Re: malware

Started by Baz, Nov 09, 2010, 19:23:43

Previous topic - Next topic

0 Members and 5 Guests are viewing this topic.

armadillo

Quote from: Baz on Nov 10, 2010, 14:12:51
Gary if I reset that will it start all the annoying pop ups telling me I havent got this set or AV is out of date etc.Thats why I stopped it originally.Do I need it on

If you are sure that your Nod32 AV definitions are up to date, you do not not need the popups from Windows Security Centre. I have mine disabled.

What version of Nod32 virus signature database is yours now? At time of this post (16:45GMT), Nod32 is at 5607 dated 20101110.

Glenn

AntiVirus 2009/2010 are 2 trojans, that try to make you pay money to buy the product to clear the infection, but it doesn't exist.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

pctech

And they get your Credit Card details into the bargin.

Baz

#28
Quote from: Gary on Nov 10, 2010, 16:06:54
It does sound like it, reset it anyway if you get those popups you may well have a security issue, and need to run something better than Nod32 its not great at picking up things like AV 20009/2010. Disable your System restore as well when you run an AV as system restore will basically copy the rouge av anyway. Try using something else other than Malwarebytes to see what comes up, Prevx would be good if you can install it. If you have been infected again, then you have security issues with your system somewhere.  :( turn the firewall on and what date are your nod32 updates at? Have you got all your MS patches as well?

well I always thought Malwarebytes was good,have ran Superantispyware which didnt find anything except tracking cookies.

Have also never had any bother with NOD,firewall is on and NOD up to date as of tuesday and another update planned for tonight.what do you recommend that is better than NOD?


just checked NOD definitions and are up to date same as Armadillo said

armadillo

Thanks Glenn and Mitch. Now I know what Gary meant. I guess then that it is the thing that Nod32 has in its AV definitions here?
http://www.eset.com/threat-center/threatsense-updates/search?q=antivirus2010

So I still don't understand what it is that Nod32 is suggested not to detect. Of course, given that no AV product has a 100% detection rate, it is always going to be possible, at any one time, to find a threat that is detected by AV software A but not by AV software B, whatever A and B are.


Is there any evidence that Baz's machine has ever been infected by AV2009 or AV2010? (Forgive me if I missed an earlier post where he said that it had).

Rik

Glenn suggested it at reply #14.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Quote from: Baz on Nov 10, 2010, 17:17:05
what do you recommend that is better than NOD?

I will be interested to see what anyone says in answer to that. Nod32 has one of the highest detection rates of all the AV products. That applies both to detection based on its up to date virus database definitions and detections, based on heuristics, of malware not discovered at the time the databases (of all the AV products) were updated.

All the top AV products have a very high detection rate, up in the 99%+ range. It is also important that the AV software does not generate false positives. Nod32 is good on that score too.

http://www.av-comparatives.org/

I see no reason for you (or me) to replace Nod32 with something else.


Quote
just checked NOD definitions and are up to date same as Armadillo said

Good. I don't think you need to worry about the Security Centre message then, provided it can be established that your system has not been infected with Antivirus 2010. And I believe Nod32 would find it in a full system scan if that were the case.

Quote from: Rik on Nov 10, 2010, 17:26:00
Glenn suggested it at reply #14.

Thanks Rik. But that is no more than a suggestion then, at this stage. I think that the registry entries detected by Malwarebytes are just as likely to be the legitimate ones placed there by turning off the Windows Security Centre alerts manually. It should be possible to detect it if it is present. I suggest Nod32 would find it but there is no harm in doing an on-line check with an on-line AV scanner, such as

http://housecall.trendmicro.com/uk/

or

http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym&plfid=20&pkj=QKEUORVWHFHMFNZMBBX&bhcp=1


Rik

 :thumb:

Thanks, 'Dillo.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Steve

I agree Malwarebytes should have shown up a few more problems with a 'classic' AV 2010 infection than it did. Isn't it difficult to install and run Malewarebytes when AV 2010 is present?
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

DorsetBoy

Quote from: armadillo on Nov 10, 2010, 16:39:26
I do not understand what you mean. NOD32 has one of the highest detection rates of any AV system and it is non-intrusive. When you say "picking up things like AV 20009/2010" (and I assume you mean 2009/2010), what are you referring to? Is AV2009/2010 a virus that you say Nod32 does not pick up or do you mean a version of Norton or Kaspersky, i.e NAV2010 or KAV2010 is better than NOD32? IMHO, NOD32 knocks the socks off Norton though Kaspersky is excellent if your system is compatible with it. I was a beta tester for Kaspersky for a year or so but I got several blue screens per day (even with the final release candidate) and eventually settled on NOD32 as I got fed up after about 100 restores of my system with Acronis True Image.

PS - one can never tell without facial expressions to go by. I am not being combative. I am just genuinely interested in what you mean because I did not understand it.

Nod32 sadly no longer has a good detection rate and frequently misses malware. The AV 2009/2010 is a rogue application that poses as a Security Suite or the Windows Security Center and is extremely hard to remove.

Baz needs to run an online AV test , try some of these scans and see what gets picked up http://www.idnetters.co.uk/forums/index.php?topic=22885.0

armadillo

Quote from: DorsetBoy on Nov 10, 2010, 18:03:00
Nod32 sadly no longer has a good detection rate and frequently misses malware.

I disagree.
http://www.av-comparatives.org/

Do you disagree with them?


QuoteBaz needs to run an online AV test , try some of these scans and see what gets picked up http://www.idnetters.co.uk/forums/index.php?topic=22885.0

Agreed.

Steve

I remain to be convinced that there is any evidence of a Malware infection
The image below shows the result of a Malwarebytes scan of a PC infected with AV2010


Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

As far as I can see, nobody has offered any evidence that Baz's system has ever been infected with AV2010.

Here is a screenshot from regedit on my system for the keys that Baz shows in his Malwarebytes screenshot.



As can be seen, the same items are set in my registry and I have no reason to belive my system has been infected by AV2010.

I simply have Windows Security Centre warnings manually disabled on my system too and always have.

Simon

There's a sticky list of online scanners here somewhere.  Sorry, I can't link to it now.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Quote from: Simon on Nov 10, 2010, 18:25:43
There's a sticky list of online scanners here somewhere.  Sorry, I can't link to it now.

It is the link DorsetBoy gave in reply #34.

I still see no evidence that Baz's system is infected. All we have seen is the registry entries that are generated by a legitimate manual suppression of warnings from Windows Security Centre, as my regedit screenshot shows. Steve showed what an AV2010 Malwarebytes scan looks like.

On-line scans, however, do no harm and are a good idea to run from time to time, so long as one is aware of the dangers from false positives.

Technical Ben

Hope it's not one of those "we found a cookie, to a website. Not a bad website, just a website. Probably Google. So we are going to make you panic and our virus scanner look cool, by flagging it" warnings. :/
A second opinion (online scanner) may help.  :thumb:
I use to have a signature, then it all changed to chip and pin.

armadillo

Quote from: Technical Ben on Nov 10, 2010, 18:44:29
Hope it's not one of those "we found a cookie, to a website. Not a bad website, just a website. Probably Google. So we are going to make you panic and our virus scanner look cool, by flagging it" warnings. :/

Actually, I hope (and believe) that it is one of those warnings. Better that than the real thing  :thumb:

Gary

#42
Quote from: armadillo on Nov 10, 2010, 16:39:26
I do not understand what you mean. NOD32 has one of the highest detection rates of any AV system and it is non-intrusive. When you say "picking up things like AV 20009/2010" (and I assume you mean 2009/2010), what are you referring to? Is AV2009/2010 a virus that you say Nod32 does not pick up or do you mean a version of Norton or Kaspersky, i.e NAV2010 or KAV2010 is better than NOD32? IMHO, NOD32 knocks the socks off Norton though Kaspersky is excellent if your system is compatible with it. I was a beta tester for Kaspersky for a year or so but I got several blue screens per day (even with the final release candidate) and eventually settled on NOD32 as I got fed up after about 100 restores of my system with Acronis True Image.

