Saturday, November 15, 2008

Security Simmerings…chunky style goodness

[image: VIPRE scan results]

Lean Snake-meat

I’m trial-testing a new (to me) anti-virus/anti-malware product on our Vista system.  It’s Sunbelt Software’s VIPRE Antivirus + Antispyware program.

It’s a bit of a different product for me as I usually stick with “free for personal use” versions such as AVG Free.  This one is good for just 15 days.  On the plus-side, Sunbelt offers a $49.95 deal to register its use on all the computers in your home for a year.  That does seem like a good value.

I uninstalled AVG Free 8, then after a reboot loaded this one up.  A full scan with VIPRE took 128 minutes and, as the image above shows, scanned a bunch-load of items.  In all it found five cookies as well as two possible trojans and one potentially unwanted program.  I was a bit shocked at first, but found that one was Abel (of Cain and Abel), one was a utility in NetTools, and the last (PUP) was a tool that allows you to run an application under a different date. So all were, in fact, known and approved by me to be on my system.

I must say my first impressions are very positive.  The interface is very logical and easy to navigate. Each time I wanted to do something or find something, I was quickly able to find it, even without having read the Help files.

My only “gripe” at this point is that I was not able to select any of the items found in the middle of a scan to view the details on them.  This led to some mixed concern on my part until the scan completed and I was able to see the details. I’d like to ask the Sunbelt team to allow viewing of detected threat details in the process of the scan, or allow additional columns to be added to the default view that would at least show the location (path) and filename of the threats so some information can be reviewed mid-scan.

I’m not intending this to be a “review” but more of a first-impressions piece.  However, if after the fifteen days are up I’m still happy, I’m pretty sure I’ll be signing up for a subscription and composing a longer review.  In the past I used their Sunbelt Firewall product for a very long time, abandoning it only when it took so long for them to deliver a Vista-compatible version (now available). I was very pleased with the product and company from that experience.

On top of that, CEO Alex Eckelberry’s SunbeltBLOG is a long-time RSS feed of mine and I really enjoy the posts found there. Alex is very responsive and frequently drops into forums and blogs and leaves his comments.  I’m always impressed with his attitude and willingness to engage in constructive discussions on both his company’s product as well as the anti-malware industry in general.

AVG Foul and Alternative Poultry Choices for the Pot

Goodness knows, I’ve been a long-time apologist for AVG Free here on this blog.  It was one of the very first “free” anti-virus products I switched to after leaving a paid-subscription service.  It’s had its ups and downs but overall I still remain pretty pleased with AVG and continue to recommend it for most home-users looking for a free security product.

My complaints remain, however: a very busy interface, difficulty finding and using the “advanced” settings and configuration tools, periodic false-positives, the fact I’ve never been able to get the “upload to AVG” feature for sending sample files to AVG to work, and the fact that it continues to hammer away on a number of my utilities as “Potentially Unwanted Programs” despite the fact I tell it not to.

AVG again has made the tech-circles with reports of nailing false-positives for some critical (or important) system files. Although I personally haven’t experienced any of these recent behavioral problems, they could be a bit disconcerting for AVG noobies not yet accustomed to the frequent AVG false-positives the signatures are known for.

TechBlog: Ooops: AVG thinks key Windows file is a Trojan

TechBlog: Yet another AVG false alarm: Time for an alternative?

AVG virus scanner removes critical Windows file - Security and the Net

This led to me re-evaluating my selection with AVG Free 8 again and giving VIPRE a try.

In my previous AVG Free v8 versus the Competition (Speed to Scan only) post, I came to the conclusion that AVG Free v8 had the fastest performance overall of any free anti-virus product that I had tested.

The runner-up was Avira AntiVir Personal.  I said that I would likely choose this as my second choice were I to leave AVG Free 8.  The only drawback I find with AntiVir is that the free product has a few more limitations than other free solutions. On the plus-side, Avira consistently leads the pack of SRI’s Most Effective Antivirus Tools Against New Malware Binaries detection list.  See also AV-Comparatives.

