Review: Once again a behavior-oriented malware detection product is a good supplement to conventional detection, but no substitute for it yet.
The holy grail of malware detection is the generic threat detector, unburdened by the need for updates to account for every new variation of every virus that comes out every day. Such a product could just know a threat when it sees it based on the behavioral characteristics of the program.
These are the claims made by French software company Tegam International for ViGuard,
a product that was in the news recently. Back in 2001 a security researcher analyzed the program and wrote that it did not measure up to the companys claims, and as part of the process wrote some exploit code to demonstrate the flaws. For his trouble he was indicted by a French court and is standing trial.
You may read the researchers account of the matter at this page
and Tegams criticism of the testing at this page.
Tegam still says on its home page that "Hundreds of thousands of workstations protected by ViGuard have never been infected by viruses without a single signature update!"
We obtained a copy of the current ViGuard Security Pack and provided it to Andreas Marx of AV-Test.org,
an expert anti-virus research and testing organization at the Otto-von-Guericke University Magdeburg (Germany).
Like all behavior-focused anti-malware products, ViGuard has a learning phase. When something suspicious happens the program warns you and gives you the opportunity to allow or deny the activity (click here to see an example
AV-Test tested ViGuard against a number of worms, viruses and other types of threats, and it handled most of them admirably. Zafi.C and Sober.I were both flagged by the program.
But Tegam also claims that ViGuard can protect against buffer overflows, such as those in the Sasser and Blaster worms. AV-Test set up a Windows XP SP1 system with no patches, which is vulnerable to both worms, and connected it to the Internet. Before you knew it the system was attacked by Sasser and shut down. (Click here to see it happening and please forgive the German.
) The persistent part of the Sasser infection was actually unsuccessful and the system rebooted because a service crashed, but when it reboots it is clean.
Tegam claims that the infection was actually prevented, but AV-Test differs: they claim that only the persistent parts were blocked, and that the worm was running prior to the reboot. In any event, this is a good indication of a situation where a simple firewall would be more effective than ViGuard, as it would prevent Sasser from entering the system to begin with.
A collection of macro viruses were also tested including several from the Wild List. Many were stopped, but four were not: PP97M/Tristate.C, X97M/Laroux.A, .DX & .E. This was surprising, because ViGuard has been certified by West Coast Labs
against all wild list attacks. AV-Test was more successful in attacking the system with the infamous MS04-028 JPEG exploit.
Taking a more frontal assault, AV-Test also tried simply to stop the ViGuard Windows service ("vigservice"), an action taken by many worms against many security programs. The "NET STOP" command was successful. A warning is issued, but even if you click on "No," Windows will terminate the service. Other tools like ZoneAlarm Pro or Norton Antivirus protect their system service better—even if you are an administrator, but thats likely the standard situation on a home users PC. Tegam explained that this is a known bug for ViGuard on Windows XP SP2 (the platform used for this test), as the service manager doesnt let ViGuard wait for the user confirmation response, and that it will be fixed in the next revision of the program.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
AV-Test also tested ViGuard in conjunction with other security software and found conflicts between them. For instance, they tested the Microsoft AntiSpyware beta program on the same system. MS AntiSpyware was not flagged as suspicious by ViGuard, which is as it should be, but when threats were installed they sometimes interfered with each other. An advanced Windows rootkit named Orpheus was installed and MS AntiSpyware was first to pop up with a notification; if MS AntiSpyware was told to allow it to proceed, Orpheus installed without any interference from ViGuard. Tegam said that Orpheus should have been detected on download, but this is not the only way files get on to systems. A floppy disk or USB key could also be used and the file executed directly.
Behavioral blockers such as ViGuard are clearly useful as a supplementary measure, but such technology is not yet at the stage where it can be trusted alone with the job of protecting a computer. Maybe there are a lot of lucky ViGuard users out there who have never had an attack slip through, but we wouldnt take the chance.
Check out eWEEK.coms for the latest security news, reviews and analysis.