What you need to know for your Computer Security

[Guest]

[Melih]

I think you (Melih) reduce the potential of the antivirus in the article. At least, some of modern antivirus. You can have more than just file protection (as it the oldies). The http traffic scanning, the heuristic analysis, the generic signatures, the sandbox and coding emulation are some of the weapons of the new arsenal.
Of course, you need more than just an antivirus. Firewall, safe browser, safe browsing habits (the most difficult thing to achieve...), a HIPS tool will help and contribute. I tend to think in layered defense way.

Does your Antivirus (and whatever it may have in it) allow "unknown" application to execute?

Melih

[Tech]

What do you mean with unknown? If the antivirus has a whilelist and then block the applications out of it? No, for sure not.
But the antivirus could block infections by its behavior and not classified/named yet (unknown).

[Chiron]

What do you mean with unknown? If the antivirus has a whilelist and then block the applications out of it? No, for sure not.
But the antivirus could block infections by its behavior and not classified/named yet (unknown).

I don't think Melih is implying that an antivirus has no place in computer security. (If this were true than Comodo Antivirus would be a bit of an enigma.)

I believe his point is that you cannot trust any detection based technology to solely defend your computer. Something may get through, and as malware writers test their creations to ensure they won't be detected by most antiviruses when they are released into the wild, then it's very likely that many people will be infected before the detections are updated. Behavioral analyzers can also be fooled, although I still think they're a great layer in addition to a HIPS and a traditional AV. Thus a HIPS is the only type of protection that can actually stop almost 100% of even the most advanced and newly created malware.

I think that's his point, but I could be wrong.

[Tech]

I believe his point is that you cannot trust any detection based technology to solely defend your computer.

If so, I fully agree. I believe in layered defense and think people should give the best to do something the best possible. Focus.

Thus a HIPS is the only type of protection that can actually stop almost 100% of even the most advanced and newly created malware.

If fact, it's not in the real world... you can answer a question badly and then...
HIPS is a very good weapon against malware, I know, but it's not the panacea in my opinion.

[Melih]

What do you mean with unknown? If the antivirus has a whilelist and then block the applications out of it? No, for sure not.
But the antivirus could block infections by its behavior and not classified/named yet (unknown).

I am trying to point out if your security product is built on "default deny" or "default allow" architecture.

If your system allows an unknown application/file to run..then its default alow...

so try it...with other products and see...

if its default allow system....then let me know and we can talk the problems of Default allow systems...

Melih

[Tech]

I have UAC turned on.
I use ThreatFire with the standard configuration (not that many questions).
avast shields on (scanning all files/memory).

I don't know if you consider such system as "default allow".

[Melih]

I have UAC turned on.
I use ThreatFire with the standard configuration (not that many questions).
avast shields on (scanning all files/memory).

I don't know if you consider such system as "default allow".

simple test: Run an "unknown" application or file... (eg: create a hello world application exe and run) if not ask someone to provide it to you..lets see if your system stops it..

Melih

[Tech]

if not ask someone to provide it to you

Can you give me a link to download it?

[brucine]

http://www.win.tue.nl/hashclash/SoftIntCodeSign/

Note: it is of course of no use, because before having downloaded an run "hello world" or whatever exe, one knows it shall be intercepted by defense+, but not by a "database" antivirus.

Also note that, without speaking of HIPS, the default firewall behavior (unknown application) should be deny.
If i allow the defense+ request, cis firewall doesn't say anything (general configuration, it would be a serious failure, or only my special lan rules, the exe is run from my desktop?).

[Tech]

Indeed, a clean file for the antivirus (http://www.virustotal.com/analisis/15b1161906ef5f59d1c3f804e5ae6ba69d201a8092ec93d05ea81663c1e2f274-1267311620).

Isn't it a proof of concept only? Who am I to talk with prof. Wang... I'm far behind this knowledge, but seems that you can't exploit that so easily to infect a computer, that is why I am asking if it is not only a proof of concept. He reported some use of it, are the antivirus companies just "lazy" to find a way to protect this?

How will HIPS behave in this situation?

[brucine]

Professor Wang is .... a Professor and a searcher, and as such wrote something yes, quite theoric, but that could be easily exploited.

And the "goodbye world" thing has not to be intercepted by AV since it is innocuous: it merely serves as an example to show that 2 different files can have the same MD5, to conclude that MD5 is not a safe protection anymore.

In the same time, load eicar.exe to virus total or download it, and everyone shall jump altough eicar is also perfectly innocuous.

The problem is that AV rely on databases and sometimes "heuristic behavior", but that even "heuristic behavior" relies on a database: not in the database, not caught, and it is the reason of the "hello world" suggestion by Melih, but where if you were writing yourself your own malicious "hello world" program, it would never be caught, the only line of defense remaining a "unknown file default blocking behavior".

I don't use CIS AV, but i believe it wouldn't be more efficient against this kind of threat than Avira, failing.
I also get no warning whatsoever from CIS firewall, but of course, when i try to run "hello world", defense+ warns me that it is unknown.

We also must remind that, if not getting fooled by one file between many in a downloaded compressed folder, the best line of defense is betweeen our ears: no one should be fool enough to run a file he is not sure of.

The "compressed folder" situation is somewhat more difficult, and can be compared to mail attachements: if one does not deliberately click the unknown file, he stays safe if he forbids default scripting (IE Active X and so on, calling the malicious file when you meant to open plain html).

[Tech]

To conclude that MD5 is not a safe protection anymore.

I've received the following answer from Igor (an avast developer):

Still, I don't see the problem as that critical... I mean, for an successful attack, you have to deliver an executable on your machine, let the user allow that in the firewall, and then replace the file with the other one. Who would perform that replacement, however... a malicious code, already running on the computer? If so, then there's probably an easier way than abusing MD5 collisions.

and it is the reason of the "hello world" suggestion by Melih

Does he really mean just that? Or something else?

but where if you were writing yourself your own malicious "hello world" program, it would never be caught, the only line of defense remaining a "unknown file default blocking behavior".

Well... not exactly. The malware behavior of "my" "hello world" could be caught by other antimalware techniques besides the signatures...

I don't use CIS AV, but i believe it wouldn't be more efficient against this kind of threat than Avira, failing.

For sure it won't...

I also get no warning whatsoever from CIS firewall, but of course, when i try to run "hello world", defense+ warns me that it is unknown.

And what if the user clicks "ok"...? Such a no-fool technology is to be developed.

[davidfcabral]

[Mr Melih. Call free Comodo Internet Security Supplement for a year, i'm unemployed and i can not afford. Thanks

[brucine]

And what if the user clicks "ok"...? Such a no-fool technology is to be developed.

On what behalf, excepting an infinite database?

In the conditions you are speaking of, i would forever be thrown out of some dos utilities, and i definitely wouldn't like it.

[Tech]

On what behalf, excepting an infinite database?

Indeed. It's a problem: databases increases indefinitely.
Behavior blocker helps. Generic signatures and algorithm detection reduces the size of the database.

[Tags:]