Using Multiple Online File Scanners


5 replies to this topic

#1 Alan D


Posted 09 August 2007 - 03:16 AM

OK, here's the scenario:

You do a routine scan and it finds a file and your scanner offers to quarantine it. You know that file has been there for a year and it seems likely that this is a false positive, but of course you can't be sure. You need some second opinions. In short, you want to submit the file to the Jotti multiple online scanner at:
http://www.virussscan.jotti.org/
and to the similar one at Virustotal:
http://www.virustotal.com/

Now, how do you go about this? If you let your scanner quarantine the file, and then submit the quarantined file, the online scanners won't recognise it as infected even if it was, because of the encoding that goes on in the quarantine process. So the only way to upload the file is to instruct your scanner to ignore the detection (while your heart pounds a little faster), and then upload the file from its original location.

But there's an additional complication, which I've experienced myself using AVG. When I tried to upload the suspect file, the AVG resident shield kicked in and blocked the upload - so the only way to accomplish the upload was to deactivate the resident shield! And it did, after all, turn out to be a false positive - but of course I couldn't be sure of that at the crucial decision-making stage, so this was all quite tricky stuff.

What do others do, in this situation? What procedure do you use to submit a suspected file (which has generated an alert) to the online scanners?

Edited by Alan D, 09 August 2007 - 03:17 AM.

Windows XP Home SP2; AVG 7.5 Internet Security Suite (AV/AS r.t.p, and firewall); Windows Defender (r.t.p on); SuperAntispyware Free; a-squared Free 3.5.0.15; Spybot 1.4 (Immunised, but no Tea-timer); AdAware SE Free; AVG Anti-Rootkit Free; Spywareblaster; MVPS Hosts file (with HostsMan); McAfee Site Advisor.
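An added illustration, not code from the thread or from AVG: hashing the suspect file where it sits on disk (reading it, not moving or uploading it) yields the fingerprint that VirusTotal and similar services index, so a hash lookup is a first check that needs neither an upload nor a disabled shield. The XOR transform below is a constructed stand-in for a product's quarantine encoding, not AVG's real format; it shows why a quarantined copy no longer matches the original.

```python
import hashlib
from pathlib import Path

# Constructed stand-in for a suspect file; not a real sample.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed-sample-bytes-for-illustration" * 4


def fingerprints(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes: the identifiers multi-engine
    scanners index, so a lookup by hash needs no upload at all."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def fingerprints_of_path(path: str) -> dict:
    """Hash a file in place. Reading it neither executes nor moves it,
    so a resident shield has nothing to block."""
    return fingerprints(Path(path).read_bytes())


def quarantine_encode(data: bytes, key: int = 0x5A) -> bytes:
    """Hypothetical quarantine transform: single-byte XOR. Real products use
    their own (often undocumented) encoding; the only point here is that the
    stored copy is no longer byte-identical to the original."""
    return bytes(b ^ key for b in data)


def same_file(a: bytes, b: bytes) -> bool:
    """True when two byte strings share a SHA-256, i.e. are the same file."""
    return fingerprints(a)["sha256"] == fingerprints(b)["sha256"]


if __name__ == "__main__":
    original = fingerprints(SAMPLE_FILE)
    stored = fingerprints(quarantine_encode(SAMPLE_FILE))
    print("original    sha256:", original["sha256"])
    print("quarantined sha256:", stored["sha256"])
    # The quarantined copy hashes differently, so submitting it (or looking
    # its hash up) tells you nothing about the file that was actually flagged.
    print("same file?", same_file(SAMPLE_FILE, quarantine_encode(SAMPLE_FILE)))
```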

#2 TMacK

Posted 11 August 2007 - 11:55 AM

AVG has a pinned topic on You Suspect a File to be False Positive.

IMHO, if something has been in quarantine for a year, I think you are safe just to delete it.

Read the pinned topic VirusTotal - Free service to analyze new samples, uses multiple AV scanners.

Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#3 Alan D


Posted 11 August 2007 - 12:19 PM

AVG has a pinned topic on You Suspect a File to be False Positive.

Thanks - this link actually gives the specific answer to my question, namely, that the AVG advice is to temporarily disable heuristic scanning and/or the resident shield in order to submit the suspect file to jotti or virustotal. Which makes perfect sense, and this is what I've done in the past, though it feels scary when one does it.

IMHO, if something has been in quarantine for a year, I think you are safe just to delete it.

I wasn't suggesting that the file had been in quarantine for a year. I was thinking of the situation where the scanner picks up a file that has been installed on your computer for a long time - and that's one of the reasons why you suspect it's a false positive, because it's been clear on countless previous scans.

#4 tos226

Posted 11 August 2007 - 05:02 PM

the AVG advice is to temporarily disable heuristic scanning and/or the resident shield in order to submit the suspect file to jotti or virustotal. Which makes perfect sense, and this is what I've done in the past, though it feels scary when one does it.

No experience with viruses, but I find this to be a very interesting question. I suspect other AV products need to do the same, would you think so?

#5 Alan D

Posted 12 August 2007 - 03:10 AM

I suspect other AV products need to do the same, would you think so?

I think inevitably so, yes. I've never been able to think of any alternative solution, and yet when the moment is upon you, and here is a detection, the very last thing you feel you should be doing is turning off your AV/AS real-time protection in order to fiddle about with the suspect file!

I think my question (and my unease) is based really on this essentially emotional reaction. The logic of the situation is different: here is a file that may well have been on your computer for some time, but only now under suspicion. Switching off your AV/AS for a couple of minutes isn't going to trigger it into action in some way; all you're going to do is upload it.

I suspect that the anxiety arises from an inadequate understanding of the protection processes. It feels like taking off a bullet-proof vest, knowing that a sniper may be hiding in the bushes; but of course the situation isn't like that at all, actually.

#6 TMacK

Posted 12 August 2007 - 10:26 AM

You are right, Alan D.

Switching off your AV/AS for a couple of minutes isn't going to trigger it into action in some way; all you're going to do is upload it.

The chance that you get infected in the few seconds you disabled real-time protection is almost impossible, perhaps if you were surfing unsafe websites.