Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Question About Coexistence Of Malware Scanners


  • Please log in to reply
5 replies to this topic

#1 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,577 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:12:58 AM

Posted 07 September 2006 - 07:57 PM

I've always wondered how some of the antimalware jobs are synchronized (or not).
Today I saw this very interesting, and easy to read, description of some of the processes involved and how to cope with them
http://forum.zonelabs.org/zonelabs/board/m...essage.id=16326
Never mind that it refers to ZA, probably suite or pro in this instance. It likely applies to other products used in conjunction with Spybot S&D or javacool SpywareBlaster and similar.

I'm sure this is old hat to the experts of this site, but to just normal users I thought it might be somewhat educational. But immediately begs for a Question to the experts: it makes sense does it not?

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:58 AM

Posted 08 September 2006 - 06:11 AM

No single product is 100% foolproof and can detect and remove all threats at any given time. The security industry is in a constant state of change with new infections coming out on a daily basis. Each vendor has its own definition of what constitutes spyware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a layered defense using several products to supplement your anti-virus provides the most complete protection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,577 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:12:58 AM

Posted 08 September 2006 - 03:30 PM

Quietman7, I'm aware of what you wrote. I read BC :thumbsup:
But my question was more about the ' examination and removal struggle' for lack of a better term.
All the tutorials here and advice elsewhere, while fabulous and useful, seem to assume (am I wrong here?) you've got nothing on the computer, so the suggestions are to install this and scan, install that and scan ... fine and good when starting from from a filthy, unprotected jungle of a computer.

But sometimes there are conflicts when something already is running and now a new thing starts a fight with an existing anti malware application. It is not always clear when to be in safe mode for instance or which scanners might conflict. I don't mean any of this as a complaint, but just to toss an idea about to get some feedback on compatibility.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:58 AM

Posted 08 September 2006 - 04:05 PM

All the tutorials here and advice elsewhere...seem to assume (am I wrong here?) you've got nothing on the computer, so the suggestions are to install this and scan, install that and scan ... fine and good when starting from from a filthy, unprotected jungle of a computer.

When we are helping users with malware removal, we often suggest downloading various anti-malware scanning tools like Ad-Aware, Spybot, Ewido, and sometimes trials like Counterspy, Spysweeper etc. even if they have another scanning tool. The only problem that I have encounterd is that some of these tools can interfere with various fixes (removal instructions). When that is the case, I simply advise the victim to temporarily disable it.

I suppose there can be performance issues with those that are resource heavy and there can be a point of overkill by using too many. But I'm not aware of any incompatabilty issues with using several of the well known programs together. Thats not to say this is always the case, just that I have not encountered a problem.

Anti-virus programs are another matter. You can have more than one anti-virus program installed on your system as long as only one of them is actively running and providing real time protection. The other should only be used as an on demand scanner. However, even when one of them is not running, problems can still arise when the active anti-virus detects the non-active one's definitions or quarantined files.

The concern with using more than one anti-virus program is due to conflicts that can arise from them both running together at the same time in real-time protection mode. Anti-virus software componets insert themselves into the operating systems core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their defintion databases are the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance.

While operating in real-time mode, each program will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to "False Positives". Further, if one AV finds a virus and then the other also finds the same virus, then both programs will be competing over exclusive rights on dealing with that virus. Each piece of AV software will attempt to seize the offending file and quarantine it. If one AV finds and quarantines the file before the other one does, then you encounter the problem of both AV's wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetivite cycle of endless alerts that continually warn you that a virus has been found.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,577 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:12:58 AM

Posted 10 September 2006 - 08:37 PM

That is precisely what I was mumbling about and you said so well and filled few unknowns at the same time.

In terms of workflow then, your method currently is to react to conflicts if and when they occur. No problem here, time is a finite commodity. It's just I was wondering whether all this collective knowledge could be put into one reference, from which we can learn that AV-X product conflicts with AV-Y when both are running, or even if one exists and another scans. That's all. No big deal.

(BTW, I haven't had much luck running Spybot TeaTimer with Zone Alarm suite due to the conflict over registry items. So I just use a2 and S&D to scan and to see various settings. SpywareBlaster and/or PestPatrol coexist real-time. So a list of what works with what would be cool to have :thumbsup:)

Thanks again for such a nice and thorough description and explanation.

#6 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:58 PM

Posted 11 September 2006 - 12:01 AM

I would suggest that many of the Tutorials and other such informative posts almost presuppose some kind of infection COULD be present on your hard drive.
If, for example, you read the preparation guide for posting a HJT log, you will find that it requests you download, install, update, and run several anti-malware applications. Now none of these should conflict if you use them to scan your hard drive, one application at a time; the only potential conflict would be if you ran several real-time protection modules (e.g. Spybot's teatimer) or several AVs concurrently (this is especially so if you launch both to provide real-time protection). Even running one AV, with the other only used occasionally for a hard drive scan (and the other temporarily turned off) can present problems in the form of reporting the other's definitions as malware. For that reason, most "experts" here recommend only having ONE AV on your hard drive, and using the many on-line scans available as a double check.
I would only suggest that these particular caveats are generic because they seem to apply to almost any configuration of security applications, and therefore do not need to be specific and cross-referenced.
Regards,
John
Whereof one cannot speak, thereof one should be silent.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users