dslreports logo
site
spacer

spacer
 
    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»
spc

spacer




how-to block ads




4. Anti Virus Programs

The Software Forum and the Security Forum both have polls. You'll find two examples of them here and here,
in Security forum, that show which programs members of BroadbandReports.com use. It's no indication of which anti-virus program is better, just which one is more popular.

by grobinette See Profile edited by Wildcatboy See Profile
last modified: 2010-11-26 10:38:28

This FAQ is organized into 5 sections:

A. When to use this FAQ.
B. List of free web based anti-virus (AV) scanners.
C. List of free web based multi-engine single file analyzers.
D. Free sandbox analysis tools.
E. List of virus encyclopedias.



A. When to use this FAQ:

If you have an infected or hijacked computer, the full step-by-step instructions for thoroughly cleaning it are here. Following them will bring you back here:
/faq/8428

An anti-virus (AV) package includes an anti-virus scanner (or on-demand scanner) and anti-virus monitor (or real time monitor). This combination works to prevent infections, as well as detecting and curing them.

These web based scanners here do not prevent infections, but they are very useful for second opinions when you are faced with unknown new malware.

If you want something that prevents virus infections, you will need to install an antivirus package. If you want to scan for existing infections, skip to part B.

If you are considering installing an antivirus product:

* Check the VB100% test results at Virus Bulletin. You have to register to look at old test results, but registration is free and they do not spam you. Check the "VB100% Award" "by vendor". Personally I would only consider AVs that have passed six or more VB100% tests in the past 24 months.
www.virusbtn.com

* Check with your ISP. Many ISPs are now offering good quality security suites to home customers for free. The intent is that the cost to the ISP for the security suite will be offset by increased customer satisfaction and decreased support costs, so ISPs try to select effective easy-to-use products. These suites often include an AV, anti-spyware, pop-up blocker and firewall components. You control which components are activated.

* Check out these links (but remember many of us are stuck using an AV we did not freely choose):
/faq/3437
/faq/7728
/faq/3128




B. List of free web based anti-virus scanners:

These free AV scanners detect existing infections and identify and remove the virus (malware) involved.

»www.eset.eu/online-scanner (eset Nod32)
»housecall.trendmicro.com/
»www.pandasoftware.com/products/a···scan.htm
»www.kaspersky.com/virusscanner
»us.mcafee.com/root/mfs/default.asp
»support.f-secure.com/enu/home/ols.shtml
»www3.ca.com/threatinfo/virusinfo/scan.aspx (eTrust)

Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. So click here to submit the suspect file to the anti-virus product makers. Alternatively, submit the file using VirusTotal or Jotti using the links in Part C below.




C. List of free web based multi-engine single file analysers:

These tools are very useful once you have narrowed the problem down to a few files, to confirm what the problem is, and to get the names different AV vendors give it, so you can look it up in different virus encyclopedias.

You pick the file(s) to upload, and the tool runs it through multiple scanners, and tells you what they think it is.

»www.virustotal.com/ (Hispasec lab's multi-engine single file scan and submission service)
»virusscan.jotti.org/ (Jotti's multi-engine single file scan)

(Before deleting malware files, be sure to submit copies of suspect files under any of these circumstances:
- Got onto your system undetected by an up-to-date AV monitor.
- Are not consistently detected by some AV scans.
- Are acting differently from what was described in the AV company's write up.
- The scanner says are generically or heuristically detected (have no specific signature).
- Are heuristically detected, because heuristic methods are prone to false alarms.
- That you have continuing doubts about.
Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. So click here to submit the suspect file to the anti-virus product makers.)


Return to: I think my computer is infected or hijacked: Step 2





D. Free "sandbox" analysis tools:

This tool is useful if Virustotal or Jotti didn't find anything, but you are still suspicious about a file. You pick a file to upload and the tool watches it run on a test (sandbox) system. Then the tool sends a report on what it saw.

»research.sunbelt-software.com/Submit.aspx (Sunbelt Sandbox)
»www.threatexpert.com/submit.aspx (Threat Expert)
»sandbox.norman.no/live_4.html (Norman AV's SandBox analysis tool)

Interpreting the report requires some expertise, so post the sandbox results in the BBR Security Cleanup Forum.

If the sandbox analysis does find something the other tools missed, it will be something very new. You'll have submit the suspect file(s to the AV vendors, and wait for advise on how to disinfect your computer. Click here to submit the suspect file to the anti-virus product makers.

I suggest turning the infected computer off and waiting 3 to 4 hours. Then either check your email for replies from the AV makers, or submit the file to the multi-engine file analysers (in section C above) again.

