MSE vs AntiVirus 2010

jadams

In my work I've come across two computers with up-to-date MSE installed that somehow let Antivirus 2010 get past it.

Up to this point I have been an absolute fan of MSE and have even gone as far as setting up VMs and purposely trying to infect them with junk like this. MSE always seemed to step in and say "Hey dipshit, that's a virus, don't press YES." This is the first time it's let me down.

Anyone else come across this scareware? It's pretty common; I remember an AV2009 variant out there before. Was it able to sidestep any other AV program that you've seen installed?
 
When someone clicks to install something, MSE kind of has no choice, since the user is giving permission to install it, and usually admin permission to boot. No AV will stop it. You could install Malwarebytes; it may stop it.
 
In my work I've come across two computers with up-to-date MSE installed that somehow let Antivirus 2010 get past it.
...
Was it able to sidestep any other AV program that you've seen installed?

There's pretty much nothing you can do (short of running a limited user account and whitelisting-only for anything nonlocal) that will keep those things out perfectly if the user isn't savvy. A system would have to be locked down to the point that an admin account would be needed almost constantly to do everyday tasks like software updates and the like. There are lots of theoretical situations that could maybe make you safe against malware like that, but they're going to be in the direction of a non-Windows machine, or a heavily firewalled corporate network, or something equally nonstandard (which is to say unsuitable for a loose corporate network, which we have).

We've tried hosts file editing, antivirus applications, bloated firewall applications, third-party browsers, and so on but the common denominator between the infections is users who can't tell the difference between a legitimate system message and a bogus one. You can't protect the user from him/herself and still give them reasonable control of their machine.
 
that will keep those things out perfectly if the user isn't savvy. You can't protect the user from him/herself and still give them reasonable control of their machine.

These rogues/fake alerts get past anyone; you don't need to be an ignorant user to get one. These rogues are being spread by many different methods, such as legitimate websites being hacked into, ad banners, exploits in Flash, Java, PDFs and Office documents, and poisoned content in torrents/p2p.

No matter how experienced a user you are, say you visit a totally legit website that got hacked just a few hours ago...BAM, jumps up on your screen in a millisecond....too late!
 
These rogues/fake alerts get past anyone; you don't need to be an ignorant user to get one.

I'd agree with you, except nobody in our IT department has contracted one thus far. Odds would be against that, assuming it were really just a numbers game, especially given that we're probably on the internet about as much as 4 regular employees put together per one IT member. :D
 
I'd agree with you, except nobody in our IT department has contracted one thus far. Odds would be against that, assuming it were really just a numbers game, especially given that we're probably on the internet about as much as 4 regular employees put together per one IT member. :D

Have you studied how they're spread? If you know how the rogues/fake alerts are spread, you'd grasp the concept that it's neutral. You don't have to be a click-happy idiot or someone that just surfs midget porn or illegal movie sites.

About 2 or so years ago, when rogues/fake alerts were really starting to become a common threat, one of the early versions that still has many variants today, PAV (Personal AntiVirus), was getting widespread. More accurate to the timeframe for my example was during the "buyout of the big 3 automakers"...when Obummer was about to do the huge financial bailout to Detroit. I was on my home computer, doing some research on the United Auto Workers union...I was on their main website (one wouldn't suspect this website to be a "bad" site)....and blammo..PAV jumped up on my screen beginning its scareware routine.

Silly me....since I've been in IT as a profession since the Win3x/95 days, I should have been savvy and known better....I should have known that the United Auto Workers website wasn't safe.

My computer...I had Eset NOD32 on it (it didn't even blink), and I was using Firefox.
Luckily, due to my experience, I was able to recognize it and I had Task Manager up within milliseconds, and since I'd cleaned it so many times prior on clients' machines I knew exactly what to look for and how to whack it within about 5 more seconds. IMO, however, that kind of expertise shouldn't be expected of all/average computer users, and just because others don't know how to recite by memory exactly how a rogue hits your system doesn't mean that the average user should be held to that expectation.
 
Well guys, like I said earlier, I've set up testbed VMs before and have tried to infect them with known "viruses". Tenga and Conficker to be more precise, among others. MSE always seemed to stop it before it got in. Tenga and Conficker can both spread through USB sticks via autorun without the user even clicking a YES or OK button. MSE stopped both of these before they could even get started. I was a little disappointed it didn't do the same in this case. Apparently their backdoor installation methods must be different, but how/why does MSE see AV2010 as a legit program?

I also found it odd that I've been tasked with removing it from two computers within a week from each other. *shrug*
 
I've had 5 different boxes on my workbench in the last week. All had MSE installed and didn't do anything to stop the boxes from being infected.

I don't blame MSE for not stopping the infection; what pisses me off is that it can't remove it either. In normal mode the malware usually prevents MSE from running at all, but when I run it in safe mode it finishes the scan and doesn't find anything.... And that is with updated definitions. I run Spybot Search & Destroy on the exact same box and it finds over 350 items?

The fact that I can run MSE on a completely infected box and have it find absolutely nothing is what is making me lose favor with it.
 
I've had 5 different boxes on my workbench in the last week. All had MSE installed and didn't do anything to stop the boxes from being infected.

I don't blame MSE for not stopping the infection; what pisses me off is that it can't remove it either. In normal mode the malware usually prevents MSE from running at all, but when I run it in safe mode it finishes the scan and doesn't find anything.... And that is with updated definitions. I run Spybot Search & Destroy on the exact same box and it finds over 350 items?

The fact that I can run MSE on a completely infected box and have it find absolutely nothing is what is making me lose favor with it.

Uh oh, I use this software a lot :( guess I'm not going to be soon!
 
You're going to have this problem with any and all AV suites. Not a single one of them can stop everything or remove everything. Since I switched most of my friends and family over to MSE and OpenDNS from whatever they had before, I've had a lot fewer phone calls. To me that tells me it's working. Is it the best in the world? No. Is it free? Yes. Does it make my life easier? Yes.
 
You're going to have this problem with any and all AV suites. Not a single one of them can stop everything or remove everything. Since I switched most of my friends and family over to MSE and OpenDNS from whatever they had before, I've had a lot fewer phone calls. To me that tells me it's working. Is it the best in the world? No. Is it free? Yes. Does it make my life easier? Yes.

This may be stupid, but why did you switch them to OpenDNS? What does this do? Do you have to manually put the DNS into their routers etc etc?
 
http://www.opendns.com/solutions/overview/

Set the router to forward all requests to 208.67.222.222 and 208.67.220.220. Set the clients to use the router as DNS server via DHCP server options, or set clients directly to OpenDNS. Register on OpenDNS.com for a home use account, and set up the Dynamic IP updater thingy on one of their computers. Now a significant portion of malware/spyware is blocked before it can resolve. You can also block porn, MySpace, gambling, etc. Some people don't want a UTM firewall to manage; this is the next best thing.
 
http://www.opendns.com/solutions/overview/

Set the router to forward all requests to 208.67.222.222 and 208.67.220.220. Set the clients to use the router as DNS server via DHCP server options, or set clients directly to OpenDNS. Register on OpenDNS.com for a home use account, and set up the Dynamic IP updater thingy on one of their computers. Now a significant portion of malware/spyware is blocked before it can resolve. You can also block porn, MySpace, gambling, etc. Some people don't want a UTM firewall to manage; this is the next best thing.

I have a DynDNS account, been using that for years. I also run Untangle. Do I still, or should I still, use OpenDNS?
 
I have a wife and two kids. I don't like to clean malware at home. :)

I forced the Mac onto the wife. Her last PC was... well! I threw it out, hated it LOL; I spent more time keeping viruses and spyware off of it than she actually used it.

Now she has a MacBook and an Untangle box, and there are lots of PC laptops that I use and a few desktops.
 
I hope you do realize that MSE is an *Anti-Virus* program, not an *Anti-Spyware/malware/scareware* program. It is designed to stop viruses. AV2010 isn't a virus, it's scareware, and that's why programs like Spybot S&D and Malwarebytes pick it up: they are designed to do so. This goes for quite a few other people in this thread. There is a vast difference in the 2 types of infections mentioned here. Not 1 program will take care of it all.

I've had 5 different boxes on my workbench in the last week. All had MSE installed and didn't do anything to stop the boxes from being infected.

I don't blame MSE for not stopping the infection; what pisses me off is that it can't remove it either. In normal mode the malware usually prevents MSE from running at all, but when I run it in safe mode it finishes the scan and doesn't find anything.... And that is with updated definitions. I run Spybot Search & Destroy on the exact same box and it finds over 350 items?

The fact that I can run MSE on a completely infected box and have it find absolutely nothing is what is making me lose favor with it.
 
I hope you do realize that MSE is an *Anti-Virus* program, not an *Anti-Spyware/malware/scareware* program. It is designed to stop viruses. AV2010 isn't a virus, it's scareware, and that's why programs like Spybot S&D and Malwarebytes pick it up: they are designed to do so. This goes for quite a few other people in this thread. There is a vast difference in the 2 types of infections mentioned here. Not 1 program will take care of it all.

Actually.....if you've remotely followed antivirus programs over the past several years, most of them have evolved into detecting "threats, malware"...as a generalized term. Not just old-school "viruses". Any that remained back in the "we just detect viruses" frame of mind are surely doing poorly right now.

Proof? Go to any decent AV program's website, such as Eset.com.
You'll see big fancy words like "to protect you from viruses and spyware", "the battle against evolving Internet threats. Click below to learn about malware hazards", "Your best defense against Cybercrime", ....and similar things.

Matter of fact, here's a paragraph from Eset.com's Threat Center page, copied word for word:
http://www.eset.com/threat-center
"Threats are evolving by the second. It's no longer just about viruses. Spyware, trojans, worms, rootkits, bots and phishing attacks are all on the rise. Malware writers are constantly reworking their code to evade security defenses. The ESET Threat Center features resources to understand the nature of these evolving threats, their impact on your business, and why proactive protection is so important."

Now let's walk over and look at the MSE page, shall we?
http://www.microsoft.com/security_essentials/
In there you'll find the following text:
"Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software. "

Furthermore, you can get this AV trend verified by one of Microsoft's guys on the MSE team, who frequents the forums here, Ranma. He frequently talks about rogues and doing all he can to ensure MSE detects/cleans them.

No tool out there is 100% effective, but in utilizing at least several tools at once, with each one getting, say, 90 or 95% of the bugs on your PC, the end result of the overlapping "finds/removals" of a bunch of various products is better than one.
 
Got samples for me? MD5/SHA1 hashes? We have some of the best detection out there, but the rogues are doing their best to defeat us.

You can also call:
1-800-PCSAFETY for support as well.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Got samples for me? MD5/SHA1 hashes? We have some of the best detection out there, but the rogues are doing their best to defeat us.

You can also call:
1-800-PCSAFETY for support as well.

This posting is provided "AS IS" with no warranties, and confers no rights.

I will get you all that I can when I can. I come across these quite often, and I would say 90%+ are social engineering infections. Yes, they are from clicking the wrong thing. Banner infections are on the downturn since they can be taken care of quite easily by the web host now. Try to let people know to close the windows out by the taskbar or "Alt+F4", not by clicking anywhere on the pic or web page. They want you to click.

I would still say MSE is one of the best freeware detectors out there bar none and it works seamlessly with Vista/Win7.
 
Got samples for me? MD5/SHA1 hashes? We have some of the best detection out there, but the rogues are doing their best to defeat us.

You can also call:
1-800-PCSAFETY for support as well.

This posting is provided "AS IS" with no warranties, and confers no rights.

Can you point us in the direction of how to get these things to send to ya?

I know there is a submission page to send virus files to Microsoft but by the time I find out where they are, the scanning programs have them locked in quarantine or deleted and I'm not sure if there is a way to get them to send... all I get is log files at the end.
 
Can you point us in the direction of how to get these things to send to ya?

I know there is a submission page to send virus files to Microsoft but by the time I find out where they are, the scanning programs have them locked in quarantine or deleted and I'm not sure if there is a way to get them to send... all I get is log files at the end.

If you hash them, using MD5 or SHA1, I can see if we have the files already submitted. You can IM them to me.

To submit files, just use the "submit a file" link at http://www.microsoft.com/security/portal and IM me the file id (which is the SHA1 hash).

This posting is provided "AS IS" with no warranties, and confers no rights.
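The two posts above describe the submission workflow: hash each suspect file with MD5 and SHA1, and use the SHA1 as the file id when sending it in. The script below is an added example written for this thread, not code from Microsoft, the MSE team or any of the posters; it walks a folder of collected samples, hashes each file in chunks (so large files don't need to be read into memory), and collapses exact duplicates by SHA1 so you submit each distinct file once. The folder name, the sample file names and their contents are constructed placeholders for an offline run; point it at a real collection folder by passing the path as the first argument.

```python
import hashlib
import os
import sys
import tempfile

# Constructed sample contents for an offline demo run (not real malware).
# Two files share the same bytes, so they share one SHA1 file id.
SAMPLE_FILES = {
    "rogue_a.exe": b"abc",
    "rogue_b.exe": b"",
    "rogue_a_copy.exe": b"abc",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) for the file at path, read in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def inventory(directory):
    """Hash every regular file under directory; returns one dict per file."""
    rows = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            md5_hex, sha1_hex = hash_file(path)
            rows.append({
                "name": name,
                "size": os.path.getsize(path),
                "md5": md5_hex,
                "sha1": sha1_hex,
            })
    return rows


def unique_by_sha1(rows):
    """Keep the first entry per SHA1: the portal's file id is the SHA1, so
    identical files only need to be submitted once."""
    seen = {}
    for row in rows:
        seen.setdefault(row["sha1"], row)
    return list(seen.values())


def build_sample_dir():
    """Write the constructed samples into a fresh temp dir and return its path."""
    directory = tempfile.mkdtemp(prefix="sample_collection_demo_")
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


def format_report(rows):
    """Plain-text table suitable for pasting into an IM or a submission note."""
    lines = ["%-20s %8s %32s  %40s" % ("file", "bytes", "md5", "sha1")]
    for r in rows:
        lines.append("%-20s %8d %32s  %40s" % (r["name"], r["size"], r["md5"], r["sha1"]))
    return "\n".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    all_rows = inventory(target)
    print(format_report(all_rows))
    distinct = unique_by_sha1(all_rows)
    print("%d files, %d distinct SHA1 file ids to submit" % (len(all_rows), len(distinct)))
```

One caveat that bears on the "locked in quarantine" problem raised earlier in the thread: AV products generally store quarantined files in a transformed container rather than as the original bytes, so hashing whatever sits in a quarantine folder will not give the SHA1 the portal expects. Copy the sample (or record its hashes) before the scanner quarantines it, or restore it from quarantine into an isolated VM first, and hash that copy.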
 
Spybot Search & Destroy

mostly finds cookies, I found; not nearly as good as it used to be, it seems. Any time I run a scan on infected systems it just finds some cookies and the odd registry setting.
 