When Signatures Go Bad…Ouch!

I’m really amazed that this doesn’t happen more often. I suppose it underscores the need for moving to a HIPS based AM solution.

“Users of the BitDefender antivirus software started flooding the company’s support forums Saturday, apparently after a faulty antivirus update caused 64-bit Windows machines to stop working. The company acknowledged the issue in a note explaining the problem. ‘Due to a recent update it is possible that BitDefender detects several Windows and BitDefender files as infected with Trojan.FakeAlert.5,’ the company said. The acknowledgment came after BitDefender users had logged hundreds of posts on the topic. Some complained of being unable to reboot their systems.” src = slashdot.com

  1. ssj100 March 22, 2010 at 4:09 am #

    Indeed. Signature detection is all a roll of the dice anyway. Default denial of initial execution is the only true form of defense in my opinion.

  2. idontlikemalware March 22, 2010 at 8:22 am #

    Oh my gosh, that’s an abomination.

  3. GakunGak March 22, 2010 at 11:16 am #

    The thing is, many users don’t even know what HIPS/BB is!
    How are you gonna teach a person what to allow and what not to?!
    svchost.exe has requested a connection to the internet.
    Do you want to allow this action:
    mc.exe has attempted to write to a registry key, do you allow it?

    Get serious, some folks do not even care to update/maintain their system!
    Too relaxed, and they risk infection! Too strict, and the computer is not usable at all anymore due to restriction of most programs that might be flagged as false positives.

    The only solution TODAY would be to:
    1. Make the operating system and mark it as READ ONLY! NO change to the OS except for Windows Update and nothing else. Even drivers are to be separate, to ease rootkit hunting.
    2. Programs are separate in a VIRTUAL environment, sandbox if you like, and if you don’t want something, you delete it safely, including malware.

    Make this, and you are safer than LINUX! Of course, no one wants that because what AV companies would do then? They would be outta job faster than you can think of it…
    Not everyone is educated on internet threats…

  4. Dario March 22, 2010 at 11:16 am #

    This could be a new tactic of the virus makers to use the antivirus software against themselves by creating viruses that result in the same hash / file signature as system files and antivirus software files.

  5. GakunGak March 22, 2010 at 11:19 am #

    it is very hard for a virus to have digital signature…. that is what I think, though, I could be wrong…

  6. Silviu C. March 22, 2010 at 4:46 pm #

    No man, it just means that relying on any antivirus, be it signature, HIPS or behavior based is never ever going to educate users not to click on stuff.

    Even a basic Windows 7 install (default UAC level) is sure as hell more secure than XP with any antivirus / security suite. I only run an antivirus (Avast) because I do not want an infected USB device to byte me in the a**. This means I’m afraid of *old* stuff, and this is what AVs are good for, catching old stuff – so might as well run the lightest of them.

    Educating users is the real AV, however, no one seems really interested in doing that.

  7. GakunGak March 22, 2010 at 6:16 pm #

    HIPS/BB is USELESS if a user allows something. Signature AVs are old technology and can’t keep up with everyday viruses… When Vista came out, many complained at first because Vista was too strict, but more secure. People don’t want that, people want to USE their computer, NO QUESTIONS ASKED. They don’t want to answer any questions if all they do is move their mouse…. Comodo tries as best as they can to reduce popups, but sometimes the legit programs can’t operate because they are sandboxed… I am sure they will sort it out, but the thing is that the protection is based on the following levels:
    1. Lax, users don’t even care what they have and are happy until they are jacked by malware. That’s where people like Matt come in to save the day and get paid.
    2. Moderate, users have to make a decision based on limited or no information whether something is a false positive, dangerous, malicious… They don’t like questions, they want to use their computer for work/fun
    3. Maximum security, everything is on potential terrorist list until proven innocent. Computer usability is on a crippled level because most basic programs are not signed but are safe, or a program needs something but is blocked.
    Just AV is not a solution, HIPS/BB for uninformed users is not a solution, then what is?!

