Which Anti Virus to use?

Thread starter: Dan
Hi, Chris,

Been wondering what happened to you.
False positives as in detecting something as being a part of a named
malware when it was not?

Yes. Detecting various items as being CoolWebSearch. Most notably detecting
the Microsoft IE5 Web Accessories as CoolWebSearch components.
Or in rating an edgy app as malware when you wouldn't judge it that?

No. I don't run edgy apps.
Or raising general heuristic alerts on things that were harmless?

Haven't seen anything like that in a long time (lol!, you could probably say
since I stopped using NAV2001!).
I'd consider only the first as a true false positive, e.g. detecting
signature material within an av product as if it were that malware.
If you know of any cases of this, please list them here, as these are
serious flaws we would wish to act on. In the harder test traditions
of the av industry, one false positive can disqualify a product.

There's a big list somewhere - that I'm 99% certain Ron knows about. I don't
really see why he's so positive about it. Anyone serious about testing MSAV
should know about these false positives and I can only imagine the knowledge
is being repressed in a lot of cases.
The second is always going to be controversial when you expand malware
beyond viruses and criminal trojans to generally unwanted commercial
software, as one must do in the 21st century. If anything, MSAS has
been accused of being too weak; they detect things OK, but the advice
on what to do about these detections may be too "soft" for comfort.

The last is simply the way risk management works. Malware scanners
use the blacklist approach when they tell you they blocked a named
malware recognised as such; they use the whitelist approach when they
block all risk behaviors until you indicate it's OK for that
particular program to initiate that particular risk.

So if by "false positive", you mean "I ran a batch file I wrote, and
MSAS popped up a dialog warning me a script was trying to run", then
welcome to the world of risk management - that's not a "false
positive" because it's not a malware detection as such.

http://groups.google.com/group/micr...lse+positive+silj+shane&#doc_519f496d39602241

http://tinyurl.com/7e4kg


Shane

--



The Sugitive

Chapter One: http://tinyurl.com/bcevp

Chapter Two: http://tinyurl.com/ag92o

Chapter Three: Coming to an URL near you soon!
 
Hi, Chris,
Hi!

Been wondering what happened to you.

I went to Vancouver / Seattle / London, came back for a month, then
went to Kuala Lumpur and NZ for a month, from where I've just
returned. I was pretty much out of ngs for that time :-)
Yes. Detecting various items as being CoolWebSearch. Most notably detecting
the Microsoft IE5 Web Accessories as CoolWebSearch components.

That's interesting! These IE5 web accessories; are they part of IE5
and later, or an add-on? I do hardly any pre-XP NT here, so I never
see MSAS running with IE5 as MSAS doesn't run on Win9x and XP starts
with IE6 and versions up from there.

So far, the only commercial malware false-positive I see is AdAware
detecting a crusty old GoHip cleaning utility as GoHip. I'm used to
Spybot shrieking about a setting that's no longer relevant (the risk
has since been fixed at another level) as well as IE's built-in "Alexa
Related" being cited as cm. The closest to false-positive behavior
I've heard related to MSAS was a propensity to delete the user's
"Kazaa Shared Folder" when "cleaning" Kazaa.

OTOH, my favorite interventional av (AntiVir 6) is definitely prone to
false positives, such as signature material within other av scanners,
and material quarantined by other tools. To be fair to AntiVir 6, the
report phrasing suggests a "blurred" detection; it says "signature of
malware XXX found in file YYY" rather than "malware XXX detected", as
it does when it is "sure" it's found a bad guy.
No. I don't run edgy apps.
:-)
Haven't seen anything like that in a long time (lol!, you could probably say
since I stopped using NAV2001!).

I see it a fair bit, as I often use my own .BAT as Tasks; it's like
training a firewall's egress monitoring, you just go [x] Don't ask me
again for this detection and then click Allow. It reports .REG, .BAT
and AFAICR .CMD activity as "scripts", if that real-time protection
feature is not disabled. I guess if you disable all the real-time
stuff - as I often, but not always, do - you won't see this.

Because MSAS can't run from Bart, can't run without being installed,
and can't install from Safe Mode (unless you start the Windows
Installer service), I don't find it useful as a primary intervention
scanner. By the time I use MSAS, I've already done detect-only scans
with AdAware and Spybot from Bart, and search-and-destroy passes with
both of these from Safe and normal account boot modes.

So I use MSAS as a back-stop to the other two scanners, and leave it
resident where a lot of commercial malware was found (thus strongly
suggesting useless user bad habits). In such cases, I often do leave
the real-time protection features in effect.
There's a big list somewhere - that I'm 99% certain Ron knows about. I don't
really see why he's so positive about it. Anyone serious about testing MSAV
should know about these false positives and I can only imagine the knowledge
is being repressed in a lot of cases.

Ahhh... wait a moment, are you talking MSAS (MS AntiSpyware Beta) or
MSAV (presumably as per OneCare, rather than ye olde DOS 6.xx)? I
haven't played with OneCare or associated av at all.

That's MSAS...

...as is that (in fact, looks like the same URL target)


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
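Shane's definition above of a true false positive (signature material inside another av product being detected as that malware) and cquirke's note on AntiVir 6 phrasing such hits as "signature of malware XXX found in file YYY" rather than "malware XXX detected" describe the same mechanism from two sides. The following is an added example, not code from the thread or from AntiVir, MSAS or any other product named in it: a toy scanner that shows why plain substring matching fires on another vendor's signature database and on a quarantine file that stores its sample in the clear, and how a scanner can keep a confident verdict apart from a blurred one. The "Demo.Trojan" name, the signature bytes, the file layouts and the container markers are all constructed for illustration.

```python
"""Toy signature scanner: why 'signature material' looks like malware.

Added example, not code from the thread or from any product.  Everything
below (the family name, signature bytes, file layouts, container markers)
is constructed for illustration.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    SIGNATURE_FOUND = "signature of malware found in file"  # blurred hit
    MALWARE_DETECTED = "malware detected"                    # confident hit


# Constructed detection string for the hypothetical family "Demo.Trojan".
SIG_NAME = "Demo.Trojan"
SIG_BYTES = b"DEMO-TROJAN-MARKER-7f3a"

# Constructed executables: an MZ header, filler, then a body.
INFECTED_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20 + SIG_BYTES + b"\xc3"
CLEAN_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20 + b"hello, world\xc3"

# Whole-file hashes of samples the scanner is certain about: the "blacklist".
KNOWN_BAD_SHA256 = {hashlib.sha256(INFECTED_EXE).hexdigest(): SIG_NAME}

# Two files that merely *contain* the signature bytes:
#  - a hypothetical other vendor's signature database, stored in the clear,
#  - a hypothetical quarantine container that stores the sample verbatim.
OTHER_AV_SIGDB = b"SIGDB\x01" + SIG_NAME.encode() + b"=" + SIG_BYTES + b"\n"
QUARANTINE_RAW = b"QRNT" + len(INFECTED_EXE).to_bytes(4, "little") + INFECTED_EXE
# Same container format, but XOR-masking the payload: the marker no longer
# appears in the clear, so a substring scanner never fires on it.
QUARANTINE_XOR = b"QRNT" + len(INFECTED_EXE).to_bytes(4, "little") + bytes(
    b ^ 0xFF for b in INFECTED_EXE)


def looks_like_executable(data: bytes) -> bool:
    """Minimal check: DOS/PE files start with 'MZ'."""
    return data.startswith(b"MZ")


def naive_scan(data: bytes) -> Verdict:
    """Substring matching only: any file holding the bytes is 'malware'."""
    return Verdict.MALWARE_DETECTED if SIG_BYTES in data else Verdict.CLEAN


def context_scan(data: bytes) -> Verdict:
    """Substring match, then decide how sure we are.

    Confident only when the whole file is a known sample or the file is
    itself an executable.  Signature bytes inside a non-executable container
    (another scanner's database, a quarantine file, a text file) get the
    blurred verdict so the user can judge it instead of losing the file.
    """
    if SIG_BYTES not in data:
        return Verdict.CLEAN
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return Verdict.MALWARE_DETECTED
    if looks_like_executable(data):
        return Verdict.MALWARE_DETECTED
    return Verdict.SIGNATURE_FOUND


def scan_files(scanner, files: dict[str, bytes]) -> dict[str, str]:
    """Run one scanner over a name->bytes map, returning name->verdict text."""
    return {name: scanner(data).value for name, data in files.items()}


if __name__ == "__main__":
    samples = {
        "trojan.exe": INFECTED_EXE,
        "notepad.exe": CLEAN_EXE,
        "othervendor.sigdb": OTHER_AV_SIGDB,
        "quarantine_raw.qrt": QUARANTINE_RAW,
        "quarantine_xor.qrt": QUARANTINE_XOR,
    }
    for label, scanner in (("naive", naive_scan), ("context", context_scan)):
        print(label)
        for name, verdict in scan_files(scanner, samples).items():
            print(f"  {name:20s} {verdict}")
```

The naive scanner calls all three files carrying the marker "malware detected", which is exactly the false positive the thread describes; the context scanner is only confident about the executable and reports the database and the raw quarantine file as a blurred hit. The XOR-masked quarantine file is clean to both, which is why quarantine formats that obfuscate their payload do not trip other scanners.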
 
Dan said:
Presently using Norton 05 Internet, and Webroot Spyware. Does
Microsoft offer adequate safe coverage? I have 2 PCs linked by
Linksys wireless.

I don't use any AntiVirus software, I don't get viruses,
I use common sense, I know how to set up as to keep viruses out, I use
a firewall, I screen everything and have had pretty good luck (so far).
I've been on-line since 1991
and have had 1 virus. (Jerusalem, around 1992).

I don't recommend this for anyone else. As to AV software,
None of them are worth a crap. My friends all use the stuff and have
all kinds of problems, incl. viruses. I don't have computer problems.

Dragunov
 
Dragunov said:
I don't use any AntiVirus software, I don't get viruses,
I use common sense, I know how to set up as to keep viruses out, I use
a firewall, I screen everything and have had pretty good luck (so far).
I've been on-line since 1991
and have had 1 virus. (Jerusalem, around 1992).

I don't recommend this for anyone else. As to AV software,
None of them are worth a crap. My friends all use the stuff and have
all kinds of problems, incl. viruses. I don't have computer problems.


Oh, you do! You do! But in your case it's the organic one.


Shane


 
cquirke (MVP Windows shell/user) said:
I went to Vancouver / Seattle / London, came back for a month, then
went to Kuala Lumpur and NZ for a month, from where I've just
returned. I was pretty much out of ngs for that time :-)

Pretty much exhausted the intelligent English-speaking location possibilities
then!
That's interesting! These IE5 web accessories; are they part of IE5
and later, or an add-on? I do hardly any pre-XP NT here, so I never
see MSAS running with IE5 as MSAS doesn't run on Win9x and XP starts
with IE6 and versions up from there.

An IE5 add-on that works just as well in IE6 (and iirc - not running it
right now - IE7). These
http://www.microsoft.com/windows/ie/previous/webaccess/default.mspx, or
components thereof.
So far, the only commercial malware false-positive I see is AdAware
detecting a crusty old GoHip cleaning utility as GoHip. I'm used to
Spybot shrieking about a setting that's no longer relevant (the risk
has since been fixed at another level) as well as IE's built-in "Alexa
Related" being cited as cm. The closest to false-positive behavior
I've heard related to MSAS was a propensity to delete the user's
"Kazaa Shared Folder" when "cleaning" Kazaa.

I've gotta admit, I'm so bored (read 'complacent') at never finding
anything, that I haven't run a scan in a long time. Best get round to it I
s'pose.
OTOH, my favorite interventional av (AntiVir 6) is definitely prone to
Really!

false positives, such as signature material within other av scanners,
and material quarantined by other tools. To be fair to AntiVir 6, the
report phrasing suggests a "blurred" detection; it says "signature of
malware XXX found in file YYY" rather than "malware XXX detected", as
it does when it is "sure" it's found a bad guy.

Yeah, funny that. I'd prefer if they all put it that way. It's getting the
non-scientifically-minded to understand that seems - to me anyhow - to be
the sticking point. On one hand I'd rather the public leave it to the
specialist to sort out and on the other I wish the public would learn to do
it themselves!
No. I don't run edgy apps.
:-)
Haven't seen anything like that in a long time (lol!, you could probably
say
since I stopped using NAV2001!).

I see it a fair bit, as I often use my own .BAT as Tasks; it's like
training a firewall's egress monitoring, you just go [x] Don't ask me
again for this detection and then click Allow. It reports .REG. .BAT
and AFAICR .CMD activity as "scripts", if that real-time protection
feature is not disabled. I guess if you disable all the real-time
stuff - as I often, but not always, do - you won't see this.

Because MSAS can't run from Bart, can't run without being installed,
and can't install from Safe Mode (unless you start the Windows
Installer service), I don't find it useful as a primary intervention
scanner. By the time I use MSAS, I've already done detect-only scans
with AdAware and Spybot from Bart, and search-and-destroy passes with
both of these from Safe and normal account boot modes.

Quite a while since I tested Bart, too. Looks like the possibilities have
increased reassuringly - or at least are being exploited more. Must look at
the plugin situation. Or do you write your own these days? Anyway, can't
really find the time 'til Christmas is over (and the goose has gotten flat).
So I use MSAS as a back-stop to the other two scanners, and leave it
resident where a lot of commercial malware was found (thus strongly
suggesting useless user bad habits). In such cases, I often do leave
the real-time protection features in effect.

Time to test it again, I guess. Though I'm beginning to feel remiss to the
nth degree!
Ahhh... wait a moment, are you talking MSAS (MS AntiSpyware Beta) or
MSAV (presumably as per OneCare, rather than ye olde DOS 6.xx)? I
haven't played with OneCare or associated av at all.

When I was halfway through my original response I suddenly wondered if I'd
misread, seeing as how the subject is about AV and I was talking about MSAS!
So, while I verified I was indeed responding to comments about MSAS, I
appear to have begun referring to MSAV!

Not only have I not played with OneCare, I hadn't even heard of it! As for
6.22 I can't be bothered to run it anymore (finally!).
That's MSAS...


...as is that (in fact, looks like the same URL target)

Yeah. I probably shouldn't do that. I guess it's a bit like my onmouseover
javascript, an exercise in redundancy I've forgotten the point of!

Where'd you go in London? btw I just saw the John Nichol docu in which he
goes up in one of the Lightnings at Thunder City! Far out!

Shane

 
"cquirke (MVP Windows shell/user)" wrote

(on MSAS false-positives)
An IE5 add-on that works just as well in IE6 (and iirc - not running it
right now - IE7). These
http://www.microsoft.com/windows/ie/previous/webaccess/default.mspx, or
components thereof.

OK. I usually prefer to disable all browser enhancements, using
Firefox or IE7 beta if I want an integrated search bar.

Really, that it false-positives, or Really, that I dig AntiVir 6?

I used to think of it (by reputation, untested) as behind Antivir,
which in turn was behind AVG. I was pleasantly surprised to find it's
clean to install, survives scraping over, works from Bart, doesn't run
underfoot (resident) unless you force it to, and detects a lot more
than most things, esp. trojans and fringe commercial malware.

So it's really good as a second or intervention scanner. As AVG 7
cannot be used any other way, I still use that as primary/resident av.
Quite a while since I tested Bart, too. Looks like the possibilities have
increased reassuringly - or at least are being exploited more. Must look at
the plugin situation. Or do you write your own these days?

Yep. The plugin thing is quite easy and powerful, most apps that will
run when scraped over (as opposed to being installed) to a new PC,
will work as plugins, but you need to use RunScanner plugin if you
want the inactive HD registry to be accessed, instead of Bart's.

OTOH, if there's a lot of dropped system .DLLs and CLSID stuff, it can
get very daunting indeed. Dependency Walker helps.
As for 6.22 I can't be bothered to run it anymore (finally!).

I still have a site on 6.21, I don't think they'll upgrade to 6.22
Where'd you go in London? btw I just saw the John Nichol docu in which he
goes up in one of the Lightnings at Thunder City! Far out!

I stayed in a B&B on Vincent Square, which is between Victoria Station
and the river. After Vancouver and Seattle, which are lovely but
somewhat generic cities, London felt like an OTT "London" theme park,
and when I saw the lovely old B&B (a huge arched and gargoyle'd
edifice that reminded me of Hogwarts) I just grinned from ear to ear!

Thunder City, just outside Cape Town? Yep, they got Lightning, Hunter
and Buccaneer there, and other lovely old birds in CT include Dakotas
(still in use, mostly with turboprop engine refits tho), a Shackleton,
a Ju-52 (!!) and a Bell Iroquois in 'nam-style paint.

I went to an air show in CT lately, and it was interesting to see how
many military jet aircraft were in fact privately owned and operated.
In addition to the Thunder City crew, there was the Sasol Tigers
flying four Czech Delfins, and outside the show I saw three yellow
Hunters that are run/sponsored by M-Net.


 
OK. I usually prefer to disable all browser enhancements, using
Firefox or IE7 beta if I want an integrated search bar.

I have Firefox set as default. Mostly - these days - I install web
accessories just for the Add to Trusted/Add to Restricted buttons. Only
search bar I use is Google (in Advanced Features Disabled mode) but, like I
say, I use FF anyway.
Really, that it false-positives, or Really, that I dig AntiVir 6?

The 'dig' one. Wasn't ready for that revelation but then I have been off the
scene myself much of the last few months (and especially the last
couple...you know about the 'crash'? You appear to have been out of the loop
at the time...*or were you!!*...My God, suddenly it's all so clear! <g>).
I used to think of it (by reputation, untested) as behind Antivir,
which in turn was behind AVG. I was pleasantly surprised to find it's
clean to install, survives scraping over, works from Bart, doesn't run
underfoot (resident) unless you force it to, and detects a lot more
than most things, esp. trojans and fringe commercial malware.

So it's really good as a second or intervention scanner. As AVG 7
cannot be used any other way, I still use that as primary/resident av.

I'll try it. Thanks for the tip.
Yep. The plugin thing is quite easy and powerful, most apps that will
run when scraped over (as opposed to being installed) to a new PC,
will work as plugins, but you need to use RunScanner plugin if you
want the inactive HD registry to be accessed, instead of Bart's.

OTOH, if there's a lot of dropped system .DLLs and CLSID stuff, it can
get very daunting indeed. Dependency Walker helps.

Thanks.


I still have a site on 6.21, I don't think they'll upgrade to 6.22
:-)


I stayed in a B&B on Vincent Square, which is between Victoria Station
and the river. After Vancouver and Seattle, which are lovely but
somewhat generic cities, London felt like an OTT "London" theme park,
and when I saw the lovely old B&B (a huge arched and gargoyle'd
edifice that reminded me of Hogwarts) I just grinned from ear to ear!

Yeah, the 'theme park' thought is about right. It's disappointing how
unresidential 'town' is - as opposed to, for instance, Paris - but it's
fabulous for travelling around in doing the sights. Now that I've moved out
I miss it terribly. My last year there I finally got round to seeing places
I always intended to but had somehow always found an excuse not to - usually
'just not in the mood!' - and would get a Travelcard and spend half a day
just going from one end to another and as many places in between as I could
think of that evening. Of course, just riding the Tube is a history tour in
itself!
Thunder City, just outside Cape Town? Yep, they got Lightning, Hunter
and Buccaneer there, and other lovely old birds in CT include Dakotas
(still in use, mostly with turboprop engine refits tho), a Shackleton,
a Ju-52 (!!) and a Bell Iroquois in 'nam-style paint.

I'm starting to consider going. I often overlook, in the enthusiasm for
seeing these engineering works of art, that they come with the sort of
people smart enough to appreciate them.
I went to an air show in CT lately, and it was interesting to see how
many military jet aircraft were in fact privately owned and operated.
In addition to the Thunder City crew, there was the Sasol Tigers
flying four Czech Delfins, and outside the show I saw three yellow
Hunters that are run/sponsored by M-Net.

Great stuff! Saw a lot of old stuff flying over the house after Fairford
this year, eg MiG-21s, which I'd never seen before, and a couple of
Phantoms. The Italian air display team flying home in formation. I'd have
gone but for my father being in hospital. Wherever I go these days the RAF
VC10s seem to be following me and I'm beginning to feel they owe me a flight
(before they get retired very soon now).
Don't pay malware vendors - boycott Sony

I was of a similar frame of mind, but have been given a new Cybershot! Well,
at least that wasn't what came with the $crap$ - and I have the various
rootkit scanners.

Shane


 
On Sat, 31 Dec 2005 12:22:55 -0000, "Shane" wrote:
The 'dig' one. Wasn't ready for that revelation but then I have been off the
scene myself much of the last few months (and especially the last
couple...you know about the 'crash'? You appear to have been out of the loop
at the time...*or were you!!*...My God, suddenly it's all so clear! <g>).

Still murky here... yes, I was geographically disturbed (in a guud
way) for the last few months, but I'm all better now.
I'll try it. Thanks for the tip.
YW...
Yeah, the 'theme park' thought is about right. It's disappointing how
unresidential 'town' is - as opposed to, for instance, Paris

I've only spent 2 nights in Paris in 1983, so I don't know much about
the place - especially as I don't understand French and wasn't a big
city walker in those days (constrained by family and tour group ties)
- but it's fabulous for travelling around in doing the sights.

My fave are the canals. It's an expensive place, tho.
Of course, just riding the Tube is a history tour in itself!

Yeah - it's palpable in the older stations especially. Right now,
Kuala Lumpur is my fave city, and the monorail there's quite a trip;
it banks round corners, but not in a way that makes it easier standing
up, somehow. Use of those roof handle thingies is recommended++
Great stuff! Saw a lot of old stuff flying over the house after Fairford
this year, eg MiG 21's, which I'd never seen before, and a couple of
Phantoms. The Italian air display team flying home in formation. I'd have
gone but for my father being in hospital. Wherever I go these days the RAF
VC10s seem to be following me and I'm beginning to feel they owe me a flight

I haven't seen any of those in the metal, heh
I was of a similar frame of mind, but have been given a new Cybershot! Well,
at least that wasn't what came with the $crap$ - and I have the various
rootkit scanners.

It's tricky with commercial malware, especially DRM-related; can you
trust your scanner vendor to detect it? My stance on Sony is
pragmatic as much as it is punitive; as a tech who has to support what
he builds and sells, I don't consider Sony trustworthy when it comes
to software bundled with optical writers and so on, much less laptops
and their BIOSs. Who knows when they'll try it on again?

Camera should be OK, in that it would stretch plausible deniability to
drop DRM malware from software that comes with a camera.

My new camera's another Canon, after my beloved 4Mp Ixus bit the dust.
The value of my two batteries was a bit more than the gap between the
5Mp model (that uses different batteries) and the 750 7Mp model (that
does use the same batteries), so I specc'd upwards :-)

My first digital camera was a generic 3Mp that turned me on to
costless photography. My second was the 4Mp Canon that turned me on
to macro mode (which suuucked on the generic). The new 7Mp Canon has
turned me on to video clips; smooth, low light OK, 640x480, v.nice


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
 