Efficient WEB protection - which program?

Discussion in 'Anti-Virus' started by DK, Jan 15, 2012.

  1. DK

    DK Guest

    I am looking for a program that does real time browsing protection
    very well. I don't necessarily need a "comprehensive solution" that
    covers everything and a kitchen sink - just browsing.

    So far I tried, as recommended by friends, Kaspersky, AVAST and
    AVIRA. None can truly handle a good but pretty straightforward
    attack. Take, for example, this site (WARNING: clearly bad and
    efficient malware!):

    gradient-header.ru/gamma/index.php

    All of the programs warn about the site containing malware, yet
    before I could even do anything, the virus starts and opens all
    kinds of stupid windows and none of the above programs is able
    to effectively handle it once it gets going. (Other than pretending
    to be a virus scanner, I am not sure what it does - I just shut off
    Windows and restore disk image that I made before visiting
    this "test" site - it does propagate quickly, making numerous copies).

    If you know of a program that can 100% solidly detect and prevent
    the execution of the malware from the above site, please indicate
    what the program is. Freeware would be ideal but I am perfectly
    willing to buy if it works well.

    Thanks,

    Dima

    P.S. I got the address above from
    http://www.malwaredomainlist.com/mdl.php
    Great for testing purposes as it points to many different exploits.
     
    DK, Jan 15, 2012
    #1

  2. Redirected to obfuscated Javascript which leads to shellcode and
    exploits for Java, Flash, and Adobe Reader - has that popular version
    checking routine also. My guess is Blackhole again.

    [...]
     
    FromTheRafters, Jan 15, 2012
    #2

  3. NoScript could help you to avoid the vector (it uses Javascript).
     
    FromTheRafters, Jan 15, 2012
    #3
  4. Yes. It was a Blackhole Exploit Kit exploiting CVE-2010-0840 and there was no virus.

    Efficient?
    What a strange word to apply to both the malware and an application.

    Malware being "effective" and anti-malware "proficient" may be more descriptive terms.
     
    David H. Lipman, Jan 15, 2012
    #4
  5. I am familiar with the usage of 'efficient' in the manner of the OP. I
    think 'effective' is what is meant because the OP can have no idea of
    the computing cost of producing those results.
     
    FromTheRafters, Jan 15, 2012
    #5
  6. DK

    DK Guest

    Okay, so I will have to go through all of the updates. Fine. But that
    will only solve the problem until the next exploit in the next program.
    And constant updates of every program on the computer eventually
    bring about tons of incompatibilities/bugs that are very hard to diagnose.

    So the real question is how come three leading software solutions,
    all with "webguard" equivalents turned on, fail to intercept such
    an attack??? And, going back to my original question, what software
    succeeds in doing so?

    Mentioned so far are Malwarebytes and NoScript. I used to have
    NS installed but found it cumbersome to manage. I will try it again.
    Question: will a very long white list in NoScript slow down browsing
    considerably? It's going to be very long because just about every
    site out there is using all these scripts for all kinds of reasons.

    Dima
     
    DK, Jan 15, 2012
    #6
  7. DK

    DK Guest

    I would have thought that if they actually worked as advertised then why
    not? Definitely a better first line of defence than worrying about every program
    on the computer. (These days it's almost impossible to find a program
    that would not want to access Internet). Well, it's NoScript for me for now.
    Thanks! I knew I saw this page but couldn't remember it.

    On a completely unrelated note, David:

    Is it possible to get rid of the hard-coded C:\AV-CLS path
    in multi_AV? Would it still work if I just search and replace
    the string with my own path in every *.bat and *.kix file?

    Dima
     
    DK, Jan 15, 2012
    #7
  8. kurt wismer

    kurt wismer Guest

    On Jan 15, 12:09 am, (DK) wrote:
    [snip]
    detect and prevent? i think fundamentally you're going about this in
    the wrong way.

    a) it's a pretty well established concept that you shouldn't run code
    from unknown/untrusted sources. unfortunately browsers are designed to
    automatically run code on web pages as you browse to them. others in
    this thread have suggested noscript and i will echo that suggestion.
    it is one of the only ways to stop your browser from being the
    equivalent of a happy-clicker.

    b) no matter what detector you use, there will always be something it
    doesn't detect - many somethings these days, as malware profiteers
    have taken to performing malware quality assurance (whereby they test
    their creations against detectors before using them to make sure they
    aren't detected). you should absolutely have a plan in place for when
    something gets through that kind of defense, and my suggestion would
    be that all internet facing apps (and all apps opening content sourced
    from the internet) run inside some kind of sandbox. there are many
    different kinds with different properties, you should find the one
    that suits your needs best. some internet facing apps have even gone
    so far as to have sandboxing built in (like the latest version of
    adobe reader).

    the fact that those programs need to be patched at all means they
    already have bugs. you're basically saying that you'd rather trust the
    old well known bugs that are actively being exploited by criminals
    over possible new bugs that may or may not be introduced. this is one
    situation where "the devil you know" is *not* preferable.

    as for patches only solving things until the next exploit, see my b)
    paragraph above. a sandbox can help. it's still best to remove the
    vulnerability as soon as possible, though, or maybe even remove that
    part of your attack surface. for example, people should really
    consider dumping java if they don't need it because it's so frequently
    exploited.
     
    kurt wismer, Jan 15, 2012
    #8
  9. Virus Guy

    Virus Guy Guest

    Windows 98se, fortified with KernelEx.

    Then watch a lot of malware just bounce off it and die as they thrash
    around looking for NT exploits.
     
