OT, sort of - Malware scanning


KenK

I use XP Home though it's likely not relevant to my question.

I use Kaspersky Internet Security. I DL malware data every day - today it
was 950K. Over time many G. Then I scan.

My question: How in the world do Kaspersky, Norton, and others compare the
files on my system to all their data so extremely quickly when I scan my
disk? Is there some 'magic' indicator of malware that is easy to quickly
catch? I doubt it. Does it keep track of files previously checked and skip
them? Maybe it's a closely guarded secret?

Just curious. Any ideas?

TIA
 

Paul in Houston TX

KenK said:
I use XP Home though it's likely not relevant to my question.

I use Kaspersky Internet Security. I DL malware data every day - today it
was 950K. Over time many G. Then I scan.

My question: How in the world do Kaspersky, Norton, and others compare the
files on my system to all their data so extremely quickly when I scan my
disk? Is there some 'magic' indicator of malware that is easy to quickly
catch? I doubt it. Does it keep track of files previously checked and skip
them? Maybe it's a closely guarded secret?

Just curious. Any ideas?

TIA

They keep track of the files already on your computer.
Usually by assigning a byte count code.
It works good enough most of the time.

I don't use any active anti-vir at all on this machine,
however I know my computers and when I do scan it's from
a Linux boot disk. On this comp it takes 4+ hours to do a
complete scan of 2 or more drives, depending how many I have
plugged in at the time. The w7 laptop takes 2 hours.
Malwarebytes takes 2 hours on this machine.
 

KenK

This makes no sense at all...
"I use Kaspersky Internet Security. I DL malware data every day -
today it was 950K. Over time many G. Then I scan."

"I DL malware data every day"
Does that mean you download malware deliberately everyday ?

What are you "really" asking ?

The "Database Signatures" updates Kaspersky uses to check files for
malware.
 

Paul

KenK said:
I use XP Home though it's likely not relevant to my question.

I use Kaspersky Internet Security. I DL malware data every day - today it
was 950K. Over time many G. Then I scan.

My question: How in the world do Kaspersky, Norton, and others compare the
files on my system to all their data so extremely quickly when I scan my
disk? Is there some 'magic' indicator of malware that is easy to quickly
catch? I doubt it. Does it keep track of files previously checked and skip
them? Maybe it's a closely guarded secret?

Just curious. Any ideas?

TIA

You're downloading "AV definitions".

The download would normally be a "delta". The comms with Kaspersky
would be like "I have file 1234", and "oh, you need file 1235 then",
and then 1235 is downloaded. If you were to erase 1234, then I presume
they would inventory the files in the "store" they use, and you'd
end up downloading a new copy.

Actually, having had a Kaspersky subscription for a year, it's
a mess in there. They never seem to clean anything up! Whatever
mess they make, just stays there. No attempt is made to remove
unneeded files.

*******

There are a couple ways to detect malware. Signature and heuristics (behavior).
The definition files should contain signatures. They look at the scanned files,
for similarities to the megabytes of signatures in the "store". I'm not up on
all the details, but there can also be polymorphism involved.

http://en.wikipedia.org/wiki/Antivirus_software

"Although the signature-based approach can effectively contain virus
outbreaks, virus authors have tried to stay a step ahead of such
software by writing "oligomorphic", "polymorphic" and, more recently,
"metamorphic" viruses, which encrypt parts of themselves or otherwise
modify themselves as a method of disguise, so as to not match virus
signatures in the dictionary."

The other form of protection, is heuristics. Perhaps you get an occasional
download, which is an addition to the code base of the scanner. And
while using its real-time protection, it watches for "evil activity".

To give an example on Kaspersky, an example I hate, Kaspersky got
in the habit of flagging *every* access to the system random number
generator. Random numbers are used as a seed for some encryption processes.
Knowing the random numbers used, might weaken encryption, and make it
possible for malware to "crack something". Well, just about every program
on the machine, was accessing the random number generator (eight times!).
And the steady flow of warning dialogs was driving me crazy. So, that's
heuristics for you. You'd be amazed "how many yards of trip wire
and frags" are loaded in the computer, when you use an AV :)
It's no longer your computer - it belongs to the AV product.

Paul
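As an added illustration of the two ideas raised in the thread (Paul in Houston TX's "byte count" bookkeeping of files already scanned, and Paul's signature "store"), here is a toy scanner of my own; it is not Kaspersky's or any vendor's code and not from the posts above. It skips files whose size and modification time are unchanged since they were last judged with the current definitions version, and rescans everything when the definitions version changes. The signature patterns, file names and file contents are constructed and inert.

```python
import os
import tempfile

# Constructed toy signature store (example only, not any vendor's database):
# detection name -> byte pattern that must appear somewhere in the file.
SIGNATURES = {
    "Test.Marker.A": b"MALICIOUS_MARKER_A",
    "Test.Marker.B": b"MALICIOUS_MARKER_B",
}

def match_signatures(data, signatures):
    """Return the sorted names of every signature pattern found in the data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)

def scan_file(path, cache, signatures, sig_version):
    """Scan one file, but skip the expensive read-and-match step when the
    cache says the file is unchanged AND was last judged with the current
    definitions. Cache key: path; entry: size, mtime, sig_version, verdict.
    Returns (verdict, rescanned)."""
    st = os.stat(path)
    entry = cache.get(path)
    if (entry and entry["size"] == st.st_size and entry["mtime"] == st.st_mtime
            and entry["sig_version"] == sig_version):
        return entry["verdict"], False          # cheap path: metadata unchanged
    with open(path, "rb") as fh:
        data = fh.read()
    verdict = match_signatures(data, signatures)
    cache[path] = {"size": st.st_size, "mtime": st.st_mtime,
                   "sig_version": sig_version, "verdict": verdict}
    return verdict, True

def demo():
    """Constructed walk-through: scan two files twice with the same definitions
    (second pass hits the cache), then once more after a definitions update
    (cache is invalidated and every file is rescanned)."""
    cache = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "notes.txt")
        bad = os.path.join(tmp, "sample.bin")
        with open(clean, "wb") as fh:
            fh.write(b"nothing to see here")
        with open(bad, "wb") as fh:
            fh.write(b"\x90\x90MALICIOUS_MARKER_A\x90")   # constructed, inert
        first = [scan_file(p, cache, SIGNATURES, 1) for p in (clean, bad)]
        second = [scan_file(p, cache, SIGNATURES, 1) for p in (clean, bad)]
        updated = [scan_file(p, cache, SIGNATURES, 2) for p in (clean, bad)]
    return first, second, updated
```

A real product also has to protect the cache itself from tampering, since a cache that says "already clean" is exactly what malware would want to forge; size and mtime alone are not a proof of identity.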
 

KenK

Paul said:
You're downloading "AV definitions".

The download would normally be a "delta". The comms with Kaspersky
would be like "I have file 1234", and "oh, you need file 1235 then",
and then 1235 is downloaded. If you were to erase 1234, then I presume
they would inventory the files in the "store" they use, and you'd
end up downloading a new copy.

Actually, having had a Kaspersky subscription for a year, it's
a mess in there. They never seem to clean anything up! Whatever
mess they make, just stays there. No attempt is made to remove
unneeded files.

*******

There are a couple ways to detect malware. Signature and heuristics
(behavior). The definition files should contain signatures. They look
at the scanned files, for similarities to the megabytes of signatures
in the "store". I'm not up on all the details, but there can also be
polymorphism involved.

http://en.wikipedia.org/wiki/Antivirus_software

"Although the signature-based approach can effectively contain
virus
outbreaks, virus authors have tried to stay a step ahead of such
software by writing "oligomorphic", "polymorphic" and, more
recently, "metamorphic" viruses, which encrypt parts of
themselves or otherwise modify themselves as a method of
disguise, so as to not match virus signatures in the dictionary."

The other form of protection, is heuristics. Perhaps you get an
occasional download, which is an addition to the code base of the
scanner. And while using its real-time protection, it watches for
"evil activity".

To give an example on Kaspersky, an example I hate, Kaspersky got
in the habit of flagging *every* access to the system random number
generator. Random numbers are used as a seed for some encryption
processes. Knowing the random numbers used, might weaken encryption,
and make it possible for malware to "crack something". Well, just
about every program on the machine, was accessing the random number
generator (eight times!). And the steady flow of warning dialogs was
driving me crazy. So, that's heuristics for you. You'd be amazed "how
many yards of trip wire and frags" are loaded in the computer, when
you use an AV :) It's no longer your computer - it belongs to the AV
product.

Paul

What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to remove
than a virus. I tried free AVs but got malware.

TIA
 

Paul

KenK said:
What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to remove
than a virus. I tried free AVs but got malware.

TIA

There is probably a proportionality. "It can't be good, unless it's
obnoxious." :)

I haven't the budget, to test all of them.

You can try the charts here. The "Real World Protection Test", shows
Kaspersky, and Trend Micro did well. With some others following close behind
(BitDefender). I don't see a chart for "obnoxious" though :)

http://chart.av-comparatives.org/chart1.php

Paul
 

Gene & Betty

KenK said:
What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to remove
than a virus. I tried free AVs but got malware.

TIA


I'm sure that everyone will have their own preference in AV programs, but
mine, for the last year or so, has served me well. Like you, I have had
Norton and it was a PITA. The only thing good that I got out of it was
Ghost, included free, and now I understand Norton will no longer be building
Ghost, so I have had to find a replacement for that too. OK let me get down
from my soap box here. My AV of choice? AVAST! free.

http://www.avast.com/index

You will still have to use Windows firewall, unless you buy their pro
version, but it all works together fine. Oh, in case you're interested; to
replace Ghost I use Macrium Reflect, also free

http://www.macrium.com/reflectfree.aspx

If the links don't work copy and paste them to your browser.

Good luck,
Gene
 

Zaphod Beeblebrox

On Fri, 19 Jul 2013 09:26:25 -0700, "Gene & Betty"
I'm sure that everyone will have their own preference in AV programs, but
mine, for the last year or so, has served me well. Like you, I have had
Norton and it was a PITA. The only thing good that I got out of it was
Ghost, included free, and now I understand Norton will no longer be building
Ghost, so I have had to find a replacement for that too. OK let me get down
from my soap box here. My AV of choice? AVAST! free.

http://www.avast.com/index

You will still have to use Windows firewall, unless you buy their pro
version, but it all works together fine. Oh, in case you're interested; to
replace Ghost I use Macrium Reflect, also free

http://www.macrium.com/reflectfree.aspx

If the links don't work copy and paste them to your browser.
Another vote for Avast! I switched to it when I felt like Kaspersky was
becoming too much of a resource hog and have never regretted it.

--
Zaphod

Arthur: All my life I've had this strange feeling that there's
something big and sinister going on in the world.
Slartibartfast: No, that's perfectly normal paranoia. Everyone in the
universe gets that.
 

J. P. Gilliver (John)

In message <[email protected]>, KenK
What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to remove
than a virus. I tried free AVs but got malware.
[]
Do you mean you got malware as part of the free AVs, or despite the free
AVs?

(FWIW I run Avira [with ClickOff], and KPF 2.1.5 [from 2003!]. I've
heard claims against Avira, but have never had any problems.)
 

KenK

In message <[email protected]>, KenK
What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to remove
than a virus. I tried free AVs but got malware.
[]
Do you mean you got malware as part of the free AVs, or despite the free
AVs?
Despite.

(FWIW I run Avira [with ClickOff], and KPF 2.1.5 [from 2003!]. I've
heard claims against Avira, but have never had any problems.)
 

Zaphod Beeblebrox

On Sat, 20 Jul 2013 14:54:43 -0400, "David H. Lipman"
From: "KenK said:
In message <[email protected]>, KenK
[]
What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to
remove
than a virus. I tried free AVs but got malware.
[]
Do you mean you got malware as part of the free AVs, or despite the free
AVs?
Despite.

(FWIW I run Avira [with ClickOff], and KPF 2.1.5 [from 2003!]. I've
heard claims against Avira, but have never had any problems.)

Free or paid-for, there is no difference. They use the same signatures and
they both perform "On Access" and "On Demand" scanning.

Help me to understand, it isn't clear to me based on context - are you
saying that all free or paid for AVs use the same signatures (as in,
Avast free edition and McAfee paid edition both use the same
signatures) or that the free and paid editions of a particular AV suite
use the same signatures (as in Avast free and Avast paid editions both
use the same signatures).

--
Zaphod

"So [Trillian], two heads is what does it for a girl?"
"...Anything else [Zaphod]'s got two of?"
- Arthur Dent
 

KenK

From: "Zaphod Beeblebrox said:
On Sat, 20 Jul 2013 14:54:43 -0400, "David H. Lipman"
From: "KenK" <[email protected]>

[email protected]:

In message <[email protected]>, KenK
[]
What do you recommend instead of Kaspersky, if you have something
you like? I used to use Norton long ago but it got so it was
harder to remove
than a virus. I tried free AVs but got malware.
[]
Do you mean you got malware as part of the free AVs, or despite
the free
AVs?

Despite.

(FWIW I run Avira [with ClickOff], and KPF 2.1.5 [from 2003!].
I've heard claims against Avira, but have never had any problems.)

Free or paid-for, there is no difference. They use the same
signatures and
they both perform "On Access" and "On Demand" scanning.

Help me to understand, it isn't clear to me based on context - are
you saying that all free or paid for AVs use the same signatures (as
in, Avast free edition and McAfee paid edition both use the same
signatures) or that the free and paid editions of a particular AV
suite use the same signatures (as in Avast free and Avast paid
editions both use the same signatures).

Different anti-malware vendors use different signatures and criteria
for the signatures as well as criteria for declarations of greyware
and Potentially Unwanted Programs (PUPs).

Within a given anti-malware vendor that offers a free vs paid-for
version, the signature base is the same.

Vendors may apply different signatures for different products
targeting a different subset of malware.

For example Microsoft.
All their programs use the same engine but Windows Defender uses a
different signature base than Security Essentials and the MS MRT uses
a subset of the signature base used by Security Essentials.

I hope this helps and does not make it more confusing.

Thank you. Very useful information.
 

Zaphod Beeblebrox

On Mon, 22 Jul 2013 12:10:22 -0400, "David H. Lipman"
From: "Zaphod Beeblebrox said:
On Sat, 20 Jul 2013 14:54:43 -0400, "David H. Lipman"
From: "KenK" <[email protected]>

[email protected]:

In message <[email protected]>, KenK
[]
What do you recommend instead of Kaspersky, if you have something you
like? I used to use Norton long ago but it got so it was harder to
remove
than a virus. I tried free AVs but got malware.
[]
Do you mean you got malware as part of the free AVs, or despite the
free
AVs?

Despite.

(FWIW I run Avira [with ClickOff], and KPF 2.1.5 [from 2003!]. I've
heard claims against Avira, but have never had any problems.)

Free or paid-for, there is no difference. They use the same signatures
and
they both perform "On Access" and "On Demand" scanning.

Help me to understand, it isn't clear to me based on context - are you
saying that all free or paid for AVs use the same signatures (as in,
Avast free edition and McAfee paid edition both use the same
signatures) or that the free and paid editions of a particular AV suite
use the same signatures (as in Avast free and Avast paid editions both
use the same signatures).

Different anti-malware vendors use different signatures and criteria for the
signatures as well as criteria for declarations of greyware and Potentially
Unwanted Programs (PUPs).

Within a given anti-malware vendor that offers a free vs paid-for version,
the signature base is the same.

Vendors may apply different signatures for different products targeting a
different subset of malware.

For example Microsoft.
All their programs use the same engine but Windows Defender uses a different
signature base than Security Essentials and the MS MRT uses a subset of the
signature base used by Security Essentials.

I hope this helps and does not make it more confusing.

It does clarify things and it is what I thought you were saying -
otherwise I'd have had to disagree ;-)
 
