Having Antivirus does not keep you safe.


5 replies to this topic

#1 JohnHenery

Posted 06 August 2015 - 08:18 PM

I am new here and have been seeing a lot of the same stuff, and thought this little bit of information might be helpful.

An antivirus program is a program that either passively or pro-actively scans the traffic and packet injections that go into your computer.

The core of the antivirus is the definitions.

The definitions are a database with a list of signatures. These signatures are various lines of ones and zeros that indicate a specific type of malware.

As a new virus is documented, the database of signatures is updated with one more signature, so from then on, if that virus connects with your computer, the AV will scan it to make sure it does not match any of those signatures; if it does, it will mark it, block it, quarantine it, whatever your AV does.

This is why you can always still get a virus, depending on how new it is.

For this reason, I recommend an antivirus whose company is based out of a country that is known for producing malware, so that your definitions are up to date before the virus hits the US.

Also, and this is most important: make certain that your AV is updated, all recommended patches are installed, your firewall is active, and you take notice of any information the AV provides you.

The main reason for this article is to talk about different types of malware.

Specifically, logic bombs.

A logic bomb is a type of malware that waits for a specific action, and then once that parameter is met, it executes its commands.

The reason this is important is because if you have a virus, and you go to remove it, using your AV, or your adware removal tool, or manually deleting the suspicious folder/files, you can cause a lot of damage.

By removing that file while the virus is active on your system, there could easily be a script within your system that is watching that virus to make sure it is running.

If that logic bomb exists and is watching that viral program you have installed, and you manually remove it, or use other tools to remove it, you can initiate that logic bomb code, and then that logic bomb will execute its commands... those commands could be something as simple as reinstalling the virus, pulling the virus from various other locations back into that folder, rendering the process of getting it removed useless.

MOST IMPORTANTLY:

It could COMPLETELY wipe your files, crash your hard drive, or even potentially do worse.

The simple fix:

Run in Safe Mode.

Run scans in Safe Mode, and delete files in Safe Mode.

If it is Safe Mode, non-Windows system files are unable to load. This means that viral programs are unable to load. This means there are no logic bombs that can watch for running applications.

This gives you the chance to remove all of those programs while they are not running, therefore safely and fully removing them.

Also, if a virus is on your computer, it has already succeeded. Especially beyond simple greyware, it is not likely to just let the AV remove it. That is why it needs to no longer be running before you try.

Please respond if you have any questions, or concerns, or disagreements, or if this information has already been shared.


Edited by computerxpds, 06 August 2015 - 08:47 PM.
Moved to AV/AM software forum from AII



#2 Eddie7

Posted 06 August 2015 - 09:04 PM

I did not read the whole thing but I must say you're right. :)



#3 quietman7

Posted 06 August 2015 - 09:47 PM

An anti-virus program alone does not provide comprehensive protection and cannot prevent, detect and remove all threats at any given time. Anti-virus and anti-malware programs each perform different tasks as it relates to computer security and threat detection. Essentially, they look for and remove different types of malicious threats. However, there can be some overlap in functionality and detection features depending on the program's scanning engine, how the vendor defines a specific threat and what Naming Standards are used. Anti-virus software is inherently reactive...meaning it usually finds malware after a computer has been infected. The security community is in a constant state of change as new infections appear and it takes time for them to be reported, samples collected, analyzed, and tested by anti-virus researchers before they can add a new threat to database definitions. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything.

In simplistic terms, anti-virus programs generally scan for infectious malware which includes viruses, worms, Trojans, rootkits and bots.

Anti-malware programs generally tend to focus more on adware, spyware, unwanted toolbars, browser hijackers, potentially unwanted programs and potentially unsafe applications.

Therefore, you need both an anti-virus and an anti-malware solution for maximum protection.


Safe Mode is a troubleshooting mode designed to start Windows with minimal drivers and running processes to diagnose problems with your computer. This means some of the programs that normally start when Windows starts will not run.

Why use safe mode? The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using safe mode reduces the number of modules requesting files to only the essentials which make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools. In many cases, performing your scans in safe mode speeds up the scanning process. Scanning in safe mode was a recommended course of action years ago with many security scanners. This was before malware writers began to employ more sophisticated techniques to counter removal efforts in that mode and before we had programs like Malwarebytes which work effectively in normal mode.

Why not use safe mode? Some security tools like anti-rootkit scanners (ARKs) and scanning programs with anti-rootkit technology use special drivers which are required for the scanning and removal process. These tools are designed to work in normal mode because the drivers will not load in safe mode which lessens the scan's effectiveness. Other security tools are optimized to run from normal mode where they are most effective. For example, scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection and removal when used in safe mode because the program includes a special driver which does not work in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of such tools.

Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. If the malware is not related to a running process (i.e. a malicious .dll) it probably will not make a difference performing a scan in normal or safe mode. A hidden piece of malware such as a rootkit which protects other malicious files and registry keys from deletion may not be detected in either mode without the use of special tools. Additionally, if the scanner you're using does not include definitions for the malware, then it may not detect or remove it regardless of what mode is used. If you're dealing with zero-day malware it's unlikely your anti-virus is going to detect anything. However, programs like Malwarebytes can detect zero-day malware, which is one reason they are recommended to supplement your anti-virus software. Also keep in mind that there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible.

Generally I recommend performing a scan in normal mode unless that mode does not work or the tool is specifically intended for use in safe mode.
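The reply above notes that some infections target the safeboot keyset so that Safe Mode no longer boots, and that tools behave differently in Safe Mode and normal mode. The following is an added example (not code from the thread or from any vendor) that reports which mode a Windows host is currently in and whether the SafeBoot registry keyset is still present; the SM_CLEANBOOT metric and the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot layout are documented Windows behaviour, and the disk-class GUID check is one heuristic chosen here for illustration.

```powershell
# Added example: inspect Safe Mode state and the SafeBoot keyset on a Windows host.
# Run from an elevated PowerShell prompt; reading HKLM normally needs no elevation,
# but the keys can be ACL-restricted on hardened systems.

function Get-SafeBootStatus {
    # GetSystemMetrics(SM_CLEANBOOT = 67) returns 0 = normal boot,
    # 1 = Safe Mode, 2 = Safe Mode with Networking.
    if (-not ('Win32.SafeBootNative' -as [type])) {
        $sig = '[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);'
        Add-Type -MemberDefinition $sig -Name 'SafeBootNative' -Namespace 'Win32' | Out-Null
    }
    $mode = switch ([Win32.SafeBootNative]::GetSystemMetrics(67)) {
        0 { 'Normal' }
        1 { 'SafeMode' }
        2 { 'SafeModeWithNetworking' }
        default { 'Unknown' }
    }

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $result = [ordered]@{ BootMode = $mode; SafeBootKeyPresent = (Test-Path $base) }

    # Each subkey under SafeBoot\Minimal and SafeBoot\Network names a driver,
    # service or device class Windows may load in that Safe Mode variant.
    # A missing or empty list is the condition the thread describes: Safe Mode
    # cannot start because the keyset has been removed.
    foreach ($variant in 'Minimal', 'Network') {
        $path = Join-Path $base $variant
        $result["${variant}Entries"] = if (Test-Path $path) { (Get-ChildItem $path).Count } else { 0 }
        # Heuristic: the disk-drive device class GUID is expected in an intact keyset.
        $diskClass = Join-Path $path '{4D36E967-E325-11CE-BFC1-08002BE10318}'
        $result["${variant}HasDiskClass"] = Test-Path $diskClass
    }

    $result['Suspicious'] = (-not $result.SafeBootKeyPresent) -or
        ($result.MinimalEntries -eq 0) -or ($result.NetworkEntries -eq 0) -or
        (-not $result.MinimalHasDiskClass) -or (-not $result.NetworkHasDiskClass)
    [pscustomobject]$result
}

Get-SafeBootStatus | Format-List
```

A result with Suspicious = True means the host should be compared against a known-good system's SafeBoot export before anyone relies on Safe Mode for cleanup.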

#4 JohnHenery

Posted 07 August 2015 - 02:35 AM

You sound very well versed.

That being said, there are a few questions I have that you may be able to answer.

How does the new technology that permits adequate scanning in normal mode address the potential for logic bombs?
Additionally, from my experience, it seems like a virus is much harder to remove, when it is running, than your typical adware.


Also, and I may be incorrect, but I had the belief that a 0day attack exploits a vulnerability that is unknown at the present time. Providing that is correct, no antivirus could defend against a 0day because the attack is unknown, therefore undocumented, and not added to the definitions.

Also, I fixed an FBI ransomware once, and the damn thing locked task manager and the registry, and any other way you could think to access the registry. The real issue is that it disabled the safe mode registry key.

I just downloaded some alternate registry editor freeware garbage and popped back in the registry key.


I will agree that there are certain best practices for different issues, but I have not read much to indicate that running scans in normal mode is a preferred option. If you have any sources, I would very much like to review them.

#5 quietman7

Posted 07 August 2015 - 05:36 AM

Safe Mode Scanning - Less Effective
All scans are to be run in Normal Mode
Do I need to reboot into Safe Mode to run anti-malware scans?

BleepingComputer provides several self-help how-to guides for running scans in normal mode using various tools. Also read: The complexity of finding, preventing, and cleanup from malware

#6 Didier Stevens

Posted 09 August 2015 - 02:31 PM

If it is Safe Mode, non-Windows system files are unable to load. This means that viral programs are unable to load. This means there are no logic bombs that can watch for running applications.

Safe Mode does not prevent non-Windows system files from loading. Otherwise, how would your anti-virus program be able to run in Safe Mode?