When you finally have a virus name from an AV maker, consult their virus encyclopedia (in section E below) for cleaning instructions.




E. List of virus encyclopedias:

Because vendors sometimes give the same name to different versions of a virus, the encyclopedia for the AV product that made the detection should be checked first.

The CME list can help in translating one AV vendor's virus name to another AV vendor's virus name:
Common Malware Enumeration List
(The CME list is fairly new and I wouldn't consider it 100% accurate yet.)

Always read the entire description of the virus because often there are one or two manual steps required to remove the virus, beyond running the AV scanner or auxiliary virus removal tool:

»www.avast.com/eng/windows_viruses.html
»www3.ca.com/securityadvisor/viru···ult.aspx (eTrust)
»www.f-prot.com/virusinfo/
»www.f-secure.com/virus-info/
»www.grisoft.com/virbase/virbase.···type=web (AVG)
»www.viruslist.com/eng/viruslist.html (Kaspersky)
»us.mcafee.com/virusInfo/default.asp
»www.mwti.net/virus_info/virus_info.asp (MWAV)
»securityresponse.symantec.com/av···odb.html (Norton)
»www.pandasoftware.com/virus_info/
»www.sophos.com/virusinfo/
»www.trendmicro.com/vinfo/virusencyclo/ (Housecall)

(Before deleting malware files, be sure to submit copies of suspect files under any of these circumstances:
- Got onto your system undetected by an up-to-date AV monitor.
- Are not consistently detected by some AV scans.
- Are acting differently from what was described in the AV company's write up.
- The scanner says are generically or heuristically detected (have no specific signature).
- Are heuristically detected, because heuristic methods are prone to false alarms.
- That you have continuing doubts about.
Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. So click here to submit the suspect file to the anti-virus product makers.)


Return to: I think my computer is infected or hijacked: Step 8


Anti-virus vendor virus removal tools
All BBR Security FAQs
The BBR Security Forum


Recent changes:
2008-07-30 (by CalamityJane): Added eset (Nod32) free online AV scanner and two more Sandbox sites.
2006-05-05 Removed RAV encyclopedia since it is apparently no longer being maintained. Thanks AmySheehan.
2006-02-02 Temporarily removed www.mwti.net/products/mwav/mwav.asp for excessive false positives.
2006-01-16 Added some advise on buying anti-virus products.
2005-11-26 Added link to CME list.
2005-09-18 Removed RAV (bought by MS).
Added Kaspersky.
2005-08-19 Added link to Virus Bulletin.
2005-03-05 Re-formatted to make the sections clearer.

Feedback received on this FAQ entry:
  • This is a GREAT resource, from a source that i trust! However, it doesn't appear to have been updated since 2008. I can tell you that A LOT HAS CHANGED in those five years! Viruses have become a whole new breed of nasty. I know it's a hige undertaking, but it would be great if someone could update this. In particular, I don't find a Virus Encyclopedia entry for MalwreBytes (maybe they don't have one?) Thanks, George

    2013-07-15 14:41:41 (geebee2K See Profile)

  • Online Anti-Malware (File) Scanners: http://www.selectrealsecurity.com/online-file-scan

    2011-10-21 16:31:36



by keith2468 See Profile edited by CalamityJane See Profile
last modified: 2008-07-30 12:17:26

Yes, there are still a few.

Alwill Software produces Avast 4Home, which is a free version of their AV for home users.

Grisoft's AVG is still free.

Softwin also has a free AV called BitDefender (previously known as Anti Virus eXpert or AVX).

Personal use of Anti Vir is also free.

Free F-Prot for DOS uses the same definition file as the Windows version. It can be run in command-line mode on Windows.

by Wildcatboy See Profile
last modified: 2007-10-06 20:50:56

Here are a few:

Command on Demand -- seems broken as of Jan 2006
Trojan Scan
McAfee
Panda
Sygate
Bit Defender
Trend Micro
Symantec

by climbers See Profile edited by JMGullett See Profile
last modified: 2007-06-06 13:54:46

Some people would like to have more than one AV program installed on their computer. There are many reasons why this could be useful. For example, since different AV programs use different definitions and are updated at different times, a second AV can catch problematic files missed by the first.

In general, it is fine to have two AV programs installed, but only one of them can be used as a resident, or real-time, scanner.

To explain: AV programs tend to have different parts or "modules" that have particular functions. There is a part that will scan all files as they are accessed or opened, another part that will scan a file when you want it to be scanned (for example, when right-clicking on the file in Windows Explorer) and there may be other parts that are responsible for updating the virus definitions, scanning Internet access or email and so on. These parts or modules go by different names in different AV programs.

