I recently downloaded a file that I knew would be malware. It was called document.zip and was attached to a piece of mail that allegedly came from someone at FedEx. The email headers were forged, and the mail itself wasn’t very convincing, so I knew it must be malware. This mail was sent to a Yahoo account, and Yahoo uses Symantec Norton AV as its anti-malware scanner. On download, Norton failed to detect this as malware (and when I submitted the file for multi-engine analysis through Virustotal.com, it confirmed that Symantec fails to detect this malware). Fortunately, I have Immunet installed, and it indeed caught this one on download. Overriding Immunet, I was able to download the file despite having Microsoft Security Essentials (MSE) installed, but when I tried to execute the download.exe contained within the zip file, Microsoft Security Essentials detected it as TrojanDownload:Win32/Chepvil.K. In this case both products would have protected you, but I like that Immunet protected me earlier in the download cycle than Microsoft Security Essentials did. It may be that Immunet is better than MSE at unpacking ZIP files. But fully 45% of anti-malware products fail to detect the ZIP file, and 40% fail to detect the EXE file, as malware.
All that isn’t as interesting as Symantec’s failure to protect me from this threat. It detects neither the ZIP nor the EXE file as malware. I got lucky in having different anti-malware software on my PC than is used by Yahoo to scan its email. If the PC had been protected by Symantec, and that had been the only anti-malware product on the PC (recalling that little-used Immunet is the only real-time product that can co-exist with other anti-malware), then my PC would have been infected.
I think this leads to two recommendations for consumers and a related one for organization system administrators:
1) Whatever anti-malware product you choose to run on your PC, you should also run Immunet.
2) If possible, use a different anti-malware product on your PC than is used by your email provider to scan email attachments. If you use multiple email providers, this becomes difficult or impractical, and installing Immunet alongside your chosen anti-malware product becomes more important.
3) If you are running an organization’s email system, use a multi-engine anti-malware scanner to scan incoming attachments. Or, if you use a single scanner, make sure your organization buys anti-malware for email and for endpoints from different vendors!
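The gateway-side half of recommendation 3 does not have to wait for a signature. Whatever engine (or engines) an organization runs, an attachment like document.zip can be opened at the mail gateway, its members hashed for multi-engine lookup, and any executable found inside flagged on structure alone, which is exactly the step a single-engine scanner with weak ZIP unpacking skipped in the story above. The following is an added example, written for this page and not code from the original post or from any of the products named in it. It constructs a stand-in document.zip in memory (an "MZ" header plus filler, not a real program), walks it including nested zips, and returns per-member SHA-256 hashes and red flags; the extension list, depth limit and size cap are assumed policy values, not anything the post specifies.

```python
import hashlib
import io
import zipfile

# Assumed policy list: extensions that should never arrive inside an e-mail attachment archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi", ".dll"}
MAX_DEPTH = 3                        # archive layers to open before giving up and flagging
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)

# Constructed stand-in for the post's download.exe: a PE "MZ" header and filler, not a real executable.
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real executable"


def sha256_hex(data: bytes) -> str:
    """Hash to submit to a multi-engine service (e.g. by hash lookup) instead of the raw file."""
    return hashlib.sha256(data).hexdigest()


def build_sample_attachment() -> bytes:
    """Build an in-memory document.zip shaped like the one in the post (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("download.exe", SAMPLE_EXE_BYTES)
        zf.writestr("readme.txt", b"Your FedEx package could not be delivered.")
    return buf.getvalue()


def build_nested_attachment() -> bytes:
    """Wrap the sample in a second zip layer, a trick used to defeat scanners that unpack one level."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", build_sample_attachment())
    return buf.getvalue()


def classify_member(name: str, content: bytes) -> list[str]:
    """Reasons a member looks executable, judged without any AV signature."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable_extension")
    # Double extension such as invoice.pdf.exe, a common lure.
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double_extension")
    # Trust the bytes, not the name: a Windows PE file starts with "MZ" whatever it is called.
    if content[:2] == b"MZ":
        reasons.append("mz_header")
    return reasons


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list[dict]:
    """Walk a zip recursively; record every file member with its hash and any red flags."""
    if depth > MAX_DEPTH:
        return [{"path": prefix + "<too deep>", "sha256": None, "size": 0, "reasons": ["nesting_limit"]}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"path": path, "sha256": None, "size": info.file_size,
                                 "reasons": ["oversized"]})
                continue
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                findings.extend(inspect_archive(content, depth + 1, path + "/"))
                continue
            findings.append({"path": path, "sha256": sha256_hex(content), "size": len(content),
                             "reasons": classify_member(info.filename, content)})
    return findings


def verdict(findings: list[dict]) -> str:
    """Quarantine if any member raised a flag; otherwise hand it on to the signature engines."""
    return "quarantine" if any(f["reasons"] for f in findings) else "pass"


if __name__ == "__main__":
    for sample in (build_sample_attachment(), build_nested_attachment()):
        results = inspect_archive(sample)
        for f in results:
            print(f"{f['path']:<28} {f['size']:>6}  {f['reasons']}  {f['sha256']}")
        print("verdict:", verdict(results))
```

The structural checks here complement multi-engine scanning rather than replace it: a ZIP carrying an EXE is quarantined even when every engine's signatures are behind, and the SHA-256 per member gives you something to look up across engines without shipping the attachment itself. Tune EXECUTABLE_EXTENSIONS and the caps to your own policy.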