Sunday, March 8, 2009

Anti-Malware

I don't usually like to talk about my work, as I find that it is not one of the most exciting things to talk about. Actually, come to think of it, even if I think it is supposed to be interesting, it might not be interesting to you. :)

Came across this post on Slashdot, http://tech.slashdot.org/article.pl?sid=09/03/07/0137226, bashing Symantec Tech Support. Drilling into the post, I saw some mentions of a product called Malwarebytes' Anti-Malware at http://www.malwarebytes.org/.

Downloaded and tested it; it seems pretty impressive and found a few pieces of malware which my Symantec Endpoint Protection did not seem to detect. Wait a minute, isn't this the malware which was detected by SEP a few months back when I installed a game I was crazy about!!

Looking through the logs of Malwarebytes, it shows the following:

Files Infected:
C:\WINDOWS\system32\czkgvi.dll (Trojan.Vundo.H) -> Not selected for removal.
C:\WINDOWS\system32\ljJYRihh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\alanleehc\Desktop\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


The first entry was something that was detected and deleted by SEP a few months ago. I unselected it, selected the rest, and clicked the removal button. It is going to be an interesting experiment.

The questions that came to my mind:
1. Is Malwarebytes really cleaning threats on my system?
2. Is SEP really that bad?

So, a little investigation: I tried to look for this file, C:\WINDOWS\system32\czkgvi.dll. It could be hidden in an alternate data stream of an NTFS file, or simply hidden by a rootkit. Nope, couldn't find it. Used LADS from http://www.heysoft.de/nt/ep-lads.htm, and there was nothing in the alternate data streams either.

Since this is a Sunday morning, and everyone in the family is still lazing in bed, I decided the quickest way is to reboot and rerun Malwarebytes to see if it still detects this file, since I didn't remove it in the previous detection.

Ran the scan again, and YES, it didn't detect the file! Conclusions...
1. Malwarebytes' report of the malicious file could be based on registry detection, and not the actual presence of the malware.
2. SEP could do a better job of removing those registry keys!
3. A detection by a product doesn't mean it can be totally trusted.
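The triage I did by hand above (read the "Files Infected" entries, then check whether the flagged file is actually on disk) can be scripted. The following is an added example, not code from this post or from Malwarebytes; it parses the log lines quoted above (embedded here as a constructed sample) and classifies each entry. The `file_exists` parameter is an assumption of mine so the check can be run against a constructed view of the disk; by default it uses `os.path.exists`. An entry that was "Not selected for removal" but whose file is absent is the pattern described in the conclusions: the scanner is most likely reporting a leftover reference (such as a registry value) rather than the binary itself.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample in the "Files Infected:" format of a Malwarebytes'
# Anti-Malware log; the four entries are the ones quoted in this post.
SAMPLE_LOG = """\
Files Infected:
C:\\WINDOWS\\system32\\czkgvi.dll (Trojan.Vundo.H) -> Not selected for removal.
C:\\WINDOWS\\system32\\ljJYRihh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\alanleehc\\Desktop\\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\\Program Files\\Common Files\\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# One detection line has the shape: "<path> (<threat>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_files_infected(log_text: str) -> List[Dict[str, str]]:
    """Return the entries listed under the 'Files Infected:' header."""
    entries: List[Dict[str, str]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # a section header such as "Files Infected:"
            in_section = line == "Files Infected:"
            continue
        if not in_section:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def triage(entries: List[Dict[str, str]],
           file_exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, object]]:
    """Attach a verdict to each entry based on whether the file is on disk.

    - 'stale-reference': left in place by the scan, yet absent from disk; the
      detection is probably keyed on a leftover reference, not the file.
    - 'file-present':    the flagged file really exists and needs attention.
    - 'removed':         absent from disk after the scanner quarantined it.
    `file_exists` is injectable (an assumption of this example) so the logic
    can be exercised against a constructed disk view.
    """
    result: List[Dict[str, object]] = []
    for entry in entries:
        present = file_exists(entry["path"])
        if present:
            verdict = "file-present"
        elif entry["action"].startswith("Not selected"):
            verdict = "stale-reference"
        else:
            verdict = "removed"
        result.append({**entry, "present": present, "verdict": verdict})
    return result


if __name__ == "__main__":
    # On the real machine, run with the default os.path.exists check.
    for row in triage(parse_files_infected(SAMPLE_LOG)):
        print(f"{row['verdict']:16} {row['threat']:34} {row['path']}")
```

Running it on a real Malwarebytes log shows at a glance which detections are worth a second look (files that are still present) and which are only echoes of something already cleaned up.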

My little girl just woke up, time to channel the rest of my energy to her.