If the resident scanners of two different AV programs are used simultaneously, conflicts can result. The computer may run very, very slowly, it may become difficult to access files or the computer may crash altogether.

In order avoid these problems, the system administrator (that is, whoever is installing the software) needs to decide which of the AV programs will be the primary program, or resident scanner, and which will be used as a secondary backup, or on-demand scanner. The primary AV program can be installed as usual, with all of its component parts. When installing the secondary AV program, however, custom installation options need to be used. The exact configuration will depend on the particular AV program, but the idea is to either avoid installing the resident, real-time scanning part or to deactivate it so that it will not start when Windows starts, for example. You'll need to read the documentation for the AV program in order to find out which options to use for the program you are installing as a secondary (or tertiary, etc.) scanner.

A final note: Not all AV programs can be installed as secondary scanners, and some AV programs will try to uninstall any other AV programs during setup. There are often ways to work around this, but not always. To see some examples of AV programs used in combination successfully by members of the Security forum, check this thread: »OK to Have Two Installed Antivirus Programs?

by sybille See Profile edited by JMGullett See Profile
last modified: 2007-06-13 12:28:25

You can use the EICAR anti-virus test files to test that your anti-virus program is working properly.

[re-formatted for clarity]
quote:
This test file has been provided to EICAR for distribution as the "EICAR Standard Anti-Virus Test File," and it satisfies all the criteria listed above. It is safe to pass around because it is not a virus, and it does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test").

The file is a legitimate DOS program, and it produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").

...[snip]...

You are encouraged to make use of the EICAR test file. If you are aware of people who are looking for real viruses "for test purposes," bring the test file to their attention. If you are aware of people who are discussing the possibility of an industry-standard test file, tell them about www.eicar.org and point toward this article.

In order to facilitate various scenarios, we provide 4 files for download:

1. The first, eicar.com, contains the ASCII string as described above.

2. The second file, eicar.com.txt, is a copy of this file with a different filename. Some readers reported problems when downloading the first file, which can be circumvented when using the second version. Just download and rename the file to "eicar.com." That will do the trick.

3. The third version contains the test file inside a zip archive. A good anti-virus scanner will spot a "virus" inside an archive.

4. The last version is a zip archive containing the third file. This file can be used to see whether the virus scanner checks archives more than only one level deep.

Once downloaded, run your AV scanner. It should detect at least the file "eicar.com." Your AV monitor may not even let these files be downloaded.

Good scanners will detect the "virus" in the single zip archive and may be even in the double zip archive.

Once detected, the scanner might not allow you any access to the file(s) anymore. You might not even be allowed to delete these files. This is caused by the scanner putting the files into quarantine. The test file will be treated just like any other real virus infected file. Read the user's manual of your AV scanner on what to do or contact the vendor/manufacturer of your AV scanner. You might not be able to directly delete the files. You may have to tell your AV scanner or monitor to delete or quarantine them for you, or your scanner or monitor may automatically delete or quarantine the files. It is worth looking this up in the help or manual of your AV product now, rather than when you encounter a real virus.

Important note: EICAR cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer. You download these files at your own risk. Download these files only if you are sufficiently secure in the usage of your AV scanner. EICAR cannot and will not provide any help to remove these files from your computer. Please contact the manufacturer/vendor of your AV scanner to seek such help.


The files, and the instructions for using them, are here; just scroll down to the "Download area":
»www.eicar.org/anti_virus_test_file.htm (www.eicar.org)




All BBR Security FAQs"
The BBR Security Forum

by keith2468 See Profile edited by JMGullett See Profile
last modified: 2007-06-13 12:34:39

There are many reasons why your new anti-virus scanner and anti-virus monitor package might not work right, might make your system run more slowly, or might make your system hang.

What follows is a checklist that you can print-off and go through one item at a time.

First some definitions:

Anti-virus monitor/AV monitor/ Real Time Monitor/RTM: The part of the anti-virus product that normally runs all the time checking files before they are executed (run). Some also check files before they are renamed, copied, displayed or edited.

Anti-virus scanner/On demand scanner: The part of the anti-virus product that runs on demand, or on a scheduled basis, and checks all files, or all files that have certain file types (executable files), for any virus, or for any virus that has ever been in the wild.

Anti-virus email scanner: An extra part of the anti-virus product that scans email and email attachments before they get to the email product (email viewer). Logically it sits between the real email server (at your ISP) and the email client (Outlook Express or whatever).

