Review: Once again a behavior-oriented malware detection product is a good supplement to conventional detection, but no substitute for it yet.
The holy grail of malware detection is the generic threat detector, unburdened by the need for updates to account for every new variation of every virus that comes out every day. Such a product could just know a threat when it sees it based on the behavioral characteristics of the program.
These are the claims made by French software company Tegam International for ViGuard, a product that was in the news recently. Back in 2001 a security researcher analyzed the program and wrote that it did not measure up to the company's claims, and as part of the process wrote some exploit code to demonstrate the flaws. For his trouble he was indicted by a French court and is standing trial.
You may read the researcher's account of the matter at this page and Tegam's criticism of the testing at this page.
Tegam still says on its home page that "Hundreds of thousands of workstations protected by ViGuard have never been infected by viruses without a single signature update!"
We obtained a copy of the current ViGuard Security Pack and provided it to Andreas Marx of AV-Test.org, an expert anti-virus research and testing organization at the Otto-von-Guericke University Magdeburg (Germany).
Like all behavior-focused anti-malware products, ViGuard has a learning phase. When something suspicious happens the program warns you and gives you the opportunity to allow or deny the activity (click here to see an example).
AV-Test tested ViGuard against a number of worms, viruses and other types of threats, and it handled most of them admirably. Zafi.C and Sober.I were both flagged by the program.
But Tegam also claims that ViGuard can protect against buffer overflows, such as those exploited by the Sasser and Blaster worms. AV-Test set up a Windows XP SP1 system with no patches, which is vulnerable to both worms, and connected it to the Internet. Before you knew it the system was attacked by Sasser and shut down. (Click here to see it happening, and please forgive the German.) The persistent part of the Sasser infection was actually unsuccessful and the system rebooted because a service crashed, but after the reboot it was clean.
Tegam claims that the infection was actually prevented, but AV-Test differs: they claim that only the persistent parts were blocked, and that the worm was running prior to the reboot. In any event, this is a good indication of a situation where a simple firewall would be more effective than ViGuard, as it would prevent Sasser from entering the system to begin with.
A collection of macro viruses was also tested, including several from the WildList. Many were stopped, but four were not: PP97M/Tristate.C, X97M/Laroux.A, .DX & .E. This was surprising, because ViGuard has been certified by West Coast Labs against all WildList attacks. AV-Test was more successful in attacking the system with the infamous MS04-028 JPEG exploit.
Taking a more direct approach, AV-Test also tried simply to stop the ViGuard Windows service ("vigservice"), an action taken by many worms against many security programs. The "NET STOP" command was successful. A warning is issued, but even if you click on "No," Windows will terminate the service. Other tools like ZoneAlarm Pro or Norton Antivirus protect their system service better.
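Whether a non-administrator can issue that stop is something a defender can check from the service's security descriptor (printed by `sc.exe sdshow <service>`) before relying on a product's own self-protection. The following Python script, added here and not from the review or from Tegam, parses the DACL part of an SDDL string and lists the non-trusted principals holding stop, change-config, delete or write-DAC rights; the two SDDL strings are constructed samples, not ViGuard's actual descriptor. It says nothing about callers that already run as SYSTEM or as an administrator; against those, only the product's own self-protection applies.

```python
import re

# Service SDDL right tokens that let a caller stop or disable a service, with the
# access-mask bit each stands for (used when the descriptor carries a hex mask).
DISABLING_RIGHTS = {
    "WP": ("stop", 0x0020),           # SERVICE_STOP
    "DC": ("change config", 0x0002),  # SERVICE_CHANGE_CONFIG, e.g. set start type to Disabled
    "SD": ("delete", 0x10000),        # DELETE
    "WD": ("rewrite DACL", 0x40000),  # WRITE_DAC: grant yourself the rest later
}

# Well-known SID abbreviations that commonly appear in service DACLs.
SID_NAMES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
             "SU": "Service logons", "AU": "Authenticated users", "BU": "Users", "WD": "Everyone"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Yield (ace_type, right_tokens, sid) for each ACE in the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop the SACL if one follows
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:
            continue
        ace_type, _flags, rights, _obj, _inherit, sid = parts
        if rights.startswith("0x"):                   # numeric mask form
            mask = int(rights, 16)
            tokens = [t for t, (_, bit) in DISABLING_RIGHTS.items() if mask & bit]
        else:                                         # two-letter token form
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        yield ace_type, tokens, sid

def who_can_disable(sddl, trusted=("SY", "BA")):
    """Map each non-trusted principal with an allow ACE to the rights that let it
    stop or disable the service. An empty result means only trusted principals can."""
    findings = {}
    for ace_type, tokens, sid in parse_dacl(sddl):
        if ace_type != "A" or sid in trusted:
            continue
        hits = [DISABLING_RIGHTS[t][0] for t in tokens if t in DISABLING_RIGHTS]
        if hits:
            findings[SID_NAMES.get(sid, sid)] = hits
    return findings

# Constructed samples: the first mirrors the usual Windows default (WP only for SY and BA),
# the second grants WP to every interactive and authenticated user.
HARDENED = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
WEAK = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

if __name__ == "__main__":
    print(who_can_disable(HARDENED), who_can_disable(WEAK))
```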