|
|
|
ViGuard Not Close Enough For Virus Work
By: Larry Seltzer
2005-02-01
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Review: Once again a behavior-oriented malware detection product is a good supplement to conventional detection, but no substitute for it yet.The holy grail of malware detection is the generic threat detector, unburdened by the need for updates to account for every new variation of every virus that comes out every day. Such a product could just know a threat when it sees it based on the behavioral characteristics of the program.
These are the claims made by French software company Tegam International for ViGuard, a product that was in the news recently. Back in 2001 a security researcher analyzed the program and wrote that it did not measure up to the companys claims, and as part of the process wrote some exploit code to demonstrate the flaws. For his trouble he was indicted by a French court and is standing trial.
You may read the researchers account of the matter at this page and Tegams criticism of the testing at this page. Tegam still says on its home page that "Hundreds of thousands of workstations protected by ViGuard have never been infected by viruses without a single signature update!"
We obtained a copy of the current ViGuard Security Pack and provided it to Andreas Marx of AV-Test.org, an expert anti-virus research and testing organization at the Otto-von-Guericke University Magdeburg (Germany).
Like all behavior-focused anti-malware products, ViGuard has a learning phase. When something suspicious happens the program warns you and gives you the opportunity to allow or deny the activity (click here to see an example).
AV-Test tested ViGuard against a number of worms, viruses and other types of threats, and it handled most of them admirably. Zafi.C and Sober.I were both flagged by the program.
But Tegam also claims that ViGuard can protect against buffer overflows, such as those in the Sasser and Blaster worms. AV-Test set up a Windows XP SP1 system with no patches, which is vulnerable to both worms, and connected it to the Internet. Before you knew it the system was attacked by Sasser and shut down. (Click here to see it happening and please forgive the German.) The persistent part of the Sasser infection was actually unsuccessful and the system rebooted because a service crashed, but when it reboots it is clean.
Tegam claims that the infection was actually prevented, but AV-Test differs: they claim that only the persistent parts were blocked, and that the worm was running prior to the reboot. In any event, this is a good indication of a situation where a simple firewall would be more effective than ViGuard, as it would prevent Sasser from entering the system to begin with.
A collection of macro viruses were also tested including several from the Wild List. Many were stopped, but four were not: PP97M/Tristate.C, X97M/Laroux.A, .DX & .E. This was surprising, because ViGuard has been certified by West Coast Labs against all wild list attacks. AV-Test was more successful in attacking the system with the infamous MS04-028 JPEG exploit.
Taking a more frontal assault, AV-Test also tried simply to stop the ViGuard Windows service ("vigservice"), an action taken by many worms against many security programs. The "NET STOP" command was successful. A warning is issued, but even if you click on "No," Windows will terminate the service. Other tools like ZoneAlarm Pro or Norton Antivirus protect their system service better—even if you are an administrator, but thats likely the standard situation on a home users PC. Tegam explained that this is a known bug for ViGuard on Windows XP SP2 (the platform used for this test), as the service manager doesnt let ViGuard wait for the user confirmation response, and that it will be fixed in the next revision of the program.
 For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
AV-Test also tested ViGuard in conjunction with other security software and found conflicts between them. For instance, they tested the Microsoft AntiSpyware beta program on the same system. MS AntiSpyware was not flagged as suspicious by ViGuard, which is as it should be, but when threats were installed they sometimes interfered with each other. An advanced Windows rootkit named Orpheus was installed and MS AntiSpyware was first to pop up with a notification; if MS AntiSpyware was told to allow it to proceed, Orpheus installed without any interference from ViGuard. Tegam said that Orpheus should have been detected on download, but this is not the only way files get on to systems. A floppy disk or USB key could also be used and the file executed directly.
Behavioral blockers such as ViGuard are clearly useful as a supplementary measure, but such technology is not yet at the stage where it can be trusted alone with the job of protecting a computer. Maybe there are a lot of lucky ViGuard users out there who have never had an attack slip through, but we wouldnt take the chance.
