'Plague Scanner' controls multiple AV engines, for $0.00

Security researcher Robert Simmons has released a tool that offers a new level of stealth to the malware cat-and-mouse skirmish by shrouding binary analysis. "Plague Scanner" is a free on-premise anti-virus framework - a class of tool that drives multiple anti-virus scanners at once - and is the only free alternative to …

  1. Anonymous Coward

    Seriously?

    What does this take? A single-user license from each AV company with their software loaded onto a series of minimal VMs, each with a writeable network share, and a scheduled task to scan that share every 10 minutes.....and a machine to do the distribution?

    Please tell me I'm wrong.

    1. Sandtitz

      Re: Seriously? @theodore

      If the AV is active it will scan the file immediately when it is written to the share. The few AV solutions (I'm familiar with) can report positives via e.g. SNMP so the result would be instant. The same AV programs can also be commanded via CLI, so the manual scanning can be invoked remotely.

    2. Anonymous Coward

      Re: Seriously?

      On the x86/x64 platform I've been using VMs that exact way, using VMWare Workstation since the 1.0.x betas (others later on). Virtualization is what has been driving what I design and how I build, not gaming, spreadsheets, nor databases, but there's more than enough bleed-through to do the rest nicely. Very nicely indeed. I do the same with browsing the more dangerous dark corners or, back when I did such work, web site construction. The biggest problem you are likely to face is running into something that can detect that it is in a virtual machine and then either abort entirely (typically suspecting a security type is probing it) or attempt to break out of the virtual sandbox. And that last one is why you'd still need to destructively zero the box entirely and break out your "golden images" to restore it and the virtual machines.

      Now being able to do this without having to have that kind of rig just sitting around until file check time would be nice, but for most a burdensome requirement. Hell, my choice would be to use this framework in addition to virtualization (framework in the context of a single VM) with a shared directory to which all downloads are automagically deposited. That would be a lot easier on the blow-it-away rigging. Whack the virtual machine, restore from a password-protected archive (after an md5 check) and you are good to go. [Still doesn't mitigate the breakout scenario. For the real prize/catch of the century, find malware that can break out of virtualization-on-virtualization with differing hypervisors. Now that I've got to see.]
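The pipeline the first commenter sketches (one drop share per AV VM, a scan triggered on write, verdicts collected centrally) and the on-access scanning point in Sandtitz's reply, as an added example that is not part of this thread and not Plague Scanner's own code. It is stdlib Python; the "engines" are simulated in-process with a constructed byte signature, the shares are local temp directories, and the JSON result-file format is an assumption. The timeout path matters in practice: an engine whose VM hung, or whose scanner quarantined the file before reporting, must not be counted as "clean".

```python
"""Toy multi-engine scan dispatcher (added example, not Plague Scanner itself).

One inbox directory per engine stands in for the writeable network share on
each AV VM; the engine writes a JSON verdict file back to a results directory.
Everything here runs offline: the engines are simulated, the sample and the
signature bytes are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CLEAN, MALICIOUS, TIMEOUT = "clean", "malicious", "timeout"


class EngineShare:
    """One engine's inbox (the share it scans) and outbox (where verdicts land)."""

    def __init__(self, name: str, root: str):
        self.name = name
        self.inbox = Path(root) / name / "inbox"
        self.outbox = Path(root) / name / "results"
        self.inbox.mkdir(parents=True, exist_ok=True)
        self.outbox.mkdir(parents=True, exist_ok=True)


def sample_id(data: bytes) -> str:
    # Name the sample by its SHA-256: no attacker-chosen filename ever reaches
    # the share, and resubmissions of identical bytes dedupe naturally.
    return hashlib.sha256(data).hexdigest()


def submit(sample: bytes, engines) -> str:
    """Drop the sample on every engine's share. Returns the sample id."""
    sid = sample_id(sample)
    for e in engines:
        # Write to a temp name and rename: an on-access scanner (the point made
        # in the reply above) must never pick up a half-written file.
        tmp = e.inbox / (sid + ".part")
        tmp.write_bytes(sample)
        os.replace(tmp, e.inbox / (sid + ".bin"))
    return sid


def collect(sid: str, engines, timeout_s: float = 2.0, poll_s: float = 0.05) -> dict:
    """Poll each engine's results dir; engines that never answer stay TIMEOUT."""
    deadline = time.monotonic() + timeout_s
    verdicts = {e.name: TIMEOUT for e in engines}
    pending = {e.name: e for e in engines}
    while pending and time.monotonic() < deadline:
        for name, e in list(pending.items()):
            result_file = e.outbox / (sid + ".json")
            if result_file.exists():
                rec = json.loads(result_file.read_text())  # assumed format
                verdicts[name] = MALICIOUS if rec.get("detected") else CLEAN
                del pending[name]
        if pending:
            time.sleep(poll_s)
    return verdicts


def consensus(verdicts: dict, min_hits: int = 1) -> str:
    """Aggregate verdicts. Timeouts are not evidence of cleanliness."""
    hits = sum(v == MALICIOUS for v in verdicts.values())
    answered = sum(v != TIMEOUT for v in verdicts.values())
    if answered == 0:
        return "unknown"
    return MALICIOUS if hits >= min_hits else CLEAN


def simulate_engine(engine: EngineShare, signatures) -> None:
    """Stand-in for the VM's scheduled/on-access scan: naive byte-signature
    match over the inbox, verdict written as JSON to the results dir."""
    for f in engine.inbox.glob("*.bin"):
        detected = any(sig in f.read_bytes() for sig in signatures)
        rec = {"engine": engine.name, "detected": detected}
        (engine.outbox / (f.stem + ".json")).write_text(json.dumps(rec))


def run_demo():
    """Three simulated engines: one detects, one misses, one never reports."""
    root = tempfile.mkdtemp(prefix="multiav_demo_")
    engines = [EngineShare(n, root) for n in ("engineA", "engineB", "engineC")]
    marker = b"CONSTRUCTED-TEST-MARKER-NOT-REAL-MALWARE"  # constructed signature
    sample = b"MZ" + b"\x00" * 64 + marker                 # constructed sample
    sid = submit(sample, engines)
    simulate_engine(engines[0], [marker])                  # has a signature for it
    simulate_engine(engines[1], [b"some-other-family"])    # no matching signature
    # engines[2] is left silent: a hung VM or a scanner that quarantined the file
    verdicts = collect(sid, engines, timeout_s=0.3)
    return sid, verdicts, consensus(verdicts)


if __name__ == "__main__":
    print(run_demo())
```

With a real engine behind each share the `simulate_engine` step is replaced by the VM's own scheduled task or on-access scan plus whatever CLI or SNMP hook it offers for reporting; the dispatcher side (hash naming, atomic drop, timeout accounting, consensus) stays the same.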

  2. JeffyPoooh

    Some IT security experts need to go back and read Turing

    What if the 'framework' has itself been hijacked? What if it's being run in a virtual machine? What if the infected OS just pretends to run it?

    1. Anonymous Coward

      Re: Some IT security experts need to go back and read Turing

      On Windows 7 or higher (like they've smoked a ton of dope creating the next versions) you can use gpedit.msc to edit the local security policy and add your application white list there.

      1. JeffyPoooh

        Re: Some IT security experts need to go back and read Turing

        "On Windows 7 or higher when cleverly infected you can be fooled into thinking you're using gpedit.msc to edit the local security policy and add your application white list there, when in fact the malware is in complete control and making you think that you're interacting with the OS." [Corrected]

        MM: Are you infected?

        PC: No.

        MM: Can I trust you?

        PC: Yes.

        MM: See? He's clean.

  3. Pascal Monett

    Can't say it's a bad idea in itself

    Open Source is arguably the future of computing, where OS and platform security are concerned at least, so this seems a good idea to me.

    Unfortunately, there is the fact that AV scanners are all based on after-the-fact signatures, rendering 0-days possible, that kind of diminishes their value. I have always felt that an executable white list, with the user authorizing new programs as he launches them, is a necessary complement. If an .exe you haven't yet launched tries to start up, you should get a warning and decide whether or not you want to authorize it. At the moment, the Task Manager can only help you shut down an application you don't want running - and malware does its damnedest to keep you away from the Task Manager.

    So yeah, an Open Source AV engine, why not ? Sure, it's not perfect yet, but I think it has potential. Let's give it room to grow, shall we ?

    1. Anonymous Coward

      Re: Can't say it's a bad idea in itself

      Yes,

      Having just been re-infected by a POS browser hijacker today, I am tempted to try this solution (comes from the same site that fixed the above problem)

      http://www.bleepingcomputer.com/download/voodooshield/

      Apparently, it does exactly what you suggest, so it might be worth a try.

      1. Anonymous Coward

        Re: Can't say it's a bad idea in itself

        Yes again,

        Installed VoodooShield and so far so good (all is working). It has varying degrees of whitelist aggressivity.

        If I were being really anal (and trusted the source) I would do a clean install from trusted RO media and then install Voodoo. A test to be performed later, after I sleep. But whitelisting is an approach with promise.

    2. Anonymous Coward

      Re: Can't say it's a bad idea in itself

      You thought the window was long for a security company to research and respond to a zero-day threat? Wait for the unpaid open source community to get the job done.

      Besides.... Signature based anti-virus as a *stand-alone* security technology is dead. The major vendors are all supplementing it with behavior and reputation based technology. Anti-virus is still there, and will continue to be there, it is just not the soup-to-nuts that it was in 2002.

    3. Pookietoo

      Re: AV scanners are all based on after-the-fact signatures

      Except they're not - some also use behavioural and heuristic methods.

  4. Spacedinvader

    Is the only difference that this one is in the cloud? http://www.herdprotect.com/

    1. Anonymous Coward

      Not quite. Herdprotect only scans running processes (tasks) and those that are autostarting. Herdprotect does look interesting but I don't believe you'd find any "blackhats" using it. [Blackhats have been using multiple malware checkers for years now. It's now part of their procedures when constructing one.]
