
anybody see this detection rate on Smart Defender


22 replies to this topic

#1 laserjet, Advanced Member (Honorary Members, 168 posts)

Posted 18 February 2012 - 07:36 PM

For such a new product, wow:
forums.anvisoft.com/viewtopic-9-236-0.html


#2 GT500, Mostly Cantankerous (Trusted Advisors, 6,250 posts, Fortville, IN)

Posted 19 February 2012 - 11:59 AM

From what I can see, all he did was scan a folder full of samples. That is not a legitimate test.

BTW: We've already discussed Anvisoft Smart Defender, and none of us were very impressed. Perhaps it is different now that it is out of beta. I'll pull up a VM and take a look, but since it is a VM then obviously the test will not be absolute proof of the software's capabilities, since some malware will simply delete itself in a VM rather than run and infect the system.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#3 BornSlippy, Iconoclast (Malware Hunters, 2,190 posts, London & Lincoln)

Posted 19 February 2012 - 12:35 PM

From my reading of this test the results were woeful. 18 detections out of a possible 162 isn't very encouraging, even for a new product. Online scans are useful for checking if a file has malicious intent but worthless in preventing or removing infection. Why not do your own test?
http://virussign.com/downloads.html
Bear in mind that these samples contain a number of false positives and adware that MBAM would not consider worthy of inclusion.
I shouldn't have to remind you of the dangers of dealing with malware samples (even 'deactivated' ones such as these), so only do so if you know what you are doing ;)

The Revolution will not be Malvertised 


#4 GT500, Mostly Cantankerous (Trusted Advisors, 6,250 posts, Fortville, IN)

Posted 19 February 2012 - 12:43 PM

OK, here's a quick rundown of what I did:

I pulled 10 samples off of S!Ri's VX Vault, and saved them on the desktop of my Windows XP Pro SP3 VM:

Attached File  10_samples_for_anvisoft.png   1.34MB   1 downloads

I scanned them with Anvi Smart Defender's cloud scanner, and here is the result (I don't see a way to save a log):

Attached File  cloud_scanner_results.png   45.85KB   0 downloads

I ran a Quick Scan with Anvi Smart Defender, and here is the log (let me stress that, aside from the samples sitting on the desktop, the installation of Windows on this VM was completely clean):
*****************************************
Anvi Smart Defender - Report
ASD Version:        1.0 RC2
Database Version:   1001-1119-01
*****************************************


Malware.Generic,C:\WINDOWS\system32\commdlg.dll,FILE,463667
Malware.Generic,C:\WINDOWS\system32\dllcache\commdlg.dll,FILE,463667



-----------------------------------------
Anvisoft Corporation. All rights reserved.
Home Page: http://www.anvisoft.com

I installed and updated MBAM, and ran a Quick Scan:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.19.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: GT500-9D2052302 [administrator]

2/19/2012 12:27:57 PM
mbam-log-scan-001

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 155858
Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Documents and Settings\Administrator\Desktop\1-2.exe (Trojan.Agent.XVatGen) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\1.exe (Trojan.Agent.XVatGen) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\24.exe (Spyware.Zbot.VF) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\25.exe (Trojan.Spam) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\26.exe (Spyware.Zbot.VF) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\setup-2.exe (Trojan.FakeVLC) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\XvidSetup.exe (Adware.Hotbar) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LOLV8HU7\24[1].txt (Spyware.Zbot.VF) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NYFU67IF\25[1].txt (Trojan.Spam) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XS8N8T8G\26[1].txt (Spyware.Zbot.VF) -> No action taken.

(end)

I then proceeded to run each one of those. The nastier bits automatically deleted themselves (as is typical with running samples like this in a VM).

Here was the only alert generated by Anvi Smart Defender during the process of installing all of that junk:

Attached File  anvisoft_alert_001.png   31.98KB   0 downloads

Unfortunately, I don't have time to run the final scans, as I need to leave. I have paused my VM for now, and will continue once I return this evening. ;)

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#5 laserjet, Advanced Member (Honorary Members, 168 posts)

Posted 19 February 2012 - 12:52 PM

Well, I see you ran some testing, thanks. It just seemed a bit too good to be true, those number comparisons at that link, but the topic is not the same topic; related, but not the same. Just bringing it to MBAM's attention. Thank you for your reply, appreciate it.

#6 Rats, New Member (Members, 8 posts)

Posted 19 February 2012 - 10:10 PM

Hi all at Malwarebytes,
I see you have questions about our detection.
Well, I'm always up for a round of detection,
so here you go:
ran Smart Defender against all exe samples from the virussign.com package of February 19, 2012
and was able to put all samples that were left after the right-click scan in the cloud scanner, a total of 353 MB.
I would like to see any other cloud scanner do the same !!!!
If you have any thoughts that this test was not honest or proper
then I invite you to repeat it.

result here


Oh, I also ran Malwarebytes against the same samples,
if you would like to see how you did, which was pretty good.

#7 Rats, New Member (Members, 8 posts)

Posted 19 February 2012 - 10:12 PM

http://forums.anviso....php?f=29&t=310

since the link in the post does not seem to work

#8 laserjet, Advanced Member (Honorary Members, 168 posts)

Posted 19 February 2012 - 10:49 PM

Sorry, I need to see more testing done by an outside independent source. Looks impressive though.

#9 BornSlippy, Iconoclast (Malware Hunters, 2,190 posts, London & Lincoln)

Posted 20 February 2012 - 09:06 AM

Well, it detected something MBAM missed ;)

Attached Files


The Revolution will not be Malvertised 


#10 Rats, New Member (Members, 8 posts)

Posted 20 February 2012 - 11:28 AM

Thank you BornSlippy. It also detects Version: 6.0.811 Date: Feb. 14, 2012 as well.

files sent to staff ;)

#11 BornSlippy, Iconoclast (Malware Hunters, 2,190 posts, London & Lincoln)

Posted 20 February 2012 - 11:49 AM

Good, 'cause ScreenHunter is capable of capturing all sort of info on your pc, especially from the desktop :lol:

The Revolution will not be Malvertised 


#12 GT500, Mostly Cantankerous (Trusted Advisors, 6,250 posts, Fortville, IN)

Posted 20 February 2012 - 03:31 PM

Final logs from my tests:

Anvi Smart Defender:
*****************************************
Anvi Smart Defender - Report
ASD Version:        1.0 RC2
Database Version:   1001-1120-02
*****************************************


Malware.Generic,C:\WINDOWS\system32\commdlg.dll,FILE,463667
Malware.Generic,C:\WINDOWS\system32\dllcache\commdlg.dll,FILE,463667



-----------------------------------------
Anvisoft Corporation. All rights reserved.
Home Page: http://www.anvisoft.com

MBAM:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.20.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: GT500-9D2052302 [administrator]

2/20/2012 3:20:00 PM
mbam-log-scan-002.txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 156876
Time elapsed: 5 minute(s), 

Memory Processes Detected: 2
C:\Documents and Settings\Administrator\Desktop\25.exe (Trojan.Spam) -> 3544 -> No action taken.
C:\Documents and Settings\Administrator\Desktop\26.exe (Spyware.Zbot.VF) -> 3228 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{5CBCEC47-1C60-AD41-B6B9-297EA7230A6C} (Spyware.Zbot.VF) -> Data: "C:\Documents and Settings\Administrator\Application Data\Idrio\pyab.exe" -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Documents and Settings\Administrator\Desktop\25.exe (Trojan.Spam) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\26.exe (Spyware.Zbot.VF) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\Idrio\pyab.exe (Spyware.Zbot.VF) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\babylonSK108714.exe (Adware.Dropper.SFX) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\setup-2.exe (Trojan.FakeVLC) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\XvidSetup.exe (Adware.Hotbar) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LOLV8HU7\24[1].txt (Spyware.Zbot.VF) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NYFU67IF\25[1].txt (Trojan.Spam) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XS8N8T8G\26[1].txt (Spyware.Zbot.VF) -> No action taken.

(end)

I could also run ComboFix for good measure, but I have work to do, and not enough time for playing with malware samples. I will try to remember to do some more tests after I manage to build a new PC, and turn this old one into a dedicated test rig. That should be sometime early to mid March. ;)

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
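The two MBAM Quick Scan logs in this thread (one before the samples were run, one after) are most useful when diffed: the desktop samples that vanished are the ones that deleted themselves in the VM, and the new Registry Values entry under the Run key is the persistence an executed sample installed. The script below is an added example, not anything from the thread or from Malwarebytes; it parses the MBAM 1.x log layout shown above, validates each section's declared count against the entries listed, and reports what changed. The embedded logs are constructed, abridged versions of the two posted logs.

```python
"""Diff two Malwarebytes Anti-Malware 1.x scan logs (the thread's layout:
'<Section> Detected: N' headers followed by one '<item> (<threat>) -> ...'
line per hit) and flag new autorun entries. Sample logs are constructed,
abridged from the two Quick Scan logs posted in the thread."""
import re

# Constructed, abridged pre-execution log (post #4).
LOG_BEFORE = """\
Database version: v2012.02.19.02

Memory Processes Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 4
C:\\Documents and Settings\\Administrator\\Desktop\\1.exe (Trojan.Agent.XVatGen) -> No action taken.
C:\\Documents and Settings\\Administrator\\Desktop\\24.exe (Spyware.Zbot.VF) -> No action taken.
C:\\Documents and Settings\\Administrator\\Desktop\\25.exe (Trojan.Spam) -> No action taken.
C:\\Documents and Settings\\Administrator\\Desktop\\26.exe (Spyware.Zbot.VF) -> No action taken.

(end)
"""

# Constructed, abridged post-execution log (post #12).
LOG_AFTER = """\
Database version: v2012.02.20.04

Memory Processes Detected: 2
C:\\Documents and Settings\\Administrator\\Desktop\\25.exe (Trojan.Spam) -> 3544 -> No action taken.
C:\\Documents and Settings\\Administrator\\Desktop\\26.exe (Spyware.Zbot.VF) -> 3228 -> No action taken.

Registry Values Detected: 1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|{5CBCEC47-1C60-AD41-B6B9-297EA7230A6C} (Spyware.Zbot.VF) -> Data: "C:\\Documents and Settings\\Administrator\\Application Data\\Idrio\\pyab.exe" -> No action taken.

Files Detected: 3
C:\\Documents and Settings\\Administrator\\Desktop\\25.exe (Trojan.Spam) -> No action taken.
C:\\Documents and Settings\\Administrator\\Desktop\\26.exe (Spyware.Zbot.VF) -> No action taken.
C:\\Documents and Settings\\Administrator\\Application Data\\Idrio\\pyab.exe (Spyware.Zbot.VF) -> No action taken.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> ")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\|", re.IGNORECASE)

def parse_scan_log(text):
    """Return {section: {(item, threat), ...}} for every 'X Detected: N' block,
    checking that N matches the number of entries actually listed."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections[current] = {"count": int(m.group("count")), "items": set()}
            continue
        if current is None or not line or line == "(No malicious items detected)":
            continue
        e = ENTRY_RE.match(line)
        if e:
            sections[current]["items"].add((e.group("item"), e.group("threat")))
    for name, sec in sections.items():
        if sec["count"] != len(sec["items"]):
            raise ValueError(f"{name}: header says {sec['count']}, parsed {len(sec['items'])}")
    return {name: sec["items"] for name, sec in sections.items()}

def diff_scan_logs(before_text, after_text):
    """Per section: entries that disappeared and entries that are new."""
    before, after = parse_scan_log(before_text), parse_scan_log(after_text)
    out = {}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, set()), after.get(name, set())
        out[name] = {"gone": sorted(b - a), "new": sorted(a - b)}
    return out

def new_autorun_entries(diff):
    """Run/RunOnce values present only in the later scan: persistence installed
    by something that executed between the two scans."""
    return [item for item, _ in diff.get("Registry Values", {}).get("new", [])
            if AUTORUN_RE.search(item)]

if __name__ == "__main__":
    d = diff_scan_logs(LOG_BEFORE, LOG_AFTER)
    for name, change in d.items():
        print(f"{name}: {len(change['gone'])} gone, {len(change['new'])} new")
    print("new autorun entries:", new_autorun_entries(d))
```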


#13 DarkSnakeKobra, May the penguin be with you! (Honorary Members, 5,262 posts)

Posted 20 February 2012 - 03:42 PM

I'll be testing this myself shortly as I'm very interested in how well it performs. ;) Post the results when done. :)

I'm not a staff member just another Malwarebytes' user.

Advice: Hug your dog, cat etc everyday! :)


#14 wildman424, Forum Deity (Malware Hunters, 1,684 posts, USA)

Posted 20 February 2012 - 07:30 PM

Good, 'cause ScreenHunter is capable of capturing all sort of info on your pc, especially from the desktop :lol:

Wildman424
malware fighter

#15 laserjet, Advanced Member (Honorary Members, 168 posts)

Posted 20 February 2012 - 07:47 PM

BornSlippy and wildman424 Double LOL!!!!

#16 DarkSnakeKobra, May the penguin be with you! (Honorary Members, 5,262 posts)

Posted 29 February 2012 - 08:41 PM

Okay, here are my results. I ran the test in a Windows XP Pro SP3 VM (Windows XP Mode) and tested against the most recent Malware Domain List listings to see how well they are keeping up. The listings were from that day (27th) and had some nasty ones like the Blackhole exploit kit. Malwarebytes' detected everything and blocked all the sites with the IP blocker, to the point I had to shut it off as it was getting in the way. Anvi Smart Defender didn't do anything. The only thing it did was warn and block one registry change twice. The cloud feature didn't even warn or ask to upload the file requesting the changes.

Malwarebytes' protection log.

2012/02/28 14:20:57 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	Starting protection
2012/02/28 14:21:02 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	Protection started successfully
2012/02/28 14:21:06 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	Starting IP protection
2012/02/28 14:21:07 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	IP Protection started successfully
2012/02/28 14:21:39 -0600	VIRTUALXP-53643	XPMUser	IP-BLOCK	46.166.152.163 (Type: outgoing)
2012/02/28 14:21:42 -0600	VIRTUALXP-53643	XPMUser	IP-BLOCK	46.166.152.163 (Type: outgoing)
2012/02/28 14:21:46 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	Stopping IP protection
2012/02/28 14:21:46 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	IP Protection stopped
2012/02/28 14:26:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Local Settings\Temporary Internet Files\Content.IE5\GZ4NQ96L\info[1].exe	Trojan.FakeMS	ALLOW
2012/02/28 14:26:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Local Settings\Temporary Internet Files\Content.IE5\GZ4NQ96L\info[1].exe	Trojan.FakeMS	ALLOW
2012/02/28 14:26:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Local Settings\Temporary Internet Files\Content.IE5\GZ4NQ96L\info[1].exe	Trojan.FakeMS	ALLOW
2012/02/28 14:27:20 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	Executing scheduled update:  Daily
2012/02/28 14:27:21 -0600	VIRTUALXP-53643	XPMUser	MESSAGE	Database already up-to-date
2012/02/28 14:34:36 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Desktop\etTcMs.exe	Backdoor.Bot	ALLOW
2012/02/28 14:34:36 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Desktop\etTcMs.exe	Backdoor.Bot	ALLOW
2012/02/28 14:34:37 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Desktop\etTcMs.exe	Backdoor.Bot	ALLOW
2012/02/28 14:34:38 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\Ukhuh\caajk.exe	Backdoor.Bot	ALLOW
2012/02/28 14:38:05 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Local Settings\Temp\tmpab8b5ac1\file.exe	Trojan.Hosts	ALLOW
2012/02/28 14:38:08 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Local Settings\Temp\tmpab8b5ac1\file.exe	Trojan.Hosts	ALLOW
2012/02/28 14:40:37 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplaysvr.exe	Spyware.Password	ALLOW
2012/02/28 14:40:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplaysvr.exe	Spyware.Password	ALLOW
2012/02/28 14:40:43 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplaysvr.exe	Spyware.Password	ALLOW
2012/02/28 14:41:16 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:18 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:18 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:18 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:19 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:19 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:19 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:23 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:23 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:23 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:30 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:30 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:41:31 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:48:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:48:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:48:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:48:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:48:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 14:48:20 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:05:41 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:05:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:05:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:05:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:05:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:05:42 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:14:00 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:14:00 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:18:56 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:18:56 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:20:56 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:20:56 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:21:44 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:21:44 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:21:44 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 15:21:44 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:05:04 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:05:04 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:05:34 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:05:34 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:05:34 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:05:34 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:21 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:45 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:45 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:52 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW
2012/02/28 16:06:52 -0600	VIRTUALXP-53643	XPMUser	DETECTION	C:\Documents and Settings\XPMUser\Application Data\dplayx.dll	Trojan.QHost.BG	ALLOW

Malwarebytes' scan log

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.28.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XPMUser :: VIRTUALXP-53643 [administrator]

Protection: Enabled

2/28/2012 3:06:23 PM
mbam-log-2012-02-28 (16-04-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195511
Time elapsed: 53 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\XPMUser\Application Data\dplayx.dll (Trojan.QHost.BG) -> No action taken.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{6E7C7E8C-0AD3-AD41-84E7-4AB396FC69A1} (Backdoor.Bot) -> Data: "C:\Documents and Settings\XPMUser\Application Data\Ukhuh\caajk.exe" -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Documents and Settings\XPMUser\Application Data\Ukhuh\caajk.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\XPMUser\Application Data\dplaysvr.exe (Spyware.Password) -> No action taken.
C:\Documents and Settings\XPMUser\Local Settings\Temporary Internet Files\Content.IE5\GZ4NQ96L\info[1].exe (Trojan.FakeMS) -> No action taken.
C:\Documents and Settings\XPMUser\Local Settings\Temporary Internet Files\Content.IE5\QTMNSHIB\etTcMs[1].exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\XPMUser\Application Data\dplayx.dll (Trojan.QHost.BG) -> No action taken.

(end)

Unfortunately I didn't quite figure out how to save logs right away (you have to click the number by Threats Found for the window that offers it), so I just took a screenshot rather than going back and rescanning.

They didn't perform well at all. The alerts were unclear and didn't contain enough info for the user to make a choice. They also need to provide a more direct option for log saving rather than have the user figure it out, as they likely wouldn't.

Attached Files


I'm not a staff member just another Malwarebytes' user.

Advice: Hug your dog, cat etc everyday! :)
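The protection log above is long mostly because the same file is re-detected dozens of times; what a reviewer actually wants is one record per threat, plus two facts the raw lines hide: every detection ended in ALLOW, and all of them occurred after the IP protection module had been stopped. The script below is an added example (not the thread's code, and not a Malwarebytes tool) that collapses an MBAM 1.x tab-separated protection log into that summary. The embedded log is a constructed, abridged version of the one posted; the "IP Protection started successfully" / "IP Protection stopped" messages it keys on are the ones that appear in that log.

```python
"""Summarise a Malwarebytes Anti-Malware 1.x protection log. Each line is
tab-separated: timestamp, host, user, event type, details; DETECTION lines
carry path, threat and action as further tab fields. Repeated detections are
collapsed to one record per (path, threat), and two findings are flagged:
detections whose action was ALLOW, and detections logged while the IP
protection module was off. The sample log is constructed, abridged from the
one posted in the thread."""
from collections import OrderedDict
from datetime import datetime

SAMPLE_LOG = """\
2012/02/28 14:20:57 -0600\tVIRTUALXP-53643\tXPMUser\tMESSAGE\tStarting protection
2012/02/28 14:21:06 -0600\tVIRTUALXP-53643\tXPMUser\tMESSAGE\tStarting IP protection
2012/02/28 14:21:07 -0600\tVIRTUALXP-53643\tXPMUser\tMESSAGE\tIP Protection started successfully
2012/02/28 14:21:39 -0600\tVIRTUALXP-53643\tXPMUser\tIP-BLOCK\t46.166.152.163 (Type: outgoing)
2012/02/28 14:21:42 -0600\tVIRTUALXP-53643\tXPMUser\tIP-BLOCK\t46.166.152.163 (Type: outgoing)
2012/02/28 14:21:46 -0600\tVIRTUALXP-53643\tXPMUser\tMESSAGE\tStopping IP protection
2012/02/28 14:21:46 -0600\tVIRTUALXP-53643\tXPMUser\tMESSAGE\tIP Protection stopped
2012/02/28 14:26:42 -0600\tVIRTUALXP-53643\tXPMUser\tDETECTION\tC:\\Documents and Settings\\XPMUser\\Local Settings\\Temporary Internet Files\\Content.IE5\\GZ4NQ96L\\info[1].exe\tTrojan.FakeMS\tALLOW
2012/02/28 14:26:42 -0600\tVIRTUALXP-53643\tXPMUser\tDETECTION\tC:\\Documents and Settings\\XPMUser\\Local Settings\\Temporary Internet Files\\Content.IE5\\GZ4NQ96L\\info[1].exe\tTrojan.FakeMS\tALLOW
2012/02/28 14:34:38 -0600\tVIRTUALXP-53643\tXPMUser\tDETECTION\tC:\\Documents and Settings\\XPMUser\\Application Data\\Ukhuh\\caajk.exe\tBackdoor.Bot\tALLOW
2012/02/28 14:41:16 -0600\tVIRTUALXP-53643\tXPMUser\tDETECTION\tC:\\Documents and Settings\\XPMUser\\Application Data\\dplayx.dll\tTrojan.QHost.BG\tALLOW
2012/02/28 16:06:52 -0600\tVIRTUALXP-53643\tXPMUser\tDETECTION\tC:\\Documents and Settings\\XPMUser\\Application Data\\dplayx.dll\tTrojan.QHost.BG\tALLOW
"""

def parse_line(line):
    """Split one log line into fields; None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    ts = datetime.strptime(parts[0], "%Y/%m/%d %H:%M:%S %z")
    rec = {"ts": ts, "host": parts[1], "user": parts[2], "kind": parts[3]}
    if rec["kind"] == "DETECTION" and len(parts) >= 7:
        rec.update(path=parts[4], threat=parts[5], action=parts[6])
    else:
        rec["detail"] = parts[4]
    return rec

def summarise(text):
    """Collapse repeated events into per-threat records and flag concerns."""
    threats = OrderedDict()   # (path, threat) -> {count, first, last, actions}
    ip_blocks = {}            # blocked IP -> number of block events
    ip_protection_on = False  # tracked from the MESSAGE lines
    unprotected = []          # detections logged while IP protection was off
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "MESSAGE":
            if rec["detail"] == "IP Protection started successfully":
                ip_protection_on = True
            elif rec["detail"] == "IP Protection stopped":
                ip_protection_on = False
        elif rec["kind"] == "IP-BLOCK":
            ip = rec["detail"].split(" ", 1)[0]
            ip_blocks[ip] = ip_blocks.get(ip, 0) + 1
        elif rec["kind"] == "DETECTION":
            key = (rec["path"], rec["threat"])
            t = threats.setdefault(key, {"count": 0, "first": rec["ts"],
                                         "last": rec["ts"], "actions": set()})
            t["count"] += 1
            t["last"] = rec["ts"]
            t["actions"].add(rec["action"])
            if not ip_protection_on:
                unprotected.append(key)
    allowed = [k for k, t in threats.items() if "ALLOW" in t["actions"]]
    return {"threats": threats, "ip_blocks": ip_blocks,
            "allowed": allowed, "unprotected": sorted(set(unprotected))}

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for (path, threat), t in s["threats"].items():
        print(f"{threat:16} x{t['count']:<3} {t['first']:%H:%M:%S}..{t['last']:%H:%M:%S}  {path}")
    print("blocked IPs:", s["ip_blocks"])
    print("allowed:", len(s["allowed"]), "detected with IP protection off:", len(s["unprotected"]))
```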


#17 GT500, Mostly Cantankerous (Trusted Advisors, 6,250 posts, Fortville, IN)

Posted 01 March 2012 - 12:53 AM

Buttons, was that a VM or a live test box?

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#18 DarkSnakeKobra, May the penguin be with you! (Honorary Members, 5,262 posts)

Posted 01 March 2012 - 10:35 AM

VM. :) Windows XP Mode is an installation package for Windows Virtual PC that installs Windows XP Professional SP3 for Windows 7 Professional/Business/Ultimate/Enterprise users. :) I did test it against the spycar test files so it has basic protection at the very least, but I felt like it was doing absolutely nothing.

I'm not a staff member just another Malwarebytes' user.

Advice: Hug your dog, cat etc everyday! :)


#19 GT500, Mostly Cantankerous (Trusted Advisors, 6,250 posts, Fortville, IN)

Posted 01 March 2012 - 05:51 PM

VM. :)


Being a VM, some samples will delete themselves when you run them, so it wasn't a proper test (just like the one I conducted wasn't proper), however it still shows that the protection in Anvi Smart Defender is rather lacking...

Of course, when it came to most of the samples I would find, MSE was the only thing that detected most of them. Even MBAM would fail on a lot of them.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#20 DarkSnakeKobra, May the penguin be with you! (Honorary Members, 5,262 posts)

Posted 01 March 2012 - 07:52 PM

Being a VM, some samples will delete themselves when you run them, so it wasn't a proper test (just like the one I conducted wasn't proper), however it still shows that the protection in Anvi Smart Defender is rather lacking...

Of course, when it came to most of the samples I would find, MSE was the only thing that detected most of them. Even MBAM would fail on a lot of them.


Yep. Mostly it was to show they appear to be amateurs and lacking in experience or knowledge when it comes to malware. They certainly are making poor products that don't do anything at all other than waste space on a user's hard drive. I recommend they go and receive some training first before releasing a product, as they are just making themselves look bad with a wannabe program. Just my two cents. ;)

I'm not a staff member just another Malwarebytes' user.

Advice: Hug your dog, cat etc everyday! :)