PS - one can never tell without facial expressions to go by. I am not being combative. I am just genuinely interested in what you mean because I did not understand it.
Nod is not great at picking up the rouge Virus installations like AV2009/2010 for windows, thats something that has been discusesd on the Wilders forums before, its a good AV but you need something else like Prevx to look for these kind of things that's all. No one AV solution can find everything. Right now for instance Norton and Avira  I believe had the top detection ratings of a around 99% followed by Kaspersky 2011  :) At the end of the day there is no 'right' AV but a sensible multilayered approach is always sensible.
Damned, if you do damned if you don't

armadillo

#43
Quote from: Gary on Nov 10, 2010, 20:27:50
Nod is not great at picking up the rouge Virus installations like AV2009/2010 for windows, thats something that has been discusesd on the Wilders forums before, its a good AV but you need something else like Prevx to look for these kind of things that's all. No one AV solution can find everything. Right now for instance Norton and Avira  I believe had the top detection ratings of a around 99% followed by Kaspersky 2011  :) At the end of the day there is no 'right' AV but a sensible multilayered approach is always sensible.



In the latest report from http://www.av-comparatives.org/

the decreasing order of detection rates was Avira, Norton, Nod32, Kaspersky. Avira was somewhat ahead of the other three, which were very close together.

Purely in terms of detection of Windows viruses, the order was Kaspersky, Norton, Nod32=Avira

For scripts, the order was Avira, Norton, Kaspersky, Nod32

In false positives, the worst by a very long way was Kaspersky.

I think it is misleading to suggest that "Nod32 no longer has a good detection rate and frequently misses malware" (DorsetBoy) or that "need to run something better than Nod32" (you). The overall detection rate of Nod32 was 98.6%; Kaspersky 98.3%.

All four of those AV products have very high detection rates. In any one set of tests, each of them will miss some things that another detects.

av-comparatives awarded three stars to Avira, Norton and Nod32 and two stars to Kaspersky, taking false positives into account. After all, a product that reports everything as malware (whether malware or not) would have a 100% detection rate but it would be unusable.

I agree that a multilayered approach is sensible. Some products may have particular strengths in certain areas. It is sensible to use them provided that they do not also mislead with false positives.

I searched the Wilders forums for any evidence that Nod32 had a poorer detection record for antivirus2009 or antivirus2010 than any other AV software and could not find any. Maybe you could point me to a specific reference. I am suspicious of anecdotal reports. av-comparatives.org carry out large-sample tests and they statistically analyse them. They also point out that in small-sample tests, there is a substantial probability of a poor product performing better than a good one.

Rogues keep changing and so do the AV definitions. On any one day, a rogue may be detected by one AV but not by another. The next day, it is the other way around.

I'll have a look at Prevx. I had not heard of it so thank you for that.

On a lighter not, I love the typo "rouge" for "rogue"

I wonder if this  :evil:  is an example of a "rouge"

Gary

#44
Quote from: armadillo on Nov 10, 2010, 22:23:49

In the latest report from http://www.av-comparatives.org/

the decreasing order of detection rates was Avira, Norton, Nod32, Kaspersky. Avira was somewhat ahead of the other three, which were very close together.

Purely in terms of detection of Windows viruses, the order was Kaspersky, Norton, Nod32=Avira

For scripts, the order was Avira, Norton, Kaspersky, Nod32

In false positives, the worst by a very long way was Kaspersky.

I think it is misleading to suggest that "Nod32 no longer has a good detection rate and frequently misses malware" (DorsetBoy) or that "need to run something better than Nod32" (you). The overall detection rate of Nod32 was 98.6%; Kaspersky 98.3%.

