Pages

Tuesday 27 October 2015

Which Antivirus - 2

Today, another file arrived by email. It was a zip file, unpacked it was a scr file (which is really an exe).

Scanning the zip file, 23 out of 55 products flagged it as malware. Here's the ones that passed it as clean:

ALYac        
AVware        
AegisLab        
Agnitum        
AhnLab-V3        
Alibaba        
Antiy-AVL        
Avast        
Avira        
Bkav        
ByteHero        
CAT-QuickHeal        
CMC        
ClamAV        
Comodo        
Fortinet        
Jiangmin        
K7GW        
Kaspersky        
McAfee-GW-Edition        
Microsoft        
NANO-Antivirus        
Panda        
Rising        
SUPERAntiSpyware        
Symantec        
TheHacker        
VBA32        
VIPRE        
ViRobot        
Zillya        
Zoner


I unzipped it and scanned the scr file.
SHA256: 7ef09594202e5b619ac0332ab122f722684e896f77a2b9839d13ba79f882243f

22 out of 55  flagged it as malware, the following passed it as clean.

ALYac        
AVG        
AVware        
AegisLab        
Agnitum        
Alibaba        
Antiy-AVL        
Avast        
Avira        
Bkav        
ByteHero        
CAT-QuickHeal        
CMC        
ClamAV        
Comodo        
F-Secure        
Fortinet        
Jiangmin        
K7AntiVirus        
K7GW        
McAfee-GW-Edition        
Microsoft        
NANO-Antivirus        
Panda        
Rising        
SUPERAntiSpyware        
TheHacker        
VBA32        
VIPRE        
ViRobot        
Zillya        
Zoner        
nProtect


I find it very surprising and disturbing, that so many products flag it when zipped but not when decompressed, or vice versa. Unzipping a file to scan the contents is very easy to implement (we had it implemented in Findvirus 25 years ago) and obviously important.
It's an exe file the accompanying email said, in this case,
Attached is the information for the duplicate payment of Invoice #39 for $53,182.78. We have applied it to your account as a prepayment. Let me know if you would like this to be applied to future invoices or refunded.

So it's an offer of $53,000; a nice inducement to at least click on the attachment, and clicking on the attachement will run the EXE file. What it does then, I'm guessnig, is download something from a remote server that does the real payload, whatever that is. I'm not interested enough to actually try it out. And anyway, the download could be different for each access (this is called server-side polymorphism, and is extremely difficult for an AV product to handle).

The fact that two dozen products flag it as malware probably means that it's been around for a while, so if the product that you're relying on doesn't flag it, you should be concerned.

But here's a much bigger concern, which I'll leave you to chew over.

Why isn't anyone else mentioning the issue of AV products being so dismal? It's very easy to make such a test; I'd guess that most people are getting several such files emailed to them each week, and it's very easy to use Virustotal.

Why the silence?

No comments:

Post a Comment