OK, so I must admit I’m starting to become more annoyed with anti-virus vendors as the days go on. Today the vendor of choice on my day job computer decided to catch the “malicious code” I had on my system.
Wunderbar!
Wait, wait…no. Last time I checked, OllyDbg is not a trojan. It seems my AV client is getting dumber by the day. More and more the AV is “catching” shadows on the sidewalk. It sees what “might” be malicious code and sounds the alarm. But, time and again, it is a legitimate file with no virus/trojan/remailer/et cetera to be found. And I am getting tired of it. Every time one of these false alarms is sounded, a triage exercise is initiated, followed by the ensuing investigation. All of this takes time and, well, let’s be honest, money. The costs of these types of investigations are mounting and I’m getting a little tired of it.
What’s your malware detection client of choice and why? Care to share?
[UPDATE] Feb 6, 2008 Billy Hoffman has noticed some interesting behaviour as well.
Why use malware detection clients if malware prevention ones are much better?
@Ilya
Fair point. Care to elaborate?
Dave, if you think it is ethical for me as an anti-malware behavioural protection developer, yes, I can. Without advertisement, naturally…
@Ilya
Ha! Yes, I know. As long as you add a disclaimer it’s all good.
🙂
Right here, in comments?
Ah, silence. Let’s then take it to mean “yep, right here, bro!”.
First of all, it is very important to understand that current anti-virus scanners work with already known malware. But if a malware module is caught, the revenue rate for the “bad guys” goes down, which is why it is very important for them not to let the AVers be up-to-date. There are many methods for that: constant module updating, rootkits, DDoS of the anti-virus labs with thousands of samples per day. Heuristic mechanisms work well for already known bypass methods, but a new one comes every single day. That is why you think that scanners are getting dumber. It is more and more obvious that those blacklisting technologies are out of date; they are more and more useless.
Behavioural technologies can’t cure malware in the common case (yes, there are some blacklisting HIPS like AntiBot, but I see no difference whether a tool uses code or behavioural signatures: false positives and false negatives are their destiny), but they may give you a really high, honest 90-95% malware prevention rate against any kind of it, known and unknown, with no misses. So why lose a couple of hours with HijackThis, AVZ and anti-rootkit tools if malware prevention is a much more obvious and simple thing? Yes, right now it is “out of the box”, not something you are used to using, but its time is coming… Resistance is useless; join the people who already live with only behavioural protections and have never been infected!
@Ilya
Sorry mate. I was up to my eyeballs. Thanks for the comment.