Panda Antivirus Adaptive Defense 360

Panda Antivirus Adaptive Defense 360

No Comments

We recently tested Panda Antivirus Adaptive Defense as a continuance to a previous review of NGAV products. Does Panda live up to its claims? Is it the future of Antivirus? It has it’s ups and downs but overall I think the issues we experienced can be fixed. It’s headed in the right direction and overall the interface is designed well for a modern protection platform.

Panda’s current version is 7. x and the product is Adaptive Defense 360. From the marketing on the website, you get the feeling that it’s not your average ‘Panda’ but it’s next-generation, sexy, and ready to eradicate even the most virulent samples.

During the test, I exchanged 178 emails with the vendor over a period of fewer than 90 days. I’ve learned a great deal through direct experience of its stability and effectiveness. It’s been my experience that you’d better test the heck out of these products. Not only with detection but the basic administration features as well. There can be bugs lurking that may not impact you on the security side but potentially impair your ability to control and manage endpoints. I went ahead and dug in using my basic Dell models and hoped for the best. Keep in mind that the things I don’t ‘like’ are bugs that can be resolved – not necessarily fatal issues. Here’s my evaluation…

*** Update 8/13 – Panda is aware of this blog and actively working to fix any of the issues I found. They’ve allocated folks from Product Management, Engineering and other teams to help improve response.

A few things to note:

1. My blog recommends products on occasion but has nothing for sale
2. Bugs like to come out when I’m around so careful if I sign up for a demo
3. I don’t drink the kool-aid so I look forward to lifting the marketing curtain

Machines Tested:

Dell Latitude E6440, E5470, E5480
Dell XPS 8390 (Desktop)
Dell Inspiron (7000 Series)
Windows 7 and Windows 10

Things we liked: 

  • Support is light speed and much more responsive than BitDefender. We received prompt responses and consistent service from all of the techs. They responded appropriately to our concerns. Many times it was just a matter of reproducing the issues and gathering the right data. Panda can trigger a ‘PSINFO’ tool to gather support data without you having to send any technical information to support. In comparison, I’ve waited days and days for BitDefender support to reply. Even when they do it’s not with any urgency. If you call there is typically no way to speak to anyone live at BitDefender until they call you back. Panda is easy to get on the phone and called me often when I was available before the afternoon time.
  • Panda recently implemented anti-tampering. I’ve been advocating for this across a number of products. In Barkly, I could simply stop any of the AV processes, execute malcode and start them again. Panda protected its services even in the services.msc snap-in.
  • EDR function traced the source of execution back to a file on many virus samples we tested. We’d get an alert within 0-15 minutes that showed which process executed a particular piece of code and where it connected to. Very useful and is focused on the context of that execution. Liked this better than the fancy tree in other EDR products. It’s better to be able to alert on this in an e-mail format without needing to access the console.
  • Deployment tools were adequate in that there were no major issues with installing, uninstalling or deploying the files. Minimal interruption or notices to the machine when pushing it down with a script. Removal from the console happens in under 15 minutes on most machines.
  • Panda’s support is phenomenal despite us having many bugs with it on our particular platform that was available to test. They responded quickly and with haste. During our support they offered access to an early release version of Panda AD360 8.x as a way to get past known issues on v7.

Issues we worked with support on:

  • Crashing/Bluescreens – Panda caused many bug checks on my machines with the driver NNSPRV.SYS, and by many I mean over a dozen on multiple machines. The key for some was that they were running Intel Proset Drivers for Wireless on a slightly older version but I can not fully confirm that’s the cause. The crashes continued until we were put on an early release of version 8.0 that seemed to alleviate them. At the time though this was not a general release. Every dump had references to Panda drives in it when the crashes occurred and they happened often.