All four of those AV products have very high detection rates. In any one set of tests, each of them will miss some things that another detects.

av-comparatives awarded three stars to Avira, Norton and Nod32 and two stars to Kaspersky, taking false positives into account. After all, a product that reports everything as malware (whether malware or not) would have a 100% detection rate but it would be unusable.

I agree that a multilayered approach is sensible. Some products may have particular strengths in certain areas. It is sensible to use them provided that they do not also mislead with false positives.

I searched the Wilders forums for any evidence that Nod32 had a poorer detection record for antivirus2009 or antivirus2010 than any other AV software and could not find any. Maybe you could point me to a specific reference. I am suspicious of anecdotal reports. av-comparatives.org carry out large-sample tests and they statistically analyse them. They also point out that in small-sample tests, there is a substantial probability of a poor product performing better than a good one.

Rogues keep changing and so do the AV definitions. On any one day, a rogue may be detected by one AV but not by another. The next day, it is the other way around.

I'll have a look at Prevx. I had not heard of it so thank you for that.

On a lighter not, I love the typo "rouge" for "rogue"

I wonder if this  :evil:  is an example of a "rouge"
As far as results percentages are unreliable at best as I see it, percentages have a a limited lie or truth value, they show that at one point in time any product did whatever at that given moment based upon a test that is itself only a percentage of a greater whole if you will, an hour later that controlled percentage is less relevant in the Virus game as in many others, so for all we know NOD32 is better now, or worse.

I tend to think there is no need to stand staunchly by any product in any marketplace these days, times change and so does ones needs. What I do like though is a product that does what it needs to in the least protracted way possible, a bit like product reviews, if you know what I mean.

As for the typo, like say an AV product, things get through sometimes.   :)
Damned, if you do damned if you don't

armadillo

Quote from: Gary on Nov 10, 2010, 23:29:10
As far as results percentages are unreliable at best as I see it, percentages have a a limited lie or truth value, they show that at one point in time any product did whatever at that given moment based upon a test that is itself only a percentage of a greater whole if you will, an hour later that controlled percentage is less relevant in the Virus game as in many others, so for all we know NOD32 is better now, or worse.

I tend to think there is no need to stand staunchly by any product in any marketplace these days, times change and so does ones needs. What I do like though is a product that does what it needs to in the least protracted way possible, a bit like product reviews, if you know what I mean.

As for the typo, like say an AV product, things get through sometimes.   :)

I think we are in full agreement on this :)

Camera forums have staunch defenders of brands and models and that always seems to me a bit pointless. My standpoint is that I tend to defend a product against comments that might lead someone to lose faith in it unnecessarily but I would be happy to drop a product which I felt had been demonstrated to be no longer effective.

FWIW, I downloaded, installed and ran PrevX. Refreshingly lightweight at less than 1MB. Installed in moments, took 2m35s for its first scan and declared my system clean. Not sure what I would have done if it had found something.  ???

One thing I do not like is that it does not ask if you want it to start at system boot. It starts a service and the service protects itself from disabling or deletion. I would rather have a simple on-demand scanner option with no underlying service. It is possible to turn off protection until a user choice to re-enable it. However, the service still starts at system boot. I have not found that enabled protection interferes with anything though, having tested web access in https, http password protected and plain http mode.

I shall give it a few days before I decide if I want to keep it, uninstall it or roll back with Acronis.

Gary

Quote from: armadillo on Nov 11, 2010, 00:37:10
I think we are in full agreement on this :)

Camera forums have staunch defenders of brands and models and that always seems to me a bit pointless. My standpoint is that I tend to defend a product against comments that might lead someone to lose faith in it unnecessarily but I would be happy to drop a product which I felt had been demonstrated to be no longer effective.