There are other parts to AV products, including the: control panel, updater, quarantine facility, and sometimes instant message attachment scanner, rescue disk maker, and reporting facility.

The checklist:

1. Usually you can only run, or have installed, one AV monitor at a time. AV monitors have "hooks" into the operating system that cause the AV monitor to scan a file before it gets loaded for execution (and sometimes before it is renamed, copied, edited, etc.).

When you have two AV monitors installed these hooks can interfere with each other, causing the system to hang or slow down. (Also, it used to happen to that one monitor would see the other monitor's signatures in memory and sound a false alarm.)

The solution is to disable one of the AV monitors.

If problems remain, uninstall one of the AV monitors.


2. If you are running an on-demand AV scanner from one company, and an AV monitor from another company, it may be necessary to disable or pause the AV monitor in order to avoid lockups.

To avoid software conflicts, it is preferable and cleaner to completely remove the old AV product before installing the new AV product. Many AV monitors do not work well when another AV monitor is installed.

(If you are running an Internet based AV scanner, you wont have lockups, but the scanner will run scan faster if you disable the AV monitor. If you do this, do not work on the computer until the AV scanner has completed its work and the AV monitor is re-activated. )


3. Check that your system meets the minimum requirements of the AV package.

These requirements are usually on the box or on the website. Requirements usually increase with newer versions.


4. Run a utility to completely uninstall your old AV product.

Your old AV product may not be completely uninstalled by the standard Add/Remove Program function.

The website and email support for your old AV product is the first place to look for help on uninstalling the old product. AV makers whose products dont uninstall cleanly using the normal Add/Remove program function do make utilities that will remove most of these registry entries and left over files.

The website and support email of your new AV product is the second place to look for help on uninstalling the old product. Some vendors will email you an un-installation script for removing a rival's particular product cleanly.

Some products, like Norton Internet Security, have both an AV part and a firewall part. They may require 2 or 3 utilities be run to remove all the components.

Be sure to get the removal utilities for the exact product and version of your old AV, and for the particular operating system version you are using. Read the instructions on the utility download page top-to-bottom before starting.

Removing Norton Anti-virus:
»service1.symantec.com/SUPPORT/na···_sch_nam
»service1.symantec.com/SUPPORT/en···osv_lvl=

For Norton Internet Security (NIS), Norton System Works (NSW), and other Norton or Symantec products, search the Symantec Knowledge Base here:
»www.symantec.com/search/

McAfee Support:
»ts.mcafeehelp.com/default.asp

Removing McAfee VirusScan:
»ts.mcafeehelp.com/default.asp?si···1024x768

Panda Software Support:
»www.pandasoftware.com/

If you still have problems:

a) Manually rename directories and files for the old AV that are no longer needed. (I put xx at the front of the name, and a few days later run a search on xx* to find things to cleanup.)

b) Download and install SpyBot S&D (see the Security Software Updates topic at the top of the BBR Security Forum for a link).

c) Update SpyBot S&D.

d) Backup your entire registry (or in XP create a System Restore Point):

- How to back up a registry:
»service1.symantec.com/SUPPORT/ts···_doc_nam (XP, 2000, NT, Me, 98, 95)

- To create a System Restore point in Windows XP, go to Start / All Programs / Accessories / System Tools / System Restore. Select Create a restore point and click Next. Type in Removing AV registry entries as the name of your restore point, and click Create. Wait a minute while the restore point is taken, and click Close.

e) After backing up your registry, run a scan with SpyBot S&D.

f) Now you have a choice. Either:
(i) Use SpyBot S&D to remove the registry entries for parts of the old AV product that no longer exist (do not change other registry entries at this time) -- OR --
(ii) Make a note of the registry entries and email the support for your new AV product asking for their advice (they may write a script to remove them for you, or they may tell you the entries dont matter).


5. Run the updates and check for new versions of your new AV.

Most (all?) AV products can update the virus signatures completely automatically. And most can update significant parts of their programs automatically. But some require manual downloads to update to new versions or to make major updates to the version you are licensed for.

So visit the support section of your new AV makers website to ensure that you have the latest program updates. They may cure your problems.

(See the Security Software Updates topic at the top of the BBR Security Forum for a link. For Kaspersky check here: »www.kav.ch/ )


6. Scan for disk corruption.

From Windows Explorer, right-click on the disk drive, select properties, select tools, and check for errors. (Do not normally select recover damaged sectors.)
»support.microsoft.com/default.as···ct=winxp


7. Reinstall your new AV.

There may have been a system problem or conflict while you were installing your new AV product. Re-installing your new AV product, and re-updating it, should cure this kind of problem.


