buckZor

Bad Press for KAV - WMF exploit


I'm trying to defend a move to KAV in our organization from Symantec, this doesn't help:

 

http://www.eweek.com/article2/0,1895,1907131,00.asp

 

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman


Hi,

Yes, I have also seen this ...

 

 

KL boys, any answer on this question?

 

Tnx

 

 

There is no answer to be given here. It's plain cut - Symantec were detecting this as Bloodhound.Exploit.56 and Kaspersky missed some of the modifications of this during the very early hours of their existence. Kaspersky does detect all known strains of the exploit now... and continues to do so. Justification of a switch from one product to another shouldn't be based on a single 'malware' event. In most cases Kaspersky Lab has and does provide protection many hours before Symantec's offering does.

 

If you want to make the move from Symantec to Kaspersky, why not base this on reaction time, comparative tests, ease of use and system resource consumption? In all cases.... Kaspersky Lab's software is _superior_. My opinion is mirrored by many experts in the antivirus field :blink:

 

P.S. I'm not a KL employee :rolleyes:


Time will tell how this sorts out, and I didn't post this to flame. As stated, I am the one trying to get our company to move away from Symantec (the great Satan). This type of press, though, does look bad, and you have to understand that KAV representatives (on a conference call) laughed when I asked them to compare Symantec's definition release time to theirs and in fact stated that "Symantec never beats us to definitions". So that statement is thrown back at me by others when they have press like this to throw in my face.

 

So I'd love to be armed with information, and how do you know that KAV 'right now' is protecting against all known variants?

 

Regardless, thank you for the response.

So I'd love to be armed with information, and how do you know that KAV 'right now' is protecting against all known variants?

 

The reason Kaspersky was missing detections is that they weren't scanning WMF files in the first place. They released a patch for this. You see, previously WMF files were seen as non-infectable. By default the AVP engine scans infectable files only (by content). The patch remedied this. Since Kaspersky releases additions to the antivirus database hourly, you can safely assume they will detect the new variations (or modifications) of the newest malware before Symantec, who release additions to their databases at daily intervals.

 

EDIT: You can see all of the detections for objects attempting to exploit the WMF vulnerability here

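The point made above, that the engine decides what to scan by file content rather than by extension and that WMF had to be added to that set, can be illustrated with a small content-based identifier. The following is an added example written for this thread; it is not Kaspersky's engine and not code from the post. It uses the public WMF layout (the placeable header key stored as bytes D7 CD C6 9A, the 18-byte META_HEADER, and the size/function prefix of every record), constructs its own sample files inline (labelled as constructed, not real malware), and reports the structural oddities a content scanner would want to look at more closely: escape records, records that run past the end of the data, and a missing end record.

```python
"""Content-based WMF identification and record walk.

Added example for this thread, not Kaspersky's engine or code from the post.
Field layout follows the public WMF format: an optional 22-byte placeable
header, an 18-byte META_HEADER, then records of [DWORD size-in-words,
WORD function, payload...] ending with META_EOF.
"""
import struct
from functools import reduce
from operator import xor

PLACEABLE_KEY = 0x9AC6CDD7   # stored little-endian as D7 CD C6 9A
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # carries driver-specific payloads, not drawing commands


def _placeable_header(inch=96):
    """22-byte placeable header with a correct XOR checksum (constructed sample)."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, inch, 0)
    return body + struct.pack("<H", reduce(xor, struct.unpack("<10H", body)))


def _meta_header(records):
    """18-byte META_HEADER: type=disk, header size 9 words, version 0x0300."""
    total_words = 9 + sum(len(r) for r in records) // 2
    max_words = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_words, 0)


def _record(func, payload=b""):
    """One metafile record: size in words, function code, payload."""
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def _looks_like_meta_header(data, off):
    """Sanity-check the META_HEADER fields at offset `off`."""
    if len(data) < off + 18:
        return False
    typ, hdr_words, version = struct.unpack_from("<HHH", data, off)
    return typ in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def scan(data):
    """Classify a byte string by content and walk its records if it is a WMF."""
    result = {"is_wmf": False, "records": 0, "findings": []}
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if not _looks_like_meta_header(data, off):
        return result
    result["is_wmf"] = True
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            result["findings"].append(f"malformed record size {size} at offset {off}")
            return result
        result["records"] += 1
        if func == META_ESCAPE:
            esc = struct.unpack_from("<H", data, off + 6)[0] if size >= 8 else None
            result["findings"].append(f"META_ESCAPE record (escape function {esc}) at offset {off}")
        if func == META_EOF:
            return result
        off += size
    result["findings"].append("no META_EOF record before end of data")
    return result


# Constructed samples (not real malware): a clean file, one with an escape
# record (escape function 1 = NEWFRAME, empty payload), and a JPEG-looking blob.
_CLEAN = [_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)]
_WITH_ESCAPE = [_CLEAN[0], _record(META_ESCAPE, struct.pack("<HH", 1, 0)), _CLEAN[1]]
SAMPLE_CLEAN = _placeable_header() + _meta_header(_CLEAN) + b"".join(_CLEAN)
SAMPLE_ESCAPE = _placeable_header() + _meta_header(_WITH_ESCAPE) + b"".join(_WITH_ESCAPE)
SAMPLE_NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 50

# File names are deliberately misleading: the scan never looks at the extension.
SAMPLES = {
    "holiday.jpg": SAMPLE_CLEAN,
    "invoice.wmf": SAMPLE_ESCAPE,
    "photo.jpg": SAMPLE_NOT_WMF,
    "cut.wmf": SAMPLE_CLEAN[:-3],
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan(blob))
```

Running the block shows "holiday.jpg" classified as a WMF despite its extension, the escape record and the truncated file surfacing as findings, and the JPEG-like blob ignored. A scanner that gated on extension or on an "infectable" list that omitted WMF would never reach the record walk for the first sample, which is the gap the post describes.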
EDIT: You can see all of the detections for objects attempting to exploit the WMF vulnerability here

That's only 15 detections so far (up to .p) as of this post. A lot lower than 61 supposedly counted in the report quoted above.

That's only 15 detections so far (up to .p) as of this post. A lot lower than 61 supposedly counted in the report quoted above.

 

There is no need to create a signature for every single exploit version; one signature will be able to detect several of them. Additionally to these signatures, KL has released a heuristics record for this exploit. It has also updated this heuristics record several times to cover all of the known and hopefully also most, if not all, of the unknown versions of this exploit. IMO at the moment KL's detection of this exploit is very good.

That's only 15 detections so far (up to .p) as of this post. A lot lower than 61 supposedly counted in the report quoted above.

 

Further to SASO's post - these are just generic detections. There is also exact detection for some of the objects attempting to exploit the WMF vulnerability. They are classified as Agent, Small etc. These detections added to the generic detections would bring the number of total detections close to the 61 you mention.

 

EDIT: Without going too much OT I would like to bring your attention to a new patch released by ESET for the WMF vulnerability. It works on all Win32 platforms. (Not just 2k/XP - as with Ilfak Guilfanov’s fix.)

Edited by I_Kenefick

there is no need to create a signature for every single exploit version, one signature will be able to detect several of them.
You're right - I had forgotten about that. This is likely how Symantec works too as I see Bloodhound.Exploit.56 has been updated several times since it was released.


As an update, I've just seen a post at Wilders translating results from German (source), which says that as of 31 December, Kaspersky, along with 20 other AVs, recognises all 73 variants under discussion. Unfortunately, 5 other AVs left some variants undetected, but that may have since been corrected.


The Updated Testing Result (Jan 4th)

Detect All (206 samples):

* Avast!
* BitDefender
* ClamAV
* eSafe
* eTrust-VET
* eTrust-VET (BETA)
* F-Secure
* F-Secure (BETA)
* Kaspersky
* McAfee
* McAfee (BETA)
* Nod32
* OneCare
* Panda (BETA)
* Sophos
* Symantec
* Symantec (BETA)

Unable to Detect All (number missed):

* Fortinet: 18
* Fortinet (BETA): 18
* AntiVir: 24
* eTrust-INO: 25
* eTrust-INO (BETA): 25
* Panda: 25
* Ikarus: 26
* Norman: 26
* Ewido: 47
* AVG: 59
* Trend Micro (BETA): 60
* VirusBuster: 61
* QuickHeal: 63
* Trend Micro: 63
* Dr Web: 93
* VBA32: 110
* Command: 119
* F-Prot: 119

* (BETA) means beta signature
