Originally Posted by Burillo (Post 46656)

This thread has its fair share of bullshit but nevertheless is very informative, especially that post by we3z about kernel-level trojans. so i'll just put my two cents in this discussion.

So, first of all, Bhullarz, no offense, but your "HACKERS", "VIRUSES", "TROJANS" and all the other scary words capitalized look like cheap advertising :D
on a serious note, IMHO you're both right and wrong at the same time. It's true that new malware appears at much higher rate than it goes to the databases of the AV software (especially the free ones), but we all know that pretty high percentage of this malware is being detected by heuristics and "decoy" computers that are used by the AV companies for automated malware detection.
And despite your ravings about infected cracks and keygens the truth is that most of the cracks and keygens are clean if you download them from right sources. On any serious forum (where users are computer enthusiasts) anyone who posts trojan will sooner or later (probably sooner than later) get detected, banned and have his message deleted. Same goes for any serious torrent tracker - if something is reported as fake or trojan - it gets checked immediately by the community - and trust me, most users of such websites aren't exactly dumb computer illiterate leechers. The real danger comes in "true" filesharing networks like ed2k or limewire - but the thing is, almost every trojan i met there had fixed size and was easily detectable once you know how it looks like. A pretty much safe practice would be using some kind of sandboxing software, be it a virtual machine or Sandboxie.
As for that firewall thing... Few posters made some valid points about firewall penetration techniques, and there even is a website that concentrates on exactly that - they write "leaktests" and test them against popular firewall programs (just google Matousec). I myself use the firewall that is stably in first five for several years now and don't use an antivirus at all. The most valid point was that if the trojan was connect - they will get detected. This is not true if they were using legitimate program (like IE) to connect, but that would be true if the firewall was able to detect potentially dangerous actions. For example, i downloaded a keygen. I know it shouldn't try and execute IE, don't i? That's the whole thing, it's that simple. Of course, that won't help if the ring0 trojan was already there, but when it gets installed it will install a driver and that will be detected by firewall! So proactive security (and your own vigilance to unusual behaviour) might be your last chance if signature-based security fails.

PS this post is no bullshit - i can't count how many viruses i've blocked when they tried to own me and i even manually deleted several trojans from my system using solely my firewall and some extra tools (HijackThis, Sysinternals stuff and others). Yes, i shouldn't have been allowed them in the first place but sometimes i make mistakes too:D

Originally Posted by neo_vi (Post 38385)

This can't happen when u re smart than the virus program. I've all the keygens and cracks but i'll archive it and protect it with a password. there are many other techniques too.. :lipsrseal