10-07-2010, 05:19 PM
Please read the list of vulnerable anti-viruses at the bottom of this linked page.
http://www.matousec.com/info/articles/kh...ftware.php
Especially with regard to Windows XP, Microsoft Security Essentials is the only A/V that is not susceptible to kernel hook attacks (Vista and 7 use more usermode drivers, so it is not as common for them to be susceptible, although I have seen it happen). Every other A/V hooks into the SSDT, which in turn can and will be easily bypassed by many new malware variants. There has been a great trend in these particular kinds of malware lately, mainly because some moron blackhat released a kit for all of the script kiddies to use.
Keep in mind that most of the SSDT attacks are 32-bit based. So far 64-bit versions of Windows appear to be doing well, but it is only a matter of time before 64-bit variants start rearing their ugly heads, I am sure.
With the network of honeypots that my cohorts and I run, the most effective combination has been Microsoft Security Essentials coupled with Threatfire. Threatfire alone is susceptible; however, MSE catches the SSDT hookers as they come in. Threatfire is very well geared for stopping buffer overflows, PDF exploits, and Java drive-by attacks. Of course nothing is 100%, and nothing can protect against stupidity and ignorance.
If you are unfortunate enough to get infected by one of these malware variants, the removal is a pain in the ass. It has to be removed from outside of the operating system, i.e. using a livecd bootdisk most of the time, because often it will bring in a ring3 and then a ring0 rootkit.