FWIW, I downloaded, installed and ran PrevX. Refreshingly lightweight at less than 1MB. Installed in moments, took 2m35s for its first scan and declared my system clean. Not sure what I would have done if it had found something.  ???

One thing I do not like is that it does not ask if you want it to start at system boot. It starts a service and the service protects itself from disabling or deletion. I would rather have a simple on-demand scanner option with no underlying service. It is possible to turn off protection until a user choice to re-enable it. However, the service still starts at system boot. I have not found that enabled protection interferes with anything though, having tested web access in https, http password protected and plain http mode.

I shall give it a few days before I decide if I want to keep it, uninstall it or roll back with Acronis.
Prevx if you buy it is a great program, it has to build up a picture of your PC and needs to do this at system boot, it uses virtually no resources, Ray on here uses it as well, its good to see a product that is not signature reliant  :)
Damned, if you do damned if you don't

armadillo

Quote from: Gary on Nov 11, 2010, 01:12:36
Prevx if you buy it is a great program, it has to build up a picture of your PC and needs to do this at system boot, it uses virtually no resources, Ray on here uses it as well, its good to see a product that is not signature reliant  :)

I have just uninstalled it. I found it interfered with another program (a photo resizing program) even when PrevX was turned off. That is, merely having the PrevX service running interfered with the other program. PrevX did not object to the program either on the scan or during the running of the program. But it caused the program to crash. I repeated the test several times. Each time, PrevX crashed it. After uninstalling PrevX, the program ran fine again. The program itself is kosher. I have even reported one or two bugs in it and had direct correspondence with its creator. Malware writers do not normally produce free, portable (i.e. no need to install) programs, enter into email with bug reporters and publish the nature of the reported bug on their website.

Hence, I believe that the PrevX service is causing unnecessary intervention. It would not be the only process to do that. Comodo is another free program that interfered with processes even when it was turned off. The trouble with "security" software is that it is difficult to write it without interfering with some legitimate processes. Given that PrevX found no malware during a deep scan, I am content to uninstall it and to conclude that it is more annoyance than value, at least for me.

Thank you for the reference to it though. It was an interesting experiment.

By the way, I am not sure that PrevX is not signature reliant. When it was scanning, it was downloading the whole time (i.e. my router internet light was flashing). So I think it possibly just keeps its signatures on the PrevX server. Possibly it accesses its server for something other than signatures.

Lance

Probably uploading all of your personal data! :D
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: armadillo on Nov 11, 2010, 02:48:36
I have just uninstalled it. I found it interfered with another program (a photo resizing program) even when PrevX was turned off. That is, merely having the PrevX service running interfered with the other program. PrevX did not object to the program either on the scan or during the running of the program. But it caused the program to crash. I repeated the test several times. Each time, PrevX crashed it. After uninstalling PrevX, the program ran fine again. The program itself is kosher. I have even reported one or two bugs in it and had direct correspondence with its creator. Malware writers do not normally produce free, portable (i.e. no need to install) programs, enter into email with bug reporters and publish the nature of the reported bug on their website.

Hence, I believe that the PrevX service is causing unnecessary intervention. It would not be the only process to do that. Comodo is another free program that interfered with processes even when it was turned off. The trouble with "security" software is that it is difficult to write it without interfering with some legitimate processes. Given that PrevX found no malware during a deep scan, I am content to uninstall it and to conclude that it is more annoyance than value, at least for me.

Thank you for the reference to it though. It was an interesting experiment.

By the way, I am not sure that PrevX is not signature reliant. When it was scanning, it was downloading the whole time (i.e. my router internet light was flashing). So I think it possibly just keeps its signatures on the PrevX server. Possibly it accesses its server for something other than signatures.
Pity, if you had gone to Wilders and talked to Prevx help they would have made sure that was fixed in the next release, Prevx scans your machine and then compares anything that looks erroneous with its data base, then if need be downloads a removal tool. Or steals or your data  ;)
Damned, if you do damned if you don't