Home page logo
/

basics logo Security Basics mailing list archives

Re: Malware detection
From: haZard0us <hazard0us.pt () gmail com>
Date: Fri, 27 Jul 2012 00:34:25 +0100


A 27/07/2012, às 00:13, Glenn Duquette escreveu:

Just to be clear,  did you have MSSE and another anti-malware product installed and running on the same machine at 
the same time?   I was under the impression this was not recommended and could cause issues with proper detection.

No. I had MSSE installed and then uninstalled it in order to proper functioning of ZoneAlarm.


I'll also throw my experience with MSSE in there:  When it was first released, it actually proved to be very 
effective at detection and removal of known malware, appeared to run with very little resources, and was cost 
effective (in ForeFront format) for business who had site licenses with MS as well as for home users.  Overall it was 
a decent anti-malware product that I recommended for both home (MSSE) and work (ForeFront).

Fast forward a few years to now.  MSSE is still pretty effective at detecting and removing the *well known* variants 
of malware and still does not use a lot of system resources that I have seen, and is still cost effective.  The 
problem is that the malware field has changed drastically.  We are seeing far more malware that MSSE/Forefront does 
not detect because the 'bad guys' have simple ways to make a slightly different variant that thwarts detection.  
Signature based detection can only get one so far (as has been said in a few other replies) and it is only possible 
when the signature can be made.  When the malware kits allow you to generate a simple variant that MSSE and a few of 
the other major anti-malware software does not detect one has to rely on other means like heuristics, behavior, 
white/black listing, etc (when relying on client side software as a layer in the defense).  I have not found MSSE v1 
or v2 strong in anything but signature detection.  I no longer recommend MSSE for home or work users because it's 
poor performance outside of signature based scanning.

That was my experience, too (regarding home use). No budget means no paid solution. But gladly ZoneAlarm has a free 
version.


As a fun test, try the following on a malware lab desktop/VM:  Install your version of windows with MSSE - and make 
sure they are fully updated.  Download a smattering of malware examples from one of the well known malware sites and 
see how many of them actually get past MSSE.  In my tests, a good 50 to 60% install their payload without MSSE making 
a peep.  Do the same, but this time remove MSSE and install an anti-malware tool like Kaspersky or BitDefender and 
see how it compares.  In my tests the commercial products have done far better due to their faster updates of 
signatures, heuristic, and behavior analysis.  Obviously it is not a scientific test, but effective enough for this 
example.  FYI - Zeus variants always seemed to get by MSSE particularly effectively for me.

I guess I'll give it a try :)


Glenn

Cheers and thanks for the answer! :)
--haZ
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]