KIS 2012 misses 2 trojans
cavehomme
post 11.04.2012 15:03
Post #1
In recent weeks I had some performance issues on my laptop and which I systematically ruled out malware having scanned with KIS 2012 and Malwarebytes. Eventually I decided that KIS was once again playing its usual trick of slowing down a PC after months of use and that a complete re-install of KIS might do the trick.

Instead of re-installing I decided to give MS Security Essentials a try. One thing that ALL professional reviews agree on is that it is the best for avoiding false-positives. I ran the scan and it found 2 trojans buried in the Java folders!

trojandownloader:java/openstream.bf

Exploit:Java/CVE-2012-0507.D!ldr

These are genuine, and were not spotted by KIS which was fully active on default settings plus a weekly scan.

Happy for a mod to relocate this post, but people should know about this.
Don Pelotas
post 11.04.2012 16:57
Post #2
Ok so you found a couple of threats an AV didn't detect, what I'm struggling to understand is why this would require a thread with a "but people should know about this"?

No AV including Kaspersky will detect all at all times and I think there would be some strange looking forums if every time any particular user would feel required to post a well meant albeit not very helpful post about this. The point is that this forum would be one of those with the least amount of these kinds of posts if you study tests, but again no AV ...and certainly not MSE will detect all types of malware at all times. Speaking about a few undetected items takes away the credit AVs should have for actually blocking millions of malware attacks every single day.

Btw. in your case you could have removed the exploit by emptying the Java cache..... a lot faster than running a full scan.
cavehomme
post 11.04.2012 17:14
Post #3
QUOTE(Don Pelotas @ 11.04.2012 13:57)
Ok so you found a couple of threats an AV didn't detect, what I'm struggling to understand is why this would require a thread with a "but people should know about this"?

No AV including Kaspersky will detect all at all times and I think there would be some strange looking forums if every time any particular user would feel required to post a well meant albeit not very helpful post about this. The point is that this forum would be one of those with the least amount of these kinds of posts if you study tests, but again no AV ...and certainly not MSE will detect all types of malware at all times. Speaking about a few undetected items takes away the credit AVs should have for actually blocking millions of malware attacks every single day.

Btw. in your case you could have removed the exploit by emptying the Java cache..... a lot faster than running a full scan.


Hmm, I am a long time Kaspersky user and I don't need to be patronised, thanks. It's a great tool. Now to the core issues that I raised -

- KIS 2012 gradually slows down over weeks / months on Windows 7 SP1 and requires a re-install.

- KIS 2012 database is aware of threats but did not capture them at least in realtime, or possibly in those locations.

- all users need to be aware that no AV is foolproof and a second line of defence, such as regular on-demand scans with another product, is needed. Unfortunately KIS 2012 will not install when the excellent on-demand product Malwarebytes is already installed. Yes, 2 AVs or real-time scanners should not be used, but this is on-demand as a sweep-up of what KIS 2012 might leave behind. Your suggestion of regular cleans of temporary locations is also a useful suggestion.

PATHIAN
post 11.04.2012 18:33
Post #4
Once Kaspersky is installed, you can quite happily install Malwarebytes afterwards. It's only the initial installer that is a bit sensitive about other AV products being on the same machine, which is fine IMO as it stops the uninformed user from ending up with clashing products on their PC.

Also, the current KIS installer will remove MBAM and other potentially clashing products as part of the install (it automatically initiates a reboot, then the KIS install will complete).

richbuff
post 12.04.2012 03:18
Post #5
In addition to what PATHIAN posts above, and in addition to what Don has posted,

If there is any future need to post a similar topic in the future (there ain't, as Don stated), it will not be totally worthless if you do include the full detection details, such as the name of the file that is detected and the full path/location.

Detected: trojandownloader:java/omg!bf and Exploit:Java/CVE-2012-0507.onoz!ldr is not enough information. Name of file detected as such? Full path/location?

And, if you have stuff that can't be removed by simply deleting it, we've got a Virus section of this forum for that.

JohnGA
post 13.04.2012 17:30
Post #6
You didn't say what your settings were - by default, Kaspersky does not scan all embedded threats within archives, for example - I suspect that if you had opened the archive, you might have gotten a hit. See "Scan of Compound Files" under the File-Antivirus/Settings.
SaxBlower
post 30.04.2012 14:36
Post #7
QUOTE(JohnGA @ 13.04.2012 16:30)
You didn't say what your settings were - by default, Kaspersky does not scan all embedded threats within archives, for example - I suspect that if you had opened the archive, you might have gotten a hit. See "Scan of Compound Files" under the File-Antivirus/Settings.

Wow - I thought I was reasonably computer savvy, but I do struggle to understand what Kaspersky means by so many terms - I didn't realise that Compound Files meant archive files.
I too have had Microsoft Safety Scanner detect Exploit:Java/CVE-2012-0507.D!ldr - Detected, Not removed.
MS rate the threat as extremely severe, so why doesn't Kaspersky? (meaning why have to learn to delve into the compound settings and alter things we don't really understand etc if it is so severe?)
Lucian Bara
post 30.04.2012 14:43
Post #8
Hello
that's just an exploit, it's something that takes advantage of a small mess inside Java (inside the JRE) to do some stuff.
"Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment. "


It depends what Microsoft defines as 'severe'. The CVSS Base Score is 7.5, this is "high" (the range should be 0-4 low, 4-7 medium, 7-10 high), but Microsoft probably has other standards.

There are also some other factors here; the severity is usually defined taking into account spread as well as its 'destructive' action.



Plus the JRE should have been updated if you enabled auto updates.

JohnGA
post 30.04.2012 14:45
Post #9
QUOTE(SaxBlower @ 30.04.2012 06:36)
Wow - I thought I was reasonably computer savvy, but I do struggle to understand what Kaspersky means by so many terms - I didn't realise that Compound Files meant archive files.
I too have had Microsoft Safety Scanner detect Exploit:Java/CVE-2012-0507.D!ldr - Detected, Not removed.
MS rate the threat as extremely severe, so why doesn't Kaspersky? (meaning why have to learn to delve into the compound settings and alter things we don't really understand etc if it is so severe?)


It has nothing to do with the severity of a potential threat, just for what is scanned - if it doesn't scan something, Kaspersky can't tell you about the threat no matter how severe. You might want to experiment with the eicar test virus (http://www.eicar.org/86-0-Intended-use.html) - it will send a test virus embedded and you can see what is detected with the various antivirus products. Properly configured, Kaspersky detects embedded threats.

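A way to put JohnGA's suggestion into practice, as an added example that is not from this thread or from any AV vendor: it builds the standard EICAR test file bare and wrapped in one and two nested ZIP archives, so an on-demand scan of the output folder with default settings shows at which archive depth a product stops reporting. The output directory name `eicar_samples` and the file names are assumptions.

```python
"""Generate EICAR test files at increasing ZIP nesting depth to check
how an AV handles compound (archive) files. Added example, not code
from the forum or from Kaspersky; EICAR is the industry test string
every vendor recognises, and it is harmless."""
import io
import zipfile
from pathlib import Path

# The standard 68-byte EICAR test string (not malware).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def wrap_in_zip(payload, member_name):
    """Return a ZIP archive (bytes) holding one member called member_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_samples(max_depth=2):
    """Map file name -> bytes. Depth 0 is the bare test file; depth n is
    the test file wrapped in n nested ZIP archives."""
    inner_name, inner = "eicar_depth0.com", EICAR
    samples = {inner_name: inner}
    for depth in range(1, max_depth + 1):
        inner = wrap_in_zip(inner, inner_name)
        inner_name = "eicar_depth%d.zip" % depth
        samples[inner_name] = inner
    return samples


def unwrap(data):
    """Peel nested single-member ZIPs; return (innermost payload, depth).
    Used to confirm the generated samples really contain the test string."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError("expected exactly one member")
            data = zf.read(names[0])
        depth += 1
    return data, depth


def write_samples(out_dir="eicar_samples", max_depth=2):
    """Write the samples to out_dir (assumed name) and return their paths;
    then run the product's on-demand scan over that folder."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    return [str(p) for p in (out / n for n in build_samples(max_depth))
            if p.write_bytes(build_samples(max_depth)[p.name]) is not None]
```

A real-time scanner may already react while the files are written, which is itself part of what the thread is arguing about; the on-demand scan afterwards shows the archive-depth behaviour.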
cavehomme
post 30.04.2012 16:16
Post #10
QUOTE(SaxBlower @ 30.04.2012 11:36)
Wow - I thought I was reasonably computer savvy, but I do struggle to understand what Kaspersky means by so many terms - I didn't realise that Compound Files meant archive files.
I too have had Microsoft Safety Scanner detect Exploit:Java/CVE-2012-0507.D!ldr - Detected, Not removed.
MS rate the threat as extremely severe, so why doesn't Kaspersky? (meaning why have to learn to delve into the compound settings and alter things we don't really understand etc if it is so severe?)


Agreed
cavehomme
post 30.04.2012 16:22
Post #11
QUOTE(Lucian Bara @ 30.04.2012 11:43)
Hello
that's just an exploit, it's something that takes advantage of a small mess inside Java (inside the JRE) to do some stuff.
"Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment. "
It depends what Microsoft defines as 'severe'. The CVSS Base Score is 7.5, this is "high" (the range should be 0-4 low, 4-7 medium, 7-10 high), but Microsoft probably has other standards.

There are also some other factors here; the severity is usually defined taking into account spread as well as its 'destructive' action.
Plus the JRE should have been updated if you enabled auto updates.


....therefore 7.5 is high. High is bad enough for me for MS to decide to call it a severe threat! KIS should be identifying and dealing with this threat on default settings, not requiring a tweak to higher settings. The reason that KIS does this is because KIS will perform too slowly and annoy users, so more convenience = lower security in the KIS world. I am still using KIS on 2 machines but when I have some time I will test 2013 and see if it is more watertight on default. If not, then I will switch perhaps to Comodo, if they have got their act together by that time.
Lucian Bara
post 30.04.2012 17:59
Post #12
It's not lower security. An inactive threat (like inside an archive) can not be activated without it being unpacked, when it's unpacked kis will catch it with default settings.


QUOTE
If not, then I will switch perhaps to Comodo, if they have got their act together by that time.

OK, have fun with Comodo.
cavehomme
post 30.04.2012 18:18
Post #13
Not in a rush to try Comodo, had too much "fun" with them in the past with their so-called production version typically behaving like beta, or even alpha software. The comodo community are guinea pigs. I am relatively happy with KIS, but always evaluate various products at least annually. I always considered Kaspersky the best in detection and prevention, but this incident knocked my confidence and I do believe that scanning within archives should be a default. Catching it there is better than to risk not catching it upon execution.
Don Pelotas
post 30.04.2012 18:47
Post #14
QUOTE(cavehomme @ 30.04.2012 16:18)
I always considered Kaspersky the best in detection and prevention, but this incident knocked my confidence and I do believe that scanning within archives should be a default. Catching it there is better than to risk not catching it upon execution.

This is a perfect example of why an AV vendor should not always use "the customer is always right" as a guiding light.

What we're in essence discussing here is feeling contra actually being at a higher risk. First of all there is a reason why AVs do not waste time scanning archives in real-time: it will drag your system down without adding protection, and secondly there is no higher risk that it would not be detected when extracted/executed in real-time than during a manual scan.

SaxBlower
post 30.04.2012 19:07
Post #15
QUOTE(Lucian Bara @ 30.04.2012 16:59)
It's not lower security. An inactive threat (like inside an archive) can not be activated without it being unpacked, when it's unpacked kis will catch it with default settings.
OK, have fun with Comodo.

Thank you. That is exactly the answer I needed.
I had more or less deduced that this was the case, but I wanted it spelling out to me & making clear.

I find it difficult to know what many Kaspersky related terms and settings mean and what their consequences might be - for instance, I have been trying to ascertain what "Delete Filter" is/refers to when one right clicks on some (not all) component items - what happens if you do Delete Filters? Can you re-set or reinstate them?
Sorry I've gone off-topic, but I have wasted so much valuable time trying to find out - so many Kaspersky searches with no luck

Regards ...