Tuesday, May 22, 2007

One Blink and you're infected

I listened to a recent Security Now interview with one of the founders of eEye Security. Mark Maiffret mentioned the Blink Personal Security product, and that it was an all-in-one security solution for individual users. I decided to try it. What a fool I was.
I first tried to download the free "Blink Neighbourhood Watch" version, which requires you to run it without any other antivirus product installed, even though it doesn't have its own antivirus engine. I guess that's why it's free: anyone nutty enough to run Windows without an antivirus program is unlikely to be interested in protection against other unknown vulnerabilities. Blink won't install if you have NOD32 installed.
I should have stopped there; I didn't. Instead, I paid real money for the Blink Personal Edition because I don't live in North America, where the product is free for the time being. But I was nervous about no antivirus protection on my machine.
I won't bore you with the hassles I had replacing the free serial number with the paid one, other than to say that it required a reinstall, and was a warning of further hassles to come.
I noticed that when using Blink my machine's performance was sluggish, but I foolishly decided that the "extra protection" I was getting was worth it. It isn't. I noticed that the ePower_DMC service was running at a consistent 15%-20% CPU utilisation, unless I turned off the "Application Protection" service. I also found that if I disabled checking on some large data file types, such as *.mdb, *.mdf and *.ldf (SQL data files) then my Access programming work was not too badly affected.
Then, last night I was infected with a Trojan. I admit I was a fool to download it in the first place, but I was used to NOD32 being able to warn me about dodgy web sites and dodgy files. I should have double-checked by using NOD32 on Penny's laptop, but she was asleep already.
Obviously the Norman antivirus engine is brain-dead compared to NOD32, and it let this one through. The image at the top of this article shows the results of a "Full Malware Scan": two false positives, one for BearShare, that has never been installed, and one for riched32.dll, which is a Microsoft file that I wasted considerable time checking.
Also, the support forum is a joke. Anyone can post anything without even registering, so today there was a spam posting about Cialis, FFS! There is no way you can track replies to the posts, or even do a search on previous posts. This is not a good way to treat a paying customer.
The software is clunky: you can look at the names of the malware entries in quarantine, but you can't get any details about them, such as the file name, file size, version number, etc. You have to look through the logs. And you can't search the logs unless you export them to a text file and use Notepad.
There is no right-click option to scan a directory or file for malware or viruses, you only have the option of a scan of the entire machine. You can't find out the date of your virus definitions, unless you find the relevant log entry. I found an entry telling me the virus definition date was 05/07/2007. Either that's two weeks old or it thinks the definitions are dated for July.
There is an "Application Firewall" that monitors activity of installed apps (unless it's a trojan like mine) and pops up and asks all kinds of dumb questions. For the first few days this is quite disruptive, especially if you give the wrong answer and disable the clock, Hamachi, SQL Server or whatever. I guess this limits the appeal of the product to techies, but I doubt whether techies will put up with the rubbish I had to. I'm also fed up because when I reported the problem on their forum, the post got deleted.
Blink has been downloaded 13000 times since the Security Now podcast. I wonder whether the average experience has been good or bad. I hope for eEye's sake it is better than mine. Their slogan "Vulnerability is Over™" should read "Vulnerability is Over Here". They claim to be able to detect 90% of all malware. Condoms have a better success rate than that!
I have been spoilt by NOD32, which is lightning fast and super-accurate. In the last few years I have used it I have not been infected with any viruses or trojans, which has saved me a lot of hassle and time. Now NOD32 won't install because it picks up the infection, and the Symantec Security check thinks everything is fine, except for Remote Administrator, which it thinks is malware. The Trend Micro Housecall scan detected part of it, but picked up some false positives as well. I suspect it won't be able to remove it, which means I have to reinstall everything.


Marek Janouš said...

Sorry, but “running Windows without an antivirus” is far from nutty. Antiviruses are in essence only faulty replacement or complement to common sense, as you yourself hint by mentioning your “being spoilt” by NOD32.
I have never contracted a malware in the twelve years of running several versions of Windows, and, until recently, I simply had used no antivirus at all at home. Some time ago, I did install ThreatFire, but I keep it turned off most of the time. There is no need to have it running while I’m not being in actual danger!
I reckon, having an antivirus on while using familiar applications to work with your own files is like wearing a bullet-proof jacket in your own living room; and having that antivirus on while going to familiar websites is like wearing that jacket to your local shopping mall.

Donn Edwards said...

NOD32 spoilt me because it is really good, and does actually catch viruses before they get in.

When I changed to use the Blink software it never occurred to me that other antivirus detection systems could be so inadequate as to be completely useless, especially given the advanced, preemptive detection being touted.

NOD32 is extremely lightweight and fast, yet highly effective. It doesn't interfere with the system enough for me to even realise I'm wearing a jacket at all.

I agree that other systems, like Blink, Norton and so on, are such bloatware and slow the machine down so much, that it feels like you're wearing a jacket, boots, backpack and carrying heavy ammunition. NOD32 works better than all of those and doesn't slow your machine down.

I think that running Windows without an AV is nutty because most users have no real idea of the threats their machine is vulnerable to, and usually only find out when it's too late. There are millions of infected machines out there, and a significant number of those don't run AV. Sadly the rest run AV that is either useless or out of date.

Marek, if you are knowledgeable enough to run without AV, then you are also careful enough to make sure that you have backups of everything you need to reinstall Windows and your applications without losing any data. Most users simply don't have a clue what a backup is, let alone how to avoid a virus.

Thanks for the comments!

Marek Janouš said...

Times change. Today, I would agree that with permanent broadband connections one should keep his defences up. I have extensive experience with NOD32, which I used at work, and I generally agree with your assessment of the product.

At home, I keep relying on ThreatFire (alone, despite their sales-driven recommendation to also install their PC Tools antivirus which is crap, and useless alongside TF). I no longer bother to turn TF off, for I have measured that its background service consumes about the same resources either way. (It does slow my aging laptop down by a few percent.)

I fully admit that relying on ThreatFire alone takes one who knows what he’s doing, and I would not recommend this solution to the average computer user either.

As for NOD32: Yes, it is one of the few solutions I would dare to install on a production machine, were there not ThreatFire. Truly, most of the time, it keeps quiet and little known of. I’ve seen it give out a few false positives (I managed a download site…), but perhaps its record is cleaner than that of other solutions out there. It also seemed to interfere with my browser of choice, SeaMonkey.
