Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Thoughts on Anti-Spyware Testing
Spyware Warrior Forum Index -> Anti-Spyware and Security Software Discussion
Crap Wear Worrier (Warrior Guru)
Posted: Fri Sep 01, 2006 2:45 pm

Um, where is this going? Seemed a pretty sound first post by ELH.

TonyDownUnder wrote:
I got very angry with the disparaging remarks made by Mrkvonic


Yup. I visit this site out of interest but I don't want to be an anti-spyware expert any more than I want to be a car mechanic or a tv repair guy. I want to use my pc, drive my car and watch tv... when I get home after a long working week. If you want to call me lazy, go forth and multiply (hope you understand that, Mrkvonic)
Erikalbert (Warrior)
Posted: Fri Sep 01, 2006 5:16 pm

TonyDownUnder wrote:
did my own random (no pun) test by visiting an Internet Porn site - it really was a test ~ honest.
Firstly, PCTools Spyware Doctor warned me that it wasn't a good idea but I knew this and went ahead. As the page was loading NOD32 popped up and told me that a trojan was attempting to download.


Yeah, I sometimes get that, but it isn't always an indication of damage. For me, most of the time the file just sits there but doesn't run anyway, antivirus or no antivirus.

Quote:

I stopped that. Once the page otherwise finished loading, I waited. Almost immediately both Prevx1 and Ghost threw up warnings about something trying to run, execute some of my system processes and write/delete/alter registry values. I blocked all of that and then left the site.


Hmm, are you fully patched? What are your browser settings? It seems strange to me that you need Prevx1 and Ghost security to protect you, unless we are talking about some new zero-day exploit.
nosirrah (Warrior)
Posted: Sat Sep 02, 2006 12:25 am

I have been doing some testing of both antimalware and testing practices themselves here: http://www.castlecops.com/t165650-Malware_testing.html

Comments and suggestions are welcome.
Erikalbert (Warrior)
Posted: Sat Sep 02, 2006 2:12 am

nosirrah wrote:
I have been doing some testing of both antimalware and testing practices themselves here: http://www.castlecops.com/t165650-Malware_testing.html

Comments and suggestions are welcome.


You should really start your own thread, so we can start, er, bashing it properly. :)
fcukdat (Warrior Addict)
Posted: Sat Sep 02, 2006 5:51 am

nosirrah wrote:
I have been doing some testing of both antimalware and testing practices themselves here: http://www.castlecops.com/t165650-Malware_testing.html

Comments and suggestions are welcome.


For-next-loop time again :D but sincerely examine Eric's commentary with regards to testing criteria etc.

http://spywarewarrior.com/viewtopic.php?p=134370#134370

Having read your test article, there is one thing that I'm not sure about that makes me personally query your testing model and results. This is founded on personal testing/real-life experience with malware-infested 'puters etc.

How did your test machine even crawl with the amount of infections/malware you allegedly imported?

Quote:
My test machine was infected by the following procedures:

I installed about 50% of the apps on the rogue antimalware list.
I installed several file sharing apps.
I installed several popular web "enhancements" known for malicious behavior. (my browser window was 50% toolbars)
I downloaded many files from several different serials/warez/cracks sites.
I installed many gambling related apps.
I clicked yes on every question box that popped up.
I installed every app that was recommended in the fake warnings I was getting.


Is your test PC "SuperBlue" by any chance? ;)

Something is not quite adding up there, so looking forward to a reply.

PS: a HJT log (although limited in scope) would have been quite amusing (all those startup entries dropped alone would have caused an extremely long bootup process, then followed by all those executables running in the top part of the log etc).
mikey (Malware Expert)
Posted: Sat Sep 02, 2006 7:45 pm

Erikalbert wrote:
Quote:

I stopped that. Once the page otherwise finished loading, I waited. Almost immediately both Prevx1 and Ghost threw up warnings about something trying to run, execute some of my system processes and write/delete/alter registry values. I blocked all of that and then left the site.


Hmm, are you fully patched? What are your browser settings? It seems strange to me that you need Prevx1 and Ghost security to protect you, unless we are talking about some new zero-day exploit.


I have no clue as to his reasoning or his setup, but I would like to take a crack at answering these concerns as though I might see myself or any other random user doing. And thus I would apologize for taking liberties with his comments.

"Hmm are you fully patched?" and "What are your browser settings?"

Since he's running AppDefend in Ghost as well as PrevX, it doesn't really matter if he's "fully patched" or not and it doesn't matter what brand of browser he uses nor what settings he has configured for it. In fact, he could use IE5 straight out of the box without any concern about getting infected since nothing new can initiate on his system without him knowing about and approving it beforehand.

Though that isn't to say his browser couldn't be manipulated to some degree. An example would be an unwanted homepage change. Any connectable that is given permissions can still be exploited to a lesser degree that doesn't require any wares to run (infection). Of course, I wouldn't suggest it.

Actually, what I do suggest is using good safe practices as well as good content filtering. I like to control what I see or don't see. For instance, I see absolutely no third party ads anywhere as well as very little objectionable content of any kind. I won't ever see objectionable content twice. Such filtering can be found in tools like Proxomitron and AdShield. I also recommend the use of a scripting control like ScriptSentry. I know that folks always say that Prox isn't for novice users but I can tell you that I have seen many learn to use it very well in a short time. Of course, compared to the ease of using these process filters, Prox is still very hard to learn. The other tools I just mentioned as well as many many more though, are very easy to use.

"Seems strange to me that you need Prevx1 and Ghost security to protect you, unless we are talking about some new zero day exploit."

I have often had multiple security tools of similar function in place. Sometimes it's because a properly layered defense (multiple tools) makes for the best, most capable and overall most complete set of features.

However, there is also a much simpler reason for having multiple tools on board...the same reason I suspect he has them both on board now. That would be because he wants to look at them while he decides what product best suits his needs and expertise.

If that is the reason, I would caution him about running more than one tool doing the same job at the same time...especially when the tools reside at system level, as this is a recipe for conflict and can cause one or both tools to function adversely to their normal routine.

As for the 'zero-day' ref: a HIPS tool is the only real protection available for a REAL zero-day infection. Signature based tools usually can't even properly remove the items that they detect...much less items never before seen. The best a conventional scanner has to offer for this is possibly a heuristic detection and I could write several pages worth of reasons why that is a screwed up and scary scenario but I'll try to refrain from doing so in an attempt to save any sensibilities that may still exist in users reading this. :)
nosirrah (Warrior)
Posted: Sat Sep 02, 2006 9:20 pm

fcukdat wrote:
nosirrah wrote:
I have been doing some testing of both antimalware and testing practices themselves here: http://www.castlecops.com/t165650-Malware_testing.html

Comments and suggestions are welcome.


For-next-loop time again :D but sincerely examine Eric's commentary with regards to testing criteria etc.

http://spywarewarrior.com/viewtopic.php?p=134370#134370

Having read your test article, there is one thing that I'm not sure about that makes me personally query your testing model and results. This is founded on personal testing/real-life experience with malware-infested 'puters etc.

How did your test machine even crawl with the amount of infections/malware you allegedly imported?

Quote:
My test machine was infected by the following procedures:

I installed about 50% of the apps on the rogue antimalware list.
I installed several file sharing apps.
I installed several popular web "enhancements" known for malicious behavior. (my browser window was 50% toolbars)
I downloaded many files from several different serials/warez/cracks sites.
I installed many gambling related apps.
I clicked yes on every question box that popped up.
I installed every app that was recommended in the fake warnings I was getting.


Is your test PC "SuperBlue" by any chance? ;)

Something is not quite adding up there, so looking forward to a reply.

PS: a HJT log (although limited in scope) would have been quite amusing (all those startup entries dropped alone would have caused an extremely long bootup process, then followed by all those executables running in the top part of the log etc).


It ran like crap for sure. I had to disable everything msconfig would allow (system.ini, win.ini, services and startup) just to be able to get the desktop stable. I had to deal with starting a few tests over a couple of times because of random restarts.

I understand that the previous tests were flawed, but this is not my area of expertise. I tech Windows-based systems for a living and I am doing this as a hobby. I am trying to come up with a testing method that is impossible to score well in without being a good antimalware solution.

I changed a lot of things for my current round of testing. I am only testing antimalware against rogue software. I am specifically looking at:

rogues removed (desktop shortcuts that no longer function)
desktop shortcuts removed (many contenders kill the infection but leave the shortcuts)
installers removed (all contenders currently suck at this)
program folders removed (many contenders remove the infections but leave the program folders)
total files removed (it's all malware so this should be a valid measure of thoroughness)

The system is a fresh XP install and then 152 rogue apps. I am using Ghost to recreate the drive for each test.

I am helping many of the contenders with the samples they missed. (I am looking for a place I can drop huge zip files; no way in hell am I emailing hundreds of megs of files.)

If you have any suggestions, I am going to be doing ongoing tests split into several groups:

rogue software (the one I am currently 20% done with)
file sharing born malware
cracks/serials/warez born malware
malicious browser enhancements
freeware born adware
unprotected hosts file surfing (unpatched XP SP1 machine) born malware

I am an expert at fixing the various ways in which Windows can go down in flames, but I suck at this testing thing, so any suggestions would be appreciated.

I am going to be doing a final install of everything collected in every round of testing for a prank HijackThis log for CastleCops. I will post it here as well.
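As an added illustration of the scoring method nosirrah describes (this is not code from the thread or from any product tested): a small Python harness that compares the file manifest of the infected image with the manifest taken after one contender's cleanup and reports the five measures listed in the post. The rogue names, paths and both manifests are constructed sample data, and "rogue removed" is taken to mean the shortcut's target executable is gone.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RogueApp:
    name: str
    installer: str  # downloaded setup package
    folder: str     # program folder, matched as a path prefix
    shortcut: str   # desktop shortcut
    main_exe: str   # the shortcut's target; gone => the rogue no longer runs

# Constructed sample data (hypothetical names and paths, not real rogues).
ROGUES = [
    RogueApp("RogueA", r"C:\dl\RogueA_setup.exe", r"C:\Program Files\RogueA",
             r"C:\Desktop\RogueA.lnk", r"C:\Program Files\RogueA\RogueA.exe"),
    RogueApp("RogueB", r"C:\dl\RogueB_setup.exe", r"C:\Program Files\RogueB",
             r"C:\Desktop\RogueB.lnk", r"C:\Program Files\RogueB\RogueB.exe"),
    RogueApp("RogueC", r"C:\dl\RogueC_setup.exe", r"C:\Program Files\RogueC",
             r"C:\Desktop\RogueC.lnk", r"C:\Program Files\RogueC\RogueC.exe"),
]

# Files the rogue installs added to the fresh image (diff against the clean
# baseline) and the subset still present after one contender's cleanup.
INFECTED = {
    r"C:\dl\RogueA_setup.exe", r"C:\Program Files\RogueA\RogueA.exe",
    r"C:\Program Files\RogueA\defs.dat", r"C:\Desktop\RogueA.lnk",
    r"C:\dl\RogueB_setup.exe", r"C:\Program Files\RogueB\RogueB.exe",
    r"C:\Program Files\RogueB\uninst.exe", r"C:\Desktop\RogueB.lnk",
    r"C:\dl\RogueC_setup.exe", r"C:\Program Files\RogueC\RogueC.exe",
    r"C:\Desktop\RogueC.lnk",
}
AFTER_CLEANUP = {
    r"C:\dl\RogueA_setup.exe",
    r"C:\dl\RogueB_setup.exe", r"C:\Program Files\RogueB\uninst.exe",
    r"C:\Desktop\RogueB.lnk",
    r"C:\dl\RogueC_setup.exe", r"C:\Program Files\RogueC\RogueC.exe",
    r"C:\Desktop\RogueC.lnk",
}

def score(rogues, before, after):
    """The five measures from the post, for one contender's run."""
    if not after <= before:
        raise ValueError("post-cleanup manifest lists files absent from the infected image")
    def folder_gone(folder):
        return not any(p.startswith(folder + "\\") for p in after)
    return {
        "rogues_removed": sum(r.main_exe not in after for r in rogues),
        "shortcuts_removed": sum(r.shortcut not in after for r in rogues),
        "installers_removed": sum(r.installer not in after for r in rogues),
        "folders_removed": sum(folder_gone(r.folder) for r in rogues),
        "total_files_removed": len(before - after),
        "total_files": len(before),
    }

def leftovers(rogues, after):
    """Rogues whose main executable is gone but which still left traces."""
    def traces(r):
        return (r.shortcut in after or r.installer in after
                or any(p.startswith(r.folder + "\\") for p in after))
    return sorted(r.name for r in rogues if r.main_exe not in after and traces(r))
```

For a real run, build INFECTED from a recursive directory listing of the Ghost image diffed against the clean install, and AFTER_CLEANUP from the same listing taken after the contender finishes; score() then gives the per-contender numbers and leftovers() names the "killed it but left the shortcuts and folders" cases the post complains about.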
Ilya Rabinovich (Newbie)
Posted: Sun Sep 03, 2006 2:37 am

TonyDownUnder wrote:

4. I think that Users fully accept the need for AV and AS and some, like myself are looking at HIPS/IPS/IDS.


They will have to accept the need for HIPS because it is the only tool that may stop malware unknown to AV (0-day).

TonyDownUnder wrote:

5. My own position is that I would place greater weight on AV tests than tests of Antispyware.


That is right: AS are almost useless.

TonyDownUnder wrote:

7. I believe that as a result of 6. people are very sceptical about AS and are probably of a similar mind about HIPS - the next big thing that I need or do I?


That is why HIPS tests are needed: users won't be able to identify whether a concrete HIPS is rogue or not. Also, it is impossible for them to identify the effectiveness of a HIPS; that is the job for professionals.

TonyDownUnder wrote:

9. HIPS doesn't fit this formula and is harder to use, not because I'm stupid but because it requires knowledge that I do not possess.
Clearly if I open Word and Ghost pops up, or ProcessGuard or System Safety Monitor, and asks me if I want to allow Winword.exe, the answer is obvious. How do I know if svchost.exe seeking access to something less clear, which then wants to write/delete/alter Registry values, is necessarily legitimate?


This is correct for classical HIPS, but wrong for sandbox HIPS: they require no special knowledge.
fcukdat (Warrior Addict)
Posted: Sun Sep 03, 2006 3:45 am

Hi nosirrah

I don't want to be overly critical since you are experiencing the same learning curve that I personally have been/am going through, but I'm sure you are aware that if you applied Eric's standards to your testing model and results it would be shredded :(

Net result: don't publish flawed test results since they mislead the peeps you wish to assist. Before going to publish test results, make sure all shortcomings are listed first so people reading them can get a grip on the validity/integrity of your tests and the results.

Take time out from testing and research/learn more about what you are testing. This will increase the validity of your tests etc.

Go back through Eric's criteria before commencing testing again and make sure your tests tick all the boxes ;)

But more importantly please continue testing after fulfilling the above criteria; truly independent testing is a rarity since most are done by commercial entities/reps and we need independent testers to keep the vendors honest ifykwim ;)

If you need any sincere advice/help feel free to PM me exchanges since this is going OT to some extent and there are already a few more divergences to this topic.

HTH :)
Erikalbert (Warrior)
Posted: Sun Sep 03, 2006 4:11 am

mikey wrote:


"Hmm are you fully patched?" and "What are your browser settings?"

Since he's running AppDefend in Ghost as well as PrevX, it doesn't really matter if he's "fully patched" or not and it doesn't matter what brand of browser he uses nor what settings he has configured for it.


I was actually curious if he really found a zero-day exploit. So the question *does* matter. I think it is wrong to give people the impression that such exploits (I mean exploits for vulnerabilities, not merely new malware samples) are common, and that you definitely need HIPS or you will be owned even if you take reasonable precautions.

My point is simply, just because you get a warning from your security program (AV, HIPS, firewall, whatever) doesn't mean that if you didn't have such programs you would be owned....

And even in cases where these are real threats, the right and more reliable solution is typically not your AV or HIPS...


Quote:

In fact, he could use IE5 straight out of the box without any concern about getting infected since nothing new can initiate on his system without him knowing about and approving it beforehand.


Actually I think that is very bad advice (though I suspect you didn't mean it that way). Given that the effectiveness of HIPS is not proven, and the possibility of the user responding wrongly, it is much preferable to cover up any known flaws, rather than hoping your HIPS will get it and you will respond correctly...

If you are advocating HIPS as a cure for using outdated applications, I disagree and I think you overestimate process filtering...


Quote:

Actually, what I do suggest is using good safe practices as well as good content filtering. I like to control what I see or don't see. For instance, I see absolutely no third party ads anywhere as well as very little objectionable content of any kind. I won't ever see objectionable content twice. Such filtering can be found in tools like Proxomitron and AdShield. I also recommend the use of a scripting control like ScriptSentry. I know that folks always say that Prox isn't for novice users but I can tell you that I have seen many learn to use it very well in a short time. Of course, compared to the ease of using these process filters, Prox is still very hard to learn. The other tools I just mentioned as well as many many more though, are very easy to use.


All of which I use, but again these are things I add even though they have never saved me before. Good practices (patching, reasonable configurations) are always the foundation of good security; if you don't do this, it's pointless to do anything else.


Quote:

As for the 'zero-day' ref; A HIPS tool is the only real protection available for a REAL zero-day infection.


The only protection, yes, but that doesn't mean it is very effective. :)

Better than nothing though.
Page 3 of 3