Curiously, I did not see Sunbelt Software’s VIPRE listed in either location. So I really have no way to see how they would stack up in these tests by comparison.

If I did go with AntiVir I would probably also use it in tandem with either (or both) Malwarebytes' Anti-Malware (free but $ for full-feature version) and ThreatFire (freeware).  I had always relied on ThreatFire’s HIPS type protection before, but it seemed to conflict with COMODO’s firewall and kept locking up my XP system’s hard-drive so I just uninstalled it from everything for now.

Then there is COMODO’s Internet Security suite, which remains a free security product that bundles its awesomely hardened firewall along with some interesting anti-virus/anti-malware products.  Certainly worth looking at as an integrated anti-malware/anti-virus solution if you are tempted to walk away from AVG Free 8.

Finally, I found this security software review site that uses YouTube videos to highlight its findings: Remove Malware.

Pure Angus Meatiness

Microsoft® Malware Protection Center : Malware and Signed Code – Yep, it’s a brief discussion on code signing and how it is beneficial to preventing malware.

Microsoft® Malware Protection Center : Win32/FakeSecSen - A Nasty Piece of Work – MMPC staff take some of the fake security programs to task. I frequently see evidence of these at work where users were surfing, got a pop-up, and the program/presentation looked quite legitimate and tricked the user into installing the app on the system.  Then our Symantec program alerts on them (but can’t remove them) and off we go to pull them off the system.  It’s probably even worse for many home users. It’s a great roundup and discussion.

Wi-Fi Networking News: WPA Not Cracked, But Still Vulnerable and Security experts reveal details of WPA hack - News - heise Security UK – The weakness of the WPA chain is finally fully out.  It is a flaw, but probably nothing for the average home user to be deeply concerned about…at least not quite yet.  If you are really concerned and your Wi-Fi router supports it, consider switching to WPA2.

Windows Incident Response: More Deleted Keys Goodness! – Harlan shows just how valuable the ability to find (and recover) deleted registry keys can be. Neat stuff.

Windows Incident Response: New Code Posted – Harlan also kindly offers up a plug-in to his RegRipper tool that will help recover deleted registry key information for investigators and SysAdmins.

SynJunkie: The Story of a Hack - Part 2. Breaking In – SynJunkie is continuing his class on how a penetration attack occurs.  So far it has been quite educational and nicely documented.

Shoulder Surfing a Malicious PDF Author « Didier Stevens – This was really cool.  Didier was able to obtain a malicious PDF file that actually retained the incremental changes the malware writer used to try to get the PDF bomb ticking.  He provides a great analysis, and I wonder what applications this technique could have for forensic examiners, who could find some good clues and data in the same way.  If nothing else it is good information to be familiar with.

--Claus

3 comments:

JMisner said...

Hi Claus,

I noticed that you often mention about your problems with ThreatFire and Comodo Firewall. Have you tried making sure that the Defense+ component of Comodo is not only 'disabled' under its security level, but also fully 'deactivated permanently' in settings? I've found that during Comodo 3 installs, even when turning off Defense+ in the wizard, it is often still partially enabled after reboot. Going back and making sure that it is both 'disabled' and 'deactivated permanently' makes sure that it is completely off in the Defense+ Settings dialog.

I support your decision in using Cyberhawk/ThreatFire as it seems to be far more intelligent than Comodo's Defense+ for use as HIPS software on a PC. I myself run Avast, Comodo (firewall only), and ThreatFire together without any issues whatsoever on my ThinkPad T40 running XP SP3. When you get a chance, give this excellent 'free security suite' another try!

