Kaseya Community

Poor detection rates for FakeAV malware

  • (Attachment: temp1.jpg)
    I am a one-man shop using Kaseya & KES for about 2 years to manage about 200 machines. In the last few months my customers seem to get hit with the fake AV crap that we are all too familiar with. Usually 2 or so infections a week. AVG (both 8.5 and 9) resident shield (and Web Shield + Link Scanner) completely miss the threats. I then have to use MalwareBytes to fix the machine...

    So I am totally ready to toss AVG out the window. But what to replace it with? I am thinking about Kaspersky since supposedly that is the new KES3 vendor Kaseya will be using. But just because Kaseya picks some new vendor does not mean it will have any better detection rates than AVG. I need a little more scientific way to evaluate the current AVAS products, with the most important benchmark being detection rates. So I kept a copy of the latest fake AV file (e.exe) that was detected by MalwareBytes on a machine that got hit yesterday. I then submitted it to www.VirusTotal.com, which runs the submitted file past 39 different AVAS products and reports whether each AVAS product detected anything. Below is a screenshot of the results showing that only 7 products detected the malware. No surprise - AVG did not detect anything. But neither did Kaspersky. The only ones that did detect anything were CAT-QuickHeal, eSafe, Microsoft, NOD32, Panda, Sophos & Sunbelt.

    I know one virus submission is not by any means conclusive. But it is a starting point and provides useful data that may very well determine what AV product I end up choosing.

    Has anybody else ever run this sort of test? Any results? I would think if some of us started doing this with malware we encounter that we could share our results and have an excellent indicator as to what AVAS products work the best... I wonder if the VirusTotal website publishes any sort of detection summary encompassing all the files submitted? That info would be priceless!

    Legacy Forum Name: Poor detection rates for FakeAV malware,
    Legacy Posted By Username: ReedMikel
  • The reason the fake AV guys are in business (yes - I said business), is because they are actually good at their job. Each time they release a new variant, it takes a few days for the industry to catch up. Usually after a week or so, most of the field will be onto that version and block it.

    My suggestion is to wait another week and then see what the results are.

    Jeff

    Legacy Forum Name: KES,
    Legacy Posted By Username: Jeff.Keyes
  • While I feel your pain on the 'fake av' stuff, I would never recommend changing AV vendors based on the results of any surveys on detection rates. None of them are anywhere near 100%, because as Jeff says, the 'bad guys' know how signature based detection schemes work. They are inherently 'reactive' - until AVG/Norton/Kaspersky/whoever actually gets their hands on the particular variant in question, they can't say 'this file is a virus'.

    Granted, there are some improvements being made in heuristic/behavior-based detection methods, but there are drawbacks to this approach as well - namely false positives.

    My experience has been that few AV products will regularly detect anything malicious that has been out for less than a week. Here's a still-relevant 4 year old article that describes the weaknesses of signature based detections:
    http://www.zdnet.com.au/eighty-percent-of-new-malware-defeats-antivirus-139263949.htm

    So, rather than chase AV vendor results and make decisions based on a 'moment in time' analysis of their detection rates, I concentrate on making sure that my systems have the smallest possible threat surface that they can. For me this means:
    - Removing all 3rd party software that isn't required for the user to do his/her job
    - Making sure any 3rd party software left is always up-to-date and patched.
    - MS updates, goes w/o saying
    - No local admin rights where possible/feasible

    Finally, and probably most importantly (and most challenging), user education. Most of the 'fake av' infections I've seen are brought on because the user was tricked into clicking on something they shouldn't have, or opening an email attachment, or whatever. Rather than try and explain every possible scenario to watch out for, I try and give them a crash course in social engineering and how to avoid falling victim. Regarding the 'fake av' stuff specifically, this can usually be boiled down to 'if you see an alert or message that scares the hell out of you, warns you that you have security problems, or offers to 'fix' something for you, then DO NOT click on it!'

    If you really want to see some comparative detection information, Virus Bulletin does regular testing and publishes their results (registration requirements vary, some areas free, some not):
    http://www.virusbtn.com/vb100/index

    Hope this helps!

    Legacy Forum Name: KES,
    Legacy Posted By Username: benny@geeksaknockin.com
  • Hmmm, can anyone explain why MalwareBytes has *always* found these FakeAV threats on my clients' infected machines, while AVG "sees" nothing? Does MalwareBytes have an inside track on the malware? I don't think so. Instead, I think AVG does a poor job of malware detection. Jeff - you said it yourself: you explained to me that when you asked AVG why they missed so many threats (that MalwareBytes detected), AVG told you they were afraid of being sued in cases of questionable malware. That just makes no sense at all, and I'm running away from any AV company that says something like that. If it were just one or two isolated cases where MalwareBytes found something that AVG missed, then I would not be as concerned. But I've encountered this scenario for many months now - where AVG misses malware that MBAM always finds.

    Anyway, I have to find a better AVAS product. Staying with the status quo is not getting me anywhere, and actually provides a false sense of security to my clients. And it's costing me a lot of man hours. So I'll continue testing infected files against sites like VirusTotal.com and pick a vendor that detects the type of malware I am encountering every week.


    Jeff.Keyes
    The reason the fake AV guys are in business (yes - I said business), is because they are actually good at their job. Each time they release a new variant, it takes a few days for the industry to catch up. Usually after a week or so, most of the field will be onto that version and block it.

    My suggestion is to wait another week and then see what the results are.

    Jeff


    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • Some other thoughts/ramblings:

    I have taken away local admin rights (more than a year ago at most sites), yet continue to have clients infected by FakeAV malware.

    Clients are using OpenDNS.com for web filtering.

    User education only works so well. e.g. I have a non-profit that has a very high turnover rate for some of the night shift staff. So keeping them educated about malware is just not feasible. I need an AVAS product that truly protects users from all this crap.

    Let's face it, I bet all of us IT experts, at one time or another, have seen some of this well crafted malware display what looks like a genuine Microsoft alert (e.g. an imitation Windows Security bubble pops up in the system tray). So if it almost fools me, my users stand no chance.

    One thing I have noticed about my clients' recent infections is that the damage is limited to the current user. e.g. registry entries like HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ or files like C:\Documents and Settings\\Local Settings\Application Data\\. No doubt damage is limited to the current user because I have removed local admin rights. So I am thinking that once a machine is infected, the fastest remedy may be to delete the infected user's profile. That could even be scripted using MS's DelProf.exe utility. I'd have to reconfigure Outlook (Exchange mailbox in most cases) and a few other things, but I think it would be a good bit faster than running various AVAS tools in an attempt to disinfect.

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
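An added example, not from this thread or any of its posters, of the per-user check the post above describes from the defender's side: it lists the HKCU Run entries and flags those whose executable lives inside the current user's profile, which is where a non-admin FakeAV infection has to put its persistence. It assumes Windows PowerShell running in the affected user's session; the function name and output columns are my own.

```powershell
# Added example (not from the thread): enumerate HKCU Run entries and flag the
# ones whose executable resolves into the current user's profile directory.
# Assumes Windows PowerShell in the user's own session; names are constructed.

function Get-UserProfileRunEntries {
    param(
        [string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $profileRoot = $env:USERPROFILE
    $key = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return @() }

    $results = @()
    foreach ($prop in $key.PSObject.Properties) {
        # Skip the provider metadata (PSPath, PSParentPath, ...) that
        # Get-ItemProperty adds alongside the real registry values.
        if ($prop.Name -like 'PS*') { continue }

        $command  = [string]$prop.Value
        # Expand %APPDATA%-style variables, then isolate the executable path:
        # either the quoted first token or the first whitespace-delimited token.
        $expanded = [Environment]::ExpandEnvironmentVariables($command)
        if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($expanded -split '\s+')[0] }

        $inProfile = $exe.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)
        $results += [pscustomobject]@{
            Name          = $prop.Name
            Command       = $command
            Executable    = $exe
            InUserProfile = $inProfile
            # A Run entry whose target no longer exists is also worth a look:
            # it is typical leftover from a partial clean-up.
            Exists        = Test-Path -LiteralPath $exe
        }
    }
    return $results
}

# Usage: show only the entries that point into the user profile for review.
Get-UserProfileRunEntries | Where-Object { $_.InUserProfile } | Format-Table -AutoSize
```

Entries launched from the profile are not automatically malicious (some legitimate per-user installers do the same), so the output is a review list, not a verdict.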
  • Along with Benny's recommendations we push to have a UTM device at our clients (Untangle, Fortigate, etc).

    Legacy Forum Name: KES,
    Legacy Posted By Username: Coldfirex
  • We use a mixture of KES and Symantec. I can tell you that no one AV will catch these. We have two customers that use Kaspersky still from when they were with their old support companies and they have had the fake av a couple of times. Let me say from our limited exposure to Kaspersky that it is a huge resource hog. The ones we have seen are running everything so that may be why, but I doubt we will move to that if it's the new KES option. Most likely we will try it on our test lab and go from there. It seems running an AV and the Corporate Licensing of Malwarebytes might be the best option. And like you we've tried restricting users and not giving them administrator rights and they still get it.

    Legacy Forum Name: KES,
    Legacy Posted By Username: jasonp
  • MalwareBytes does seem to have excellent detection databases and algorithms. I'd say almost 100% of the machines that got infected with AVG were able to be cleaned using MBAM (I use their Technician's License). I hope that means if I was using MBAM's corporate product that their realtime protection would have prevented the malware infection in the first place. I believe most of the recent infections happened through their browser (usually Firefox 3.5).

    jasonp
    It seems running an AV and the Corporate Licensing of Malwarebytes might be the best option.


    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • We have had 4 different clients get infected within the last 4 business days. One was on KES, one was on Symantec Endpoint, one was on Microsoft OneCare and the last one was on Trend Worry-Free. All 4 got infected by people looking at websites looking for holiday information and golf information. Someone can correct me if I am wrong but I do believe a company needs some type of web or proxy server to stop the infections. Antivirus alone will not prevent it when the end user clicks on the link and perhaps installs ActiveX controls and does the dirty work for the virus. How do you educate a user to know when a link is good or bad, and many do not have an idea about where to go. Only way is to prevent the infection from the web.

    Legacy Forum Name: KES,
    Legacy Posted By Username: gdoubinin
  • I was under the impression AVG's Web Shield and Link Scanner were supposed to provide protection against malicious links. I have no way of knowing how often, if ever, it has protected any of my users. All I know is that some users continue to get infected while browsing the Internet. I am getting a copy of their Firefox browser history to see if I can find a common website that might be responsible for the malware. But all this detective work is very time consuming.

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • I feel the frustration. I had a client that went to a link that was infected, we got it cleaned. I laughed when the same person went to the same link in two days and got reinfected. The customer threatened the end user that next time the bill will be passed onto the user. We have CA Secure Content Manager in 4 sites that does spam and proxy web browsing for virus and malware and we have not had these infections on any of the clients. The link scanner is great at giving the green marks next to the link but many clients do not have an idea about the green check marks when they are googling.

    As you mentioned, I am not sure how good the AVG Web Shield or Link Scanner works, because I have not had anyone say that there was a green check mark next to the link and they got infected.

    Legacy Forum Name: KES,
    Legacy Posted By Username: gdoubinin
  • (Attachment: TSC_FAKEAV_Cleaner.zip)
    We are in the same boat! We use Trend Micro WFBS and enable the best practices configurations. Trend catches the threat but cannot do anything with it. So we are notified and then run a combination of Malwarebytes and Trend's FakeAV Cleaner (attached here). This is a stand-alone app that runs. You could probably create a Kaseya script to run it on infected machines (I haven't had time to build one yet).

    We have started deploying SonicWALL with CGSS (Total Secure) for gateway security. Those sites seem to stay clean.

    However, as a previous poster mentioned, most infections come from users allowing the threat in by clicking on something.

    Legacy Forum Name: KES,
    Legacy Posted By Username: jfox
  • As far as gateway protection, is anyone familiar with the ProtectLink Gateway service which can be purchased for Cisco SMB routers (e.g. RV042)?

    Product info: http://www.cisco.com/en/US/products/ps9953/index.html

    This is a Trend service that Cisco is offering...

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • Has anyone tried Malwarebytes paid version to see if its real-time protection works against the fake AVs? It may detect it after the fact, but real-time is where it counts.

    Legacy Forum Name: KES,
    Legacy Posted By Username: pnorman
  • Excellent point. I just assumed it did, but you know what they say about assume.
    pnorman
    Has anyone tried Malwarebytes paid version to see if its real-time protection works against the fake AVs? It may detect it after the fact, but real-time is where it counts.


    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel