ViGuard Not Close Enough For Virus Work

 
 
By Larry Seltzer  |  Posted 2005-02-01 Email Print this article Print
 
 
 
 
 
 
 

Review: Once again a behavior-oriented malware detection product is a good supplement to conventional detection, but no substitute for it yet.

The holy grail of malware detection is the generic threat detector, unburdened by the need for updates to account for every new variation of every virus that comes out every day. Such a product could just know a threat when it sees it based on the behavioral characteristics of the program. These are the claims made by French software company Tegam International for ViGuard, a product that was in the news recently. Back in 2001 a security researcher analyzed the program and wrote that it did not measure up to the companys claims, and as part of the process wrote some exploit code to demonstrate the flaws. For his trouble he was indicted by a French court and is standing trial. You may read the researchers account of the matter at this page and Tegams criticism of the testing at this page. Tegam still says on its home page that "Hundreds of thousands of workstations protected by ViGuard have never been infected by viruses without a single signature update!"
We obtained a copy of the current ViGuard Security Pack and provided it to Andreas Marx of AV-Test.org, an expert anti-virus research and testing organization at the Otto-von-Guericke University Magdeburg (Germany).
Like all behavior-focused anti-malware products, ViGuard has a learning phase. When something suspicious happens the program warns you and gives you the opportunity to allow or deny the activity (click here to see an example).

AV-Test tested ViGuard against a number of worms, viruses and other types of threats, and it handled most of them admirably. Zafi.C and Sober.I were both flagged by the program. But Tegam also claims that ViGuard can protect against buffer overflows, such as those in the Sasser and Blaster worms. AV-Test set up a Windows XP SP1 system with no patches, which is vulnerable to both worms, and connected it to the Internet. Before you knew it the system was attacked by Sasser and shut down. (Click here to see it happening and please forgive the German.) The persistent part of the Sasser infection was actually unsuccessful and the system rebooted because a service crashed, but when it reboots it is clean.
Tegam claims that the infection was actually prevented, but AV-Test differs: they claim that only the persistent parts were blocked, and that the worm was running prior to the reboot. In any event, this is a good indication of a situation where a simple firewall would be more effective than ViGuard, as it would prevent Sasser from entering the system to begin with. A collection of macro viruses were also tested including several from the Wild List. Many were stopped, but four were not: PP97M/Tristate.C, X97M/Laroux.A, .DX & .E. This was surprising, because ViGuard has been certified by West Coast Labs against all wild list attacks. AV-Test was more successful in attacking the system with the infamous MS04-028 JPEG exploit. Taking a more frontal assault, AV-Test also tried simply to stop the ViGuard Windows service ("vigservice"), an action taken by many worms against many security programs. The "NET STOP" command was successful. A warning is issued, but even if you click on "No," Windows will terminate the service. Other tools like ZoneAlarm Pro or Norton Antivirus protect their system service better—even if you are an administrator, but thats likely the standard situation on a home users PC. Tegam explained that this is a known bug for ViGuard on Windows XP SP2 (the platform used for this test), as the service manager doesnt let ViGuard wait for the user confirmation response, and that it will be fixed in the next revision of the program. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. AV-Test also tested ViGuard in conjunction with other security software and found conflicts between them. For instance, they tested the Microsoft AntiSpyware beta program on the same system. MS AntiSpyware was not flagged as suspicious by ViGuard, which is as it should be, but when threats were installed they sometimes interfered with each other. An advanced Windows rootkit named Orpheus was installed and MS AntiSpyware was first to pop up with a notification; if MS AntiSpyware was told to allow it to proceed, Orpheus installed without any interference from ViGuard. Tegam said that Orpheus should have been detected on download, but this is not the only way files get on to systems. A floppy disk or USB key could also be used and the file executed directly. Behavioral blockers such as ViGuard are clearly useful as a supplementary measure, but such technology is not yet at the stage where it can be trusted alone with the job of protecting a computer. Maybe there are a lot of lucky ViGuard users out there who have never had an attack slip through, but we wouldnt take the chance. Check out eWEEK.coms for the latest security news, reviews and analysis.

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel