Sunday, November 30, 2008

Response to "Symantec removed from laptop"

This posting of SSBC's is a classic example of why the guy doesn't have a clue. I mean, he has absolutely no idea what constitutes an active threat, how the various engines within a product work, etc. The world has evolved well beyond static file scans. Hence, if a new product finds malware when you scan a directory, don't be surprised that the previous product you had "missed" it: not all products are designed the same.

In this case, I specifically want to address the comment "Amusingly, AVG identified 5 "infections" when it ran the first scan (see screen capture below)."

Researching the 6 pieces of malware in his screenshot, you will realize that every single one of them is JScript/HTML related. NIS2008 and the recently released NIS2009 have a feature called Browser Protection which detects malicious script when the browser attempts to open it. Independent tests from Secunia, Cascadia Labs and others clearly show that this feature is way better than any other malicious script detector on the market. But the way it's designed, the files still get downloaded to the Temporary Internet Files (TIF) folder, and when the browser opens them, they get caught. Hence, of course, AVG will find such files, because NIS does not remove them from the disk. There is no need.

At the same time, Mr. Clueless doesn't realize that AVG having specific signature detections for those malware implies that they had to create VERY REACTIVE signatures for those specific JScript obfuscations. Norton, on the other hand, has very generic signatures that detect the exploitation of the vulnerability itself, whichever obfuscation wraps it.
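To make the two points above concrete, here is an added Python simulation (not code from this post, and not any vendor's engine) of the two detection points described: a static on-disk scan driven by reactive, sample-specific literal signatures, and a browser-open hook that matches a generic signature against what the script resolves to once the browser has decoded it. The cache paths, the inert marker string, the three obfuscation variants and the signature names are all constructed for illustration and assume nothing about real products.

```python
import re
import urllib.parse

# Constructed, inert marker standing in for the script body a scanner would
# flag. It is a placeholder, not exploit code.
MARKER = "BAD_MARKER_CALL()"


def obfuscate_percent(body):
    """Variant A: every character percent-encoded, decoded by unescape()."""
    return "document.write(unescape('%s'))" % "".join("%%%02X" % ord(c) for c in body)


def obfuscate_split(body):
    """Variant B: body rebuilt from single-character string literals."""
    return "eval(" + "+".join("'%s'" % c for c in body) + ")"


def obfuscate_charcode(body):
    """Variant C: body rebuilt from character codes (the 'new' variant below)."""
    return "eval(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in body)


def normalize(script):
    """What a browser-open hook gets to see: the script after the decoding it
    asks the browser to perform. Unknown encodings pass through unchanged."""
    m = re.fullmatch(r"document\.write\(unescape\('([^']*)'\)\)", script)
    if m:
        return urllib.parse.unquote(m.group(1))
    m = re.fullmatch(r"eval\(((?:'[^']'\+)*'[^']')\)", script)
    if m:
        return "".join(re.findall(r"'([^'])'", m.group(1)))
    m = re.fullmatch(r"eval\(String\.fromCharCode\(([\d,]*)\)\)", script)
    if m:
        return "".join(chr(int(n)) for n in m.group(1).split(","))
    return script


# Reactive signatures: one literal per sample that was actually seen, matched
# as-is against the bytes on disk. Names are constructed.
REACTIVE_SIGS = {
    "JS/Obf.A": obfuscate_percent(MARKER),
    "JS/Obf.B": obfuscate_split(MARKER),
}

# Generic signature: describes the decoded behaviour, independent of encoding.
GENERIC_SIG = re.compile(r"BAD_MARKER_CALL\(\)")


def static_scan(cache, sigs):
    """On-disk scan of the cache with literal signatures. Returns {path: name}."""
    hits = {}
    for path in sorted(cache):
        for name, literal in sigs.items():
            if literal in cache[path]:
                hits[path] = name
                break
    return hits


def browser_open(cache, path):
    """Browser-protection style check at open time: match the generic signature
    against the normalized script. Blocks, but leaves the cached file in place."""
    if GENERIC_SIG.search(normalize(cache[path])):
        return "blocked"
    return "allowed"


def run_scenario():
    """Constructed cache: three obfuscated copies of the marker plus one benign page."""
    cache = {
        "tif/a.htm": obfuscate_percent(MARKER),
        "tif/b.htm": obfuscate_split(MARKER),
        "tif/c.htm": obfuscate_charcode(MARKER),   # no literal for this one
        "tif/ok.htm": "document.write('hello')",
    }
    blocked = [p for p in sorted(cache) if browser_open(cache, p) == "blocked"]
    # A second product's static scan, run later over the untouched cache.
    found = sorted(static_scan(cache, REACTIVE_SIGS))
    return {
        "blocked_at_open": blocked,
        "still_on_disk": len(cache),
        "found_by_static_scan": found,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The open-time hook blocks all three obfuscated copies but deliberately leaves the cache alone, so a later literal-signature scan by a different scanner still reports the two samples it has literals for; that is exactly the situation the post describes. The third variant shows the other half of the argument: the literal list misses an encoding it has never seen, while the generic match on the decoded script does not.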

Once again, it just goes to show that one should not believe everything that one reads, especially with regard to Internet security reviews. Most reviewers these days simply believe that the static file scanner is the only engine present inside a security product. Therefore, if there is a malicious file on the disk, it means that it got past the static file scanner, which to them means it got past the security product. What a joke! Of course, this same group of individuals believes that VirusTotal is the definitive way to compare the real-world detection rates of security products.

SSBC is definitely in this group of "scholars" :-)