Sunday, October 4, 2009

My Anti Virus will keep me safe and warm! Won't it?

I am always being asked which Anti Virus is the best. This is a difficult question. The truth of it is, they can all be beaten. That might come as a shock to you, or maybe not, but it is very true. I decided to use this post to try to explain why this is so difficult.

What I did was create a simple backdoor trojan using our favorite Metasploit payload, shell_reverse_tcp, and then encode it with shikata_ga_nai. Loosely translated, this is Japanese for "nothing can be done about it". The encoder is a polymorphic XOR additive feedback encoder: each block of the payload is XORed with a running key that is updated as the data is processed, and the key (and the small decoder stub prepended to the payload) is randomized on every run. For those unfamiliar with the term, this means the bytes of the file change in what appears to be a random fashion each time it is built, while the code it decodes to, and what that code does, stays exactly the same.

This is simple shellcode with one specific purpose: connect back to whatever system I tell it to. You would expect any normal scanner to catch it. I built one version with no encoding and one version encoded with shikata_ga_nai and uploaded both to VirusTotal. This site scans the files you upload with 41 (at this time) different virus scanners and tells you which ones flagged the file as malicious. Both versions were reported to contain no malicious code. Now this could be an unfair test, since the code was so small, so I decided to run Netcat through both ways as well. For those of you not familiar with Netcat: it is a general-purpose networking utility that can be used for good or bad, including as a back door, and the major vendors definitely treat it as malicious. I ran this through VirusTotal again, and the unencoded version was easily caught by 25 of the 41 vendors. The encoded version was not recognized at all.
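To show why the encoded copy slips past a byte-signature scanner, here is a toy XOR additive feedback encoder in Python. This is an added example, not code from the original post and not Metasploit's own implementation: it is a simplified model of the scheme, the "payload" is a constructed ASCII pattern rather than real shellcode, and the `SIGNATURE` string stands in for whatever byte pattern a scanner might key on. Two runs with different seeds produce two different files, both decode to the identical payload, and the static signature matches only the unencoded copy.

```python
import os
import struct

# Constructed stand-in for a payload body (NOT real shellcode): a 64-byte ASCII
# pattern that a signature scanner could key on, already a multiple of 4 bytes.
PAYLOAD = b"CONNECT-BACK-TO 192.0.2.10:4444 " * 2
# The static "signature" a naive scanner might use for this payload (assumed).
SIGNATURE = b"192.0.2.10:4444"


def encode(data: bytes, key: int) -> bytes:
    """XOR additive feedback encoder over little-endian 32-bit words.

    Each word is XORed with the running key; the key is then advanced by adding
    the plaintext word (mod 2**32), so the keystream depends on the data and the
    position. This is a simplified model of what shikata_ga_nai does, not its
    code. Only the 4-byte seed differs between runs, yet every output byte moves.
    """
    if len(data) % 4:
        raise ValueError("pad data to a multiple of 4 bytes first")
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def decode(data: bytes, key: int) -> bytes:
    """Inverse of encode(); this is the work the decoder stub does at run time."""
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", data):
        word = enc ^ key
        out += struct.pack("<I", word)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static byte-pattern check: the kind of detection a re-encode defeats."""
    return signature in blob


def fresh_key() -> int:
    """Random 32-bit seed, as an encoder would pick on each build."""
    return int.from_bytes(os.urandom(4), "little")


def demo(key_a: int, key_b: int) -> dict:
    """Encode the same payload twice with different seeds and compare results."""
    enc_a, enc_b = encode(PAYLOAD, key_a), encode(PAYLOAD, key_b)
    return {
        # Two builds, two different "files" as far as a byte scanner can tell.
        "ciphertexts_differ": enc_a != enc_b,
        # Both still decode to the very same payload when run.
        "both_decode": decode(enc_a, key_a) == PAYLOAD
                       and decode(enc_b, key_b) == PAYLOAD,
        # Signature matches the plain copy only: (plain, build A, build B).
        "signature_hits": (signature_hit(PAYLOAD),
                           signature_hit(enc_a), signature_hit(enc_b)),
    }


if __name__ == "__main__":
    for name, value in demo(fresh_key(), fresh_key()).items():
        print(f"{name}: {value}")
```

The "polymorphic" part of the real encoder goes one step further than this model: the decoder stub itself is assembled with randomly chosen registers and instruction ordering, so there is no fixed stub to write a signature for either. A scanner that only looks at bytes on disk has nothing stable to match; what is stable is what the code does once it runs.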

So what does it all mean, Basil? It means that even all of those old viruses can get past your anti virus once someone re-encodes them. What you really need is endpoint protection from companies such as Symantec, McAfee or Sophos. Why are they better? Because they are built to look for "odd" behavior (a freshly downloaded program that connects out to the Internet and then spawns a command shell, for example) rather than just matching a signature of the file's bytes, which change every time the file is re-encoded. Behavior-based detection can be evaded too, but it takes far more than a re-encode. This is becoming more and more important as attacks and attackers get more complex.
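As an added example (not from the original post and not any vendor's product), here is the kind of behavioral rule such a product might apply, run over a few constructed telemetry events: flag a process that makes an outbound connection and then spawns a command shell shortly afterwards, which is exactly what a reverse shell does no matter how its bytes were encoded. The event field names and the 30-second window are assumptions made for the example.

```python
# Constructed endpoint telemetry for this example. Field names are assumptions,
# not a real vendor schema; "ts" is seconds since an arbitrary epoch.
EVENTS = [
    # Benign browser session: outbound HTTPS, never spawns a shell.
    {"ts": 100, "type": "proc_start", "pid": 300, "ppid": 1,
     "image": r"C:\Program Files\Browser\browser.exe"},
    {"ts": 101, "type": "net_connect", "pid": 300, "dst": "203.0.113.5", "dport": 443},
    # Re-encoded reverse shell: new hash, new bytes, same behavior.
    {"ts": 200, "type": "proc_start", "pid": 410, "ppid": 200,
     "image": r"C:\Users\bob\Downloads\invoice.exe"},
    {"ts": 201, "type": "net_connect", "pid": 410, "dst": "198.51.100.7", "dport": 4444},
    {"ts": 202, "type": "proc_start", "pid": 411, "ppid": 410,
     "image": r"C:\Windows\System32\cmd.exe"},
    # An admin opening cmd.exe from Explorer: no prior outbound connection.
    {"ts": 300, "type": "proc_start", "pid": 500, "ppid": 50,
     "image": r"C:\Windows\Explorer.exe"},
    {"ts": 301, "type": "proc_start", "pid": 501, "ppid": 500,
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Interpreters whose launch right after an outbound connection is suspicious.
SHELLS = {"cmd.exe", "powershell.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_connect_then_shell(events: list, window: int = 30) -> list:
    """Flag processes that connect outbound and then spawn a shell within `window` seconds.

    This keys on what the program does, not on the bytes it is made of, so a
    re-encoded build of the same backdoor trips it just like the original.
    Returns one record per hit: the suspect pid, where it connected, and the
    child shell's pid.
    """
    last_connect = {}  # pid -> most recent outbound net_connect event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net_connect":
            last_connect[ev["pid"]] = ev
        elif ev["type"] == "proc_start" and image_name(ev["image"]) in SHELLS:
            conn = last_connect.get(ev["ppid"])
            if conn is not None and ev["ts"] - conn["ts"] <= window:
                hits.append({
                    "pid": ev["ppid"],
                    "dst": f'{conn["dst"]}:{conn["dport"]}',
                    "child": ev["pid"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_connect_then_shell(EVENTS):
        print(f'pid {hit["pid"]} connected to {hit["dst"]} then spawned shell pid {hit["child"]}')
```

Only pid 410 is flagged: the browser connects out but never launches a shell, and the admin's cmd.exe has no outbound connection behind it. A rule this simple would still need tuning in a real environment (remote administration tools connect out and run commands for a living), which is the trade-off behavioral products make in exchange for not depending on a fixed byte pattern.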

For those of you who will still use the free anti virus programs out there, do what you can to keep them up to date and scan your systems often. Microsoft has released a free Anti Virus, Microsoft Security Essentials. Make sure you download it from the Microsoft web site! There are many fakes out there already. I have not tested it fully, but the little I have tested shows that it is pretty decent for free. It would be nice to run multiple anti virus programs, but they usually fight with each other. I am testing this one alongside AVG on my wife's PC and will report back on whether they work well together. I also recommend running Malwarebytes as often as possible, especially if you are a constant Facebook or Myspace user. Running it nightly might be a good choice.

As always, if you have any questions, let me know.

