Virus Checkers - AVs



pctek
12-10-2009, 08:56 PM
Been having a long argument with a very smart friend.
He is a brilliant programmer and hacker? Cracker? Whatever.

He said AVs are a waste of time cause:

A)You can avoid viruses by avoiding dodgy downloads
B)They are bloated and clunky
C)They don't find them all

Now we then fought about the various ones. He downloaded and tested quite a few:

NOD32
Kaspersky (which he likes best)
Avast
AVG
and I forget what else......

My NOD is newer than his so I told him to go ahead and send me his nasty little collection of evil viruses.

Yep, sure enough NOD32 missed 2. One in particular is a rather nasty thing according to my friend, and is not new at all.

So I checked it with all my progs I have.
Nothing saw it.

What my friend does, whatever he downloads, he takes it apart and rummages through the code first. So he sees any suspect code in them.
Not exactly practical for the rest of us mere mortals and I said not having an AV for his reasons is like not using condoms cause on the odd occasion one might break.

But still, he has a point - I wonder how many other nasty little things end up hidden and laughing at us and avoiding detection - and for how long???


Hmm, going through the onlines now:
FAIL!!!

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

Fprot huh. The only one.

Speedy Gonzales
12-10-2009, 09:07 PM
A)You can avoid viruses by avoiding dodgy downloads

Exactly what I've said before. And the less you use P2P programs, the better

apsattv
13-10-2009, 01:29 AM
So did you submit it to ESET?

Chilling_Silence
13-10-2009, 06:32 AM
Yeah it's relatively easy, you can even play with existing viruses by simply modifying some of the code that's in them. I remember I found one "How-To" a while back, buggered if I remember how I came across it.

Anyway long and short of it is, by changing the bytecode in two places in this virus file that was only a few KB, it was completely undetected by all the main AV vendors, and it was something like an 8-9 year old virus.

Yes, you *can* survive without it if you're an IT tech, but let's face it, the general populace aren't smart enough to know that Bill Gates and AT&T are actually *not* giving away their millions after some 15-odd years now of the same email doing the rounds.

For the better part of the population, having an A/V vendor that plays "Catch-Up" on a daily basis to protect them from the most common threats of the day is better than none...

pctek
13-10-2009, 08:11 AM
you can even play with existing viruses by simply modifying some of the code that's in them.
Anyway long and short of it is, by changing the bytecode in two places in this virus file that was only a few KB, it was completely undetected by all the main AV vendors, and it was something like an 8-9 year old virus.


Which is terrible really.
How long it takes them...........

And yes I submitted it.

But I'm more interested now in what my friend is sending me next, he's written some app he wants me to test out.......related to this?

Chilling_Silence
13-10-2009, 07:45 PM
Details? :D

jwil1
13-10-2009, 07:55 PM
Exactly what I've said before. And the less you use P2P programs, the better

+1

When I MUST use P2P, I always use it inside a VM, which I can quickly wipe (by simply shutting down the VM).

Also, I will run several AV/AS programs against the download after it's finished.

Blam
13-10-2009, 08:06 PM
+1

When I MUST use P2P, I always use it inside a VM, which I can quickly wipe (by simply shutting down the VM).

Also, I will run several AV/AS programs against the download after it's finished.

Join a private tracker lol....P2P *can* get you nasties, but running it inside a VM seems overkill to me...

pctek
13-10-2009, 08:50 PM
Also, I will run several AV/AS programs against the download after it's finished.

His point. They don't always find the nasties. He's been busy proving that to me.

And the new thing he sent is just something else to prove the uselessness of our defenses he says. I haven't tried it, I suspect NOD etc won't object, scanning the .exe didn't fire off any alarms - but I wonder about HJT. However I'm not too keen to run it as he says it's mostly harmless. Harmless in that it's not a wild virus, it's something he wrote as a test, but he did say there may be a possibility that Windows could panic (and what does THAT mean?? :wub - could be quite fun come to think of it...) and upset things and I should have my Ghost image handy.

Well I do have an image but it is slightly old now, a few changes since and I can't be stuffed, cause in a few weeks I'll be doing Win7 anyway. Would be an annoyance so I might leave it for now.

You know - on occasion after thorough cleaning I've had a customer's PC still be a bit unstable or dodgy and thought a fresh install best - I wonder how often that has been because all our checkers have missed something?

KarameaDave
13-10-2009, 09:02 PM
An interesting read here.

http://arstechnica.com/security/news/2009/10/antivir-10-others-fail-virus-bulletins-october-2009-test.ars

plod
13-10-2009, 09:12 PM
His point. They don't always find the nasties. He's been busy proving that to me.

And the new thing he sent is just something else to prove the uselessness of our defenses he says. I haven't tried it, I suspect NOD etc won't object, scanning the .exe didn't fire off any alarms - but I wonder about HJT. However I'm not too keen to run it as he says it's mostly harmless. Harmless in that it's not a wild virus, it's something he wrote as a test, but he did say there may be a possibility that Windows could panic (and what does THAT mean?? :wub - could be quite fun come to think of it...) and upset things and I should have my Ghost image handy.

Well I do have an image but it is slightly old now, a few changes since and I can't be stuffed, cause in a few weeks I'll be doing Win7 anyway. Would be an annoyance so I might leave it for now.

You know - on occasion after thorough cleaning I've had a customer's PC still be a bit unstable or dodgy and thought a fresh install best - I wonder how often that has been because all our checkers have missed something?

You keen to upload your nasty for us to check?

Chilling_Silence
13-10-2009, 09:57 PM
I'd be interested to see it ;)

It's also worth noting that it was only a short while ago when you could very easily start writing direct to the HDD from Windows with "user" privileges etc. and a whole lot of other things are possible :D

pctek
14-10-2009, 08:02 AM
Wasn't that scary.
Although the fact it could without anything noticing until after it was done was his point.

Chilling_Silence
14-10-2009, 09:22 AM
:D :D :D