Efficacy of different "detection" apps.


LuckyStrike

I performed a scan with "Pest Patrol" and it detected a IMI.1536.A
"dropper". I have presently quarantined the suspect item.

Now, I run various programs to deal with "antisocial" vermin that may come
our way. Running W98se with AVG AV, Spybot S&D, Ad-Aware, Spyware Blaster,
Hosts file, and what-not. All of these are of the latest definitions, and
updates. On occasion I will use an On-Line AV Scanner, such as Trend Micro,
or Freedom On-Line (Zero Knowledge), Panda, and even Norton.

As a side note, despite my settings complying with the Norton requirements,
I am unable to run it lately. I guess it doesn't like IE6. Tells me I must
have at least IE5, active X enabled and what-not. I do this for this scan,
and for this scan only, and it still won't run. Anyway, so much for that.

OK so what I'm getting to here is that Pest Patrol finds stuff that the
other programs do not find. Certain Spyware cookies will be found by
Ad-Aware and PP alike, but on numerous occasions PP finds spyware cookies
that are not detected by any other app I'm running.

Second thing is, Trendmicro and Freedom on-line have detected some "Eicar"
test files that I have onboard the PC (Freedom On-line even detects it in an
.MHT webpage that I have saved as the source for the file), but AVG does not
(as for Symantec- since I cannot get it to run, who knows?) detect these
"Eicar" test files. Before I had quarantined the "dropper" none of the apps
detected it either.

This makes me wonder as to the efficacy of various applications and which
one really is thorough and complete in seeking out the potentially hazardous
flotsam and jetsam. All programs claim to be good, few state "we won't find
such and such". Any observations or experiences of a like nature?

Thanks,
 

Mike Burgess

LuckyStrike,
IMI.1536.A = fairly old virus .... I'm surprised it was not detected?
Did the on-line scans detect this?
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=IMI.1536.A&btnG=Google+Search
"PP finds spyware cookies that are not detected by any other app"
Such as? ....... if you provide a few examples, I'll check it out and (if
needed) add to my HOSTS file. Note: when these are detected, you can also add
them to IE | Privacy = "always block"
http://www.mvps.org/winhelp2002/cookies.htm

AVG should detect the "Eicar" files? Are they zipped?
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-03-03]
Please post replies to this Newsgroup, email address is invalid
--
 

siljaline

LuckyStrike said:
I performed a scan with "Pest Patrol" and it detected a IMI.1536.A
"dropper". I have presently quarantined the suspect item.
<Snipped>

Lucky -

Post noted :) I shall review your comments, et al and post back later.
You may have some flotsam and jetsam...

Regards,


--

siljaline

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_
 

LuckyStrike

Hi Mike,

Responses In-Line.

Mike Burgess said:
LuckyStrike,
IMI.1536.A = fairly old virus .... I'm surprised it was not detected?
Did the on-line scans detect this?
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=IMI.1536.A&btnG=Google+Search

Me too. The unsettling thing is that none of the other On-Line scans found
it either. I was unable to get the Symantec on-line scan to run despite
configuring the PC to their requirements, so as for them I don't know. I had
investigated the Google finds yesterday; Have quarantined the item.
Such as? ....... if you provide a few examples, I'll check it out and (if
needed) add to my HOSTS file.
Note: when these are detected, you can also add them
to IE | Privacy = "always block"
http://www.mvps.org/winhelp2002/cookies.htm

When I run the apps like PP, Ad-Aware, and Spybot if something is detected I
don't customarily remove the item until I see if it can be detected by the
others. It has been my experience to run Ad-Aware first, as PP always finds
something that AW won't.

Next time I'll take note on the spyware cookies that are detected solely by
PP; I usually remove them upon detection without really taking note of the
"who's and what's". For some reason I am not finding the cookies in the logs
for the program. I'll "Ping" you on my findings when the next one arises
Mike.

Thanks for the tip on the IE options privacy configuration.
AVG should detect the "Eicar" files? Are they zipped?

Neither the "Eicar" files, nor the saved as .MHT source page for the "Eicar"
file are zipped. As a side note, Freedom On-Line can be enabled to scan
compressed files, and detects both the file and the .MHT page that was the
source for the "Eicar" file. TrendMicro detects the Eicar File, but not the
saved web page.

For reference I include this post of yesterday to ms.public.security.

Thanks,
--
LuckyStrike
(e-mail address removed)

message news:%[email protected]...
I performed a scan with "Pest Patrol" and it detected a IMI.1536.A
"dropper". I have presently quarantined the suspect item.

<Snipped for Brevity>
 
 

siljaline

<snip>

OT -

Mike, can't see your post in OE? Using Forte as default news handler, if I don't Forte
posts don't show. Bit of juggling act -

What do you suggest?



--
siljaline

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_
 

Mike Burgess

LuckyStrike,
Panda Active Scan:
http://www.pandasoftware.com/active...guage=2&Country=63&Partner=1&Ref=EN-PR-AS-107

Seems to me I read somewhere (I think) that AVG ignores the Eicar files.
Something about a "known" test file ......... try the below:
http://www.eicar.org/anti_virus_test_file.htm
_______________________________________
Mike Burgess http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 9-03-03]
Please post replies to this Newsgroup, email address is invalid
--

LuckyStrike said:
Hi Mike,

Responses In-Line.

<Snipped for Brevity>
 

siljaline

siljaline,
Sorry ..... never used Forte, so I can't comment.
Is OE using a different news server?

Have OE using MS News as a default news reader.
Using Forte on my ISP's newsreader. There will be a post or two lost regardless of setup.

Not to worry ;)


--
siljaline

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_
 

Frank Saunders, MS-MVP

siljaline said:
On Sat, 6 Sep 2003 04:12:39 -0400, "Mike Burgess"

<snip>

OT -

Mike, can't see your post in OE? Using Forte as default news handler,
if I don't Forte
posts don't show. Bit of juggling act -

What do you suggest?

Make sure you didn't accidentally add him to OE's Block Senders List.
 

siljaline

Frank Saunders said:
Make sure you didn't accidentally add him to OE's Block Senders List.

Me! block Mike B - hmmm.... thank you for the suggestion.
I'll have a look but I doubt it, got to be Mike's HOST file that's causing all the
trouble ;)

Regards,


--

siljaline

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_
 

Kent W. England [MVP]

My AVG6 Resident Shield detects eicar.com and eicar.zip and eicar.zip in
another .zip file.
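Kent's nested-zip report above and LuckyStrike's earlier observation that one on-line scanner finds the Eicar test string inside a saved .MHT page while another does not both come down to the same question: does the scanner unpack containers and decode encodings, or does it look only at the raw bytes on disk? The example below is added here and is not code from any poster or product; it builds its own sample files (eicar.com, a zip of it, a zip of that zip, and a minimal MHT page, all constructed inline) and compares a raw byte scan with one that recurses into zip members and MIME parts.

```python
import base64
import io
import zipfile
from email import message_from_bytes

# The published EICAR test string: harmless by design, flagged by AV as a test.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_DEPTH = 4  # bound on how deep nested containers are unpacked

def raw_scan(data: bytes) -> bool:
    """A scanner that only inspects the bytes exactly as stored on disk."""
    return EICAR in data

def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Return container paths ('outer.zip>inner.zip>eicar.com') at which the
    signature is found, unpacking zip members and decoding MIME (MHT) parts."""
    hits = [name] if EICAR in data else []
    if depth >= MAX_DEPTH:
        return hits
    if data[:2] == b"PK":  # zip local-file-header magic
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    hits += scan(f"{name}>{member}", zf.read(member), depth + 1)
        except zipfile.BadZipFile:
            pass
    elif data.lstrip().startswith((b"MIME-Version:", b"Content-Type:", b"From:")):
        # An .MHT page is MIME: part bodies are base64 or quoted-printable, so the
        # signature is invisible to a raw byte scan until each part is decoded.
        for i, part in enumerate(message_from_bytes(data).walk()):
            if not part.is_multipart():
                body = part.get_payload(decode=True) or b""
                hits += scan(f"{name}>part{i}", body, depth + 1)
    return hits

def build_samples() -> dict:
    """Constructed inputs: eicar.com, a deflated zip of it, a zip of that zip,
    and a minimal MHT web page carrying eicar.com as a base64 part."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.zip", inner.getvalue())
    mht = (b'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="B"\r\n\r\n'
           b"--B\r\nContent-Type: text/html\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n"
           b"<html>saved page</html>\r\n"
           b"--B\r\nContent-Type: application/octet-stream\r\nContent-Transfer-Encoding: base64\r\n\r\n"
           + base64.encodebytes(EICAR) + b"--B--\r\n")
    return {"eicar.com": EICAR, "eicar.zip": inner.getvalue(),
            "eicarcom2.zip": outer.getvalue(), "eicar.mht": mht}

if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:14} raw={raw_scan(data)!s:5} deep={scan(name, data)}")
```

A scanner that reports the .MHT page clean while flagging the bare eicar.com is behaving like raw_scan: it never decoded the base64 part.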
 

Robert Aldwinckle

....
Mike, can't see your post in OE? ....
What do you suggest?

siljaline,

Your Message-ID shows that you are posting through a different
news server than the one that we use so it just means that that message
hasn't shown up there yet (if it will).

Have you considered using the msnews public server?

msnews.microsoft.com


As long as this is OT can you tell me if Forte users can add Message-ID
to their caches? E.g. could you go out and get Mike's post with this URL

nntp://msnews.microsoft.com/microsoft.public.windows.inetexplorer.ie6.browser/#[email protected]

and then have it insert properly into this thread? This is something
that OE sorely lacks. If the message wasn't there when we tried to
retrieve them and if the server later becomes synchronized so that the
missing message is stored under a lower sequence number the best
we can do is retrieve it to look at it and save it as a separate document
with no further connection to either the newsgroup or its thread.
Otherwise we would have to Reset the newsgroup and refresh its
entire cache! The problem becomes more annoying the more that
a site's servers are found out of synch. Fortunately msnews servers
are more often completely in synch than not, particularly for new messages.


HTH

Robert Aldwinckle
---
 

LuckyStrike

Mike,

It's quite possible that there may be a "readme" on AVG ignoring "Eicar"; I
haven't seen one, but AVG does "ignore" it, that's for sure! <g>

Now, regarding the Panda Scan; I ran it after de-quarantining the
IMI.1536.A, and it did not detect it! It did seem to detect something
different that nothing else detected though! Copied/ pasted from scan log of
Panda.
9:19 PM 9/6/03
Incident Status Location

W32/Sobig.C Disinfected Personal Folders\Re: Submited (004756-3463) (screensaver.zlq)

Note the spelling of the word "Submitted" above. This is not my handiwork. I
am not sure where the D***** comes from.
This seems to be something that was perhaps in my OE newsreader saved
messages? I am not sure. The mystery and intrigue get deeper and deeper.

One program finds "Eicar", one finds IMI.1536.A, one finds this W32/Sobig.C.
None agree on anything.

BTW, Thanks for the link on the "Eicar" - that was a pretty definitive
article on the subject.

I depart, but still I am baffled. I guess I'll just "quarantine" the IMI.
thing for the time being.

Regards,
--
LuckyStrike
(e-mail address removed)
----------------------------------------------------------------------------
----------------
Mike Burgess said:
LuckyStrike,
Panda Active Scan:
http://www.pandasoftware.com/active...guage=2&Country=63&Partner=1&Ref=EN-PR-AS-107

Seems to me I read somewhere (I think) that AVG ignores the Eicar files.
Something about a "known" test file ......... try the below:
http://www.eicar.org/anti_virus_test_file.htm
<Snipped for Brevity>
 
