Sometimes that mouse is so stealthy, there there is simply no way to catch it. And there two problems with cat&mouse games in the AV worldġ. And all it takes is ONE user-mode hole for Zeus will be modified to take advantage of it, if they believe they are running into too many Kaspersky/Avast-protected users. One you load IE, it will load the required DLLs, and now you have an infected browser process. How can they load a Safe version of IE/Chrome when critical DLLs that the browsers use, have been infected. That been said, I will contest that Safe Zone can't even protect against certain kinds of user-mode infections. They just stick with MITB ("Man-in-the-Browser") type of attacks, by installing all sorts of browser plugins etc - stuff that they can easily do even unelevated.Įxamples include Zeus and SpyEye - malware that has traditionally always come with hardcore kernel-mode rootkits, but whose newer versions are user-mode only.Īgain, very valid comments. After all, they're after your online transactions (and money), and for that, they don't need to own your computer.
This is probably because of UAC - it's meaningful for malware writers to focus on the scenario where they won't have admin access to the system (i.e. That said, there's a clear trend for banking malware today to run in user-mode only (i.e. If that happens, the AV loses its only advantage it had, and then it's really only a fifty-fifty chance that it will win (a "cat and mouse" game). You're absolutely correct that once the malware gets the opportunity to load a kernel-mode driver, the situation becomes very difficult. If they can confirm if their Safe Zone/Safe money feature can protect the user even if system DLLs are infected, then I'd like to understand how. I know the Avast & Kaspersky guys are on this forum. You must assume that this process has also been compromised. I will say again, ONCE THE MACHINE IS INFECTED, they is nothing any product can do to create a process (like IE/ custom chrome) in a safe manner. I think these two companies are promoting dangerous behavior and putting their users at risk. Giving the users the impression that its OK to do financial transactions etc., even if they have reason to believe the machine is infected, simply becuase the "SAFE ZONE" will protect them, is VERY DANGEROUS. Yet, here we have companies like Avast and Kaspersky claiming that they can create a Safe Zone on an infected machine.
Think about this - the system is totally infected, possibly with some of the most sophisticated malware like zeus, ZeroAccess, Cidox, TDS etc., many of which are capable of injected DLLs into any process they please, INCLUDING THE BROWSER. However, what Avast (and Kaspersky) are claiming, is that even if the malware bypasses the security product layers, it will still not be allowed to steal credentials (user-ids, passwords) from transacations conducted within the safe zone. They are not 100% fool-proof and never will be.
Security products aim to block malware from infecting your system. However, let me explain why this is different.