On demand scanning issues

[null]

A freeware MP3 to WAV installation file named ABLEMP3.EXE from:

http://www.all4you.dk/FreewareWorld/links.php

was found to contain a file named WU1345RD.EXE infested with
TrojanDropper.Win32.Small.gt
Actual infestation was confirmed by Kaspersky Lab virus analysis.

I ran some tests using updated av products set to scan archives and
packed files. I wanted to see which scanners could find the Trojan in
the installation SFX CAB file. Of the scanners I tried, only KAV (and
KAV scan engine products) and BitDefender found the culprit file and
alerted.

Scanners which alerted on the culprit file but not on the installation
file included:

F-Prot
McAfee
AntiVir
Clamav
NOD32

Scanners which had no detection at all included:

Trend's Sysclean
Norman Virus Control (NVC)

In this particular case, the SFX CAB installation file can be handled
by Archivers such as Power Archiver. The files "within" can be
extracted to a temp folder. Then the temp folder and its
subdirectories can be scanned with the culprit file(s) exposed for av
scanning.

A general fault of the scanners that can't handle the "containers"
(archivers and packers) is that they report "OK", giving uninitiated
users the impression that the file is safe to Run. In fact, the "files
within" a install file may be packed in a way that some scanners can't
handle. And again, you get a "OK" message. I have seen KAV give
reports such as "unknown" or "error on" and similar for some of these
situations, so apparently it's trying to be honest and let the user
know it can't scan a file. But honesty in reporting is a very rare
thing indeed


Art
http://www.epix.net/~artnpeg

 

[Julian Moss]

A general fault of the scanners that can't handle the "containers"
(archivers and packers) is that they report "OK", giving uninitiated
users the impression that the file is safe to Run. In fact, the "files
within" a install file may be packed in a way that some scanners can't
handle. And again, you get a "OK" message. I have seen KAV give
reports such as "unknown" or "error on" and similar for some of these
situations, so apparently it's trying to be honest and let the user
know it can't scan a file. But honesty in reporting is a very rare
thing indeed

Most setup generators used by developers employ proprietary compression
methods or undocumented ways of storing the compressed data within the
setup EXE. I don't see how virus scanners could realistically be
expected to unpack and scan all these types of package. If you get an
alert as soon as the infected file hits the hard drive, that's good
enough IMO.

 

[null]

Most setup generators used by developers employ proprietary compression
methods or undocumented ways of storing the compressed data within the
setup EXE. I don't see how virus scanners could realistically be
expected to unpack and scan all these types of package. If you get an
alert as soon as the infected file hits the hard drive, that's good
enough IMO.

Well, I'm talking about files that have "hit the drive" that cannot be
scanned on-demand, with no clue to users that they cannot be scanned.
And reliance on realtime av to unpack files when they are Moved,
Copied or Run isn't necesarily going to work either with packers the
av can't handle.

The problem of purposely downloaded install files is best addressed as
early as possible, via on-demand scanning. Install files that cannot
be scanned or extracted from and scanned should be deleted. That's a
part of "safe hex", and the best bet. And never d/l from questionable
sources.


Art
http://www.epix.net/~artnpeg

 

[madmax]

A freeware MP3 to WAV installation file named ABLEMP3.EXE from:

http://www.all4you.dk/FreewareWorld/links.php

was found to contain a file named WU1345RD.EXE infested with
TrojanDropper.Win32.Small.gt
Actual infestation was confirmed by Kaspersky Lab virus analysis.

I ran some tests using updated av products set to scan archives and
packed files. I wanted to see which scanners could find the Trojan in
the installation SFX CAB file. Of the scanners I tried, only KAV (and
KAV scan engine products) and BitDefender found the culprit file and
alerted.

Scanners which alerted on the culprit file but not on the installation
file included:

F-Prot
McAfee
AntiVir
Clamav
NOD32

Scanners which had no detection at all included:

Trend's Sysclean
Norman Virus Control (NVC)

In this particular case, the SFX CAB installation file can be handled
by Archivers such as Power Archiver. The files "within" can be
extracted to a temp folder. Then the temp folder and its
subdirectories can be scanned with the culprit file(s) exposed for av
scanning.

