|Jan / 30 / 2015|
|Zoltan Balazs, @zh4ck|
We recently came across an article which is, once again, FUD about how AV sucks. VirusTotal itself wrote about this years ago. We agree that most AV is not as good as its marketing materials claim, but that is not the point.
Let’s look at this particular exploit for a moment. Quoting from the article: “The attack, originating from traffichaus.com, was launched through an iFrame which was not detected by 52 anti-virus products, researchers said.” Uploading a malicious Flash file to VirusTotal and pointing at the 0/57 detection rate is just lame.
Here are just a few AV components which can block the infection:
Looking at this particular exploit, I can confirm that some AV products did detect and block this threat on day 0. Others did not. The Angler exploit kit is especially dangerous because it delivers in-memory malware, which renders many AV protection components useless.
And yes, all AV can be bypassed. Imagine an AV which provides 100% proactive protection out of the box. If something like this existed, it would mean all the developers at the AV company could be fired, as the AV would not need any maintenance or updates at all. Which means most of the updates you get for your AV engine are about threats which bypassed the AV yesterday …
Only a real-world protection test, one that exercises all AV components, can measure how effective today’s endpoint protections, internet security suites and AV engines really are.
We would like to thank Kafeine for sharing the sample with us.
Using VirusTotal to compare AV protection is unprofessional and lame. Don’t do that, especially when it comes to exploit kits …
PS: using VirusTotal to test Android AV is more realistic than testing Windows AV this way, and especially more realistic than testing exploits. AV on Android is most of the time just a plain static scanner.
Update (2015/01/30): the screenshot has been fixed