Saturday, December 06, 2008

Issues with AV

I noticed Hogfly's been blogging lately about issues with AV, here and here. It's some good stuff, and I think bears repeating...AV is NOT a silver bullet, and I think most of us are really very well aware of that.

A while back, I commented about an issue presented by AV company write-ups providing incorrect information; in this case, identifying a Registry entry that was created not directly by the malware itself, but by the shell as a result of how the malware was launched on the system. Given the level of technical ability of many malware analysts, you'd think it would be an easy catch.

Well, I ran across this one at the MS Malware Protection Center Encyclopedia this morning - malware identified as Win32/Autorun.GR, and yet the write-up (as of this morning) gives no indication of any sort of autorun capability, via a Registry setting or otherwise. Again, as of this morning (6 Dec), the description simply states that the malware writes itself to the root of all available drives; however, there's no description or discussion whatsoever of why this malware is referred to as "autorun". Yeah, yeah, I know that the Technical Details state that additional info is pending analysis, but if you're gonna call it "autorun", shouldn't there be a reason for that? After all, if the files are just written to the root of the drive without any other means of initiation, wouldn't that then be something like "Win32/Usersgottaclickme.GR"??

On the other hand, VirusList has a good write-up on AutoRun.ah which pretty clearly states where the autorun capability comes from. At least from this write-up, you can pretty clearly see the steps you need to take to prevent this malware from affecting your infrastructure.
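As an added example (not from the original post or from either vendor's write-up), here is a small Python triage helper that makes the distinction in the two paragraphs above concrete: given the file listing at a drive root and the text of any autorun.inf found there, it reports whether the drop actually carries a launch directive (open, shellexecute, or a shell\verb\command entry) or is just a file waiting to be clicked. It also decodes the NoDriveTypeAutoRun Explorer policy value, which is the Registry-side control over whether Explorer honours autorun.inf per drive type. The sample autorun.inf and file names are constructed, and the function names are my own.

```python
import re

# Keys in the [autorun] section that cause Explorer to run something.
# "label" and "icon" only change how the volume is displayed.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Bits of the NoDriveTypeAutoRun policy value under
# HKLM or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# A set bit disables AutoRun for that drive type; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk",
                   0x80: "unrecognized"}


def parse_inf(text):
    """Minimal INI parser for autorun.inf: returns {section: {key: value}}.

    Section and key names are lowercased (Windows matches them
    case-insensitively). Lines without '=' are skipped, so junk padding
    inside the file does not break the parse.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_drive_root(listing, autorun_text=None):
    """Classify what sits at the root of a volume.

    listing:      file names found at the drive root.
    autorun_text: contents of autorun.inf if one is present, else None.
    Returns launch directives found, referenced programs that are not at
    the root, and a verdict: "passive drop", "cosmetic autorun.inf" or
    "autorun".
    """
    names = {n.lower() for n in listing}
    result = {"has_autorun_inf": "autorun.inf" in names,
              "launch_directives": [], "missing_targets": [],
              "verdict": "passive drop"}
    if not result["has_autorun_inf"] or autorun_text is None:
        return result
    result["verdict"] = "cosmetic autorun.inf"
    section = parse_inf(autorun_text).get("autorun", {})
    for key, value in section.items():
        if key in LAUNCH_KEYS or SHELL_VERB_COMMAND.match(key):
            result["launch_directives"].append((key, value))
            # First token is the program to run; if it is a bare file name,
            # confirm it actually exists at the root alongside autorun.inf.
            target = value.split()[0].strip('"').lower() if value.strip() else ""
            if target and "\\" not in target and target not in names:
                result["missing_targets"].append(target)
    if result["launch_directives"]:
        result["verdict"] = "autorun"
    return result


def autorun_disabled_for(no_drive_type_autorun):
    """Drive types for which a NoDriveTypeAutoRun value disables AutoRun."""
    return {name for bit, name in DRIVE_TYPE_BITS.items()
            if no_drive_type_autorun & bit}


# Constructed sample autorun.inf and directory listings, not real captures.
SAMPLE_AUTORUN_INF = """\
[autorun]
; dropped next to setup.exe at the drive root
open=setup.exe
shell\\open\\command=setup.exe
shell\\open=&Open
icon=setup.exe,0
label=Removable Disk
"""
SAMPLE_ROOT_WITH_INF = ["autorun.inf", "setup.exe", "readme.txt"]
SAMPLE_ROOT_PASSIVE = ["setup.exe", "readme.txt"]

if __name__ == "__main__":
    print(triage_drive_root(SAMPLE_ROOT_WITH_INF, SAMPLE_AUTORUN_INF))
    print(triage_drive_root(SAMPLE_ROOT_PASSIVE))
    print(sorted(autorun_disabled_for(0xFF)))
```

Run against a mounted image or a suspect drive, the first call is the check a write-up should make before using the word "autorun": a root that has the dropped executable but no autorun.inf (the second call) comes back as "passive drop". The decoder is handy when verifying the preventive step, since a policy value that leaves the removable bit (0x04) clear still lets Explorer act on autorun.inf from USB media.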

The more information you can get, the better prepared you can be to address the threat. I know that on the surface, to many, the issue of viruses and malware seems pretty pedestrian, but to be honest, there are a number of organizations out there that get pretty badly hung up by viruses (not even worms) and other similar issues.

1 comment:

Jimmy_Weg said...

I've commented here and elsewhere about this issue. I think that I cited VirusList, too, particularly the Vgrep feature. From my side of the fence, it's difficult to exhaust defenses when documentation is so lacking. McAfee does a pretty good job of providing indications of infection, at least for its versions of a threat. One thing I'm doing is running suspect machines in a VM and launching the AV tool to see exactly what's been done historically. It's also easier to examine other defenses in a virtual environment.