Do, or did you, have two boot drives connected at the same time when trying to boot your primary. Windows doesn't like it. It's a common mistake during cloning.
-
-
I take it you don't use sandboxing or VM techniques to try out programs..
-
Results:
Files moved to the recycle bin:
Had to log in as an administrator to install the antivirus program. The program warned me after install and during its first startup that its definitions were out of date. When I attempted a manual update it told me it didn't need to because it was already up to date. Then during the manual scan it complained again that it wasn't up to date. So who knows? I don't.
First scan results. Default settings:
Multiple locked files, but no scores on a virus. Onward I go, this time I select every scan and threat option and perform another scan:
Two suspicious files:
I forgot to scroll the freakin' window over before I did the screen capture. Nice one!! So, you can't see the file names. Nevertheless, the first is in IE's temporary internet files, but IE wasn't used to download the file. Hasn't been used in weeks, in fact. The second file you can see the beginning of the file name which is enough to see that it doesn't even show up in the recycle bin. The file has a .tmp extension. I don't know what to make of it.
Anyway, pushing 6 hours with no discernible problems. -
If you're asking me, the answer is no, obviously. My drive is cloned and I was bored when I came across this thread. -
So does anyone know if this actually is a virus?
-
- Jordan
P.S. Symantec's CEO said in an interview last year that he was going to buy a mac next because the PC had waayy too many viruses/malware - I don't think anything more needs to be said about his confidence level in Symantec's own security products -
I removed the link to that file...I'm surprised we didn't see it earlier.
Please do not post direct links to infected files, as we don't want accidents happening. Rather, post the name or other information about the virus or obfuscate the web address so that you cannot just point and click to download (like www dot notebookreview dot com). -
Good point and appreciate the tip Greg! I never clicked on the link, but what Greg said and did was to protect all of us just in case this is/was something malicious. If you play with fire, eventually you will get burned.
-
Signs of being infected: the trojan fires up several connections to the internet, the system becomes very slow, and searching on the internet becomes influenced. Like searching for antivirus will launch some obscure webpage.
I would say you run Acronis from a bootable CD or DVD (right? at least thats the way i do it) and then when you're finished restoring the image, you close off. take the cd/dvd out and just reboot your system. -
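One of the infection signs listed above is a process that suddenly holds several connections to the internet. The following is an added example, not code from this thread, that parses Windows `netstat -ano` output and flags any PID with an unusual number of outbound connections to non-local hosts; the netstat lines, the PIDs and the threshold of 4 are constructed for illustration.

```python
# Added example (not from the thread): flag processes with many outbound
# connections, one of the infection signs described above.
# Assumes Windows "netstat -ano" style output; the sample below is constructed.
import ipaddress
from collections import defaultdict

# Constructed sample output, not a real capture. PID 2216 is the odd one out.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     1204
  TCP    192.168.1.5:1050       203.0.113.10:80        ESTABLISHED     2216
  TCP    192.168.1.5:1051       203.0.113.11:80        SYN_SENT        2216
  TCP    192.168.1.5:1052       198.51.100.7:6667      ESTABLISHED     2216
  TCP    192.168.1.5:1053       198.51.100.8:25        SYN_SENT        2216
  TCP    192.168.1.5:1054       203.0.113.12:443       ESTABLISHED     2216
  TCP    192.168.1.5:1060       203.0.113.20:443       ESTABLISHED     1768
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  UDP    0.0.0.0:500            *:*                                    1000
"""

OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}
# Loopback, link-local and RFC 1918 ranges are not "the internet".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16")]

def is_remote(addr: str) -> bool:
    """True if the foreign endpoint (host:port) is outside the local ranges."""
    host = addr.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # "*", "0.0.0.0:0" style placeholders
        return False
    return not ip.is_unspecified and not any(ip in net for net in LOCAL_NETS)

def outbound_by_pid(netstat_text: str) -> dict:
    """Count outbound TCP connections to remote hosts, keyed by PID."""
    counts = defaultdict(int)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":   # skip header and UDP rows
            continue
        _, _, foreign, state, pid = parts
        if state in OUTBOUND_STATES and is_remote(foreign):
            counts[int(pid)] += 1
    return dict(counts)

def suspicious_pids(netstat_text: str, threshold: int = 4) -> list:
    """PIDs at or above the threshold, busiest first (threshold is a guess)."""
    counts = outbound_by_pid(netstat_text)
    return sorted((p for p, n in counts.items() if n >= threshold),
                  key=lambda p: -counts[p])

if __name__ == "__main__":
    counts = outbound_by_pid(SAMPLE_NETSTAT)
    for pid in suspicious_pids(SAMPLE_NETSTAT):
        print(f"PID {pid}: {counts[pid]} outbound connections to remote hosts")
```

Run it against live output with `netstat -ano | python script.py`-style piping after swapping the constant for `sys.stdin.read()`; a PID that shows up here is a lead for `tasklist`, not a verdict.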
I also have Acronis, but once I loaded it onto my cp I only had to insert the cd/dvd once. That is when I had to reboot and restore from my secondary. Like PhilFlow said, it is a wonderful program and it has saved me a few times over the past two years. Once from my primary HDD completely dying and the other two times from viruses crashing my "C" drive. As for myself, I always have my back-ups stored on my secondary HDD and that saves me just in case my primary takes a dive again.
-
-
Out of curiosity I tested Kaspersky Antivirus.
This program handled the malicious file the best of all scanners.
For equal comparison I installed Kaspersky without password protection and without the latest updates.
I double clicked the Virus!!!!.exe file while running in Administrator account.
Kaspersky blocked 7 out of 8 attacks that were launched after doubleclicking the .exe file.
Only one file managed to get through and install something on the system (sh.exe). It did not seem to do any harm. The system kept running fast, nothing happened to Kaspersky itself. -
Is this the part where I get to say: "I told you so.."?
*runs off*
LoL
Glad to hear you had a positive experience with Kaspersky
- Jordan
P.S. For anyone in the US/Canada that's interested in Kaspersky, you can get a *real* OEM CD with key for around $20-$30 from www.ncix.com -> also, a lot of scammers sell fake 'generated' keys on eBay that're blocked over time -
It may have worked the best of those tested, but it still didn't work.
-
Nod32 finally updated. Ran a new scan and it made 3 positive hits. 2 were the same as before and the 3rd was another program also located in IE's temporary internet files. So I had a look at them:
There is that date again, 9/19/2007 5:52 PM. Notice the cookie too. I think the virus had a little something to do with those files. I also think I'm in for a little surprise the next time I start Internet Explorer. Soooo, I thought I'd post this before I take the IE plunge. Let you know soon, if I can that is! I'm going to uninstall Nod32 first just so the virus gets to have all the fun it can in a restricted account. -
Well I'm coming to you from Internet Explorer with no problems. IE deleted the two program files upon its first exit. I have it set to delete temps automatically upon exit.
The suspicious cookie remains, though I haven't attempted to clear the cookies. There are still only 25 processes running. I also restored the temp files previously moved to the recycle bin prior to running IE. The restricted user seems to be doing a pretty darn good job. All I need to do now is find that mysterious recycle bin file. -
I installed Kaspersky. I maximized all the scanning options and then gave it a go.
Nothing!
Then I installed and ran NOD32 again.
This time it picked up one of the files created in the temp folder. The file in the recycler seems to have disappeared. I don't know what to expect from these programs but I'm surprised they don't pick up the PowerISO38.exe file. I guess it's not hard to mask the viruses before they are run. -
Too bad you did not run the virus from an administrator account. Or you'd have a lot more to show.
-
I bet I would. I wanted to see what would happen with a restricted user account alone, though. Doesn't appear to have been able to do too much. Then again, the scanners seem to be a bit of hit-and-miss so who knows what is or isn't on my computer after running the virus.
-
You're pretty safe in administrator mode if you have Kaspersky running. It will show exactly all the names of the trojans and viruses....
come on, you can do it -
I did not mention this before but Spyware Terminator did ok. Of all the specific spyware tools it did best.
The good: It alerted about all kinds of changes to the system and ports being opened up. It kept running, and the virus did not disable it.
The bad: it was not able to stop the trojans and viruses.
In this little test Spyware Terminator did a lot better than Spyware Doctor, Adaware and Spybot S&D, who were virtually unaware of anything happening.
http://www.spywareterminator.com/ It's also free. -
AKAJohnDoe Mime with Tourette's
-
And all it did was notice things. It did not clean, protect or prevent. So I agree with that review.
Anyway, it did a lot better than Spyware Doctor, Adaware and Spybot S&D.
Frankly I don't trust any of these programs to protect me. For real protection I recommend Kaspersky. -
AKAJohnDoe Mime with Tourette's
-
I used to read PC Magazine (a long time ago when it was a 'magazine only') and read it religiously mind you - but over the years, I started to notice a trend with the scores they kept giving Symantec/Norton Anti-Virus which was not adding up when being forced to see (first hand) all the infected machines, etc. that had the latest home & corporate versions of SAV, etc.
All in all - one and one, well... equalled two - though I didn't really want to admit/see it
- Jordan -
Gosh Phil! I thought I died and went to heaven with seeing how you preach Kaspersky like the gospel
LoL
Your new-found fondness for Kaspersky is just a little hard to miss these days is all - not that it's a bad thing
- Jordan -
AKAJohnDoe Mime with Tourette's
Of the purchased products, I would go with Kaspersky, NOD32, or ZoneAlarm Security Suite. However, based on what is free, there is little need to pay. -
I mean: in this test, running the malicious file virus!!!!.exe in administrator mode, the only spyware program that noticed anything going on was Spyware Terminator.
Adaware, Spybot S&D, Spyware Doctor did not notice anything at all. Nothing that is.
So in this little test Spyware Terminator is clearly the winner. I am only talking about the real time protection here.
PC Magazine has never tested this specific file so they don't disagree with that. They have done a completely different test.
-
AKAJohnDoe Mime with Tourette's
I am agreeing with PC Magazine's overall opinion of Spyware Terminator; specifically, that it is generally ineffective and that there are better choices.
And I believe that I am disagreeing with your overall testing methodology, basing conclusions on the results of a single infectious point and introducing that single infectious point into systems without a systematic and hierarchical defense mechanism implemented.
It would seem that a single infectious point could be created or concocted to be invasive to a majority of systems. An engineered virus it is after all. Systemic testing on multiple fronts is far more valid for interpretation and for inference of results.
Further, it is unreasonable, or perhaps simply foolish, to presume that a system would only be protected by a single barrier. I run a hardware firewall, a software firewall (that blocks both incoming and outgoing), anti-spyware software, and anti-virus software. Further, I scan for spyware with multiple software scanners and scan my file system and registry with multiple software scanners as well.
While this might be a tad more than the average user does, it is not actually more than most security suites attempt to do.
Not intended as a flame, nor as a personal criticism. However, it is intended as a serious questioning of your methodology. -
I think you're reading in stuff that was not there.
I never based conclusions. I never claimed to have run a systematic, good, objective test.
All I said was "In this little test Spyware Terminator did a lot better than Spyware Doctor, Adaware and Spybot S&D, who were virtually unaware of anything happening."
You see in the words 'in this little test' I am already acknowledging the limited value. -
Do you have experience with their whole security suite? So far I've only tested their Antivirus product.
Edit: I see the Internet security suite only adds 'built-in personal firewall and antispam filter' so it's not that interesting to me. -
AKAJohnDoe Mime with Tourette's
-
I've only bought the whole suite in the past, plus at a literal couple dollars more - who wouldn't?
If you can, I WOULD just buy the Kaspersky Internet Security OEM from ncix.com - it's a good deal at under $30 I think
- Jordan
P.S. You can choose not to install certain aspects of the entire suite if you like - down to even the included modules
Install the whole thing and see what's useful to you and not -
-
I was personally shocked by how easily Norton, Avast, NOD32 were disabled by the virus. Not only were they disabled, their installation also got messed up, preventing them from ever running again.
In my subjective opinion that is really bad performance for security software.
-
PhilFlow, I have not heard anything back from US-CERT yet on this virus, but it could take a bit. Have you really found anything that prevents this thing from corrupting your system yet?
-
First: The most important recommendation came from swarmer: if you run a possibly suspicious file, or if you're doing anything possibly dangerous, do it from a limited user account. The basic user account setting in XP is an administrator account, which is very dangerous for this.
I ran this file from a limited user account with a free virus scanner installed and not much happened (once with Avast, another time with Antivirus PE).
Second: jordy and some other people recommended Kaspersky. I ran the infected file in an administrator account with Kaspersky installed. Kaspersky effectively blocked 7 out of 8 attacks. One action of the malicious file slipped through. This was however not a critical one, it seemed.
Based on this little test, Kaspersky came out best for two reasons.
- The system kept running at the same pace, without any problems.
- The installation of Kaspersky itself kept working 100% perfect.
None of the other scanners I tested did those two things. Someone told me that McAfee Enterprise is also able to block the virus, I don't know if this is true, I only tested McAfee AV, which failed.
Also I gave an honorable mention to Spyware Terminator. Not for cleaning the system nor for preventing infection. The only thing I liked was that it was actually aware of bad things happening and telling me with several alerts. In this way (are you reading John?) it did better than the other spyware apps I tested that had no clue of anything going on.
Another thing I learned is the immense value of keeping images. I use Acronis True Image and it lets me restore my whole system within 15 minutes. With this new experience I will make images much more often.
And what's funny for me, since I am no big fan of Vista, I was always complaining about the huge amount of clicks that are necessary in Vista to install stuff, and change settings. I now understand why this is, and I will appreciate Vista more.
I may be able to run another test. If anyone has some suggestion on what application to test I might give it a go. I am considering ZoneAlarm Anti-Spyware or Spyware blaster. -
To the person who said it's a Virut:
Did it infect .exe files?
I had a Virut infection on one of my machines very recently. I was using NOD32 on that comp and NOD32 itself got infected. So I just wanted to know if it's the same thing and if Kaspersky AV stopped it then I could start feeling comfortable again having installed eScan instead of NOD32 because eScan has the Kaspersky AV engine.
Can someone run the test on eScan and post back here on how eScan fared against this virus?
I posted on NOD32's forum about the virus that I got.
http://www.wilderssecurity.com/showthread.php?p=1078713
-
(P.S. I think Win32/Virut.A was the name or something like that)
On top of that, Kaspersky lets you install a password, i think it would be even safer.
But you could do it too, if you just make an image of your harddrive you can start testing yourself. -
Like PhilFlow had stated, Acronis True Image is a great program and saves you from losing all of your important data. I have used it for a couple of years now and it has saved me a few times.
-
Wow. Those are somewhat disturbing results. But I must ask, has this virus been out for a while? If it was a new virus when you conducted this test, I can see how it might slip through the antivirus software...much antivirus software is, after all, reacting to existing viruses.
The only other anti-virus I'm interested in seeing tested is Sophos, though as it is a corporate one I can see it may be difficult to acquire. My university provides it for free, which is why I'm curious. I would test it myself, but I don't particularly feel like reinstalling Vista again just to test one virus. Hence why I wouldn't blame you for not wanting to test anymore, either. -
Are virusscanners really this bad? shocking results
Discussion in 'Security and Anti-Virus Software' started by Phil, Sep 18, 2007.