Check out eWEEK.coms for the latest security news, reviews and analysis.
|
|
�������xV#9(XAӆiy�\v-�4`�,tZIgd�W�ϷKg<�滁ٻ.u IP(�
!GI">0�r�S�|jx~HR}o͛އGs�k�UQ!}�PQ2Ġ建�>�u�ٵAz:�|}@^}σDΛ��D!H/�ԞT�a@]2h�Դ[s2"gԲ9Gԗoˍa2 X��M{@zT@ۗC
< tׁ@`fZF<1Qܧh]
�(
';9Eac�o~{X�3���6BT�|L
J�k4ً�OᐨqGvwoe�YW�+
(ƻ�f�{90}gǤo9=rt(1-uH|ݖ|CXult̀���f��v?�ǭ�����j?�yhO?L�I̅N؎MYnٰ˺}}][൯�#ϙڃc2q�]Ԓ],p,U�0�)L|@�i@
�ӱaG�XAnLaE3,Ӹ4
뾪VQj\(�)NTy||=y-Ӟ>9np&Z:JI4E9\.n2$Q�w
�u-�T\Noy\?6//��N��
�Vַ�߉/ r1�DTTK|:I��I�1r�juW �RM7JQߩ�Q^SW\*U#I-Lcv=ӧH0}В^8rrjt�SKۼmu<8m5ϑ|��bPeM�z(!1h"Βg`�_.:^.9Zg�9oߒiəzNt0��ڟLm3HV[UտnG}K']ĻE��[C9�Cm0Mߑ*⑤f!1x>~iq�n>\NIF,uȿ.W�۾Bdy!$s7�R(�A0Ȱ�o>0@|s@I6�d±�(|˺�r�N��~mI'ԣ#6kiL�
�)B!aB�`u{j>2@̀k��fePX��X`4�R� 9l�f)6�K .F}M)��I�K2ߺr!C��C�Z9nVȨknSAEEI7CD�<�rA\�B(:�PHQ��&�NUIR]y6a>Ucٹw>rY^T'dayA֕i7H�
n�ϱGfyF:7N�?]5;&,qH,0U`N�). Ƹĵ:*o:jQ:�6V)BBZʑT�8ʕ�?7�0B��m�]&�tO ӻi0���;}B[ �Iv"5d}4>ljAGA�ticŦ/@7&�hCZ]Ҏ:L� �ga;Qh.[ N-9H_,�T1>$�n-��J$�nh��-DCw�#˦OM&B:�Gǻ�ښ@��(QѾ}мa��!y�jQ?]�*~S`�=�Ч>�o��ɜ��t�*��Ԡ>Ԇ!~9.b�&;A���z"
� D�EM�i�@(�P!$�O`��r���̀l�b(?JH�X-�Zp։p
(�=�HtFNO-��s㕰XH飲B�^�/_�
2[3CE外ɴa�6�"[�9�yD֫�L/G�wMᅚ6J5oY((UM;*US& 4Lp��ŕdjZ�Ҁ-�,la2Ԑ(��k��y#�
!n;At�끒���\�V3,�+X5{0�qycY@�{���tղyF�ӆ
4$2�WBh�
I!VFg'9oU dܤlrEe�JRy`OEҏa9=�%Ǟ>x^`��3{q%%Ag��-�E梱�P[klYUn)�,joEI���´ε�Z��[�aʶ`/^Ya`ҩE]Q\BKPD@BR)i�
i�)^(yt�NHIעQR�=�=�X9m���,ߪ&UY9?>2ai;ahx
K{�@� �x@��H� >
�
eҊʹ�{u:.`�Cϱ+q=:$wc=`kcjr
�.�O֣ZXpܱ880U�M2 agThjEMas0z q�tX~l\�\CǚM\S7˅a缹/lK
{)f�|~l� X�.8L8d�T�lb84-�l�{;nۈy��sQ_**yUQ?K~�2��;2ne PY6mJ��r�#�Of+nHp]iEre�Px�P[sOL,��`�7s�]%aaðuvnS5`�섏[n�=�70�U�8}���TKo5:;Ȣ4Qy
(��Mքi&.}{X�:㼝�� C�X�7A�t�\�����W@/ �/�P�HX�#°tаթ'6=�4.��D7i~Ö'"!t1|ڡ��s�3R*/rw3 T�fJW16JZ,W�j\
=6�2z�4Ebw�c9!о<�_p˹c]771z�?��n_�l��^;F19h>�>�
;�3l2�@3&�z%CjAbu�2L�k}�Y\SQ%7ִuV�Ac^p��Lj� uPH�h%|3�G� 1)>x�dVyGM)nʚ���B=Gm@$�L|%4S(�ӟWMOoN�Ш4�S7}&Mo^g�y�S˙�r�םnxȴ�h�(� V|o��D2g>R�&q3kԯ�:&F}C
�ϳGjZ11s�9_D�7�|6�u7j20/w/�}X�c7o!&�"t/nO]_&"�}{`cuɛ��(.��x�g@5s&DcK�:�ZNLF�t�E;:ҎJB7X���["�+ۃ>�,k0Ϲ$�,3G fS)*R�T
H+Ut�qM×[;iJ}gSߪ裦vt�)SM�!GTP]P��H�z☆�`\'�8�,�Hn
P�)в�O�r �}[�r�/0��yF�*/ "U!T�>#O�P�ZQ|Z!*�jvݘ|$.rsO��Ugw
|/E%!~!FN�i�h�av�[fb;?͵pZ=7e�X~�uB�5y)�aeK8<$p2�B�_v\YJl]^.�q`
e�]%Qhl\@�#fԚfDK42nq,: �5e�V'*} �UT :"iJ^R+/0Ӂ:tHF~3'^ZՋ�qvֺ~/:lae�zp0\ �!9аIm_ 8Wk%e_ūuSJ:m߈;OrT DHc�,�W!zN/fS L
k;d83/hdqH�=��}�i+��R_�Kyˉ��|9�kI*D|d_5gHܰ��r�1;coI!_aߪ�,$<�|C,($�+Wʝ}��E
�� cJ=!�o8kun.�+i9HB[��
�`I/ԩ
#^�?D�rAFzRF�di�aANc�1:�~Qt"wZ5CW/B��~C<�B<�_dxH���'BYGg2%\VIg}yH��NV��~lr_4@*IB88Qxc�ps�A\jl��9�P;PE^gTxQSeo�_�P:x�8쀒N!{7lOء
]n�fɔBJ4:<�q�2؞$iYMzJcTcH�(PPKzI3>�e
vޞ,Hq=Yi@ybZӽK3JJdë ̑m��I+4$/EiA0t[p!�,G���9C�3`Se5�>¸*"�
=4+QYbm�S�mD�:5u<��'2Qf
-�d
Z�P#�[_YL.40{=�]#d=4W�D��c6^�åC`δE�{�OmhsC(P�ESrg��WT@
�vX�%��q覍CL6nwIۼ%O�� +�FG��z=g9�&�=0�Yz$AC`r~䄜3o=^uZAd
a.-=%~d^wom'4w6OUZyX
XJ}~l/It2�D�j9]fgw}�Ȫ̙S;ً~w#S^q;- ��&m^�%3�-ћ�4/LZȥF~vaك*�sxC5?_2n8E~!B!}S\&KeYnQe�@�)&�x/)9�n/<�Y�'%:#ڮ/=a��v�UF��mO�={pn1ր0Fc�Դ؍ǓYkyg�ldz��AX9� >V�vf9$81l�Pf�pyn
֘E�+"y#ĠQI=c2E3`
kl9W�jtBqeVE0p1-�%8\b��ulE;ʷேgɎ۲&ZPu��s-e�\Oc/�%p�cW[���.ěs3�[@�)�k}Oƭp̢�%K�m1jx�M ˷٤AƧ�ӆ]e>[[9qAW)hGʑ�l�1�z&"6�l'wL�LbACs$��be_�p<}�R�i?y45��+!e�G3�55_PK?F;R-]{Sżш���8�
�Hũ3q=�p]S�-��сC.�.[�0
$ux�T9R)�ShzS��}-t+>&
ҙz�tv.�Ő+8ܪ5G/%nM{:�$ɇˏxF0t�[v3Q矔Q5��0�:q�f~/�LUk+E�,lu/a*aNЀ̜�} W ��w��hD}Ynʐ���2wK #O)�ZA�91~�44({�GI�NX0:`Bs¸(�Q:-ĪǺ&
M\aP]�*nRAgt2qK�JcuL�7c$Tv��ŗ�ISy!e^EG^��zwonR_(Nw�G>)j ���.=�ˬI
1aB4ճp�Z/Z6Ыm[3�n3zK,XT$�tM�AO�� A$�HBa?��Y~ISֲCJgz/$dy.geI)Jj yKo
iNp]@�jB9Nci(aeJ�C5�S=I� �EO[9�CoWn'HJIRm#|�>��"`k9f uKm��'��4L%�h^ԃ\\gNCG&H ~���M�� `�F� XM[bL_4Bl=�/gV܉B$U�Zxu��~N@uaX� vX�NK�h˺__*JJeI,$zߙX�}-w7:J(4F}j
L�� <"�5���E�0�|[Lx&
ϫPVzU
i�Q9A{4ae[-Sc= *�Q[[V�0,,uwI�/�t'��ܛm�!p
{A`z`Rj5�Ǣ�� C��%!P"�(i5 �Vg&6�<��݉�A]�h��8�^2
˥��Njg{�1�1�1�1z#fTJ/7b꯰e@} �����IQ{K1lIX]|!!n[z��`\;VŶd�LrQjFKU~�k(ŕ3[$q�"*�Msr4y[VgaK��#�ME
cƭM2�<��>.aom��r8-GY߮ܖ3fӆԙ@W��Z�Š9>E�Fj$4fjn�f4�[[@��XQBCjĽD�-��$PA��3_NhH]*�TRY5a+\iQ"�`�zs�@��퀂Dv9"ymE4z(�-t(�ԙ�!#
?P #K�:A5�&�戒q8|�2G���A�Մx�E�#Wp@KRY- {'|�/ݠ�:e?
k�QZ$I�Ƿi\
�V$cuuuu���E[8㫓/$|ˈk�(@.�jAwk[�`�H� `I�C�X!rg�v-�~5�ЪEaKb�)F-:E%�M7H�D�f)ܙD8$|,D }Ejx5\$w�{}�_^i\w`n%�!��&��pc7hh��z!o �{4mZ߶W3ߡ ,c2#�dz|LF�*]�!@8�C�U�y�
H�!���pPiA�L/":ϨL'fplX�f[k�JmߞHbx�|5CZ$�ߧ~Ũ36/AgVq|$Dmf?�ITbmG<�a}y�0d! {絃ϱ:S_:'푿wUD5�AXȲ�a]urV°
uZd{ۿeICA}qM{ѳ+�"X!��%S@+l�gC=k:nY_Qo �f��r��^��۩00jW6q2(��o4�h�?� ٩aeLfER3�A۶9b+m�+�ն,-1,�óE.L +#yt<Ѕ�R�rY4%VB[[_[_vȲ3g���.��� d�H�@85+QY'V�
[IHg�s~D/\",N�kf`�3aD��5z
/H|p�ʱ�\;�zaֱ�p 8�9W ?b5?�bW闶Uģ!Ae^�e͗+�I�O_�OAb�6Y3z�%0��ba��B�_pMts�7O֢q?P@$C#DѡrU����|�Po|Պ�[NiҡQ7
fX ��ך`jT�>p\{�-�12ݨ=|'.=:as��@�a]I�D)�6:eA@)|0E�;L4~�:6Mm˟�OzH~��l*ㇽe�9q�/^E:��\ߤ}xbu~Kpq-J�Q q��7�{oi@=Ip ��FǞ�)=WÞp}0
G%�kM)G>?�G�?S+e2\�Oo��v?2DŦW75R%9#ǀ�S��^�a)qc�C%ˉ�=|���AE&�p<ƽ�7
$?؎7ѭ6ǜMEf^iO�T9�>�#u9b?=GutNj-biA�c�2·{D÷[c'R���ek�0Q�5�=5�\U�BI��?⫳�ZJA[76Ǎ/j���b^�hc;Xe�̅bS;�b mj��LrSZ9Owz��t�#F�㕛���^e!%7Ƙ�'E]T�zXʲ��Gj�W��AƖ}8b�_j���~WOR&mgE*l�@4�`c"$eR$2=/৪啢Z*Unh��&�CmW�9ZєV){�dE�ޙ6�|aoLAj�2G|y`�z9Eѝ^��3B�s�3G^l/9�F.F{<:p�&iqۏ�o[ͳ�α04&X<1�tF.t[M�@&�3=рH:.5L=~̏XJ0筘_[�F�FV:G6ڊb
