Everything posted by nosirrah

  1. Damn Ade, how many times have we seen this driver now? This is one of those files that is neither bad nor good; it depends on the files that use it. That being said, I have seen it used by malware often but never in a legit app (although I did read up on its legit use).
  2. nosirrah


  3. Google is your friend: http://www.google.com/search?hl=en&q=LE ... gle+Search That seems to indicate that SAS has found evidence of a past infection. Legacy keys are often created with drivers and services. What likely happened here is that some antimalware application of yours in the past killed this infection but left this remnant behind.
  4. IceSword should be able to copy them as well.
  5. I love Spybot for its extra tools in the advanced menu. As for malware removal, I second Lasse88's opinion.
  6. If you don't keep your JRE updated and/or don't use an alternate browser, a safe site that has been hacked can attack your system with ease. I can't tell you how many machines I disinfect that have JRE 1.4.2 installed. Check your add/remove list for any java/JRE entries that are below version 1.6/version 6Ux. Uninstall anything from the 1.4/4Ux and 1.5/5Ux families. Version 1.6.3/6U3 is the current version. It sucks that the version has two formats, as it is confusing; not sure why they did this. For example, 1.4.2 is the same as 4U2 and 5U6 is the same as 1.5.6. There have been exploit-borne infections that can use older versions of Java to get in even if you have the most current version installed. Installing the new version does not remove old versions and the installer does not give you the option. Doing a scan once a month or once a week or even once a day is not right or wrong, as the decision should be based on the use your PC gets. A PC with multiple teenage users in a house with no technically proficient users should be scanned once a day (IMO). A PC with a single careful user with above-average technical proficiency would be safe only scanning once a month. I bring up technical proficiency because understanding things like warning signs of infection and what software needs to be updated goes a long way in terms of keeping infections out. Another thing I have noticed is that if you run a SAS scan and you have active antivirus running in the background, the AV can catch malware as SAS checks for infected files. It's like running two scans at once. I do this with SAS and Antivir. As the SAS scan runs, Antivir will interrupt it if SAS hits malware that Antivir also detects. This is one hell of a one-two punch when you combine the engines and defs of both Antivir and SAS.
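The post above turns on the two Java version notations meaning the same release (1.4.2 is 4U2, 5U6 is 1.5.6) and on old families lingering in Add/Remove Programs after an upgrade. The script below is an added example, not code from the post or from SUPERAntiSpyware: it normalises both notations to a (family, update) pair and sorts a list of installed version strings into "uninstall" (1.4/1.5 families), "update" (1.6 family but older than the release the post names as current, 1.6.3/6U3) and "ok". The installed list and the "current" value are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two notations from the post: "1.4.2" (internal) and "4U2" (marketing)
# both mean family 4, update 2. "1.6" / "6" with no update number map to (6, 0).
DOTTED_RE = re.compile(r"^1\.(\d+)(?:\.(\d+))?$")       # 1.4.2, 1.5.6, 1.6
UPDATE_RE = re.compile(r"^(\d+)U(\d+)$", re.IGNORECASE)  # 4U2, 5U6, 6U3

# Constructed for the example: the release the post calls current (1.6.3 / 6U3).
CURRENT_RELEASE: Tuple[int, int] = (6, 3)
MIN_FAMILY = 6  # anything from an older family gets uninstalled, not updated


def parse_jre_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) for either notation, or None if unrecognised."""
    text = text.strip()
    m = DOTTED_RE.match(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = UPDATE_RE.match(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def same_release(a: str, b: str) -> bool:
    """True when two strings, in either notation, name the same JRE release."""
    pa, pb = parse_jre_version(a), parse_jre_version(b)
    return pa is not None and pa == pb


def audit_installed_jres(installed: List[str]) -> Dict[str, List[str]]:
    """Sort the JRE version strings found in Add/Remove Programs into buckets.

    uninstall: families below 1.6 (the installer never removes these itself)
    update:    1.6 family but behind the current release
    ok:        at or beyond the current release
    unparsed:  strings in neither notation, to be looked at by hand
    """
    buckets: Dict[str, List[str]] = {"uninstall": [], "update": [], "ok": [], "unparsed": []}
    for entry in installed:
        parsed = parse_jre_version(entry)
        if parsed is None:
            buckets["unparsed"].append(entry)
        elif parsed[0] < MIN_FAMILY:
            buckets["uninstall"].append(entry)
        elif parsed < CURRENT_RELEASE:
            buckets["update"].append(entry)
        else:
            buckets["ok"].append(entry)
    return buckets


if __name__ == "__main__":
    # Constructed sample of what an upgraded-but-never-cleaned machine might list.
    sample = ["1.4.2", "5U6", "6U1", "1.6.3", "Java Web Start"]
    for bucket, entries in audit_installed_jres(sample).items():
        print(f"{bucket:10s} {entries}")
```

Because the installer leaves old families in place, the "uninstall" bucket is the one to act on first; the "update" bucket only matters once the old families are gone.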
  7. Security through obscurity, IMO. Part of the reason Norton and McAfee miss a huge number of new infections is that the black hats know what AVs are most popular and engineer against them. I have used it quite a bit and found it to be just shy of the top tier. CA is far more aggressive against software in the gray zone (P2P, semi-legit adware with accurate EULAs ...) than most AS apps. As far as what it detects, it does very well but not quite as well as my two favorites (SAS and CounterSpy). What I don't like about CA is their frequency of updates. SAS updates on a far more frequent basis.
  8. Between what I see my fellow security experts use and what I see detecting new malware at virustotal.com, I would have to say that NOD32, Kaspersky, BitDefender and Antivir are the best and most trusted. My non-test box is protected by SAS and Antivir. When it comes to antispyware, my favorites have dwindled down to SAS and CounterSpy. About Antivir, their antirootkit abilities and heuristics are amazing. For free active protection there is nothing better, not even a close second.
  9. I like that idea as well, but the temp part better. I would like the restore purge only if it had a strongly worded warning about rebooting first to make sure that everything is working correctly. I have had to format and reinstall several PCs that I could not fix only because I had no restore points to take apart and extract a working registry.
  10. FP prevention engine? Just a guess.
  11. Do your best to give a clear picture as to what is happening when you try regular mode. Malware can show up in the recycle bin and even run from there. Delete it if you can and rescan. Use safe mode with networking so you can both update SAS and download tools. Download a copy of Autoruns: http://www.microsoft.com/technet/sysint ... oRuns.mspx Run a scan but press ESC to stop it. Click Options. Check both "verify code signatures" and "hide signed Microsoft entries". This will make the list a lot shorter. Now press F5 to rerun the scan with the new settings. Click File, Save As and save the log to your desktop. Open it, copy all and paste it into your next post.
  12. This would also increase the usefulness of SAS in the help forums -> more free advertising -> you know the rest. You could even have an option to send the file/reg item to your team for inspection. Could help build defs.
  13. SAS works well with Antivir. Antivir is free and has both outstanding defs and heuristics. It also now has an option to start its scan with a heuristic rootkit scan. I don't think Nic has any plans to make SAS include antivirus abilities. That involves a lot of new code to unpatch files and is a completely different animal than a general antimalware app.
  14. More than a few fellow techs refused to give SAS a spin because of nothing more than this. They mention that it has the look of a rogue. They love it once I convince them to give it a chance. It is unfortunate, but whether you like it or not, image has a lot to do with popularity. IMO SAS could increase its client growth with nothing more than a face lift. No reason not to match your solid technology with a well done website.
  15. nosirrah

    BootSafe tool

    @Nic Is either (or both) a possibility here as an addition? 1. Safe mode keyset check/fix built into the safeboot tool. 2. Safe mode with the ?? (up to you) second option to select regular mode. I see no reason not to compromise on this one. I understand that it is highly unlikely to cause a problem as is, but the chance would become 0% with my suggestions in place. As far as I am concerned this is in the same category as a FP, and we all know how well SAS guards against those. I recommend SAS all the time to users but never the safeboot option. If it were to become "safe/safer" then I would. You don't have to be wrong to have things that could be improved.
  16. nosirrah

    BootSafe tool

    @Nic I love everything about SAS, except this. Back when I was still learning I forced safe mode on a system (with msconfig) and because the safeboot keyset was damaged I lost control of the system and needed to use a second system to undo the automatic safe mode boot. I know of at least 3 infections that break safeboot. One removes the first safeboot service. One removes the whole safeboot key set. One renames the minimal and networking keys. If I were to force safeboot on any of them I would not be able to undo safeboot because a BSOD is as far as I would ever get. Safeboot needs at least a warning and a preemptive safe mode check/fix. EDIT: BTW TeMerk and Blender are two of the best when it comes to malware removal and prevention. I know both of them and have great trust and respect for their opinions.
  17. nosirrah

    BootSafe tool

    What about adding a safe mode check/fix automatically to the safeboot option?
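Posts 15 to 17 above ask for a preemptive safe mode keyset check before a tool forces a safe boot, and post 16 describes three ways the keyset gets broken: the first entry removed, the whole key set removed, or the Minimal and Network keys renamed. The script below is an added example of such a check, not code from nosirrah, SUPERAntiSpyware or the BootSafe tool. It snapshots the subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (the standard location, assumed here; the post does not spell out the path), compares them against a known-good baseline, and reports every difference before anyone forces a safe boot. The baseline entry names and the damaged trees are constructed for the example; a real baseline would be exported from a clean machine of the same Windows version.

```python
from typing import Dict, List

# Assumed location of the safe mode service/driver lists; not stated in the post.
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
REQUIRED_SETS = ("Minimal", "Network")


def read_safeboot_tree() -> Dict[str, List[str]]:
    """Snapshot {set_name: [entry names]} from the live registry (Windows only).

    Returns an empty dict when the whole SafeBoot key is gone, which is one
    of the breakages the post describes.
    """
    import winreg  # standard library, but only importable on Windows
    tree: Dict[str, List[str]] = {}
    try:
        root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_KEY)
    except OSError:
        return tree
    with root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                tree[name] = [winreg.EnumKey(sub, j)
                              for j in range(winreg.QueryInfoKey(sub)[0])]
    return tree


def check_safeboot(current: Dict[str, List[str]],
                   baseline: Dict[str, List[str]]) -> List[str]:
    """Compare the current SafeBoot tree to a known-good baseline.

    Returns a list of findings; an empty list means nothing the baseline
    expects is missing, deleted or renamed.
    """
    findings: List[str] = []
    if not current:
        findings.append("SafeBoot key set is missing entirely")
        return findings
    for name in REQUIRED_SETS:
        if name not in current:
            # A renamed key shows up as an unexpected sibling, so report those too.
            others = sorted(k for k in current if k not in REQUIRED_SETS)
            hint = f"; unexpected subkeys present: {others}" if others else ""
            findings.append(f"{name} key is missing (deleted or renamed){hint}")
            continue
        missing = [e for e in baseline.get(name, []) if e not in current[name]]
        if missing:
            findings.append(f"{name} is missing {len(missing)} baseline entries: {missing}")
    return findings


def safe_to_force_safemode(current: Dict[str, List[str]],
                           baseline: Dict[str, List[str]]) -> bool:
    """The go/no-go decision a boot tool would take before forcing safe mode."""
    return not check_safeboot(current, baseline)


# Constructed baseline: illustrative entry names standing in for an export
# taken from a clean machine of the same Windows version.
BASELINE: Dict[str, List[str]] = {
    "Minimal": ["Base", "Boot Bus Extender", "Primary disk", "vga.sys"],
    "Network": ["Base", "Boot Bus Extender", "NDIS Wrapper", "Primary disk", "vga.sys"],
}


if __name__ == "__main__":
    import sys
    if sys.platform != "win32":
        print("live registry read needs Windows; compare a saved tree against BASELINE instead")
    else:
        for finding in check_safeboot(read_safeboot_tree(), BASELINE) or ["no findings"]:
            print(finding)
```

A tool that forces a safe boot would run `safe_to_force_safemode` first and refuse (or warn, as post 16 asks) on any finding, since once the machine is set to boot into a broken safe mode the only recovery is from a second system.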
  18. IMO as the reputation of SAS grows it will at some point need to have some kind of self defense built in. At this point though it has not been a big target of anti-antimalware.
  19. This happens a lot on systems that are upgraded from IE6 to IE7.
  20. A lot of googling for the average user. As an added feature for advanced users it would be nice, but there are already good standalone HIPS solutions available from other vendors. Nic wants SAS to stay as light and easy to use as possible.
  21. From that main screen click Preferences. Click the Repairs tab. Scroll down the fixes and run both that pertain to your desktop. @Nic It might be a good idea to split Preferences away from your fixes. Two buttons would make things much more organized.
  22. Reinstall it and then uninstall from Add/Remove Programs. That should work. IMO it would be better to ask questions before a mistake on your part is mistaken as a problem with SAS. I have been using SAS for quite some time now and can verify that it is not spyware, and out of all the high end antispyware applications it drains system resources less than any of them. For the record, SAS could use a Start/All Programs uninstaller shortcut.
  23. This is starting to get a little out of hand, so maybe we should all make a closing statement and leave it at that. I can't get behind that because that chart mirrors what virustotal depicts when I submit new malware. On the flip side, Antivir does very well according to that chart and that also is in line with what I see when I submit to virustotal. I also can assure you that I have nothing to do with the apparent performance of the vendors on the OITC chart. That chart was in effect long before I knew that it existed. One thing to keep in mind is that the chart does not depict detection rates of the sum total of all currently live malware; it only depicts the detection rates of malware that is detected by 50% or fewer vendors at virustotal. If you were to include all malware then obviously the results would be different. Look, if you want proof, all of this is independently verifiable. Take a new sample and resubmit it to virustotal a few times a day for a few days. You can see for yourself who is "the man". BTW I know for a fact that Norton (for reasons that have never been explained) has not responded to numerous requests for contact information in regards to establishing a Virustotal sample hook up. I believe that they are the only Virustotal vendor that this is the case for. Like I said, go and do some independent malware hunting and benchmarking and see what you can come up with. It is better to gain knowledge through personal experience anyway. Who cares what an "expert, yes I am poking fun at myself" or a "chart" or a "forum" says when you can go out and check yourself. I will go on record as saying that I did do some Norton bashing in this thread, no sense in pretending that I didn't. IMO between price, performance, being easy to break, hard to fix, performance degradation and (as fatdcuk mentioned) being engineered against because of prominence, I do not see it as a recommendable antivirus application.
I also agree with the fact that this does come down to personal preference. Just like politics or religion, the potential for escalating arguments is always there. I do think that debates like these do have their value though, as it draws attention to the strengths and flaws of the entire antimalware industry. This has been fun BTW, I hope that no one has any hard feelings.
  24. The new exploit + new malware angle can only be covered by HIPS type protection. I have been researching the new exploits (I lead the MIRT team over at CastleCops, same user name). There has been prolific hacking to install that exploit and it comes in several different variations. Exploits in general are more dangerous and the AVs have a reputation of not doing well against them. This is the last one I ran into:

    STATUS: FINISHED
    Complete scanning result of "index.php", received in VirusTotal at 05.11.2007, 23:32:05 (CET).

    Antivirus Version Update Result
    AhnLab-V3 2007.5.10.0 05.11.2007 no virus found
    AntiVir 05.11.2007 EXP/IEslice
    Authentium 4.93.8 05.11.2007 no virus found
    Avast 4.7.997.0 05.11.2007 no virus found
    AVG 05.11.2007 no virus found
    BitDefender 7.2 05.11.2007 no virus found
    CAT-QuickHeal 9.00 05.11.2007 no virus found
    ClamAV devel-20070416 05.11.2007 no virus found
    DrWeb 4.33 05.11.2007 VBS.Psyme.383
    eSafe 05.10.2007 no virus found
    eTrust-Vet 30.7.3628 05.11.2007 no virus found
    Ewido 4.0 05.11.2007 Not-A-Virus.Exploit.HTML.IESlice.i
    FileAdvisor 1 05.12.2007 no virus found
    Fortinet 05.11.2007 no virus found
    F-Prot 05.11.2007 no virus found
    F-Secure 6.70.13030.0 05.11.2007 Exploit.HTML.IESlice.i
    Ikarus T3.1.1.7 05.11.2007 no virus found
    Kaspersky 05.11.2007 Exploit.HTML.IESlice.i
    McAfee 5029 05.11.2007 no virus found
    Microsoft 1.2503 05.11.2007 no virus found
    NOD32v2 2261 05.11.2007 no virus found
    Norman 5.80.02 05.11.2007 no virus found
    Panda 05.11.2007 no virus found
    Prevx1 V2 05.12.2007 no virus found
    Sophos 4.17.0 05.11.2007 no virus found
    Sunbelt 2.2.907.0 05.05.2007 no virus found
    Symantec 10 05.11.2007 no virus found
    TheHacker 05.10.2007 no virus found
    VBA32 3.12.0 05.11.2007 no virus found
    VirusBuster 4.3.7:9 05.11.2007 no virus found
    Webwasher-Gateway 6.0.1 05.11.2007 Exploit.IEslice

Not good. From this thread: http://www.castlecops.com/t189303-2007_ ... avers.html .
I can't agree with this based on my own personal experience and from what I have heard reported by numerous industry experts. When it comes to detection rates they are not even in the same class. (fill in the blank)IS is not recommended by industry experts to begin with. We don't like security suites because it makes all of your security far too easy to take out, either in an attack or a software malfunction. It is recommended to have 1 active AV, 1 active AS/AT, a good firewall capable of blocking certain IP ranges, 1 good hosts file and a handful of on demand scanners. HIPS are not right for everyone but are recommended. Also not for everyone but recommended is a second hard drive and an imaging tool. IMO you are setting your clients up for a return visit if you leave Norton installed on an infested system. Obviously whatever they are doing combined with Norton's "protection" is not getting it done. Now it is you that has a lot to learn. That tool does nothing about corrupted registry permissions and leaves loads of remnants behind. I use subinacl.exe and a custom batch file to preemptively correct permissions before I even begin. I do use SYMNRT as a middle step but I go much further. I have an exported total uninstall file (not a standard option BTW, you have to dig it out yourself) that I use next. This will get the vast majority of the remnants. Then I do a final JV16 registry finder scan with a handful of Symantec/Norton only terms to get the stragglers. This makes a system like Norton was never there to begin with. Personally this is my definition of "uninstalled". I have not used NOD32 so I can't say anything about that part, but the results for Symantec mirror my own experiences with it. Leading the MIRT team I get to scan thousands of samples through VT every week. I often rescan samples at a later date to benchmark response time. Your statement does not mirror what I see.
What I see indicates that Antivir, BitDefender, Kaspersky and NOD32 are both good at detecting new malware and respond quickly when they miss something. BTW there is a new project starting up that does exactly this with malware samples from MIRT and other independent sources. When it is up I'll drop the link here. Using Kaspersky indicates that you do know the score. Personally I use a combination of a pair of custom batch files to lock and unlock (for updates, installs ...) permissions to critical hijack points, HIPS and drive imaging. No resource drag and bullet proof, not that I do anything dumb to begin with. Only in structured tests with cherry picked malware. When you dump a few thousand new samples collected by unaffiliated independent malware hunters into a real test you get a very different result. You can test this yourself. Every time you come across a new sample, scan it through Virustotal.com. Keep track of who detects it and who doesn't. There is no way to argue with the results. I do this each and every day and know that published reports of Norton's "amazing" detection rates are often the result of fixed testing. I will point out this link again: http://winnow.oitc.com/AntiVirusPerformance.html That chart is dynamic and 100% unbiased. You can check it daily to see it fluctuate. The samples in the study are taken from several real world sources: Samples collected through the various help forums around the web. Real world tech collected samples from client machines. Honey pot collected samples. Exploit research fallout. Hunting based on known dangerous behavior. Email malware. Samples harvested from P2P networks. This study was started without the knowledge of the malware hunters so it is double blind. The MIRT team (where most of the samples come from) contribute to a listserv that distributes to ALL vendors, so all vendors in the study are on equal footing in terms of our help to them.
Note the lack of vendor advertising on that page. You don't see that on the fixed tests.
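Posts 23 and 24 above describe the same workflow: submit a new sample to VirusTotal, keep track of who detects it and who does not, resubmit later to measure response time, and note that the OITC chart counts only samples detected by 50% or fewer engines. The script below is an added example of that bookkeeping, not code from nosirrah, CastleCops, VirusTotal or OITC. It parses the flattened text report pasted in post 24 (re-flowed one engine per line as constructed input), computes the detection count and rate, flags whether the sample falls in the "50% or fewer" bucket, and reports which engines gained a detection between two scans of the same sample. The second scan in the usage is constructed to show the comparison.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: the VirusTotal report from the post above, one engine per
# line. Columns: vendor, optional engine version, signature date, result text.
VT_REPORT = """\
AhnLab-V3 2007.5.10.0 05.11.2007 no virus found
AntiVir 05.11.2007 EXP/IEslice
Authentium 4.93.8 05.11.2007 no virus found
Avast 4.7.997.0 05.11.2007 no virus found
AVG 05.11.2007 no virus found
BitDefender 7.2 05.11.2007 no virus found
CAT-QuickHeal 9.00 05.11.2007 no virus found
ClamAV devel-20070416 05.11.2007 no virus found
DrWeb 4.33 05.11.2007 VBS.Psyme.383
eSafe 05.10.2007 no virus found
eTrust-Vet 30.7.3628 05.11.2007 no virus found
Ewido 4.0 05.11.2007 Not-A-Virus.Exploit.HTML.IESlice.i
FileAdvisor 1 05.12.2007 no virus found
Fortinet 05.11.2007 no virus found
F-Prot 05.11.2007 no virus found
F-Secure 6.70.13030.0 05.11.2007 Exploit.HTML.IESlice.i
Ikarus T3.1.1.7 05.11.2007 no virus found
Kaspersky 05.11.2007 Exploit.HTML.IESlice.i
McAfee 5029 05.11.2007 no virus found
Microsoft 1.2503 05.11.2007 no virus found
NOD32v2 2261 05.11.2007 no virus found
Norman 5.80.02 05.11.2007 no virus found
Panda 05.11.2007 no virus found
Prevx1 V2 05.12.2007 no virus found
Sophos 4.17.0 05.11.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.11.2007 no virus found
TheHacker 05.10.2007 no virus found
VBA32 3.12.0 05.11.2007 no virus found
VirusBuster 4.3.7:9 05.11.2007 no virus found
Webwasher-Gateway 6.0.1 05.11.2007 Exploit.IEslice
"""

DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")  # the date column is always present
NO_DETECTION = "no virus found"


@dataclass(frozen=True)
class EngineResult:
    vendor: str
    version: str  # "" when the report printed no version for that engine
    update: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result != NO_DETECTION


def parse_vt_report(text: str) -> List[EngineResult]:
    """Split each line around the date column, since the version column may be absent."""
    rows: List[EngineResult] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        date_idx = next((i for i, t in enumerate(tokens) if DATE_RE.match(t)), None)
        if date_idx is None or date_idx == 0:
            raise ValueError(f"unparseable engine line: {line!r}")
        rows.append(EngineResult(vendor=tokens[0],
                                 version=" ".join(tokens[1:date_idx]),
                                 update=tokens[date_idx],
                                 result=" ".join(tokens[date_idx + 1:])))
    return rows


def summarize(rows: List[EngineResult]) -> Dict[str, object]:
    """Detection count and rate, plus the '50% or fewer engines' bucket test."""
    hits = [r for r in rows if r.detected]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "rate": len(hits) / len(rows) if rows else 0.0,
        "detected_by": {r.vendor: r.result for r in hits},
        "missed_by": sorted(r.vendor for r in rows if not r.detected),
        "low_detection": len(hits) * 2 <= len(rows),
    }


def newly_detecting(before: List[EngineResult], after: List[EngineResult]) -> List[str]:
    """Engines that missed the sample earlier but detect it now (response time)."""
    already = {r.vendor for r in before if r.detected}
    return sorted(r.vendor for r in after if r.detected and r.vendor not in already)


if __name__ == "__main__":
    first = parse_vt_report(VT_REPORT)
    s = summarize(first)
    print(f"{s['detections']}/{s['engines']} engines ({s['rate']:.0%}), low_detection={s['low_detection']}")
    # Constructed later rescan: one more engine has picked the sample up.
    later = [r for r in first if r.vendor != "McAfee"] + [EngineResult("McAfee", "5030", "07.11.2007", "Exploit-IESlice")]
    print("newly detecting:", newly_detecting(first, later))
```

Keeping the parsed rows per sample and per scan date is what makes the later comparison possible; the report text alone only tells you who detected it today.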