A general fault of the scanners that can't handle the "containers"
(archivers and packers) is that they report "OK", giving uninitiated
users the impression that the file is safe to Run. In fact, the "files
within" a install file may be packed in a way that some scanners can't
handle. And again, you get a "OK" message. I have seen KAV give
reports such as "unknown" or "error on" and similar for some of these
situations, so apparently it's trying to be honest and let the user
know it can't scan a file. But honesty in reporting is a very rare
thing indeed


Art
http://www.epix.net/~artnpeg

Art-
I scanned it with Avast and it did not catch it either.(I didn't try to
open it)By the way,are there any free AV products that use the Kapersky
engine?
-max

--
To help you stay safe see: http://www.geocities.com/maxpro4u/madmax.html
This message is virus free as far as I can tell.
Change nomail.afraid.org to neo.rr.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)

 

[null]

Art-
I scanned it with Avast and it did not catch it either.(I didn't try to
open it)By the way,are there any free AV products that use the Kapersky
engine?

Yes. I recently put up at my web site both a automated utilility and
"manual instructions" for obtaining and updating a free scanner
offered by Microworld Systems, the Escan people.

I've received some mixed bag feedback on my utility. Some had no
problem with it while others complained of erratic behaviour,
apparently caused by wget.exe (the internet file downloader). I can't
figure out why. I've been using wget for years now with my upater
offerings, and have never heard of such a problem. I may withdrwaw my
utility since I can't figure out why a few users have experienced
problems.

If you want to do me a favor, and if you're brave <smile> please try
my utility and let me know how you make out. Otherwise, use the manual
instructions. Regarding the latter, a folder named c:\Downloads must
be created and used since the KAVUPD.EXE updater supplied by
Microworld only downloads to that directory. All extracted files go to
that working folder. The extracted working av program is
c:\Downloads\mwavscan.com

When using mwavscan.com, I suggest limiting its use to the default
settings. That should be sufficient for handling installations of
Trojans and I-Worms. And you can also aim it at just a download folder
and set it to scan all files when you want to check downloads. The
thing is, the scanner "shoots first and asks questions later", so to
speak. If you allow it to scan your entire drive(s) for viruses,
especially worrysome with the "scan all files" set, any false alarm
results in renaming, deleting or cleaning. There is no way to just
have it do a scan with report only. This is the downside of using
mwavscan. An upside is that users will have a super scanner for
checking memory, the registry, and main Windows and system files for
installed Trojans and I-worms (and viruses in those areas). It uses
the extra defs, so it's quite a extensive malware zapper. And the
default scan goes very quickly. A log file is generated.


Art
http://www.epix.net/~artnpeg

 

[null]

A freeware MP3 to WAV installation file named ABLEMP3.EXE from:

http://www.all4you.dk/FreewareWorld/links.php

Correction. I was just informed by the webmaster that site doesn't
offer downloads. So I was misinformed by a user I was helping.
However, I found the downloads from these sites of the subject
software are all Trojanized:

http://www.all4you.dk/FreewareWorld/links.php
http://www.hitsquad.com/smm/programs/AbleConverter/download.shtml
http://www.guitar.sk/mp3_ogg_converter.htm
http://www.sharewarejunction.com/download-19906-2.htm
http://www.zdnet.fr/telecharger/windows/fiche/telecharger/0,39033957,39080029s,00.htm

was found to contain a file named WU1345RD.EXE infested with
TrojanDropper.Win32.Small.gt
Actual infestation was confirmed by Kaspersky Lab virus analysis.

<snip>


Art
http://www.epix.net/~artnpeg

 

[null]

However, I found the downloads from these sites of the subject
software are all Trojanized:

Whoops. Forgot to delete the first one

http://www.hitsquad.com/smm/programs/AbleConverter/download.shtml
http://www.guitar.sk/mp3_ogg_converter.htm
http://www.sharewarejunction.com/download-19906-2.htm
http://www.zdnet.fr/telecharger/windows/fiche/telecharger/0,39033957,39080029s,00.htm

Art
http://www.epix.net/~artnpeg

 

[null]

If you want to do me a favor, and if you're brave <smile> please try
my utility and let me know how you make out.