�URG!�[�..�veRˇh9��MK_&Ƙde�cD�x�b1bV�NM;I�P}7Y?d`��'t�^G!ғVQ�Qwn@kb��>Ҟ8;q~ܔtbq,�)�:�&|RtyM��L��SxC�7RPՊ�$'p�No�@��`mĬO4O|�S�� �֎LIxC#�Uڔicuk+�փފ> -3A@:-uĐz'cW�df"$@���\�_�k6Ezh.usv��!Ϝ)k��Cۑ7+0L}FG��Z>>0.�a�f'l
I�EeE.�dy; wG9¶3v�c�V+6��<ٟ0>g?F�rVБ`%b'r %,7jͻ_o;ʑG7FDuz
1i?�*ejT�K�K
2�@�k�8%��6>||�t�wf,��X�f��!������dxH
�!E!�*"��mX�r)6\?$'!oE!�Km�F.cu�99�:!K��qf�zr9�9f~ 0�J3*NF.JE��Y �d����w
j�)C�׆(cNbI *͕!�,9��Z�la&4�;�^ ҙ�e��s��1�}V�Oe~vkt@M�3X
g9.C'[�jeE9�Yl{!,gN~L�@qǹԔ0�~(T
$!Ѕ8�i,)@"!��9͉�+�$}
3Vþ�/#~|aЇ{�\
�3+z+��ÔP(S|�+V0cU-&n+uG^ϧ.u,_4!W�)Wh����2!CvGC!T�h`�!uP }a3bqu7Ø�O}K�$�'Mվ&'�^^¶-R%�u>o>7n~nz�q/楾xQ(;MzY�qdzʔTN'#.ͅdEh,]W.�}UtQYm�5ٳ0mu/7`J��/!j�bTc1�acT qvvt؊Km9�
g%8ٝ/L:5RO-j��7n���Z
(C)stXi8\�(:hO�v;izRZl�rM 5:6!&�):�pp\
�?k�~M�/ZEku~,Soɇ�35֚�V_�5a_+�՚_�u�Wk{�Z+�՚_�}^+ϫ5&c����ˬ_~W�枔u�]�cR�M�r!{%])7eM'i��k(s3g�g=U�#3-�"eou��|.�
|ޭ1'g81 U\K[�F8XQd�3��7]�xsPݮ'�x/5�����WWx-CԳs�?ڎNޝ{f0�8�O?�8oCdy\$ dnN=:?��%�Os�WY�n-Z�� %GC?�k
p7{��Rg<3�;Xu�n[O,5j4o�&KZ}YPS$MDB�'pZ0��H-���gɥ8_аs���7xF
mao8#�AϰLt ;K�2VKb'"aڌ�Cb�t@TMV�YI0ZI9*����QP�B�4L۰W)Y7��y�a8�a�n%[�]�"z%��^>FGG&>k�j"�1 ͛�.�Eu/�/� {_B1��B����f@)9�6b/`{8�z3�ŇN3}o|uz�I�2ؐ"&ή�w�uʿ�.ӁDcw&�]4w�Y@Dc�
Ʊ�XG��P{#iSr
P3�l1A�Љ
|u�en2�&�3!U{�ߵTxx e.sE\�j=Nؖ1"�QSV*�u2$~{1K5�6zw̻�~�=�z�;�p/�#C0t �k�<:= �/Ǝqp
pT� `Z]��xS�=i�^:a9ݸq�F\1")aߢ§0mxn����Z\R0�;҉嬙P/c��퉜PFĊ��ܝ4ڀPJ]Hr�|̝��Xs@8>�cz[<ۺ9d܆,0�t]ݨ3ᓸ"��,x`�Vx.37ǚ1�{�L:DƧ;b/� H�w�ax�z22�1��D亄mv���Kڝ`/M{Ğl����5%D$�&.�~4�I�m}�x���K
�5$I�0y