8. Don't run test versions of things.

If you are running a test version of the AV package, or your operating system, or something else, there may be compatibility problems. Finding compatibility problems between different versions of products from different vendors is the main reason for running public tests.

If you are running a test version, you are in the test program. Be sure to let the vendors of the test product (and in later test stages, the vendor of the other product) know you are having a compatibility difficulty so they can address it.


9. Use other tools to check for malware.

Some malware waits until there is no AV monitor running to fully deploy. This type of malware can come to life during the gap between disabling your old AV and getting all the updates for your new AV.

Or, if you just upgraded your operating system, you may have gotten infected because your system wasnt patched or behind a firewall when you first connected to the Internet.

And some malware particularly targets AV, anti-trojan and firewall products, shutting them down, or leaving them running in a disabled state.


10. If none of these things resolves your problem, Follow the checklist /faq/8428. Post your details, including operating system, old AV product, and new AV product in the BBR Security Forum, and ask for help.


Other Links:

The EICAR anti-virus test files (you can use these regularly to test that your AV is working):
/faq/9655

Anti-Virus Product Developer Index:
/faq/3128

How to restore a registry:
»support.microsoft.com/default.as···duct=w98 Article ID: 221512
»support.microsoft.com/default.as···ct=winxp Article ID: 307545
»service1.symantec.com/SUPPORT/ts···_doc_nam

System Restore in Windows XP:
»support.microsoft.com/default.as···ct=winxp Article ID: 306084
»support.microsoft.com/default.as···ct=winxp Article ID: 310405

Search Microsoft Knowledge Base:
»support.microsoft.com/search/?adv=1

by keith2468 See Profile
last modified: 2005-02-26 16:05:08

There are a good number of complaints in the Security Forum regarding various anti-virus products. In addition to voicing complaints in a public forum, if the complaints are legitimate, there are other ways to make your voice heard.

While a public forum may allow a dissatisfied consumer to vent their feelings against a particular corporation, most of these public railings turn into flames against other posters and product bashing: It is highly unlikely that the "right people," the ones who run these corporations, are viewing the complaints in the forums.

Instead of arguing with one another about the shortcomings of a product, take the time that you spend responding to another poster and direct it at the corporation instead.

If you have a valid complaint, sit down and write an old-fashioned snail-mail letter, call one of the toll-free numbers many corporations provide or, as a last resort, e-mail the corporation and detail your dissatisfaction with their product.

Following is a list of contacts for the major anti-virus providers and the ones most frequently debated in the forums:

Contact Symantec Global Headquarters
Contact Symantec Public Relations
Contact Avast
Contact Computer Associates
Contact F-Prot
Contact F-Secure and F-Secure's Partners
Contact Grisoft
Contact McAfee
Contact Panda
Contact Sophos
Contact Trend Micro Worldwide
Contact Kaspersky

Don't just sit back and complain -- do something to promote change.

Feedback received on this FAQ entry:
  • Could you please give e-mail addresses to forward complaints to Symantec.

    2007-10-22 15:01:02



by Sparrow See Profile edited by Wildcatboy See Profile
last modified: 2007-10-06 21:00:33

Yes! You can manually download and install Intelligent Updater files updated and posted daily on Symantec's site at http://securityresponse.symantec.com/avcenter/download.html.

Or, you can make your own little program that will fetch those Intelligent Updater files automatically and install them. In effect, it replaces the LiveUpdate feature of NAV.

You can find the easy instructions on how to make this nifty little program at http://www.dslreports.com/forum/remark,3290940~...

Feedback received on this FAQ entry:
  • This FAQ is in the process of a major re-write. If you need help, please feel free to contact me via the IM system@dslr or contact me via email on my profile page: http://www.dslreports.com/useremail/u/122916 AmySheehan 17 Nov 2007

    2007-11-17 19:35:46 (amysheehan See Profile)

  • More info about the outdated info in this FAQ: http://www.dslreports.com/forum/remark,3290940 dated May 2002 - last post early June 2002 - most external links to Symantec sites for reference are non-working Most of the directory listing info for ftp links have been changed or updated on the Symantec site as well. -amy- :)

    2007-10-12 05:52:24 (amysheehan See Profile)

  • Would like to send you updated info re: Daily Updating now all post 2005 products replaces Live Update. Also- FTP links have moved and more versions have been added for 2008 users and Vista versions. Would you like for me to send along all the details and links ? -amy-

    2007-10-12 05:29:43 (amysheehan See Profile)



by MeeToo7 See Profile edited by JMGullett See Profile
last modified: 2007-06-06 13:57:04