Posted by Dan W. on October 7, 2006, 10:13 am
cquirke (MVP Windows shell/user) wrote:
> On Sun, 1 Oct 2006 12:00:58 -0500, "Marek Kalisz"
>
>> This night I downloaded an update to SpyBot, then started a scan. This download
>> was from See-Cure #2 (Europe) server. Then, after a few minutes, at about
>> 40% of the scan, my AV (G Data AVK) warned me about some virus in Spybot:
>
>> Generic.Malware.SYdlg.D42B776F (file: C:\Windows\system32\CloseAll.exe)
>
> That can happen when a resident av responds to a "touch" made by an
> on-demand scanner. Consider....
> - the resident av doesn't recognise a new malware
> - the new malware arrives, but may not run (i.e. remains inactive)
> - the resident av is updated, now can recognise the malware
> - the malware is inactive, so doesn't get detected
> - you use a different on-demand scanner, e.g. SpyBot
> - this scanner reads the malware file
> - this brings the file to the attention of the resident av
> - the resident av then detects and manages the malware
>
> There are two other aspects to this.
>
> Firstly, a scanner may be unaware of locations in which other scanners
> store their material, and thus detect malware within these stores.
> This malware has already been detected and managed, and thus is
> unlikely to pose an active threat, but may be detected.
>
> Usually, each scanner takes pains to hide what they quarantine so
> that other scanners can't detect it - but this may fail for various
> reasons, and when that happens, you get "new" detections.
>
> Secondly, some management tools may themselves be detected as malware,
> either because what they do could be seen as a risk (e.g. password
> resetters, product key finders, etc.) or because they may contain
> signatures of the malware they clean (e.g. an old GoHip killer that's
> often detected as GoHip itself).
>
>> Now, you can choose SpyBot updates from a few alternate servers. Already in
>> the past I experienced unsuccessful update of some modules from some of
>> those servers (wrong sum, for example) so I had to change server to finish
>> full updates.
>
> Yes, I see that often as well, across multiple systems and sites.
> Spyware Blaster's updates are equally trouble-prone.
>
>> But - if what happened to me with SpyBot is real it means
>> that even "anti"s with an excellent renown aren't completely safe.
>
> Any code can be infected by a generic code-infecting virus, such as
> CIH, Magistr, etc. I've often seen av programs infected this way, and
> I've also seen systems where the infected file count was massively
> higher when the resident av was infected in this way.
>
> If you put on your Matrix-vision glasses, you'll see it's all just
> code; the intention of the code is meaningless.
>
> To the user, it's a resident av scanner.
>
> To an attacker, it's an infectable underfootware file-groper with
> low-level access to every file on the system.
>
> The only reason we don't see the full impact of this as yet, is that
> there are many different resident av out there, with none having such
> a dominant market share that it presents a worthwhile target.
>
> This is a large reason why I hope MS will not build an av solution
> into the OS, as doing so would take the chocks off such attacks.
>
>
>
> ------------ ----- --- -- - - - -
> Drugs are usually safe. Inject? (Y/n)
> ------------ ----- --- -- - - - -
Great point, and I had not even considered your final point. I guess the
solution is for Microsoft to continue Live OneCare and, like David points
out, the antivirus in Live OneCare is not good enough yet to be
considered, and I would continue to stay with products such as AVG
anti-virus.
BTW, Chris -- fixing one of the XP Professional computers at school, and
Spybot Search and Destroy destroyed a special hidden and planted active
vector deep within the registry that would allow the system to be
compromised by a virus ------------------- I was able to save the system
just in time --------------- Threat Factor Determined to be HIGHLY CRITICAL
Also, some adware and other junk, and tightened the settings. Installed
Mozilla Firefox -- a safer and more secure solution -- and the computer is now in
good shape, and of course allowed all files to be shown and removed the really
weak link of remote assistance and control boxes that were checked.
--
Dan W.
Computer User
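The two mechanisms cquirke describes in the quoted reply (a resident on-access scanner firing only when a second on-demand scanner reads a file that arrived before the signature update, and a quarantine store that is masked so other scanners do not re-detect its contents) are modelled below. This is an added illustration written for this thread, not code from any of the products mentioned; every signature, path, file content, quarantine header and XOR key is constructed for the example, and the "file system" is an in-memory dictionary.

```python
from typing import Dict, List, Optional, Tuple

# Constructed signature databases: byte patterns standing in for malware
# family markers. V2 is the "updated" database that adds a new family.
SIGNATURES_V1: Dict[str, bytes] = {"Marker.A": b"MARKER-A-PAYLOAD"}
SIGNATURES_V2: Dict[str, bytes] = {**SIGNATURES_V1, "Generic.B": b"BAD-GENERIC-B"}

SAMPLE_PATH = r"C:\sample\dropped.exe"          # constructed path, not a real file
SAMPLE_BYTES = b"MZ\x90\x00...BAD-GENERIC-B..."  # constructed, never executed content


def match(signatures: Dict[str, bytes], data: bytes) -> List[str]:
    """Plain substring signature matching over raw bytes."""
    return [name for name, pattern in signatures.items() if pattern in data]


class QuarantineStore:
    """Holds removed files. With obfuscate=True the bytes are XOR-masked behind a
    magic header so a raw signature scan of the store does not match; with
    obfuscate=False it models a store that leaks raw bytes (the "fails for
    various reasons" case that produces "new" detections)."""
    MAGIC = b"QSTORE1\n"  # constructed header

    def __init__(self, obfuscate: bool = True, key: int = 0x5A):  # constructed key
        self.obfuscate = obfuscate
        self.key = key
        self.items: Dict[str, bytes] = {}

    def _mask(self, data: bytes) -> bytes:
        return bytes(b ^ self.key for b in data) if self.obfuscate else data

    def put(self, path: str, data: bytes) -> None:
        self.items[path] = self.MAGIC + self._mask(data)

    def restore(self, path: str) -> bytes:
        blob = self.items[path]
        assert blob.startswith(self.MAGIC)
        return self._mask(blob[len(self.MAGIC):])  # XOR is its own inverse

    def raw_blobs(self) -> List[bytes]:
        return list(self.items.values())


class ResidentAV:
    """Resident (on-access) scanner: it only sees a file when something reads it."""
    def __init__(self, signatures: Dict[str, bytes], obfuscate_quarantine: bool = True):
        self.signatures = dict(signatures)
        self.quarantine = QuarantineStore(obfuscate=obfuscate_quarantine)
        self.log: List[Tuple[str, str]] = []

    def update(self, signatures: Dict[str, bytes]) -> None:
        self.signatures = dict(signatures)  # new definitions, no rescan of idle files

    def on_access(self, files: Dict[str, bytes], path: str) -> Optional[str]:
        data = files.get(path)
        if data is None:
            return None
        hits = match(self.signatures, data)
        if not hits:
            return None
        self.quarantine.put(path, data)  # "manage": move to quarantine ...
        del files[path]                  # ... and remove from the live tree
        self.log.append((path, hits[0]))
        return hits[0]


class FileSystem:
    """Reads pass through the resident hook; writes do not, so a file can land
    on disk and stay inactive until something touches it."""
    def __init__(self, resident: ResidentAV):
        self.files: Dict[str, bytes] = {}
        self.resident = resident

    def write(self, path: str, data: bytes) -> None:
        self.files[path] = data

    def read(self, path: str) -> bytes:
        verdict = self.resident.on_access(self.files, path)
        if verdict:
            raise PermissionError(f"{path}: blocked by resident AV ({verdict})")
        return self.files[path]


def on_demand_scan(fs: FileSystem, signatures: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """A second, independent on-demand scanner that simply reads every file."""
    findings: List[Tuple[str, str]] = []
    for path in list(fs.files):
        try:
            data = fs.read(path)
        except PermissionError:
            findings.append((path, "read blocked by resident AV"))
            continue
        findings.extend((path, name) for name in match(signatures, data))
    return findings


def touch_scenario() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], ResidentAV]:
    """Resident AV lacks the signature; file arrives inactive; signatures update
    and nothing fires; a different scanner reads the file; the resident fires."""
    av = ResidentAV(SIGNATURES_V1)
    fs = FileSystem(av)
    fs.write(SAMPLE_PATH, SAMPLE_BYTES)
    av.update(SIGNATURES_V2)
    assert av.log == []  # updated, but the idle file has not been touched yet
    other_scanner = {"Unrelated.X": b"NOPE"}  # knows nothing about Generic.B
    findings = on_demand_scan(fs, other_scanner)
    return av.log, findings, av


def quarantine_redetections(av: ResidentAV, signatures: Dict[str, bytes]) -> List[str]:
    """What a scanner that walks the quarantine store with raw signatures reports."""
    return [name for blob in av.quarantine.raw_blobs() for name in match(signatures, blob)]
```

Running `touch_scenario()` shows the second scanner reporting nothing of its own, while the resident AV's log carries the detection triggered by that scanner's read, which is the "touch" effect in the reply. `quarantine_redetections()` with a masked store returns nothing, and with `obfuscate_quarantine=False` it returns the quarantined family again, which is the second effect described.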