  8. Dario March 22, 2010 at 8:20 pm #

    The only solution I see is education. The fact is that people who have the ‘know how’ will not get infected even if they don’t have any anti virus installed. The other fact is that there are always people who do not care even if they would get free education on this topic. These people will have to work on a computer that is so restricted that they cannot do anything with it but browse the interweb (and still need an admin to install updates). I would say, educate yourself and reap the rewards of a clean, fast and stable computer (and money in case of people like Matt). The best anti malware solution is always within your brain.

  9. GakunGak March 22, 2010 at 9:49 pm #

    I understand what you are saying, but educating EVERYONE is not something that is remotely possible, not even in theory. And, what use is your brain when you have a virus installed without your knowledge? I’ve seen viruses in PDF documents etc… Without AV, you never know….
    Look at Linux. Some newbie users are googling how to disable password prompts because it is irritating to them…
    I say again, either read only OS and virtualise everything or let’s have:
    1. “Hey, everybody, this is Matt, from remove-malware.com, and tonight, I am gonna teach you how not to get infected at all using your common sense…”
    2. “Hey, everybody, this is Matt, from remove-malware.com, and tonight, I am gonna teach you how to take care of your computer”
    3. “Hey, everybody, this is Matt, from remove-malware.com, and tonight, I am gonna teach you how to recognize you have malware”
    Etc…. IT’S NOT GONNA WORK! Out of 100, maybe 40 would learn something. The rest will…. do what the rest do….
    Good talking to ya, bro! 🙂

  10. Michael Seegmiller March 23, 2010 at 3:08 pm #

    Hi Matt,

    Avira 10 has just been released today, and per CNET/download.com’s initial review they are somewhat not that convinced by this new version. Of course they did not review it against some malware samples, they just merely checked out the new interface.
    Can you please make your video review on it? I can’t wait for your thorough review on how it will do against malware. But for me I will stick with “Comodo 4.0”; I am very much convinced by your recent review that this is the best security app right now. But I still want to see your review on Avira 10.0.

  11. KinderMan March 23, 2010 at 4:52 pm #

    Avira 10:

    * AHeaDTechnology – detects unknown viruses by profiles

    * AntiVirProActiv – detects unknown viruses by behavior (Only Premium Version)

    Is AheaDTechnology the same as AntiVirProActiv? Cuz if it’s not, the free version may not be as safe as it should be. We need behavior blockers for free 🙂

  12. Thomas March 24, 2010 at 10:50 am #

    Can someone post on CNET saying how Seth (tech reviewer) doesn’t TEST anti virus??? I’m not over 13 so I can’t.

  13. Dario March 24, 2010 at 10:57 am #

    Here is a review for Avira 10: http://www.youtube.com/watch?v=_MDo10Us2v4&feature=youtube_gdata

  14. Dieselman March 24, 2010 at 11:12 am #

    Can you people PLEASE stop spamming Matt’s threads. Have some respect for crying out loud.

  15. KinderMan March 24, 2010 at 12:14 pm #

    @Dieselman: Can you please add the name of the person that you are talking about, please? Cuz this way it looks like you are talking about everyone 😉

  16. Dieselman March 24, 2010 at 1:27 pm #

    That’s pointed at everybody that is talking about Avira, such as Thomas.

  17. KinderMan March 24, 2010 at 3:59 pm #

    I agree that they should use the forum to do those requests, but next time redirect your post to the person that you’re talking about, please. 😉

  18. Thomas March 25, 2010 at 5:15 am #

    y meeeee???? I always get in trouble 🙁

  19. Dieselman March 25, 2010 at 10:42 am #

    Well then stop doing what you are doing. Stick to the subject at hand.

  20. malwarekilla March 25, 2010 at 2:36 pm #

    I have to agree with Dieselman here. It’d be really cool if everyone would post in the proper post/forums. Just do a search on the blog or forum for the right thread.

  21. Thomas March 26, 2010 at 7:21 am #

    SRY Everyone

  22. GakunGak March 26, 2010 at 9:50 am #

    Don’t feel bad, we all go off-topic sometimes, like me 😛

  23. Michael.B QLD Australia March 29, 2010 at 1:47 am #

    Happened on the 5th of March here in Australia. The local big Telco, Telstra-run Bigpond ISP’s own security software had a bad update. Made computers not load into Windows. Lots of unhappy customers. It does happen more often!