And as a long-time reader of your blog, I kindly suggest you try Avast 4.8 again instead of AVG. It's extremely quiet, includes excellent anti-spyware and anti-rootkit support (uses GMER technology), and it recently beat just about every other antivirus in the reputable AV-Test (http://www.virusbtn.com/news/2008/09_02) and also scored "Advanced+" on AV-comparatives. Low resource usage...just works. Forgive me for sounding like an Avast fanboy or anything, I just see your undying support through AVG's blunders while the also-free Avast has been chugging along without a hitch. I've installed it on all my clients' machines and I never hear back from them through all the automatic updates -- a miracle. If you have any troubles feel free to write back, I've duplicated and fine-tuned this setup many times.

Thanks again for a great blog!

Claus said...

@Joe - Wow. Thanks for taking the time to leave a great comment!

Yes, I have mentioned a suspected ThreatFire/Comodo problem more than a few times. It befell my XP Home SP3 desktop system and for a while I swore I was about to lose my second HDD unit. Curiously, these were also running on both the Vista and XP Home laptops without the same behavior. It may have also been tied to a third (unidentified) application as well.

I appreciate your insight and suggestion on Defense+. I did in fact "fully" disable the Defense+ feature for the Comodo firewall. I first ran into it in this post (Vista KB942763 Update Failure and Solution). I figured I didn't need both ThreatFire and Defense+ going at the same time as that might cause some conflicts. It did seem odd that one has to effectively double-disable it to stop it working.

I wish I had more time to have puzzled the issue out. A review of the system logs didn't provide any clue while it was occurring and only a hard-reset would free it again...for a while. My gut feeling is that it had something to do with the ThreatFire updating process but I never was able to prove it. I suggest that as the lockups would often kick off about five to ten minutes after boot and the desktop had settled in. Whatever the root-cause was, it seemed particular to the specific combination of programs and services running on that particular system.

I do like to try to keep the same security combination running across my systems, just to make administration and support a bit simpler. When the girls have a problem I can pretty quickly know and walk them through the configurations with all things same.

I don't pick up that you are being an "Avast fanboy". Avast is a very good alternative candidate for folks looking for a free security suite. It does rank highly in AV testing. To be fair, back when I was moving away from my paid McAfee program, I settled on AVG pretty much based on a combination of tech site feedback, but also because I preferred its user interface a bit more over Avast. Funny how things like that can make a difference regardless of the technical factors.

And that undying loyalty with AVG has been as much because I like a good puzzle and it has certainly provided more than a fair amount of entertainment and curiosities for me in terms of blog material. It is a good product, and it does have a few issues as well.

I can say that I am likely to be moving on from AVG Free in the coming months and trying out other similar security products. So I will definitely keep Avast in mind!

Please feel free to continue to drop your comparative perspectives of Avast along the way here when I continue to post on such anti-virus/anti-malware related topics! It would provide a valuable counterpoint!

--Cheers!

Claus V.

JMisner said...

I've had similar problems with installations, but not the same specific one you had with KB942763. For instance, I often have to disable ThreatFire to get certain things to install otherwise the installer will run into multiple problems. On that note, ThreatFire has been updated to version 4.0 probably since you may have last used it, maybe solving the issues you had before? I understand using the same security combo across the board as I do the same with Comodo and Avast, and also ThreatFire where need be.

For the longest time, I actually avoided Avast because I distrusted its interface as well, and its focus as an antivirus alone instead of being a full antimalware solution. After version 4.8 came out with the much better antimalware engine and using my favorite antirootkit app GMER's technology built-in, I started installing it on my virtual machines and on clients' PCs to great success. This caused me to abandon my own beloved Kaspersky suite completely and I haven't looked back! Oddly enough, having Comodo, Avast, and ThreatFire running at the same time seems to put less of a resource drain on my system than the Kaspersky suite alone.

I'll gladly share my Avast experiences in your posts. Sadly though, they haven't been very eventful, especially compared with AVG this year! With any luck, if you ever switch to Avast, then AVG will be solid as ever and Avast will have plenty of blunders to write about. :)