  • Performance Issues/Hangups – Machine slowdowns on several boxes that include severe delays opening applications. This happened several more times in the last few months with the most recent being on my own machine while I was using it. I captured video of this and called in to offer an impacted machine to Panda. They were unavailable to gather any data and did not recommend any steps to take on the machine at that time. I had to remove the product and could not wait until ‘tomorrow’ to find out what I needed to do. That issue is still not identified or resolved. The burden was on me to prove that this is an issue even though I’ve captured live video of it happening multiple times. Panda was using 10,000 handles on PSANHOST.EXE when the issue occurs. Chrome tabs were completely hung up and simple applications like Notepad.exe took more than a minute to open. The issue was immediately resolved by removing the AV – which by the way was so hung up it took about 30 minutes. After the removal, we could immediately surf the web, and open up applications.
  • Service instability – Panda services were crashing on version 7.x-8.x randomly. We detected this in the monitoring of its services, and the issue impacts the latest version. Support requested that we manually gather using a dump tool for them to access the issue. The main service controlling Panda crashes and says ‘The Panda Endpoint Administration Agent service terminated unexpectedly’ on these machines. There is no fix or explanation for this issue, and it’s separate from the ones shown above. We don’t know why the service keeps crashing off or what to do next. Even if we did, we believe that this ‘broken agent’ issue leads to decreased security for those endpoints when they aren’t able to update or communicate properly. A lot of time being spent manually reinstalling agents to fix this issue.
  • Upgrade Issues – Panda also failed to upgrade from v7 to v8 automatically on around 25% of the computers creating a situation where it was ‘broken’ and not functional. There was, of course, a fix or method for support to help us but it was manual, involved remoting into each machine and again the upgrade just didn’t work without any explanation. Many of the computers have rebooted numerous times and get repeatedly prompted to ‘Upgrade Panda’ when they’ve accepted that menu over and over. Meanwhile, the agents did not have full protection because the install was technically broken between versions.

 (Panda Support)

  • Dropper Detection / Kill Chain Issues – None of the files I opened with Malicious Word Macros were detected until the actual payload ran. Panda did not detect many files on-access but only once they ran and down the line in the attack chain. It will stop the PowerShell command from running but only at the point of execution. A little too close for comfort especially when many other tools see the evil in the Macro’s and malware code embedded in the document. Out of a dozen files of so I got live from the internet, none of the droppers triggered an alert until they tried something fishy. Panda was quick about adding them as a generic type of alert when I sent in samples. There is no automated system or method to submit samples to Panda w/o manually opening an e-mail ticket. Panda’s ‘EDR’ type execution report fails to correlate the malicious .doc I opened and only ‘sees’ the Powershell. But what ran the command? What were the parameters?

 ( Panda Support)

  • False Positives – We found that Panda would trigger on innocuous Windows 10 processes like those that update the Windows Store applications. In some cases it labeled them as ‘potentially malicious’ and in lock mode, it halted execution while it could determine if they were true positive malicious. This wasn’t the only ‘system’ type file and we encountered many more with Nvidia and a driver from Intel.
  • Web Filtering / Phishing – Many of the Malware and Phishing URLs I attempted to visit wasn’t classified by the software. During my investigation of the ‘Master Angler’ story this month I had Panda running and it never blocked any of the URLs. I submitted a URL to Panda with my blog and they added that single address but no others that were obviously running off that same IP. After reporting many of these URLs to Panda I realized that the phishing protection was outsourced to Cyren and not using its own threat intelligence.
  • Buggy Alerting- Malware alerts were configured for the web and alerted directly from the IP via SMTP to my e-mail server kind of strange. Not only that but there were still variables in the e-mail that was unresolved like {ExtendedUrlMalwareinfo}. The other issue was that I’d get tons of duplicates with the same information may be 5-10 e-mails in a blast from a single machine visiting a site. It says ‘Virus deleted’ but I couldn’t find anything malicious on some of these sites.

  • Console Outages –  Web console has issues on several occasions with server-side errors that prevented me from logging in. At this exact moment I keep logging in but it tells me for security reasons my session is timed out

  • Cookie Alarm – Panda sent alerts for cookies detected on machines and I couldn’t turn it off. There was no way to whitelist or otherwise exclude this extra noise.



