KAV picking viruses up that nothing else will


Clive

In the past 3-4 years I've tried the following AV programs

NOD32
AVG 6 & 7
McAfee
Norton/Symantec
Panda
Avast (current)

I tried KAV about a year ago and couldn't get it to run. However I installed
it today and it picked up Kak.Worm in an old *.pst (Outlook) file.

None of the other AV programs have found this.

Is this a false indication, or is KAV just better?

Clive
 

null

> In the past 3-4 years I've tried the following AV programs
>
> NOD32
> AVG 6 & 7
> McAfee
> Norton/Symantec
> Panda
> Avast (current)
>
> I tried KAV about a year ago and couldn't get it to run. However I installed
> it today and it picked up Kak.Worm in an old *.pst (Outlook) file.
>
> None of the other AV programs have found this.
>
> Is this a false indication, or is KAV just better?

Submit the file for analysis to:

(e-mail address removed)

Explain that you wonder if it's a false positive. In my experience,
they respond to such questions very quickly.

BTW, there can be problems sending files zipped, even with a password.
They get zapped somewhere along the way. I've had good results by
simply using alternate compression methods such as RAR. No need for
password protection.

Let us know what they say.


Art
http://www.epix.net/~artnpeg
 

Jeffrey A. Setaro

> In the past 3-4 years I've tried the following AV programs
>
> NOD32
> AVG 6 & 7
> McAfee
> Norton/Symantec
> Panda
> Avast (current)
>
> I tried KAV about a year ago and couldn't get it to run. However I installed
> it today and it picked up Kak.Worm in an old *.pst (Outlook) file.
>
> None of the other AV programs have found this.
>
> Is this a false indication, or is KAV just better?

I don't think the others can scan inside .PST files.


Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 

Jeffrey A. Setaro

> Submit the file for analysis to:
>
> [Snip]

Why? This isn't a false positive... It's not surprising that KAV would
find a copy of JS/Kak in an old Outlook message store (.PST
files) and the others can't or don't. Kaspersky actually scans the
message store and can identify infected files or messages contained in
the message store. To the best of my knowledge none of the others can
do that.


Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 

null

> Why? This isn't a false positive... It's not surprising that KAV would
> find a copy of JS/Kak in an old Outlook message store (.PST
> files) and the others can't or don't. Kaspersky actually scans the
> message store and can identify infected files or messages contained in
> the message store. To the best of my knowledge none of the others can
> do that.

The best of your and my knowledge may be inadequate, that's why. AV
products are adding new capabilities all the time.

OTOH, I do expect that it's not a FP. But I'm not certain. The best
way to find out for sure is to have it analyzed.


Art
http://www.epix.net/~artnpeg
 

Jeffrey A. Setaro

> The best of your and my knowledge may be inadequate, that's why. AV
> products are adding new capabilities all the time.

This is a long-standing issue... KAV has been scanning message stores
for several years (at least since version 3).

> OTOH, I do expect that it's not a FP. But I'm not certain. The best
> way to find out for sure is to have it analyzed.

I highly doubt it's a false alarm... Sending the full .PST in for
analysis is kind of silly (you're talking about something that could be
several megabytes in size... My local Notes mail file is over 200MBs).

The OP could try and extract the suspect message and submit that (but
he could also end up infecting himself in the process). Better to
leave things alone.

It's not that the other AV products he's tried can't detect a dinosaur
like JS/Kak, they can. They just can't parse the Outlook message store
to find it.


Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
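The point made twice in this thread (KAV "actually scans the message store", while the other products "just can't parse the Outlook message store to find it") comes down to whether the scanner can see individual messages and parts inside a container file. The script below is an added example, not code from the thread or from any AV vendor. It walks a mail store with the Python standard library and lists every MIME leaf part with its type, filename, size and SHA-256, flagging HTML parts that carry a `<script>` element, which is the kind of content a mail-borne JS worm rides in. Assumptions: an mbox file stands in for the Outlook .pst discussed here (reading .pst needs a third-party library such as libpff, which is not used); the sample mail store is constructed inline and contains no real malware; the `<script>` check is a triage heuristic, not a detection of JS/Kak. Nothing is decoded for execution or rendered; parts are only hashed and described so a scanner that cannot parse the store can still be pointed at its contents.

```python
"""Inventory the scannable pieces of a mail store (added example, not from the thread).

An mbox file stands in for the Outlook .pst discussed in the thread (assumption:
.pst needs a third-party parser). Each MIME leaf part is hashed and described;
HTML parts containing a <script> element are flagged for triage. Nothing is
executed or rendered.
"""
import hashlib
import mailbox
import re
import tempfile
from pathlib import Path

# Heuristic only: presence of a <script> tag in an HTML body, not a signature for any worm.
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def describe_part(part):
    """Describe one MIME leaf part: type, filename, size, SHA-256, and a script flag."""
    payload = part.get_payload(decode=True) or b""
    ctype = part.get_content_type()
    has_script = ctype == "text/html" and bool(
        SCRIPT_RE.search(payload.decode("utf-8", "replace"))
    )
    return {
        "content_type": ctype,
        "filename": part.get_filename(),
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "html_with_script": has_script,
    }


def scan_mailbox(path):
    """Walk every message in the mbox at `path` and describe each leaf part."""
    findings = []
    box = mailbox.mbox(path)
    try:
        for key, msg in box.items():
            for part in msg.walk():
                if part.is_multipart():
                    continue  # containers have no payload of their own
                info = describe_part(part)
                info["message_key"] = key
                info["subject"] = msg.get("Subject", "")
                findings.append(info)
    finally:
        box.close()
    return findings


def suspicious(findings):
    """Parts a defender would hand to a scanner or analyst first: attachments and scripted HTML."""
    return [f for f in findings if f["html_with_script"] or f["filename"]]


# Constructed sample mail store: two messages, no real malicious content.
SAMPLE_MBOX = """From alice@example.invalid Mon Jan  1 00:00:00 2001
From: alice@example.invalid
Subject: plain note
Content-Type: text/plain

Just text.

From bob@example.invalid Mon Jan  1 00:00:01 2001
From: bob@example.invalid
Subject: html with script
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<html><body>hello<script>document.title='constructed sample'</script></body></html>
--B
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless attachment bytes
--B--

"""


def write_sample_mbox():
    """Write the constructed mbox into a fresh temp directory and return its path."""
    path = Path(tempfile.mkdtemp()) / "sample.mbox"
    path.write_text(SAMPLE_MBOX)
    return str(path)


if __name__ == "__main__":
    for f in scan_mailbox(write_sample_mbox()):
        print(f["message_key"], f["content_type"], f["filename"],
              f["size"], f["sha256"][:16], f["html_with_script"])
```

Run against a real mbox export, the output is a list of hashes and part descriptions that can be fed to any scanner or hash lookup, which is the practical workaround when the scanner itself cannot open the store; the `suspicious()` subset is the short list worth submitting for analysis instead of a multi-hundred-megabyte mail file.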
 

null

> This is a long-standing issue... KAV has been scanning message stores
> for several years (at least since version 3).

Tell me something I don't know. The question is whether or not other
AV have added the capability.

> I highly doubt it's a false alarm... Sending the full .PST in for
> analysis is kind of silly (you're talking about something that could be
> several megabytes in size... My local Notes mail file is over 200MBs).

That would indeed be silly :)


Art
http://www.epix.net/~artnpeg
 

optikl

Jeffrey A. Setaro wrote:

> I highly doubt it's a false alarm... Sending the full .PST in for
> analysis is kind of silly (you're talking about something that could be
> several megabytes in size... My local Notes mail file is over 200MBs).

Mine is over 140 megs. And that's small compared to most of our users.
 

null

> Mine is over 140 megs. And that's small compared to most of our users.

Moz email has a "Save as" feature under the File menu for individual
messages. I suppose Outbreak doesn't have that? Moz also allows you to
Save attackments. I suppose Outbreak doesn't have that either?


Art
http://www.epix.net/~artnpeg
 

Jeffrey A. Setaro

> Moz email has a "Save as" feature under the File menu for individual
> messages. I suppose Outbreak doesn't have that? Moz also allows you to
> Save attackments. I suppose Outbreak doesn't have that either?

Can't speak for Outlook since I don't use it... But in Lotus Notes you
can export individual messages as ASCII or RTF format documents. You
can save attachments or save and delete attachments from the mail
file. You can also full text index and archive e-mail (my local
archive contains 10,000 messages).

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 

Howard Harris

> Moz email has a "Save as" feature under the File menu for individual
> messages. I suppose Outbreak doesn't have that?

Yes it does, including save as text only or html

> Moz also allows you to
> Save attackments. I suppose Outbreak doesn't have that either?

Yes it does.

(I use Polarbar as my default mailer)
 

Jeff Layman

If, for some reason, it was necessary to forward this old message to
someone, wouldn't the AV programs pick it up at the time it was sent (and
hopefully interrupt the process)? While the Worm is just sitting in the
.pst file I suppose it's harmless enough.
 

null

> If, for some reason, it was necessary to forward this old message to
> someone, wouldn't the AV programs pick it up at the time it was sent (and
> hopefully interrupt the process)?

KAV's realtime monitor would, so it would have to be temporarily
disabled.

> While the Worm is just sitting in the
> .pst file I suppose it's harmless enough.

KAK affects old unpatched versions of OE. According to F-Secure, NT-based
OSes are unaffected:

http://www.f-secure.com/v-descs/kak.shtml


Art
http://www.epix.net/~artnpeg
 