Is Rogue Anti-Virus Malicious or Should We Just Ignore Them

Looks like some people in the Avast forum are pissed that I pointed out that Avast missed a Rogue.   Yes, I know rogues are not technically malicious in the narrow sense (most of them do no direct damage to the operating system) and are quite hard for an AV to detect; however I personally think that rogues are the MOST malicious applications out there.

Rogues are designed to steal someone’s identity (and a few bucks) and they do it very well.  That is malicious…very malicious and very very bad.  Taking money from the victim is the purpose of (almost all) malware being made today.   I get the feeling that the anti-malware companies are taking the stance of…”ehh….Rogues are not technically harmful to your computer so it’s not our fault…good luck!”

Again, I know they are hard to detect, but don’t just discount them as no biggy.  They are the “biggest of the biggies” when you consider what they accomplish: a victim who pays hands over a working card number, a name and a billing address to a criminal.

I wonder why Malwarebytes can detect every rogue out there….hmmmm…


84 Responses to Is Rogue Anti-Virus Malicious or Should We Just Ignore Them

  1. Dieselman January 18, 2010 at 7:07 pm #

    100% agreed, since rogues, when paid for, can steal your identity and max out your credit cards. That’s no joke nowadays.

  2. malwarekilla January 18, 2010 at 7:20 pm #

    @Dieselman – totally man, glad you’re living in the real world too.

  3. exit2600x January 18, 2010 at 7:33 pm #

    I bundle Malwarebytes with every anti-virus I sell because anti-virus vendors typically have their own reasoning and agenda when it comes to removing threats. Avast should have picked it up, no excuse.

  4. malwarekilla January 18, 2010 at 7:52 pm #

    @exit2600x – Yeah, these days you don’t have a choice. You NEED to give people protection from Rogues or they will lose faith in you and the software you have recommended to them.

  5. Dario January 18, 2010 at 8:53 pm #

    I agree with Matt. Antimalware is supposed to be designed to protect the user’s privacy and data, not the computer. The computer itself could not care less if it got infested if nobody used the thing; it is the user that is affected because he or she cannot work with it or was duped by a scam. It is very weak to point fingers at an honest reviewer (after all, Matt did not lie and simply stated a fact) while three fingers point back at themselves. This gives Avast a bad reputation. I was considering using the new Avast, but I’d rather stick with MSE now 🙂

  6. atanos January 18, 2010 at 9:52 pm #

    Yep.

    Rogues are pure malware, no doubt about that. Many of them simply disable Windows Security Center and do all kinds of similar damage to very important settings. Some of these rogues simply block everything so there’s no way to run anything. Some rogues have rootkit-like behaviour or have rootkits or other nasty stuff in them.

    They are pure malware and that’s it. Period. I just hope that those people at the Avast forum read this blog.

    Btw, I’ve been surfing on that forum a few times and I have to say that they aren’t very smart compared to some other similar forums 😉

  7. bazer January 18, 2010 at 10:20 pm #

    Matt
    so some people gave you stick who love avast. Don’t get me wrong, I don’t get these narrow-minded people who are so loyal to their particular malware defence programs. At the end of the day who gives a hell what name it is as long as it works well. That’s why we need people like you, Matt, who test these programs and give us a great guide on what’s good and works. Let’s face it, there are so many crap AV programs.

  8. bob3160 January 18, 2010 at 11:05 pm #

    It’s OK to test a program but please do it on a level playing field.
    avast! plus Malwarebytes plus Winpatrol as layered protection have done an excellent job on my systems.
    Any one who expects total protection from one single source, may find their system seriously compromised.
    Once avast!Internet Security is released, that may all change since it will offer:
    1. Continuous protection against viruses and spyware
    2. Ensures all mails sent and received are clean
    3. Keeps you protected from “chat” infections
    4. Stops attacks from hijacked websites
    5. Blocks hacker attacks to protect your identity
    6. Keeps your mailbox free from spam
    7. Allows safe and uninterrupted gaming

  9. Ryan January 18, 2010 at 11:06 pm #

    I’m glad you gave avast a slam; maybe other vendors need it too. Your reply about malwarebytes detecting every rogue is true and so does MSE. If avast is going to sell a suite they better get their act together…

  10. Dieselman January 18, 2010 at 11:29 pm #

    People, you are forgetting the most important thing here…………..Identity theft and credit card fraud. What if somebody gets infected with one of these rogues and actually pays for it? They are doomed and I have seen it happen. You have to cancel all your credit cards. Change your bank account. Some of these rogues charge you $50 for the program but then they charge you $50/day every day. I have seen people with $5,000 bills from these rogues. Never mind the clean up that needs to be done afterwards. Cleaning up your credit and your life is a million times harder than cleaning a rogue out from your pc.

  11. Brad January 19, 2010 at 12:47 am #

    Used to use avast but now use mse, glad I do. I also have p2p blocked (file sharing), and only download software from file hippo or download.com.

  12. shifflav January 19, 2010 at 1:46 am #

    Sounds like the Avast forum folks are suffering from misdirected fervor. They need to complain to the Avast devs to fix the problems. You gave a fair review of their product and from my experience, rogues are quite malicious and destructive! Anyone who says otherwise obviously has no clue.

  13. Weldinglord January 19, 2010 at 2:11 am #

    Just read this article: http://news.softpedia.com/news/114-Windows-Antivirus-to-Avoid-at-All-Costs-130245.shtml

  14. RejZoR January 19, 2010 at 6:53 am #

    People slamming ALWIL for words that came out of my and other avast! Evangelists’ mouths. We are NOT representatives of ALWIL and we are not employed by them. So our comments or statements do not represent anything official.
    If I say fake AVs are no biggie, that doesn’t mean ALWIL thinks the same.

    And people also tend to forget several things like the fact that it’s still BETA, that Behavior Shield is still not fully implemented, that signatures even though they are updated are not yet fully operational and working with full capacity and capability (avast! 4.8 is still their primary concern at the moment and its VPS format is totally different).
    And last, have you cared to send the missed sample(s) to ALWIL? People tend to complain that X misses Y, but they never send the sample to the virus lab. No sample, no detection. Not all vendors have the same honeypots and sources so they don’t detect the same things. So what if MBAM detects every fake out there. But can it also disinfect complex file infectors? Can it detect very complex polymorphic viruses? Advanced rootkit detection? I pretty much doubt that it can, since it’s mostly focused on spyware, adware and rogues.
    Sure missing anything is never a good thing but then again, no one is perfect.
    avast!’s weak point might be rogue/fake AV’s, MBAM’s are complex infectors, for someone else are rootkits, some other has problems with exploits and so on and so on.

  15. Eochaid January 19, 2010 at 7:33 am #

    And then there are suites like Kaspersky (paid) or MSE (free) that are not “weaker” at detecting one thing over the other but can handle all malware pretty much equally. I’m sorry but I really don’t feel like having 5 different anti-malware programs on my computer. If a suite is weak at detecting an entire type of malware, in my book, it’s a weak anti-malware program (especially considering rogues are the most common infections I see on a day to day basis).

    One thing you may have noticed is that every single piece of malware that got through Avast! was also listed on virus total’s website as not being detected by Avast. That means Avast’s definitions, regardless of beta or not, aren’t able to detect it. Okay, so then what about heuristics? Well, if Avast’s heuristics worked maybe that would be a different story. What happened to Alpha stages? What is the point of having a public beta if the product isn’t even functional? How can bugs be detected if the features aren’t even operational?

    Whatever, anyway, I’ll give Avast another look when it becomes a fully functional product (as it is, I didn’t care about a non-functional beta) but for now I’m not going to look to a product that “will get better” or “only has one weakness.” When I get an anti-malware product, I want it to work, I want it to keep my computer clean, not be able to clean my computer once it gets better.

  16. Ryan January 19, 2010 at 7:55 am #

    RejZoR, there are plenty of people that send malware and rogues to avast…. given they have 100M users.

  17. Thomas January 19, 2010 at 7:58 am #

    I agree with RejZoR sort of.

  18. RejZoR January 19, 2010 at 8:11 am #

    @Eochaid

    “as it is, I didn’t care about a non-functional beta”

    You don’t get it what i said. If avast! 4.8 doesn’t detect it, that’s not important here.
    avast! 5.0 utilizes a generic unpacking engine that can unpack even certain unknown packers, a heuristics engine and a code emulator based on dynamic translation. None of it is available in avast! 4.8, at least not to such an extent.
    And because avast! 5.0 is not out yet, they are not utilizing all the new features yet that can offer enhanced detection of stuff that was not even possible with avast! 4.8. So yes, it makes one hell of a difference whether you like it or not.

  19. Operation Aurora January 19, 2010 at 8:31 am #

    Matt have you heard of operation aurora?? The severe Internet explorer vulnerability?? Read this: http://www.mcafee.com/us/threat_center/operation_aurora.html

  20. idontlikemalware January 19, 2010 at 8:33 am #

    I agree with Matt. We should all work together to put them out of business.

  21. 927 January 19, 2010 at 11:26 am #

    MBAM is not an antivirus program so it’s wrong to compare it with avast or others.

    The biggest problem is trojans and rogues and MBAM removes them very well.

    Some rogues are difficult to remove and they make (nasty) changes to your pc!
    They are a BIG problem!

  22. Johan January 19, 2010 at 1:14 pm #

    @927!

    Well, Avast is not ONLY an Antivirus software either you know.

    Mbam is Antimalware which means it detects all sorts of malware like trojans, backdoors, rogues, keyloggers, viruses, dialers etc….

    And so do Avast even if the software name says “Antivirus” it doesn’t really say much about it’s detection capabilities.

    IMO, All security softwares named like
    “Antivirus Software” should be RE-named to
    “Antimalware Software” UNLESS it ONLY detects Viruses! Much like A2 which says it is an Antimalware software and according to what it’s supposed to detect, it’s quite right in that case.

    Another one is SuperAntiSpyware (SAS)

    Does SAS only detect spyware? NO of course not. SAS detects Trojans and other malware as well.
    So for someone who isn’t really into the antimalware business it’s sometimes quite misleading if we look at the names of the products and compare to what they actually detect.

  23. malwarekilla January 19, 2010 at 2:37 pm #

    @bob3160 – the biggest part of the IS product will be the Sandbox if it’s good.

  24. malwarekilla January 19, 2010 at 2:48 pm #

    @RejZoR – I think Avast does a pretty good job on most everything else except Rogues. Of course that may not be an issue at all if their Sandbox is good.

    All AV forums seem to discount rogues as technically not malicious and it’s true, they technically are not malicious….but (like I said) they are the most malicious to the end user.

  25. Carlos January 19, 2010 at 3:15 pm #

    Dear Matt Rizos,

    I couldn’t agree more with you when you refer to Fake AV as malware. A product that claims something it isn’t is, to me, deceiving. These rogues install themselves without user consent and claim they have found 1000+ infections on your computer even when it’s clean. Then, they bundle with Trojan Horses, which disable every application on your computer, from MS Outlook to Internet Explorer. They even have the guts to claim that all applications you have installed on your PC are infected. The sad thing is that companies like ESET, AVAST, and others claim that they don’t detect those fake AVs because they are “not malicious”. What a lot of nerve they’ve got. A fake application that doesn’t let me use my PC until I pay money for them to steal my identity has no value. They are the WORST thing I’ve ever seen before. I hope AV companies take this issue more seriously and stop downplaying it and leaving users in the cold.

    Thanks Matt for this interesting article and keep up the good work.

    Carlos

  26. sded January 19, 2010 at 4:12 pm #

    I haven’t seen anyone at Avast! pissed off, but some do question the review of the incomplete beta. Avast! 5 certainly provides for detection by its Web Shield (and elsewhere) of Viruses, Potentially Unwanted Programs (PUPs) and Suspicious content based on both signatures and heuristics (including code emulation). At least the completeness of the beta database for Rogues and how aggressive the default settings are seem to be issues in the review, so good of Matt to remind Alwil at this point that many think this is very important. As of yet I haven’t seen anything from Alwil on the subject, though. Or comments on what else needs to be done (besides paying more attention to the database and settings for Rogues).

  27. Eochaid January 19, 2010 at 5:10 pm #

    To me rogues are like spyware and adware used to be. Technically spyware and adware are not malicious, meaning they don’t actually harm the computer, only slow it down when you have a lot of it and pop up annoying advertisements. However, they can take user and usage information while browsing the web, send it to companies, and also they are known for being gateways to viruses and trojans.

    For a long time, antimalware companies would not run spyware or adware blockers because it was too hard to detect and not technically malicious. This is just lazy because they are harmful to the user and cause annoyances for the user experience. We expect an anti-malware product to prevent all malware, not just the nastiest ones.

    Rogues are getting the same treatment for seemingly the same reasons but they are completely different. It’s true that most rogues don’t do much to the computer, but they are annoying because they pop up and try to sell you theoretical products. I see people all the time paying good money to clean up rogues. Why would they do that if it’s “no big deal”? Because Rogues are annoying, harmful, and like spyware, pop up while you are working to piss you off. Antimalware companies should realize that rogues are one of the biggest threats on the internet and the most often downloaded infection and therefore start offering anti-rogue protection with their suites, unless they want better software like Kaspersky to steal all their business. People don’t take well to “oh well it’s not technically malicious, so don’t worry about it.”

  28. 927 January 19, 2010 at 5:36 pm #

    My answer was to Rjezor, he wrote:
    “So what if MBAM detects every fake out there. But can it also disinfect complex file infectors? Can it detect very complex polymorphic viruses?”
    And i say, it does not detect these type of malware. If you got a Virut infection, MBAM wont tell you that explorer.exe is infected

  29. Dieselman January 19, 2010 at 6:06 pm #

    Eochaid………..you obviously did not read what I said and do not understand the dangers of a rogue anti virus.

  30. Dan January 19, 2010 at 6:19 pm #

    Have you guys tried out these tools? They are from esagelab.com

    Bootkit remover

    This is a free antivirus tool providing generic detection and disinfection of so-called bootkits (such as Sinowal/Mebroot/MaosBoot, Stoned Bootkit etc.)

    Current version: 1.0.0.3 DOWNLOAD (last updated 01-10-2009)
    OS supported: 32-bit and 64-bit editions of Microsoft Windows XP, Server 2003, Vista, Server 2008, Windows 7 (RC1, RTM)
    Archive size: 479 KB
    Binary MD5: 88dad0461d30a91e7a285af4f72462e3 remover.exe

    A bootkit is a program that alters Master Boot Record (MBR) of the system drive to ensure persistent execution of malicious code. In some cases a bootkit will also try to avoid detection by hiding its own code in the MBR.

    Bootkit Remover is capable of detecting malicious boot code (both explicit and sheltered) installed by all kinds and modifications of bootkits. An infected boot code can then be fixed and/or dumped.

    Cleaning all versions of Sinowal (Mebroot) is supported.

    See readme for usage instructions.

    Links:
    Discuss the tool here

    Rootkit.Win32.TDSS remover

    This is a free antivirus utility capable of removing the TDSS rootkit (all modifications).

    Current version: 1.6.3 DOWNLOAD
    OS supported: Windows 2000, Windows XP, Windows Vista, Windows 7 (32-bit)
    Archive size: 1.4 MB
    Binary MD5: 0b0aad85c419e1d45784082ab4914654 remover.exe

    Rootkit.Win32.TDSS remover tool allows complete semi-automatic cleaning of a system infected by the TDSS malware (also known as Tidserv, TDSServ, Alureon, and TDL3). The program will search for hidden and malicious files, drivers and registry entries, and will allow to remove them in one click.

    Note: the TDSS remover is a powerful anti-rootkit by design. Though the tool is adjusted to remove the TDSS malware, it may discover and allow removal of other known or unknown rootkits as well.

    Links:
    Discuss the tool here
    How to use TDSS remover – video

    IOCTL fuzzer

    IOCTL Fuzzer is a command line tool designed to automate searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them.

    Current version: 1.1 DOWNLOAD archive or browse source at Google code
    OS supported: Windows XP, 2003 Server, Vista and 2008 Server (32-bit)
    Archive size: 436 KB
    Binary MD5: ca41d562f2441c28afd11a40707849b2 ioctl_fuzzer.exe

    Usage: ioctl_fuzzer.exe [config.xml]
    If no configuration file is specified, the tool will start in monitoring mode.

    Program capabilities:

    * IRP filtering by process name, driver name, device name, or I/O Control code
    * IRP fuzzing
    * monitoring mode
    * logging output to console and/or file.

    While processing IRPs, the fuzzer will spoof those IRPs conforming to conditions specified in the configuration file. A spoofed IRP is identical to the original IRP in all respects except the input data, which is changed to randomly generated fuzz.

    For usage details, see readme_en.chm inside the archive.

    Hopefully Matthew can test these tools out and tell us what he thinks of them…
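The bootkit description above (boot code in the MBR altered so malicious code runs before the OS, sometimes with the real MBR hidden) can be checked for generically. The following is an added example written for this page, not code from esagelab’s Bootkit Remover: it parses a raw 512-byte MBR, validates the 0x55AA signature and the partition table, and compares the boot-code region against a known-good hash. The two sample sectors are constructed here; the “known-good” hash comes from the constructed clean sample, not from any real Windows boot code, so on a real machine you would record the hash of its own MBR while it is known to be clean (reading `\\.\PhysicalDrive0` or `/dev/sda` needs administrative rights).

```python
"""Check a raw 512-byte Master Boot Record for bootkit-style tampering.

Added example, not the esagelab tool's code. Checks the 0x55AA boot signature,
partition-table sanity, and whether the 440-byte boot-code region still
matches a known-good hash. The known-good hash here is taken from a
constructed clean sample, not from a real Windows MBR.
"""
import hashlib
import struct
from itertools import combinations

SECTOR_SIZE = 512
BOOTCODE_LEN = 440     # bytes 0-439 hold executable boot code
PTABLE_OFF = 446       # four 16-byte partition entries at 446-509
SIG_OFF = 510          # 0x55 0xAA at 510-511

def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 of a raw disk, e.g. '\\.\PhysicalDrive0' or '/dev/sda' (needs admin/root)."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)

def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        parts.append({"status": status, "type": ptype, "start": lba_start, "count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
        "partitions": parts,
    }

def check_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked tampered with."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good copy")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid partition status byte 0x%02x" % p["status"])
    for a, b in combinations(used, 2):
        if a["start"] < b["start"] + b["count"] and b["start"] < a["start"] + a["count"]:
            findings.append("overlapping partitions")
            break
    return findings

def build_clean_sample() -> bytes:
    """Constructed clean MBR: a few real-mode setup bytes, NOPs, one NTFS partition."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTCODE_LEN - 7)  # xor ax,ax; mov ss,ax; mov sp,7C00h
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    part0 = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 204800)
    return code + disk_sig + part0 + b"\x00" * 48 + b"\x55\xAA"

def build_infected_sample() -> bytes:
    """Same disk, but the first boot-code bytes now jump elsewhere (illustrative patch)."""
    sector = bytearray(build_clean_sample())
    sector[0:5] = b"\xEA\x00\x7C\x00\x00"   # far jmp; partition table and signature untouched
    return bytes(sector)

if __name__ == "__main__":
    good = parse_mbr(build_clean_sample())["boot_code_sha256"]
    print("clean   :", check_mbr(build_clean_sample(), good))
    print("infected:", check_mbr(build_infected_sample(), good))
```

The infected sample keeps the partition table and signature intact and only changes the code bytes, which is the point: a bootkit that leaves the table alone passes every structural check, so the hash comparison against a known-clean copy is the check that actually catches it.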

  31. Dan January 19, 2010 at 6:49 pm #

    Have you guys ever heard about these tools from esagelab.com? Bootkit remover, Rootkit.Win32.TDSS remover, and IOCTL fuzzer.

    I hope Matthew gives these tools a test to see if they work..

    Also, check out this site http://www.freepcsecurity.co.uk/2009/09/05/tdss-updated/
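The IOCTL Fuzzer that the two posts above describe works by filtering requests (by device or control code) and then replaying each one unchanged except for its input buffer, which is replaced with random data. The block below is an added example written for this page, not the esagelab tool’s code: it decodes Windows I/O control codes into their device type, function, method and access fields, applies the filter, and generates mutated requests. The sender is a callback so the selection and mutation logic runs and is tested on any OS; `windows_sender()` is the one part that needs Windows (and normally administrative rights), its ctypes calls were not run here, and the `\\.\PhysicalDrive0` target and the 0x70000 code (IOCTL_DISK_GET_DRIVE_GEOMETRY) are just illustrative choices.

```python
"""Decode Windows I/O control codes and generate fuzzed DeviceIoControl requests.

Added example, not the esagelab IOCTL Fuzzer's code. Filters requests by device
or control code, then sends copies that differ only in the input buffer.
windows_sender() is a Windows-only sketch that was not executed here.
"""
import random
import sys
from dataclasses import dataclass, replace
from typing import Callable, Optional

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

def decode_ioctl(code: int) -> dict:
    """CTL_CODE(DeviceType, Function, Method, Access) == (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 0x3]}

@dataclass(frozen=True)
class IoctlRequest:
    device: str      # e.g. r"\\.\PhysicalDrive0" (illustrative target)
    code: int
    input: bytes
    out_len: int

@dataclass
class FuzzConfig:
    codes: Optional[set] = None     # None = no filter on control code
    devices: Optional[set] = None   # None = no filter on device name
    max_len: int = 4096

def matches(req: IoctlRequest, cfg: FuzzConfig) -> bool:
    return (cfg.codes is None or req.code in cfg.codes) and (cfg.devices is None or req.device in cfg.devices)

def mutate(req: IoctlRequest, rng: random.Random, max_len: int) -> IoctlRequest:
    """Copy of req in which only the input buffer is changed."""
    strategy = rng.randrange(4) if req.input else 1   # bit flips need a non-empty buffer
    if strategy == 0:        # same length, random content
        data = rng.randbytes(len(req.input))
    elif strategy == 1:      # random length: exercises the driver's length checks
        data = rng.randbytes(rng.randrange(max_len + 1))
    elif strategy == 2:      # flip a few bits in a copy of the original
        buf = bytearray(req.input)
        for _ in range(1 + rng.randrange(4)):
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        data = bytes(buf)
    else:                    # boundary sizes: empty, one byte, maximum
        data = rng.choice([b"", b"\xff", b"A" * max_len])
    return replace(req, input=data)

def fuzz(requests, cfg: FuzzConfig, sender: Callable[[IoctlRequest], object],
         iterations: int, seed: int = 0) -> list:
    """Send `iterations` mutated copies of each selected request; returns (original, mutated, result) tuples."""
    rng = random.Random(seed)
    log = []
    for req in requests:
        if not matches(req, cfg):
            continue
        for _ in range(iterations):
            fuzzed = mutate(req, rng, cfg.max_len)
            log.append((req, fuzzed, sender(fuzzed)))
    return log

def windows_sender(req: IoctlRequest):
    """Real DeviceIoControl via ctypes. Windows only; not run here, treat as a sketch."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    GENERIC_RW, OPEN_EXISTING = 0x80000000 | 0x40000000, 3
    h = k32.CreateFileW(req.device, GENERIC_RW, 0, None, OPEN_EXISTING, 0, None)
    if h is None or h == ctypes.c_void_p(-1).value:          # INVALID_HANDLE_VALUE
        return ("open_failed", k32.GetLastError())
    out = ctypes.create_string_buffer(req.out_len)
    returned = wintypes.DWORD(0)
    ok = k32.DeviceIoControl(ctypes.c_void_p(h), req.code, req.input, len(req.input),
                             out, req.out_len, ctypes.byref(returned), None)
    k32.CloseHandle(ctypes.c_void_p(h))
    return ("ok", returned.value) if ok else ("error", k32.GetLastError())

def recording_sender(req: IoctlRequest):
    """Offline stand-in for windows_sender, used by the demo on non-Windows hosts."""
    return ("recorded", len(req.input))

if __name__ == "__main__":
    print(decode_ioctl(0x70000))  # IOCTL_DISK_GET_DRIVE_GEOMETRY: device type 7, function 0, buffered
    sample = [IoctlRequest(r"\\.\PhysicalDrive0", 0x70000, b"\x00" * 8, 24)]
    send = windows_sender if sys.platform == "win32" else recording_sender
    for orig, fuzzed, result in fuzz(sample, FuzzConfig(codes={0x70000}), send, 5):
        print(hex(orig.code), len(fuzzed.input), result)
```

Run it against a driver only on a throwaway machine or VM with a kernel debugger attached: the whole point of the length and boundary strategies is to crash the driver, and a crash in kernel mode takes the box with it.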

  32. ryan January 19, 2010 at 9:16 pm #

    Eochaid, you are wrong about rogue anti viruses… They can disable your whole computer and make it a recycle bin….

  33. Dieselman January 19, 2010 at 10:13 pm #

    The rogue named “Security Tool” disables your anti virus. It disables MBAM and SAS. It will also disable you from being able to select “safe mode”. The only way I got rid of it on one particular machine was to remove the hard drive. Plug it into my connector and scan with MBAM and SAS from my machine to remove the rogue.

  34. Carlos January 19, 2010 at 10:59 pm #

    I think the WORST offenders right now are: “Security Tool” and “Antivirus Live” because they come bundled with some other unwanted “guests” (e.g.: Vundo, Conficker, etc.) and those are the ones who disable EVERYTHING on your computer, from e-mail clients, task manager, to browsers. And it’s so easy to get infected because any legitimate web page can become infected with some banner ads that redirect you to the offender’s site. The worst is that if you are not computer savvy enough, you end up clicking on the red X to close your browser upon being prompted to download one of those “tools”. I always tell my friends that if they come across some of those fake messages they just need to either start the Task Manager and shut down the iexplore.exe process from there or just hit ALT F4 simultaneously. Doing that may save your day before it’s too late.
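The two posts above describe what a rogue like “Security Tool” leaves behind: Task Manager and other tools disabled, Safe Mode unreachable, security products that will no longer start. Those artifacts live in a handful of registry locations, and the block below is an added example written for this page (not the commenters’ own procedure) that checks them. The checks run over a plain dict snapshot so they can be exercised offline on a constructed sample; `collect_live()` builds the same snapshot with `winreg` and therefore only works on Windows. The Image File Execution Options “Debugger” hijack and the list of watched executables are assumptions about common rogue behaviour, not something the posts state, and a legitimate debugger registration on one of those names would also be reported and needs a human look.

```python
"""Triage registry tampering typical of rogue anti-virus: Task Manager and
Registry Editor disabled by policy, Security Center service switched off,
Safe Mode boot keys deleted, security tools hijacked through IFEO.

Added example, not the commenters' code. Snapshots are plain dicts
(key path -> {value name: data}); a key that does not exist is absent.
"""
import sys

POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WSCSVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc"
SAFEBOOT_KEYS = (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
                 r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network")
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WATCHED_EXES = ("mbam.exe", "superantispyware.exe", "taskmgr.exe", "regedit.exe", "msconfig.exe")  # assumed watch list

def find_rogue_artifacts(snap: dict) -> list:
    """Return human-readable findings; empty list means none of the known tampering was seen."""
    findings = []
    policy = snap.get(POLICY_KEY, {})
    if policy.get("DisableTaskMgr") == 1:
        findings.append("Task Manager disabled by policy (DisableTaskMgr=1)")
    if policy.get("DisableRegistryTools") == 1:
        findings.append("Registry Editor disabled by policy (DisableRegistryTools=1)")
    if snap.get(WSCSVC_KEY, {}).get("Start") == 4:          # 4 = SERVICE_DISABLED
        findings.append("Security Center service (wscsvc) set to Disabled (Start=4)")
    for key in SAFEBOOT_KEYS:                               # deleting these breaks Safe Mode
        if key not in snap:
            findings.append("Safe Mode boot key missing: " + key.rsplit("\\", 1)[1])
    for exe in WATCHED_EXES:                                # IFEO Debugger runs instead of the tool
        debugger = snap.get(IFEO_KEY + "\\" + exe, {}).get("Debugger")
        if debugger:
            findings.append("IFEO Debugger hijack on %s: %s" % (exe, debugger))
    return findings

WANTED = ([(POLICY_KEY, ("DisableTaskMgr", "DisableRegistryTools")), (WSCSVC_KEY, ("Start",))]
          + [(k, ()) for k in SAFEBOOT_KEYS]
          + [(IFEO_KEY + "\\" + e, ("Debugger",)) for e in WATCHED_EXES])

def collect_live() -> dict:
    """Read the same keys from the running system (Windows only, 64-bit registry view)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for path, names in WANTED:
        root, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(roots[root], sub, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
                values = {}
                for name in names:
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
                snap[path] = values
        except FileNotFoundError:
            continue
    return snap

# Constructed snapshots, not captures from a real machine.
CLEAN_SNAPSHOT = {POLICY_KEY: {}, WSCSVC_KEY: {"Start": 2},
                  SAFEBOOT_KEYS[0]: {}, SAFEBOOT_KEYS[1]: {}}
INFECTED_SNAPSHOT = {
    POLICY_KEY: {"DisableTaskMgr": 1},
    WSCSVC_KEY: {"Start": 4},
    SAFEBOOT_KEYS[1]: {},                                # Minimal deleted, Network left alone
    IFEO_KEY + "\\mbam.exe": {"Debugger": "svchost.exe"},
}

if __name__ == "__main__":
    snap = collect_live() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for line in find_rogue_artifacts(snap) or ["no rogue artifacts found"]:
        print(line)
```

Run from an elevated prompt on the suspect machine, or point the same checks at an offline hive loaded from a pulled drive, which is the situation Dieselman describes when the rogue blocks everything from running on the live system.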

  35. Eochaid January 19, 2010 at 11:32 pm #

    I understand that there are many rogues that are particularly nasty. I’ve seen many rogues that act like trojans, blocking any process you execute, .exes, or destroying the structure of your registry, and I guess I didn’t make that clear.

    However, I am taking the argument that most rogues are not truly harmful in the same sense, which is only partly true, and pointing out that such an attitude is wrong and lazy. The fact is that I see so many antivirus programs that flat out don’t care about rogues (McAfee, BitDefender, and I hesitate to say Avast because we haven’t seen the full capability of this product yet) and I’m pointing out that even the most minor of rogues are dangerous.

    Rogues are like spyware. When spyware first infected computers they were minor but could potentially cause many problems and were generally annoying. Over time, spyware became the dominant threat that led to computer infections. Only when hundreds of thousands of users’ computers became infected by spyware-related threats did anti-malware companies start caring. It’s the same thing with rogues. Rogues are extremely dangerous now but they didn’t use to be. By ignoring minor annoyances and threats, anti-malware companies cost their customers time, money, frustration and anger, and when you pay for an AV product that doesn’t actually care about the latest threats, it’s simply wrong.

  36. ssj100 January 20, 2010 at 6:48 am #

    Just my usual reminder that black-lister/behaviour blocker software is not enough these days. You need to enforce a default-deny policy and ensure you are working in a Limited User Account.

    Finally, everyone should be learning how to use programs like Sandboxie. Only this way can you get “100%” security.

  37. ssj100 January 20, 2010 at 6:55 am #

    Oh and Matt, do you ever recommend your customers to switch to a Limited User or Standard User Account?

    If not, good tactics haha.

  38. RejZoR January 20, 2010 at 7:11 am #

    @Carlos

    QUOTE:
    “The sad thing is that companies like ESET, AVAST, and other claim that they don’t detect those fake AVs because they are “not malicious”. What a lot of nerve they got.”

    ANSWER:
    What if you’d read the damn facts for a change and stop accusing these companies of claiming something they NEVER claimed?
    avast! developers NEVER said anything like that and i’m sure they never will. We, the avast! Evangelists are NOT ALWIL Software employees and their (avast! Evangelist’s) statements or comments do NOT reflect the business practices, models, ideas or methodologies of ALWIL Software and their official representatives.
    That was MY opinion and my opinion alone. That’s what I think about fake AV’s. If you don’t share the same opinion, so be it. I could say this on any forum or blog and it wouldn’t mean any more or less than that.

    So all of you stop the avast! bashing crusade and calm down will ya?

  39. Cabiles2 January 20, 2010 at 10:03 am #

    Avast 5 is finally here

    http://www.avast.com/index

  40. Anonymous January 20, 2010 at 12:30 pm #

    I agree with Matt; rogues are no laughing matter. They can cause substantial damage to the end user, with their money and even identity stolen, and going to great lengths to force the user to purchase their so-called products, such as locking security programs and prevent the user from even attempting a scan.

    Hopefully in the future, more antivirus vendors will realize the true potential threat of rogues and equip their antivirus products to deal with them.

  41. Christos January 20, 2010 at 2:36 pm #

    Avast! 5.0 is out of beta!!!

  42. malwarekilla January 20, 2010 at 4:59 pm #

    @everyone – thanks for all the great comments in here guys, tons of great info for everyone.

    I see the Avast 5 final is out now. I’m going to retest the final free and buy a copy of the IS product if I can’t get a demo. Looks like the next 2 weeks are going to be Avast reviews/tests.

  43. Dieselman January 20, 2010 at 5:51 pm #

    ssj100……….time to live in the real world.There is no such thing as 100% secure.

  44. Dieselman January 20, 2010 at 5:53 pm #

    Also ssj100 even though Sandboxie has a 64 bit version it doesn’t have the same protection as in a 32 bit OS. Sandboxie is good but its far from 100%.

  45. Carlos January 20, 2010 at 7:06 pm #

    @ SSJ100: Wake up, man…There is no such thing as “100%” protection. Not even Sandboxie is 100% bulletproof. I used the trial version of SBIE (3.42) and browsed several shady web sites downloading malware on purpose with IE8 sandboxed running on Windows 7 Professional ALL PATCHED and some of these malware somehow managed to STOP the Sandboxie SERVICE and freeze the Internet Explorer. I had to re-enable the SBIE service through the Services console. So, what have you got to say about that?…

    @ ReJZor: Peace out man…Don’t get so pissed off because of some critics. Anyhow, you stated you don’t work for AVAST!…right? Be open minded and don’t get mad because of some criticism. Every AV company in the world has had their blunders. I use ESET, but I don’t deny the fact that at Wilders Forum, Marcos (ESET moderator) always tries to downplay the fact that NOD32 v.4 misses many Fake AV samples and he writes that those ones are not really “malware”….Anyway, I keep hunting those Rogue AVs and keep sending samples to ESET so they can be added to their signatures.

  46. RejZoR January 20, 2010 at 7:22 pm #

    Well, i don’t get pissed over criticisms, i get pissed over something ppl make up out of nothing. Like stating that ALWIL said that rogues are not problematic. They never issued any such statement but yet, ppl are spreading this like they did. This pisses me off and nothing else. I encourage any critics possible for as long as they aren’t made up.
    Because this only helps to improve the program opposed to living in denial.

  47. Mark January 20, 2010 at 8:47 pm #

    @Dieselman

    where did you get this 64 bit sandboxie?

  48. Dieselman January 20, 2010 at 11:26 pm #

    Very easy, Mark. From the Sandboxie site. Where else? Come join our forum. I am a Mod here at Remove-Malware.com. Here is the link for Sandboxie 64 bit.

    http://www.sandboxie.com/phpbb/viewtopic.php?t=6842

  49. ssj100 January 21, 2010 at 4:48 am #

    People, please calm down. I said “100%” protection. Please note the quotation marks. When I say “100%”, I mean as close as possible to 100% as you can get.

    Also “Carlos”, how did you configure your sandbox when you were surfing “shady” web sites? Did you have start/run/internet access restrictions in place? Also, were you using a Limited/Standard User Account with Software Restriction Policies/AppLocker enabled?

    Also, if you want to help Sandboxie, why not give me the “shady” web sites and see if I can reproduce your problem? Because for now, all I hear is noise at the moment with no proof that Sandboxie was genuinely bypassed.

    Dieselman, yes Sandboxie 64-bit is still in Beta and will not guarantee kernel level protection for services calling out from the sandbox, but it will still be extremely powerful and provide “100%” protection when combined with a Limited/Standard User account with Software Restrictions/AppLocker in place.

  50. ssj100 January 21, 2010 at 4:54 am #

    Also, I am still currently using a 32-bit system (Windows XP), and don’t plan to move to 64-bit for a few more years. I can still do everything I need to and lightning fast too.

    Also Carlos, what system are you using? 32-bit or 64-bit? Did you report the apparent bypass to the Sandboxie forums? I get excited when there are such bypasses haha, but it doesn’t really concern me, because I also have the powerful layer of LUA + KAfU + SRP + DEP. I doubt any malware can bypass a properly configured Sandboxie + LUA + KAfU + SRP + DEP.

    In fact, as far as I know, Sandboxie alone has NEVER been bypassed when start/run/internet access restrictions are in place. Someone feel free to prove me wrong. I’d be very interested!

  51. Dieselman January 21, 2010 at 5:39 am #

    ssj100, either way you look at it you do not say 100%, so stop trying to back track. You’re better off saying 99%. I am on Win 7 64 with KIS 2010. That’s all I need. Common sense surfing is the first line in defense. Never been infected in well over 6 years now. Actually 7.

  52. Dieselman January 21, 2010 at 5:40 am #

    Also, ssj100, you are talking about Sandboxie being so great, but only after you tweak it. Most users do not do that. Step into the real world for a change. Real world people do not have a clue.

  53. ssj100 January 21, 2010 at 5:58 am #

    Okay, whatever pleases you most Dieselman. I’ve been saying “100%” for a long time now. The quotation marks have always been in place, in all the forums I’ve posted in.

    It’s interesting how people get so uptight and seemingly insulted and angry when I type those numbers. Why 99%? It’s not 99% either. 99% is misleading, as it suggests an exactness. What would be more accurate would be writing it as: “99.999%”. Then hopefully people will get the point I am trying to make. I just thought “100%” was clear enough haha.

  54. ssj100 January 21, 2010 at 6:02 am #

    Wow, Dieselman, I am indeed talking about the real world. The real world needs education.

    Also, how many times has Sandboxie been bypassed in the real world with just the default configuration in place? These bypasses have been very quickly patched also.

    Also, in the real world, most people do not run as a limited user etc. Does that mean we stop posting about it, and trying to educate people?

    I am merely trying to post that you can get very very close to “100%” protection if you want, and it requires very little third-party security software. For those that can’t be bothered to learn, fine by me. But it doesn’t mean I can’t post my opinions and try to educate the “real world” haha.

  55. ssj100 January 21, 2010 at 6:17 am #

    By the way Matt, I don’t think you’ve answered my question yet. If you get time, I’d appreciate a reply. Otherwise, no worries.

    Basically I was asking if you ever promote Limited/Standard User accounts +/- Software Restriction Policies/AppLocker to your clients? I’m just interested to know.

    I am betting that, for the majority of your clients, it would take far too much time and effort on your part to educate them about these sorts of things. Right?

    Furthermore, rogues, scareware etc will always succeed in their goal if the computer user is naive and not experienced/educated enough, no matter what protection you have in place. Therefore, rogue protection/detection is indeed very very important for the “average” user, who should understand how to use an Antivirus. Unfortunately, for many people out there, even if their Antivirus alerts of potential malware, they will simply ignore it and proceed anyway. That is indeed the REAL world! You can’t win all the time I guess.

  56. Dieselman January 21, 2010 at 11:49 am #

    ssj100, you’re missing the point. You need to educate people, and that’s what Matt and I are about. If you tell people that with a certain setup they are 100% secure, then that means they can download and do whatever they want and never be infected. THAT IS 100% FALSE. Nothing but nothing is 100% effective. Avira’s detection rate is 99.7% at times. Yes, I do tell people to set up their children under an LUA, which I have my son under.

  57. Dieselman January 21, 2010 at 11:52 am #

    100%=Perfection. You CANNOT GET PERFECTION when it comes to fighting malware. Any system at any time can be infected.

  58. Dieselman January 21, 2010 at 11:56 am #

    Real world people are just click happy. Even with the best protection these types of people will just turn things off without even knowing what they are doing. I can fix and clean a PC. A month later they are infected again. I have seen this one guy’s laptop 6 times in one year. And he is using Avira and Sandboxie.

  59. Dieselman January 21, 2010 at 12:04 pm #

    You can educate people about how to use security and how to safe surf until you’re blue in the face. Will they listen? Nope. Your PC with your knowledge may be 100% secure, but in the real world with the average user there is no such thing as 100% secure. People do not know how to use their PC. I ask people “What were you doing last to cause the error or infection?” They all answer the same way: “I don’t know.” It’s like talking to a 5 year old. Try fixing computers, ssj100, and you will see where Matt and I come from.

  60. LordRahl January 21, 2010 at 1:29 pm #

    lol this is now a fight

  61. Dario January 21, 2010 at 2:16 pm #

    I agree with Dieselman, antimalware tools are only 50% of the solution to fight malware, the other 50% is the education of the public. Why are these things not taught in schools? It would not hurt to have even 1 school day dedicated to educating people on malware.

  62. ssj100 January 21, 2010 at 6:44 pm #

    I don’t see it as a fight. I completely agree with Dieselman haha. Please read ALL my posts carefully and do it while taking some deep breaths haha. I think he is just trying to pick a fight?

    Again, I repeat, when I say “100%” I mean as close as possible to 100% as you can get, all things being equal.

    Of course some people will always get infected. If you install an Antivirus for them, they can simply ignore the Antivirus alert and allow everything.

    What I’m trying to say is that promoting free measures like working in a LUA/SUA is very important, but I am aware that it’s not going to work for a lot of people, as these people don’t even know what a left mouse click is.

    I was just trying to make a point. Education is indeed very important, as I have mentioned in my previous post already! And with my previous posts, I am trying to educate people who take the time and trouble to go through the motions of learning themselves and are interested in computer security.

    To be honest, most people who understand what we’re talking about and post here are the ones who don’t actually need much security (as they have good common sense and experience), but perhaps these same people will go about spreading and promoting LUA + SRP + DEP, which are security tools that come freely with your OS!

  63. ssj100 January 21, 2010 at 6:45 pm #

    And good on you for setting up and promoting LUA Dieselman!

  64. ssj100 January 21, 2010 at 6:46 pm #

    How many people’s computers do you have to fix who run as LUA? I’m guessing much less, for various (and obvious) reasons.

    Thanks for the information!

  65. Carlos January 22, 2010 at 1:41 am #

    @SSJ100: You believe that LUA is the universal drug that cures-it-all…Is that what you mean?….When IT Administrators at workplaces grant access to users and place them in the Restricted User group (Limited User, Standard User or whatever you call it) it does not necessarily mean that they do that with your theory in mind. They do it because they want to PREVENT users from installing/uninstalling programs at work. Not because they want to apply SSJ100’s theory about avoiding virus infections. That’s the point. By the way: I hate Windows XP. As soon as Microsoft released Vista back in January 2007 I dumped XP for Vista even with all its shortcomings. I’m now using Windows 7 Pro 32-bit if that is what you want to know. And, yes…on Win 7, Sandboxie 3.42 FAILED with default configurations. After I downloaded some malware samples from .cn and .ru web sites (I did NOT execute them) SBIE froze, IE 8 stopped responding and I had to shut it down, and when I checked the SBIE service was STOPPED. How do you explain that? Is SBIE 3.42 100% safe???….no !!!

  66. Dieselman January 22, 2010 at 2:04 am #

    Thank you Carlos. Should have upgraded to Win 7 64 bit. I love mine.

  67. bo.elam January 22, 2010 at 2:31 am #

    Hi Matt, thanks for these great videos. I personally have learned from watching them how to be almost 100% secure when I surf the internet. I’d like to thank you especially for the 3 Sandboxie videos, which turned me on to it. I am sure that if you had Avast and Sbxie running together when you ran these tests the infection would not have happened. I am using Avira and most likely it would also fail against most rogues, so it’s a blessing to be running sandboxed despite what Carlos and Dieselman say of Sandboxie.
    Greetings from Central America, hope you and Dieselman have a fun year working against the bad guys.
    Bo

  68. bo.elam January 22, 2010 at 3:01 am #

    Hi Dieselman, you are a very experienced internet security man. I am not, but just a regular plain dummy user, and it was easy for me to learn how to use the box. Dieselman, if I learned, and it was quick, anybody can, buddy. As a matter of fact you never stop learning, and that’s part of the beauty of the program, and it might not be 100% bulletproof, but to most of us that use it, it’s more than 100% because it works despite what you think of it. Since I’ve been using it (11 months) nothing, absolutely nothing, has come in. So if you just surf like a normal user most likely you will not get infected. It has never happened that I know of. Now I do know that sometimes while playing with samples, like Carlos, infections have happened, but regular users like me don’t play with malware samples. To finish, my friend, come on, you know that the changes that SSJ100 talks about are very easy to do. There are only 2 or 3 changes that should be done and the box becomes a real beauty. It took me about 2 days after I started using the box to understand them and apply them. To finish, you ought to suggest to your customer who has Sandboxie and gets infected to just use Sbxie, or ah even better do like Matt in the video, remember he gets rid of all other browser icons on the desktop and tells the user to only use the one that looks like a pizza.
    Take care man
    Bo

  69. bo.elam January 22, 2010 at 3:13 am #

    SSJ100 , keep on putting the good word about the box. I am also doing so on my side of the world.
    Later brother
    Bo

  70. ssj100 January 22, 2010 at 9:59 am #

    No, I believe that a lot of computer users out there would be much safer when running as LUA with SRP in place. That is the point. Why are you trying to deny it?

    Look at Linux. Linux systems have got it right from the start. Running as administrator is NOT safe at all. In fact, I would predict that a significant proportion of malware out there would be stopped dead in its tracks simply by running as a limited user.

    Anyway, sounds like you people need some articles and other people’s opinions to be convinced. For some reason, I get that you are not understanding my points at all. Try reading here:
    http://www.wilderssecurity.com/showpost.php?p=1608911&postcount=59

    http://www.wilderssecurity.com/showpost.php?p=1533486&postcount=5

    Hope those links can further educate people here. I am only trying to help. If you can’t be bothered trying to understand why running as a Limited User is so beneficial security-wise, then that’s your problem haha.

    And yes, Sandboxie when configured properly (NOT default configuration) and when used in a Limited/Standard User account with SRP enabled gives very close to 100% protection in the right hands. I know many people out there who have run tens of thousands of malware through Sandboxie and it has never been bypassed by their tests. Ask “Peter2150” at the Wilders forums and “Buster” at the Sandboxie forums.

    Oh and by the way, I love Windows XP. Everything works perfectly for me, and lightning fast too.

  71. ssj100 January 22, 2010 at 10:09 am #

    And Carlos. No, LUA does not “cure it all”. But it certainly reduces the malware attack surface significantly.

    And feel free to PM Windchild from the Wilders forums if you have any other questions about LUA – he is the most knowledgeable person on the internet I know of. He was the one that convinced me to move to LUA several months ago. I also wasn’t convinced…until I tried it. Here’s one of his posts:
    http://www.wilderssecurity.com/showpost.php?p=1608918&postcount=60

  72. Sensible_Sam January 22, 2010 at 10:42 am #

    Completely agree with ssj100. However, LUA, SRP etc have their own pitfalls and don’t work for everyone.

    But in saying that, the majority of people out there should be using Limited or Standard accounts. You will never catch a main-stream Linux system defaulting to run as an administrator. In fact in Linux Ubuntu, you can’t even run as administrator. And for good reason too.

  73. Dieselman January 22, 2010 at 11:30 am #

    OMG. I should have known where I know you from. Wilders is a bunch of security freaks. People over at Wilders change their setup every day. Stay away from Wilders unless you want to put a padlock on your PC.

  74. Johan January 22, 2010 at 2:45 pm #

    HAHA WOW Dieselman!!!!

    So what you are saying is,
    that people should stay away from Wilders ONLY because SOME of the posters/readers change their setup every day?
    That’s just a stupid claim, for one I don’t change my setup every day 🙂

    What about the content/information that is available at Wilders did you forget about that as well?

  75. Dieselman January 22, 2010 at 4:58 pm #

    No, I did not forget it. Either way Wilders is a bunch of security freaks. Why don’t they just not bother turning their PCs on?

  76. ssj100 January 22, 2010 at 7:40 pm #

    Hey Dieselman, yes I agree with you to an extent regarding Wilders, but it’s quite entertaining reading the forum from time to time!

    Not sure what happened to my previous posts, but I was stating again why LUA etc is so beneficial. Here’s what Microsoft themselves say:

    http://technet.microsoft.com/en-us/library/bb456992.aspx#EGAA

    And here’s an excellent post about it also:
    http://www.wilderssecurity.com/showpost.php?p=1533486&postcount=5

    Anyway, seems like you’re not allowing this to go through. Clearly I have done something wrong. I would appreciate it if you could tell me what I did wrong. Thanks for your time.

  77. Anonymous January 22, 2010 at 7:55 pm #

    Considering how malware is advancing nowadays, being a “security freak” and having a ton of protection on the computer is better than having little protection.

  78. Dieselman January 22, 2010 at 11:48 pm #

    Too much doesn’t mean you’re better protected. There is such a thing called overlapping security. All I need is KIS 2010 and common sense.

  79. Raygen January 25, 2010 at 4:26 pm #

    Rogues are an interesting breed, and to be honest I don’t think they can be detected or stopped consistently in their current form until the inherent problems in the Windows architecture are addressed.

    I mean, look at how many versions of Vundo are around…that darn thing is still infecting folks and new versions come out every day..it never ends..

    I think the only way to prevent these rogues is for Windows to sandbox the browser inside of a virtual machine using Intel and AMD virtualization extensions built into modern day processors..even though that may not be the answer either.

    I think MalwareBytes does so well because it’s an app that is dedicated to detecting only rogues and spyware; it doesn’t fare too well against polymorphic worms and viruses, but again that’s not what MalwareBytes was designed for.

    Anti-Virus vendors have a tough time with viruses alone, and I think spyware protection is better served with a third-party app (Super AntiSpyware), same with general malware (MalwareBytes), to supplement your AV application, be it Avast, Norton, etc…

  80. ssj100 January 25, 2010 at 9:55 pm #

    bo.elam, just curious as to what malware has escaped the sandbox genuinely? Keep in mind that most of the reported “bypasses” of Sandboxie have been proved WRONG (usually either due to the user not realising what has actually happened, or due to the user not using Sandboxie correctly). And as far as I know, there have been no genuine “bypasses” when Sandboxie’s start/run/internet access restrictions are in place.

  81. Johnny January 26, 2010 at 5:15 pm #

    Whilst users like us try to take our security more seriously, so many people just don’t, and I hate to say this, but these kinds of people tend to be in the majority. I’ve fixed a number of virus-infected laptops for my friends. All they want to do is go on Facebook or whatever else they do, but they just don’t understand the risks, and when I try to explain things to them they go cross-eyed at me. I had one almost fall for one of these rogue applications.

  82. Mike June 14, 2010 at 3:21 am #

    Hmm? You guys can be at 99% if you want, but I’ve never seen anything get past Sandboxie, let alone through my Kaspersky, Defense+, Threatfire, S&D, all of my on-demand scanners, MBAM Pro, PeerBlock, etc. If any malware gets past all of this shit they can just have my identity, because I will have died from shock.