The New Reality of Stealth Crimeware

The New Reality of Stealth Crimeware

No Comments

Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever more advanced rootkit techniques to avoid detection.

Cybercriminals use clever stealth techniques to evade detection because it allows their malware to be more effective, live on a machine or network longer, and thus maximize the compromise. McAfee Labs is now at the point where we detect more than 110,000 new unique rootkits per quarter.

To make matters worse, there is another issue that many fail to recognize:

Today’s current OS-based security model is not adequate; cybercriminals know how to get past these defenses every time.

The security industry has to find a new vantage point on cybercriminal behavior to stop and uncover their stealth techniques. It is time for our industry to start looking at security beyond the operating system to gain a more effective view of how cybercriminals operate.

We delve into these and many other issues in our latest report: “The New Reality of Stealth Crimeware,” written by myself and Thom Sawicki of Intel. Download it here.

[wp-pdf-view swf=”” width=”500″ height=”400″ /]


Stealth is the art of travelling undetected, of being invisible. Stealth technology allows military aircraft,
Ninjas, and malware to sneak up on the enemy to launch an attack, gain intelligence, or take over
systems and data.

Although stealth techniques are used in sophisticated attacks like Conficker and Operation Aurora, the
Stuxnet attack offers a new blueprint—and benchmark—for how committed criminals can use stealth
techniques to steal data or target computing systems. Stuxnet innovations included a combination of
five zero-day vulnerabilities, three rootkits, and two stolen digital certificates. Powerful toolkits, like what is available in the Zeus Crimeware Toolkit, make stealth malware development a “point- and-click” endeavor, no longer restricted to the most knowledgeable programmers. While there are no definitive industry figures, McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth technique to hide and spread malicious threats that can cause significant damage.1 These attacks form the cornerstone—the “persistent” part—of advanced persistent threats (APTs).

Malware being sent in job applications

Malware being sent in job applications

If you’re in any kind of business there’s a good chance you have to deal with resumes on a daily basis, especially if you’re a manager or Human Resources professional. While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have been increasingly presenting Malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn’t. This practice of using rigged document files goes back to the early 2000’s where exploits for Microsoft’s document format existed even before Office 2000.

Let’s not forget when we could encoded Malware into a MIME header or .eml file and make IE/Outlook execute it… without even opening it. 🙂

These waves of Malware use obfuscation and “dropper” payloads to avoid detection. A dropper serves only to pull a payload, and a backdoor down for Botnet control. It rarely is detected as malicious because of its simple nature. The Antivirus products may continuously delete the Malware payloads, but as time passes with the dropper alive and well. The Malware creators are given the opportunity of changing the package and evading detection.

The Internet Crime Complaint Center (IC3) is reporting that businesses have received Bredolab variants in email attachments masquerading as job applications.

“Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release.

They also said: “The FBI recommends that potential employers remain vigilant in opening the e-mails of perspective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.”

It’s called “spear phishing” – malicious code sent specifically to someone in a company who would be expecting that type of email (job applications in attachments in this case.)

“Recently, more than $150,000 was stolen from a US business via unauthorized wire
transfer as a result of an e-mail the business received that contained malware. The
malware was embedded in an e-mail response to a job posting the business placed on
an employment website and allowed the attacker to obtain the online banking credentials
of the person who was authorized to conduct financial transactions within the company.
The malicious actor changed the account settings to allow the sending of wire transfers,
one to the Ukraine and two to domestic accounts. The malware was identified as a
Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan,
which is commonly used by cyber criminals to defraud US businesses.”

“Anyone who believes they have been a target this type of attack should immediately
contact their financial institutions and local FBI office, and promptly report it
to the IC3’s website at The IC3’s
complaint database links complaints together to refer them to the appropriate law
enforcement agency for case consideration. The IC3 also uses complaint information
to identify emerging trends and patterns.”

Trusteer Rapport – Protects Online Banking against Botnets

Trusteer Rapport – Protects Online Banking against Botnets

Rapport is a lightweight security software solution that protects web communication between enterprises, such as banks, and their customers and employees. The product is free for the customers of over 70 different banks, AND can also be downloaded independently of those services for FREE. You can protect any web site you choose outside of the network, and also use the tool with Chrome, IE and Firefox.

