New Zero day virus follow up

The virus is not detectable with the current anti-virus definitions for the Symantec anti-virus product distributed by the software center….

The current products that see this virus are:

F-Secure
BitDefender
Prevx CSI
Panda
Ikarus
AntiVir
GDATA
AWIL
Microsoft….. YES, they see it; way to go Bill and Ballmer.

Here is the BIG question: why does my antivirus product not see it, and why does it take many days to weeks for the larger vendors to get out new definitions that find this stuff?

Little known facts about anti-virus companies:

1) They all belong to a trade group that shares all virus samples discovered by any member of the group, on as frequent as an hourly basis.

They all get equal and fair access to the sample files, so why so long then... getting there…

The best site to submit “POTENTIAL” virus files is www.virustotal.com
They are an independent security company that runs every file against 30 to 40 different anti-virus products and provides a detailed report of which ones find a bug and which do not.

And yes, this site is a member of the anti-virus trade group, so after submission here it’s in the large sample pool for all anti-virus trade group members to use.

Answers to the why so long

AV companies have been moving away from the single AV product for years now.  They have all moved to a more defense-in-depth model.  This is a good model and works well for some of the companies, F-Secure for one.

The other large companies tend to just be very slow because they have a bunch of extra crap in their in-depth model… and their product may not be as good at parts of the AV detection process.

That process works this way.
1) Viruses are almost always compiled code. Compilers leave a fingerprint on everything they compile, so AV products fingerprint which compiler was used to create the “package” when scanning files.

2) Compiled code is machine readable and contains character string patterns. Most compilers out there have been used at this point in time, so almost all files fit the compiler check.  The character string patterns are unique and occur in unique arrangements, almost like a hash or a human fingerprint.

3) Last is the file behavior or file use check.  Many types of files behave the same way in relation to the system, or use the system in much the same way.

So if the AV product gets a hit on the compiler check and nothing else, it may or may not be a virus, right?  But if it hits on the compiler and one of the other two checks, it’s probably a virus, right…. could be.
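To make the three-stage logic above concrete, here is an added toy scanner (example code written for this post, not any vendor's engine) that runs the compiler-fingerprint check, the string-pattern check and the behaviour check over constructed sample bytes and a constructed list of sandbox behaviours, then combines the hits into a verdict. Every fingerprint, signature and behaviour name in it is made up for illustration; it also extends the post's logic with a "likely" level when all three checks hit.

```python
from __future__ import annotations
import re
from typing import Optional

# Everything below is constructed for illustration: hypothetical compiler
# stamps, a made-up family signature and made-up sandbox behaviour names.
# Real AV engines use large proprietary tables, not these toy values.
COMPILER_FINGERPRINTS = {
    "hypothetical-compiler-A": b"ACME-LINK v1.2",   # pretend linker stamp
    "hypothetical-compiler-B": b"FooCC build 7",    # pretend compiler stamp
}
STRING_SIGNATURES = {
    "family-x": re.compile(rb"FAMILY-X-BEACON-[0-9]{4}"),  # constructed pattern
}
SUSPICIOUS_BEHAVIOURS = {"writes_autorun_key", "injects_into_process",
                         "disables_security_tool"}


def detect_compiler(data: bytes) -> Optional[str]:
    """Check 1: which toolchain stamp, if any, is present in the file bytes."""
    for name, stamp in COMPILER_FINGERPRINTS.items():
        if stamp in data:
            return name
    return None


def match_signatures(data: bytes) -> list[str]:
    """Check 2: which string-pattern signatures match the file bytes."""
    return [family for family, rx in STRING_SIGNATURES.items() if rx.search(data)]


def classify(data: bytes, observed: set[str]) -> dict:
    """Combine the three checks the way the post describes:
    compiler hit alone -> inconclusive; compiler + one other -> probable;
    compiler + both others -> likely (a level the post does not spell out)."""
    compiler = detect_compiler(data)
    sigs = match_signatures(data)
    behaviours = sorted(observed & SUSPICIOUS_BEHAVIOURS)   # check 3
    others = int(bool(sigs)) + int(bool(behaviours))
    if compiler is None:
        verdict = "unrecognised-toolchain"
    else:
        verdict = {0: "inconclusive", 1: "probable", 2: "likely"}[others]
    return {"compiler": compiler, "signatures": sigs,
            "behaviours": behaviours, "verdict": verdict}


# Constructed sample bytes standing in for a scanned executable.
SAMPLE = b"MZ\x90\x00 ... ACME-LINK v1.2 ... FAMILY-X-BEACON-0042 ..."
if __name__ == "__main__":
    print(classify(SAMPLE, {"writes_autorun_key", "reads_clock"}))
```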

Back to the why so long.

Well, you need to understand the steps something must go through to understand the timing.

Smaller AV vendors have very tight and aggressive code.  It works very well and is very easy to extend.  It’s well compartmentalized and very, very fast.  They have fewer customers and are still hungry for business.  They get business by finding, or being the best at discovering, things that are designed to be hidden and difficult to find.

Large companies have a lot more poorly written, “bloated” code in their products.  They are slower to react because false positives are a very bad thing for their market share.  Come on now, who would buy the product that mistakenly destroyed a few hundred thousand systems, right?  So big companies prefer the low and slow approach.  It does provide comfort for them, but not for us.  It guarantees them market share because anti-virus purchasing is determined mostly by price…. not by how well it works… and large companies usually wrangle multi-year deals, and then you are kind of locked in….sad but true..

So the next question I think I would have reading this is: what does Lou use, or “Evil Lou” to my friends?  I use F-Secure and Prevx CSI….hmm, why?

F-Secure is an old-time AV vendor; it is an in-depth product, and BlackLight is the best rootkit detection product I have used.  It generally is a 4 to 8 hour zero-day product, many times less than that.

Prevx CSI because it is very good at malware and behavior-type use.  It is very fast and works well as the second banana, or second AV product, on a system.

I spend about 50 to 70 bucks a year for the 2 products, and that license is good for up to 4 systems…

I look at it as: you can pay a little cash now, or a lot later if you get infected.


Comments

Good information on the inside workings of the anti virus companies and how they handle a new zero day virus.