�w{'�sr�=�Η��%�AbX�vu$$�}9= �ڴgߞ�sY��D֣�4!zW��fDF焾�H)aa"j;-A
#.;vl>:�q�o�gM"Xm�,�h�PP"Sq/!1G)1h_
YY/��8�_5�m$��I�Kh4�/[5��b8�gKJgrF��cw]/I)�H[aȹD.Jww�vAg=[Y,�&���/ă_���
\[h=/n���[#�1Q9֜�j�gwc�x&%�mY d�v.ye�hEZW$m,�HhR=�6T@|=
%{6HDR��}N�0N'.}Au+�K:���&̃ڍM[
�U|ٱsW`0ŴѶ��Z
Q�o~l(Ck��
�y`�w4`g8Χ�^p祎P�hU|�l>cy w�>$/C2J_�v{[/'B``W-Y�֣�m4�`G.$߁*to C+7^?OJ��A /ăi/��=��&ވ�Z� �Ԣ?Oj�g�)+S9,@Ƃ?�rLw&q恜��/Wtm2�ml�/>@�Q�z�Faox)�Gڶ5M`p�ۂ{ʐXhW��#ʅ.-Sl�ܞ~�/���y;m��*z| X^b��0,20
{
{q:�{hفG���H�xԭ{t[�qz@��xQ�b�La壊v E9b�\��Q�pC�ؕEǎ��d�kǺ7}^�|lڕa=t�+��c�c&ngFb�+�
�f_��=[>�܊;I!V���^f+`ٱO�R6Ȥ{� y�6 !yyev҅
^袸ʍI,F`c^d;+)ؐ�9�3���{�0bO���1l3�Qv7]M`�F*)Au�Ұ�·�� x��2�)�Oqg,�ـU訄�.k*�N-J���7=�KF�u\���U����c�s}C%�z`*&ر`=bp8�te0Q�LF�鄅6�s�3a?�U`2M�߿Z�.$Ac�D5ȱ�`,�ӊ�Hv"V윔IJLΡnjMqQ!�a�#ٔ} M(�8,B�Y��גOv!GlxGs->Pّ�>sυA�Ă+<"e�}%Ix�+)/,O.fȟ�
--�MAV$_�DG!�
zso}��N���c9$7��Oj�~*d`"n�g_F/~UT�b1Zʹ�~e~au�U�`D�Ͻ7�b�L�;�%��~�`x8�2�^��u]cduȏ5�b �vVMҟ �WALaKg��}�CԹ�|Xl5#�bǒfM-rU_0�OA>�gͥ�Z-K�T���qԪf�oEpjD9�SN���$.QޞZ�CR2AaRjОjaj�x @
�Rf_6F7m0�A̹;|�caKW;*�~v=F3R��\72.�DCx�gQ5ݸ1!ޑ/x�':8ߪ{?E%�m2H�6� *\0x@%|&��݂}D��sd�a;G�Do֞N�^�Yvl�_.XOoDiB$laŞDPA*M~K(�_ʉ�$j/Yf�tYؠCM`�m_<ٹnӗoձU(;sxOd.�q
��w[X=8R ӟ�x,s����u�=0�ɲW�YqY�YW�a̻�yP}kX(#P{+-ܘU�f:
丠Ȥ_/ǞU��:}tBȠ"m9,�D}MxL|u3V᱇3l�B =`k$ڱ8o?g^lnуpE1��[v"
HɅE
�N�~�.�.(g@@H��
W��\�.ɜ?�[h!B�2.�]H&,D~�U�,��~�ʩoiҎ$�?@Bn���MmOs�\ `�4zl\V"Ԇ$�B}})�X�68>K�W{8�y,x/�C*u<'p�]k�bnB;�9avc❹8& N穘e.2^��3�^H,wcx[sJ�6�MR$=ilBaz 3�,ʱx[a(A^�g;Oa$�aD�SR?J�t
jGZ%_JG;<-C EB�^f8�j��ǯc˦$��XG�br|YBY4j;6.^̎�j�O�.a;�4Cm#,ɔ=�{+�>}
h-�ق&ٷ�Ӑ
}ݕ�WO�W�CSB�zU�oH)a'2(Wr�g5[/KOۗ㔾#L�q3),h!(�ъ2۳f��xi'�+ fʬ]�po)"a�
|
Network Security & Hardware 
