PSA: MS Security Essentials & Java Viruses

chusteczka

Diamond Member
Apr 12, 2006
3,400
1
71
[Update Below]


I have used MS Security Essentials on a few systems because it is free with the expectation that it is "good enough". This seems to be the general consensus here in the forum. However, two systems I work on have had java based viruses that Security Essentials did not detect. A third system had java based viruses that were not detected by the paid version of AVG antivirus.

After scanning and cleaning with a few of the below listed rescue CDs, I plan to install the latest paid version of Norton Internet Security 2011. This will be a first for me to use Norton after so many years of disliking the products of this company, but they seem to be receiving very good reviews after their product redevelopment.

Of the below listed rescue CDs, my favorites are Kaspersky and Avira. These two work very well. I then pull the hard drive from the system and scan with Bit Defender installed on Ubuntu Linux as a last check after having used the Kaspersky and Avira rescue CDs.


Anti-Virus Rescue Disks
http://connect.microsoft.com/systemsweeper
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd/
http://support.kaspersky.com/viruses/rescuedisk
http://www.avira.com/en/support-download-avira-antivir-rescue-system
http://download.bitdefender.com/rescue_cd/
http://www.avg.com/us-en/avg-rescue-cd


Then I am following recommendations found here on the forum to scan with SuperAntiSpyware, ComboFix, and MalwareBytes.

Mechbgon's recommendations regarding setting the account as a Limited User with Parental Controls set were previously implemented. However, java is used by the browser and gets through such account-based protection. Microsoft's UAC is also in use, which I find to be very useful despite all the complaints it has received in the past.

I have also uninstalled Java, deleted the following folder where the viruses were located, and reinstalled Java. It seems that Java update has problems with automatic updates from a Limited User account.

C:\Users\<UserAccount>\AppData\LocalLow\Sun\Java\Deployment\cache\

I hope that Norton will live up to its newfound reputation.
 

FishAk

Senior member
Jun 13, 2010
987
0
0
If I remember right, Mechbgon's blog covers Software Restriction Policy which is for XP. If you are using W7, AppLocker works much better, and is easier to use.

Also, consider running your browser under Sandboxie.

Both of these techniques provide better protection than using a paid AV over a free one.
 

chusteczka

Diamond Member
Apr 12, 2006
3,400
1
71
AppLocker seems to only be on Enterprise versions of Windows and I am working with Home versions, so that does not seem applicable. AppLocker seems very similar to the Parental Controls that is currently implemented.

Sandboxie looks interesting and I will investigate it further. Thank you for mentioning this.
 

Zargon

Lifer
Nov 3, 2009
12,240
2
76
The top rated AVs get what, 93-95% detection rates?

So I am not sure how it's a surprise you could still get a virus, let alone 'zero day' and 'new' exploit virus flavors.
 

chusteczka

Diamond Member
Apr 12, 2006
3,400
1
71
It is hardly surprising that an MS application is not secure and even less surprising that an MS application missed a virus in a competitor's programming language.

I gave MSE a chance but did not expect much from it. Now that I have seen it fail, my plan is to get rid of it and move on. It also does not surprise me that AVG let a virus through since AVG lost my confidence a few months ago with their update issue that crashed computers, including a few of my own.

I have not seen anyone mention having any issues with MSE and figured that I might as well mention it. As you stated, a couple viruses does not prove the product is bad or less than average. However, people may appreciate being aware of the potential for java based viruses getting through and the file path where they might be found.

And yes, to be fair, you are correct. While these four viruses received were caught and categorized by Avira and Kaspersky, three of them were not yet listed in Avira's virus database. Your point does place this into perspective. Thank you for mentioning it.
 

KeithP

Diamond Member
Jun 15, 2000
5,660
198
106
I am curious, what were the names of the Java based viruses that got past MSE? Was it the same virus on both machines? I am also curious how you ended up discovering them. Were the machines behaving oddly which caused you to suspect a problem?

Don't mean to be a pest, just wondering.

-KeithP
 

chusteczka

Diamond Member
Apr 12, 2006
3,400
1
71
These are the important questions that I was considering getting back into but had put behind me while cleaning three machines.

My personal, home computer (Win 7 Pro) has been having difficulty connecting to the internet these past two weeks. Well known pages would not load. Examples are Newegg.com; forums.anandtech.com; and a couple others that I cannot remember right now. I would try to go to those pages and the connection would timeout. Yet, I could get through to Yahoo.com and Google.com at the same time Newegg.com and anandtech.com were not connecting. This had me confused.

I then attempted to go to some of the websites for the anti-virus rescue disks and neither Avira, Kaspersky, nor superantispyware would load. At this point I was getting suspicious but newegg.com and anandtech.com finally successfully loaded so I moved on. I was tired that night, was wanting to go to bed, and put thoughts of a virus aside.

A couple days later, I was on my work laptop (Win 7 Home, non-corporate, small business) in my work partner's home and my laptop started having similar connection issues with newegg.com and anandtech.com. This was when I realized something was wrong, beyond the fact that I was visiting Newegg and Anandtech while "at work". I went to my partner's computer (computer #3, also Win 7 Home) thinking it safe, and downloaded the Avira and Kaspersky rescue disks, then put Avira on a CD and Kaspersky on a USB drive.

Then I started scanning these three machines. First, I scanned with McAfee Stinger since it was small and quick. Stinger came up empty. Here are the results from Avira and Kaspersky. I started my laptop with Kaspersky and my partner's computer with Avira. Later that night, I scanned my home computer with Avira first. Successive scans came up empty after Avira or Kaspersky reported and cleaned the infection from the first scan.

Partner's desktop - 1 virus
My laptop - 2 viruses
My personal home computer - 4 separate viruses


Luckily, I wrote down the names of the viruses from my computer since I wanted to look them up. I could not find any information for three of them but to be honest, I was focused on cleaning and did not search too thoroughly for information on them. Here are the names as provided by Avira. These are the viruses that got past Microsoft Security Essentials.

EXP/java.itq (total of 10)
JAVA/premarin.B (total of 4)
EXP/CVE-2010-0840.BP (total of 3)
JAVA/Exdoer.CF (total of 1)


This is Avira's virus lab.
http://www.avira.com/en/support-virus-lab

I think these were all Applet2.class viruses. All these viruses were found in the directory listed in my first post, repeated here.

C:\Users\<UserAccount>\AppData\LocalLow\Sun\Java\Deployment\cache\
Folders: 1, 7, 9, 25, 15, 22, 25, 26, 29, 37, 41, 45, 46, 47, 48, 49, 52, 55


I did not pay attention to the viruses on the other two computers and am not sure which virus got past my partner's AVG installation.


EDIT:
Today, I changed the passwords for all my financial and bank accounts. Just to be safe.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
It deserves to be pointed out that if your version of Sun Java is not vulnerable to the exploits in question, then they won't work, and are not capable of doing any harm by simply sitting in that directory. Unless they're getting actively accessed after dead-ending in that cache, MSE would only detect them if you ran a full system scan that covered that location.

So I wouldn't draw conclusions just because backscans with other products detected them. The exploits themselves are merely a delivery vehicle anyway... their function is to get the actual attack code onto your system and run it. Once that's done, the exploit's not your actual target, just a "smoking gun." This is one reason I'm crazy about Software Restriction Policy, or Parental Controls on home editions... all the working exploits in the world will still have to find a way around SRP/PC when they want to actually run the payload they delivered.

As long as I'm coming out of lurk mode to touch on this, may I also strongly suggest (1) getting rid of Java entirely unless you really need it for something, and (2) installing and fully configuring EMET 2.1, and manually adding all your browsers, media players, Java, IM clients, email clients, VoIP clients, office/productivity software, and PDF readers to EMET's "Configure Apps" coverage. For the system settings on Win7, I suggest this:



I gave MSE a chance but did not expect much from it. Now that I have seen it fail, my plan is to get rid of it and move on.

I've seen every antivirus fail repeatedly when hunting and submitting malware. It's inevitable. This is why I feel antivirus software is good to have, but only as a third-string defense.
 
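mechBgon's point above is that artefacts left in the Java Deployment cache are only found by a scan that actually covers that folder, and that the cache strips file extensions, so a defender triaging a machine wants an inventory of what the cache holds rather than a guess from filenames. The following Python script is an added example, not from the thread or any vendor tool: it walks a cache directory, identifies loose class files by their magic bytes and jar archives by their zip signature, lists the class names inside each jar (the post mentions Applet2.class), and records a SHA-256 for lookup with a vendor's virus lab. The sample cache it builds (folder numbers and file names) is constructed for illustration and contains no real malware.

```python
import hashlib
import io
import os
import tempfile
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java .class file starts with this


def triage_java_cache(cache_dir):
    """Walk a Java Deployment cache and report each cached applet artefact.
    Loose class files are recognised by magic bytes (the cache drops
    extensions) and jars by zip signature; each entry gets a SHA-256."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            entry = {"path": os.path.relpath(path, cache_dir),
                     "sha256": hashlib.sha256(data).hexdigest(),
                     "kind": "other", "classes": []}
            if data.startswith(CLASS_MAGIC):
                entry["kind"] = "class"
            elif zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as jar:
                    entry["kind"] = "jar"
                    entry["classes"] = [n for n in jar.namelist()
                                        if n.endswith(".class")]
            if entry["kind"] != "other":   # skip index/metadata files
                findings.append(entry)
    return sorted(findings, key=lambda e: e["path"])


def build_sample_cache():
    """Constructed sample cache (hypothetical names, no real malware):
    numbered folders holding one jar, one loose class file and a text file."""
    base = tempfile.mkdtemp(prefix="javacache_")
    os.makedirs(os.path.join(base, "7"))
    os.makedirs(os.path.join(base, "25"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Applet2.class", CLASS_MAGIC + b"\x00\x00\x00\x32")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(base, "7", "1a2b3c4d-5e6f7a8b"), "wb") as fh:
        fh.write(buf.getvalue())                      # cached jar, no extension
    with open(os.path.join(base, "25", "9f8e7d6c-1b2a3c4d"), "wb") as fh:
        fh.write(CLASS_MAGIC + b"\x00\x00\x00\x31")   # cached loose class
    with open(os.path.join(base, "25", "notes.txt"), "w") as fh:
        fh.write("not an artefact\n")                 # should be ignored
    return base


if __name__ == "__main__":
    for f in triage_java_cache(build_sample_cache()):
        print(f["kind"], f["path"], f["sha256"][:16], f["classes"])
```

Point `triage_java_cache` at the real path from the first post to inventory a live cache; the hashes are what a virus lab or hash lookup service expects.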

chusteczka

Diamond Member
Apr 12, 2006
3,400
1
71
Update

Thank you all for your help, especially mechBgon. I have been learning his suggestions for the last month or so. Although I still have not yet installed the EMET 2.1.

My personal account is a limited account with parental controls set up. After learning how this works, I have been setting up other computers in this manner.

It seems my problems were not originally caused by a virus. My Samsung HD103UJ 1TB hard drive with Win7 system installation died a week ago, and has now been successfully replaced with an OCZ Agility 3 AGT3-25SAT3-120G 2.5" 120GB SATA III MLC Internal Solid State Drive (SSD) but that is another story as told in a post in this thread.

Does this sound like BS to you? Does to me!



With this discovery, I must in all honesty absolve Microsoft Security Essentials of the blame I attributed to them for having missed the java viruses. The most likely situation is the viruses were never active and just sat in the directory, unable to execute due to the parental control and Limited user policies as mechBgon has so well described on his webpage and mentioned above.


My experiences with the new and improved Norton Symantec anti-virus are mixed. Many improvements have been made but their software remains bloatware. I have an AMD 6 core cpu that slows down when Norton auto-scans my system and uses two to three full cores on my cpu. Although the culprit may really have been my failing hard drive. I have not noticed the latency since installing my system onto the OCZ SSD.

However, another system with an AMD 3 core cpu and standard HDD sees 80% total usage from Norton. The whole idea of having multiple cores is to isolate bloatware to a single core and leave the other cores untouched, thereby providing no noticeable latency to the user. Norton has improved their threaded programming abilities to effectively utilize all the cores on a multi-core system and cause noticeable latency for the user. Interestingly, their programming success has led to user dissatisfaction.
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
The concept of AV as it stands is the biggest issue regardless. AV using signatures is always reactive. Symantec SEP and Cisco Security Agent (now discontinued) are better models. Using known risky actions such as "If a process tries to write to %windir\system32, then prompt/deny" are proactive. There will be some zero day that might get through, but you get way ahead doing it that way. Limited User and DEP do the same things for a suite of issues (limited users cannot write to system32). DEP prevents processes from writing outside their allocated virtual space (execute from data space, write to another process' space, etc.)

As for me, with the exception of the twopalms.com page, I have not needed Java on my new machine. So I have not loaded it. Considering that Sun Java executables still have many C routines in them that are known to be exploitable with day zero exploits, it will continue to be a risk even at the core level.
 

chusteczka

Diamond Member
Apr 12, 2006
3,400
1
71
gsellis, I have wondered what DEP does. Thank you for your explanation.

I forgot to add that I do need to have java installed on my machines since Open Office is used daily on each of them. Open Office is integral to my work, especially in converting my partner's hand drawn mechanical drawings into .tif images and manipulating them in Open Office - "Drawing" for paper output. There are some things Open Office does better than Microsoft Office, besides being free, and I take full advantage of it.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
The concept of AV as it stands is the biggest issue regardless. AV using signatures is always reactive. Symantec SEP and Cisco Security Agent (now discontinued) are better models. Using known risky actions such as "If a process tries to write to %windir\system32, then prompt/deny" are proactive. There will be some zero day that might get through, but you get way ahead doing it that way. Limited User and DEP do the same things for a suite of issues (limited users cannot write to system32). DEP prevents processes from writing outside their allocated virtual space (execute from data space, write to another process' space, etc.)

As for me, with the exception of the twopalms.com page, I have not needed Java on my new machine. So I have not loaded it. Considering that Sun Java executables still have many C routines in them that are known to be exploitable with day zero exploits, it will continue to be a risk even at the core level.

DEP does something slightly different than that actually.

You are speaking about a generic buffer overflow exploit. DEP addresses a more specific vulnerability in which code is launched from a portion of the Virtual Address Space that is normally non-executable.

You still need various techniques such as ASLR and what not to help protect against most buffer overflow exploits.

Java is inherently safer than C code; however, when using JIT Compilation, it is much easier to circumvent certain protections that would otherwise block a program.

Layered Security for the win
 