    Virus Guy, Jan 15, 2012
    #9
  10. DK

    DK Guest

    I guess it depends on one's definition of "virus" but under my definition it was
    definitely a virus: it created several instances of a file with names [rubbish]exey,
    each of which was trying to access Internet (firewall blocked them).

    Dima
     
    DK, Jan 15, 2012
    #10
  11. Virus Guy

    Virus Guy Guest

    These exploits ARE viral in nature.

    The broader concept of a virus is external code that takes control of a
    system in order to put the system to its own use, to re-configure the
    system to allow for future exploitability, or leverage the resources of
    the system. That concept works equally well if we're talking about a
    biological system or computer system.

    Yes, I encountered another spam on Friday that had a link pointing to a
    black hole exploit server.

    The "exe" that was delivered had a slightly different characteristic
    than the previous ones: The file did not end with ".exe" but with
    "(numbers).exey" - or perhaps just "(numbers)exey".

    When submitted to Virus Total, the exe had only 1 or 2 positive
    detections.

    BTW, when did VT change the look and feel of their website?
    I notice they no longer allow for anonymous comments. Was that
    being abused?

    And on my Win-98 system, the file either did not execute (because I
    replaced my regsvr32.exe with another program with the same name that
    logs regsvr32 attempts) or it did not execute because it was expecting
    to find itself running on the more vulnerable NT-based windoze
    platform. Instead - it crashed and burned on my win-98 system.
     
    Virus Guy, Jan 15, 2012
    #11
  12. G. Morgan

    G. Morgan Guest

    You may also want to use another DNS server that offers some extra
    protection. http://www.opendns.com/
     
    G. Morgan, Jan 15, 2012
    #12
  13. kurt wismer

    kurt wismer Guest

    someone with the name "virus guy" really ought to have a better handle
    on the definition of virus.

    a virus is a self-replicating program. if your definition doesn't
    include "self-replicating program" then you're doing it wrong.

    the malware in question is not a virus. it is not OK to call it a
    virus just because someone's malware lexicon may be too small to
    include what it actually is. it is fundamentally non-viral malware.
    from what has been discussed in this thread it is an exploit kit that
    installs scareware on the victim machine. if someone dealing with this
    thing doesn't have those terms in their lexicon then they need to
    learn them. calling all malware "virus" is about as useful as calling
    all gadgets "dohickies".

    don't pander to ignorance. educate and empower.
     
    kurt wismer, Jan 15, 2012
    #13
  14. DK

    DK Guest

    Google "replication-deficient virus".

    No definition is ever precise and absolute and splitting hairs
    about definitions serves no useful goal.

    The end user cares about *infection* not the definition
    of the infectious agent.
     
    DK, Jan 15, 2012
    #14
  15. Bear

    Bear Guest

    I agree...though those in the technical environment do care...obvious
    huh! Most people say their computer is "infected with a virus"
    regardless of what it is. At the least it is "infected."
     
    Bear, Jan 15, 2012
    #15
  16. kurt wismer

    kurt wismer Guest

    in the world of computer viruses that would be known as an intended
    virus.

    the term "computer virus" was formally/mathematically defined in the
    early to mid 80's. it is precise.

    non-viruses do not infect. that is just another sloppy terminology
    misuse that many people fall into.

    what you're trying to suggest, i think, is that end users care about
    the fact that their system has been compromised, not about what did
    the compromising. however, since different types of malware have
    different properties and capabilities, recovering from a compromise
    requires the knowledge end users supposedly don't care about.

    even restoring from a clean drive image doesn't take care of
    everything. some require you to change passwords for online services,
    get a new credit card number, etc.
     
    kurt wismer, Jan 15, 2012
    #16
  17. Bear

    Bear Guest

    Ya but ya gotta agree that is for the technically empowered folks who
    have the ability to de-code eh, which most people are not. Most people
    will try a few scanners or the such and yell for help...that is unless
    they have a clean image, then they won't need help.
     
    Bear, Jan 15, 2012
    #17
  18. kurt wismer

    kurt wismer Guest

    On Jan 15, 6:11 pm, "David H. Lipman" <DLipman~>
    wrote:
    [snip]
    infection is a viral concept. suggesting that non-viral malware
    "infects" breeds confusion over the distinction between viral and non-
    viral malware. an infectious agent is one that a person intuitively
    knows can spread, but since non-viral malware does not spread it
    should not be confused for an infectious agent.

    is the file an "infected file" or a "trojanized file"? it seems to me
    you've already proposed the correct terminology, and "infected" isn't
    it.
     
    kurt wismer, Jan 15, 2012
    #18
  19. Bear

    Bear Guest

    David, I'm liking you more and more. Don't get giddy!
     
    Bear, Jan 15, 2012
    #19
  20. Virus Guy

    Virus Guy Guest

    How does "code that takes control of a system in order to put the system
    to its own use" not include replication as an example of said desired
    use?

    The old, quaint, pre-internet definition of computer virus is out of
    date.

    I suggest you (and others) abandon that antiquated and at this point
    useless definition.

    Broadly speaking, any code from an external source that runs on a system
    without the owner's knowledge (or permission, or desire) is viral code.

    What you call replication can also mean to change into a different
    form. A first-stage infector that opens channels to obtain a new or
    different agents is a form of replication.

    The goal is always the same: To gain control of a system to utilize
    its resources, and to actively maintain that control.

    And we have lots of examples where a so-called "non-virus" leads to a
    system that actively probes its own local or extended network so as to
    "replicate" itself to other vulnerable systems. How is that NOT
    classical viral behavior?

    Don't be a slave to the narrow lexicon of the extinct past.
     
    Virus Guy, Jan 16, 2012
    #20