more”, Metala said. However, he assured IT PRO that it was not abandoning the business market and that where relevant the new technology in the 2010 suite would be applied to its enterprise products.


“We have lots of legacy public sector customers, and we’re going to continue to support them.”


The suite will be available for download on 3 September for £39.95 for a three user pack, or £19.95 for a single user. It is available for Windows XP, Vista and 7.


When asked by IT PRO, Forbes hinted that a Mac version was also on the way, but no date was provided.


Back in February, F-Secure’s own internal servers were hit by an SQL injection attack, though the company deemed the attempted hack to be only “partially successful”.


Twitter Using Google Blacklist To Filter Malicious Links

August 5, 2009 by admin  
Filed under Security News

Twitter has quietly started using a Google blacklist of suspected phishing and malware pages to filter malicious URLs leading to known malware sites.


Twitter hasn’t announced it, but F-Secure’s chief research officer Mikko Hypponen revealed how it was starting to filter tweets that linked to known malware sites.


According to this blog post, users are given a warning message when they attempt to click on a link that leads to a blacklisted site.


He later confirmed – on Twitter – that the microblogging site was using Google Safe Browsing API, an experimental API that allows client applications to check URLs against an updated Google blacklist.


Twitter has become a bigger target for hackers taking advantage of its explosion in popularity.


This Easter, Twitter suffered four separate worm attacks that encouraged users to click on a link which infected them and made them automatically send out messages to friends with the same link.


Twitter had not replied to a request for comment at the time of writing.


By Asavin Wattanajantra from www.itpro.co.uk


Demonstration of Exploit Shield Technology from F-Secure (Video)

July 31, 2009 by admin  
Filed under Security Channel




F-Secure Exploit Shield Technology

July 31, 2009 by admin  
Filed under Protection Tools

Latest version (0.70 build 19) released on June 29, 2009.


About F-Secure Exploit Shield

F-Secure Exploit Shield is an application that protects users from web-based malicious exploits and stops malware at the first point of infection. All malicious, exploit-hosting URLs it detects are automatically reported back to F-Secure’s Real-time Protection Network, which helps our Security Labs discover new exploits on the Internet and react to protect all our existing customers.


Supported Platforms

- Windows XP SP0, SP1, SP2 and SP3 (32-bit)
- Windows Vista SP0, SP1 and SP2 (32-bit)
- Windows 7 (32-bit)


Supported Browsers

- Internet Explorer (32-bit) 6.0 and later
- Mozilla Firefox 2.x and 3.x


F-Secure Exploit Shield Features

- Zero Day Protection: Protects unpatched machines even before patches are available from the software vendor.
- Patch-equivalent Protection: One ‘shield’ update per vulnerability stops all exploits targeting it.
- Proactive Measures: Heuristic detection techniques block exploits even for unknown vulnerabilities.
- Protects against both malicious websites and good websites that have been hacked.
- Shields for seven vulnerabilities (listed in the GUI) and proactive measures. More shields will be added through automatic updates. There is also very good generic protection against exploits that do not yet have specific shields.
- Automatically sends detected malicious URLs from users to F-Secure.


What’s new in this release

- Windows Vista SP2 (32-bit) and Windows 7 (32-bit) support
- Internet Explorer 8 support
- Firefox support (up to Firefox 3.5)
- More vulnerability coverage
- Enhanced block page design
- Exploit Shield engine improvements


Download

If you want to participate in the Exploit Shield beta program, select one of the following options:

- To download the stand-alone beta version of F-Secure Exploit Shield, click here.

- If you participate in the F-Secure Internet Security Technology Preview program, F-Secure Exploit Shield will be installed together with the ISTP program.


Installation Instructions

This standalone F-Secure Exploit Shield version will not install if F-Secure Internet Security or F-Secure Internet Security Technology Preview (ISTP) has been installed on the computer.

F-Secure ISTP already includes the Exploit Shield functionality. F-Secure ISTP also requires that the standalone version of Exploit Shield be uninstalled before installing F-Secure ISTP.


Q2 2009 Security Threat Summary (Video)

July 12, 2009 by admin  
Filed under Security Channel