Rapport implements a completely new approach to protecting customers and employees. By locking down customer browsers and creating a tunnel for safe communication with the online website, Rapport prevents Man-in-the-Browser malware and Man-in-the-Middle attacks. Rapport also prevents phishing via website authentication to ensure that account credentials are passed to genuine sources only.

Rapport’s unique technology blocks advanced Trojans including Zeus, Silon, Torpig and Yaludle without the need to constantly update and chase the different variants of these Trojans. Its proprietary browser lockdown technology simply prevents unauthorized access to information that flows between customer and employee websites regardless of whether these attempts were generated by new or known Trojan variants. Rapport is also capable of preventing very targeted and under the radar phishing attacks.

Enterprises such as banks can easily configure the system to protect customers and employees and begin offering them Rapport software for quick download from their website. Following a simple one time installation process, Rapport begins securing browsers, works in the background and does not call for a change in user behavior – customers and employees can bank and use the internet as usual – thus enabling fast adoption. Rapport comes with a rich management application that enables enterprises to effectively trigger alerts, view and analyze data as well as manage security.

Rapport is focused on preventing online fraud committed by financial malware and differs from Anti-Virus because it:

* Locks down access to financial and private data instead of looking for malware signatures

* Communicates with your online banking website to provide feedback on security level and report unauthorized access attempts

* Allows for immediate action to be taken against changes in the threat landscape.


* Blocks Zeus, Torpig, Silent Banker and other Man-in-the-Browser attacks
* Blocks Keyloggers and screen grabbing
* Blocks Man-in-the Middle attacks
* Blocks Phishing attacks
* Works on both Windows and Mac
* Protects immediately upon install
* Complements other security software
* Transparent to customers and employees unless a threat is detected
* Delivers advanced reporting on current and new threats including zero-day attacks
* Comes with pre-packaged marketing tools and materials
* 24×7 support option


* Prevents wire and ACH fraud
* Protects against account takeover attacks
* Deployment within weeks, requires no change to enterprise applications
* Fast notification of threats affecting your customers and employees
* Fast adoption by customers using proven tools
* Added security with no change in user behavior
* Proactive rather than reactive to threats and incidents

Browser Lockdown – This technology specifically prevents unauthorized access to sensitive information in the browser. Before launching the browser, Rapport verifies its integrity, preventing unauthorized modifications to the browser’s executable. Rapport locks down all programmatic interfaces to sensitive information inside the browser while it is connected to a protected website. This prevents browser add-ons and other pieces of software from accessing login information, financial information and transactions based on customized policy created with the enterprise. Additionally, Rapport protects the browser’s memory and prevents any pieces of code injected into the browser’s memory from capturing or modifying sensitive information.

Keystroke Lockdown – Rapport prevents tampering and reading of data by encrypting sensitive information from the moment it is typed into the keyboard until it reaches the browser. Trusteer encrypts keystrokes very low in the operating system’s kernel and keeps them encrypted inside the kernel and user space to achieve this goal.

Communication Lockdown – This technology enables Rapport to verify the legitimacy of the website that the customer or employee is currently using, preventing the submission of sensitive information to fraudulent websites. What’s more, verification of a direct connection with the website and assurance of encryption are also confirmed to prevent Man-in-the-Middle attacks. This technology prevents many ACH FRAUD transactions and efforts of trojans such as Torpig & Zeus.

Actionable Intelligence – All policy violations, such as attempts to read password fields and change web page content are reported to the Trusteer cloud-based fraud analysis service. Trusteer’s team of fraud analysts works 24×7, analyzing information from customers all over the world in order to identify new attack patterns. Advanced automatic update mechanisms allow Trusteer to react immediately to new threats. Organizations are immediately alerted regarding new attacks as they occur, instead of days, weeks, and even months after the fact.

These are not the days of the Nimda Virus, so get protected!

PC users:

Mac users:

Ping web site