Never mind. I just withdrew it. My daughter just reported a problem
with it and she's a good non-techy user test case

The "manual" instructions remain at my web site, of course.


Art
http://www.epix.net/~artnpeg

 

[Frederic Bonroy]

Correction. I was just informed by the webmaster that site doesn't
offer downloads. So I was misinformed by a user I was helping.
However, I found the downloads from these sites of the subject
software are all Trojanized:

http://www.all4you.dk/FreewareWorld/links.php
http://www.hitsquad.com/smm/programs/AbleConverter/download.shtml
http://www.guitar.sk/mp3_ogg_converter.htm
http://www.sharewarejunction.com/download-19906-2.htm
http://www.zdnet.fr/telecharger/windows/fiche/telecharger/0,39033957,39080029s,00.htm

I didn't check them all but it seems they all link to the same file on a
Slovakian server. I certainly would have expected ZDNet to pay more
attention to what files it links to... :-(

 

[madmax]

Never mind. I just withdrew it. My daughter just reported a problem
with it and she's a good non-techy user test case

The "manual" instructions remain at my web site, of course.


Art
http://www.epix.net/~artnpeg

What a good scanner
Thank you for info!
-max

--
To help you stay safe see: http://www.geocities.com/maxpro4u/madmax.html
This message is virus free as far as I can tell.
Change nomail.afraid.org to neo.rr.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)

 

[Julian Moss]

The problem of purposely downloaded install files is best addressed as
early as possible, via on-demand scanning. Install files that cannot
be scanned or extracted from and scanned should be deleted. That's a
part of "safe hex", and the best bet. And never d/l from questionable
sources.

It may be safe, but I don't think it's realistically practical. The
most popular setup programs used to distribute application packages are
probably InstallShield, Inno Setup and the Microsoft Installer. I don't
know of a virus scanner that can scan inside any one of them. So there
is no alternative to relying on the real-time scanner to detect the
virus in the application components as they are extracted to the hard
drive during the installation process. That is, unless you want to
restrict the software you use to that which comes in
"install-it-yourself" zip files.

 

[null]

It may be safe, but I don't think it's realistically practical.

Works for me.

The
most popular setup programs used to distribute application packages are
probably InstallShield, Inno Setup and the Microsoft Installer. I don't
know of a virus scanner that can scan inside any one of them.

I don't scan downloads from MS or sources of major application
software such as Mozilla, etc. Never had a malware problem in many
years of internet activity. It's fooling around with untrustworthy
software that gets users into trouble. And they tend to use just one
av scanner since they depend on realtime monitors. That's a formula
for disaster


Art
http://www.epix.net/~artnpeg

 

[null]

What a good scanner

Indeed. I'm happy there's a free KAV-based GUI type on-demand av
available capable of cleaning and updating. It should be a boon to
users who get themselves into deep doodoo.

Thank you for info!

You're welcome.


Art
http://www.epix.net/~artnpeg

 

[Julian Moss]

I don't scan downloads from MS or sources of major application
software such as Mozilla, etc. Never had a malware problem in many
years of internet activity. It's fooling around with untrustworthy
software that gets users into trouble. And they tend to use just one
av scanner since they depend on realtime monitors. That's a formula
for disaster

Nor have I, though I often download free- and shareware utilities
written by small companies (such as my own) and even university
students, using nothing other than my own Tech-Protect GUI shell for
F-Prot for Dos (http://www.tech-pro.net/techprotect.html) for
protection.

What upsets me is that SP2 now puts up dialog boxes when people run
software from sites like mine that say, in effect, that it is not to be
trusted. When the problem is not that it contains malware but that the
developer doesn't make enough money from it to pay Verisign $400 for a
code signing certificate.

 

[Julian Moss]

Indeed. I'm happy there's a free KAV-based GUI type on-demand av
available capable of cleaning and updating. It should be a boon to
users who get themselves into deep doodoo.

I'm intrigued how any KAV based product can be free when no version of
Kaspersky that runs on Windows is available as freeware, as far as I
can see (and I have looked!)

 

[null]

I'm intrigued how any KAV based product can be free when no version of
Kaspersky that runs on Windows is available as freeware, as far as I
can see (and I have looked!)

Antidote SuperLite is based on the KAV scan engine. But it doesn't
offer cleaning:

http://www.vintage-solutions.com/English/Antivirus/Super/

It's also strictly on-demand. It has no updater. The package offered
is updated every Friday.


Art
http://www.epix.net/~artnpeg

 

[null]

Nor have I, though I often download free- and shareware utilities
written by small companies (such as my own) and even university
students, using nothing other than my own Tech-Protect GUI shell for
F-Prot for Dos (http://www.tech-pro.net/techprotect.html) for
protection.

Yes, I took a look at that when you had previously posted the url.
Neat idea. But I have to be frank and untactful as usual, I'm afraid.
F-Prot just rates a B or a B+ for detection. The KAV and McAfee scan
engines get the A

I very definitely have no need for realtime av while using email and
newsgroups due to the safe and sane apps I've chosen to use. The only
"iffy" thing I do is to leave Java Script on all the time while
browsing with Mozilla. You never know when the bad guys might find a
vulnerability and beat the Moz developers to the punch with an
exploit. I do use Proxomitron with some JS correction settings which
probably do increase security somewhat. But basically, I find no need
(yet) for realtime av.

Now, I have thought of one or two possibilities for the use of
realtime scanning. I backup weekly to a cloned drive on a removeable
tray using XXCOPY. I once tried using KAV version 3.5 realtime monitor
while doing the copying. It worked fine, and would have blocked
copying anything it found. It saves the time taken by a full h.d. scan
for routine backing up since XXCOPY only copies newer files.

The other idea that this thread leads me to consider is using the
realtime monitor of KAV during times when I'm installing software or
running it for the first time.

So why don't you design a realtime monitor using MWAVSCAN.COM?
There's also the KAV updater, KAVUPD.EXE in the Escan Toolkit Utility,
so you might be able to put together a complete and truly excellent
package.


Art
http://www.epix.net/~artnpeg

 

[Julian Moss]

So why don't you design a realtime monitor using MWAVSCAN.COM?
There's also the KAV updater, KAVUPD.EXE in the Escan Toolkit Utility,
so you might be able to put together a complete and truly excellent
package.

It's not a trivial consideration to re-implement it using a different
AV package, but at the time I did the version 2.0 update I did look to
see if there were any true 32-bit scanners that were any good and
freely available. I didn't find any. MWAVSCAN is completely unknown to
me, but having looked at the website I don't see anything to lead me to
believe I could use it in the way I use F-Prot.

There's also the factor that I've been an F-Prot fan for many years and
am comfortable with the product. I know what the format of the log it
produces looks like so I can parse the name of the virus out of it and
display it in a GUI dialog.

Tech-Protect uses F-Prot in exactly the form it is provided by Frisk
Software. I don't have to go through some process to extract components
from another package. Personally, I feel that the developer might be
unhappy with me if I did that, but it would also means that I wouldn't
have a package that is a simple install anyone can do. Perhaps F-Prot
isn't consistently among the top scanners these days, but it's still
pretty good when compared with the well known free alternatives like
AVG, Anti-Vir and so on.

 

[null]

Perhaps F-Prot
isn't consistently among the top scanners these days, but it's still
pretty good when compared with the well known free alternatives like
AVG, Anti-Vir and so on.

Indeed.


Art
http://www.epix.net/~artnpeg

 

[Bart Bailey]

When the problem is not that it contains malware but that the
developer doesn't make enough money from it to pay Verisign $400 for a
code signing certificate.

There have already been work-arounds for such a contingency:
http://news.com.com/2100-1001-254586.html?legacy=cnet