Thread: AntiVir tutorial

  1. #1
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131

    AntiVir tutorial

    Hello,

    Forgive me if this is in the wrong place, not sure where else to post it.

    I have put up a tutorial on Avira's AntiVir for getting maximum protection from it.

    Please let me know what you think.

    The link is http://tanaya.net/AntiVir/

    Thank you in advance.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    "Avira"? wot? hell's teeth man, I have used it when it was H+Bedv Gmbh

    I would question the scanning on closing/writing files. I only ever bother on the open/read process. If something nasty has gotten onto your system and is infecting files on write, I don't think your AV will spot it, unless it is using some sort of checksumming or behavioural analysis technology. I don't do it because it is a resource drain with little added benefit IMO. Also, if you do regular system scans the infected files will be spotted.

    I take the view that AV is basically retrospective so the chances are that an infection on closing a file won't be spotted anyway because the virus won't be in the pattern file.

    As for "action for concerning files" (I see they still have that quaint Germanic English)

    No! you do not delete................ every false positive will get killed.........oh! what fun.

    If the user is reasonably competent then set it to Interactive and report the incident.

    If the user is not competent, tell it to attempt a clean/repair and if it can't do that then quarantine the file. It will at least let whoever gets to fix the machine see what has been removed from active service.

  3. #3
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131
    Quote Originally Posted by nihil
    "Avira"? wot? hell's teeth man, I have used it when it was H+Bedv Gmbh

    I would question the scanning on closing/writing files. I only ever bother on the open/read process. If something nasty has gotten onto your system and is infecting files on write, I don't think your AV will spot it, unless it is using some sort of checksumming or behavioural analysis technology. I don't do it because it is a resource drain with little added benefit IMO. Also, if you do regular system scans the infected files will be spotted.

    I take the view that AV is basically retrospective so the chances are that an infection on closing a file won't be spotted anyway because the virus won't be in the pattern file.

    As for "action for concerning files" (I see they still have that quaint Germanic English)

    No! you do not delete................ every false positive will get killed.........oh! what fun.

    If the user is reasonably competent then set it to Interactive and report the incident.

    If the user is not competent, tell it to attempt a clean/repair and if it can't do that then quarantine the file. It will at least let whoever gets to fix the machine see what has been removed from active service.

    Same here... About a year ago, H+BEDV grew into a larger firm and new E.U. laws required a new charter from what I understood of the press release.

    Memory resident viruses are exactly why you want to scan on write. You want to block any virus from writing itself out.

    Heuristic scanning is a must in today's computer world. Especially now with more viruses being able to mutate their own code. The heuristics analysis can catch these too. With the new breed of heuristic scanners, patterns are not as important as the pattern is only for a positive ID. The heuristic engine spots traits that virus/trojans/worms may use.

    Delete is the best option to guarantee the complete removal of the virus. The repair option usually doesn't work and only serves to give a new user a false sense of security. The only good virus is no virus.

    As I said on the page, I have never had a false positive. I will say that it is possible though.

    Experienced users do not need this web page as they already know what is best for them...

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm, this may take a bit of understanding:

    Quote:
    Memory resident viruses are exactly why you want to scan on write. You want to block any virus from writing itself out.

    1. You scan memory on bootup so if there is a virus it will be detected then. If it isn't, then it won't be detected when (if) you write it back.

    2. If your system gets infected during your current session, once again the AV has failed, and it won't be detected.

    3. Most recent memory resident viruses don't write themselves back. They have no need to, as they are already in their host which installs them into memory to begin with. They then infect other executables as they are run. They will also terminate themselves to avoid detection. The days of the old TSR are long gone.

    Quote:
    Delete is the best option to guarantee the complete removal of the virus. The repair option usually doesn't work and only serves to give a new user a false sense of security. The only good virus is no virus.

    I don't hold with that, nothing will run out of quarantine so that is adequate. The first option should be to attempt to clean, OK mostly this cannot happen because the whole file is the virus (appending and prepending are out of fashion these days).

    If a user tells me what is in his quarantine folder I can quickly tell him what should be deleted, and I also have a far better idea of what damage might have been done.

    Also consider important Word, Excel and Access files............. you don't really want to delete those do you?.............backups?
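
Added example, not part of the original thread and not AntiVir's own code: a minimal quarantine routine illustrating the point argued in post #4, that a quarantined file cannot run yet stays available for review and for restoring a false positive. The XOR encoding, the file layout and all function names are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

KEY = 0x5A  # assumed single-byte XOR key; real products use their own container formats


def xor_encode(data: bytes) -> bytes:
    return bytes(b ^ KEY for b in data)


def quarantine(path, qdir):
    """Move a flagged file into qdir, encoded so it cannot be opened or run by accident."""
    src, qdir = Path(path), Path(qdir)
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    meta = {"original_path": str(src.resolve()), "sha256": digest, "size": len(data)}
    qdir.mkdir(parents=True, exist_ok=True)
    (qdir / f"{digest}.q").write_bytes(xor_encode(data))
    (qdir / f"{digest}.json").write_text(json.dumps(meta))
    src.unlink()  # remove the live copy only after the quarantined copy is written
    return meta


def list_quarantine(qdir):
    """What a helper would ask the user to read out: original paths and hashes."""
    return [json.loads(p.read_text()) for p in sorted(Path(qdir).glob("*.json"))]


def restore(digest, qdir):
    """Undo a false positive: decode, verify against the recorded hash, put the file back."""
    qdir = Path(qdir)
    meta = json.loads((qdir / f"{digest}.json").read_text())
    data = xor_encode((qdir / f"{digest}.q").read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined copy does not match recorded hash")
    Path(meta["original_path"]).write_bytes(data)
    return meta["original_path"]


def demo():
    """Constructed sample: a harmless document standing in for a false positive."""
    with tempfile.TemporaryDirectory() as tmp:
        doc, qdir = Path(tmp) / "budget.xls", Path(tmp) / "quarantine"
        doc.write_bytes(b"constructed sample, not malware")
        meta = quarantine(doc, qdir)
        removed = not doc.exists()
        listed = [m["sha256"] for m in list_quarantine(qdir)] == [meta["sha256"]]
        return removed, listed, Path(restore(meta["sha256"], qdir)).read_bytes()
```

The recorded SHA-256 and original path are what make the quarantine folder useful to whoever repairs the machine; a plain delete keeps neither.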

  5. #5
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131
    Quote Originally Posted by nihil
    Hmmm, this may take a bit of understanding:

    1. You scan memory on bootup so if there is a virus it will be detected then. If it isn't, then it won't be detected when (if) you write it back.

    2. If your system gets infected during your current session, once again the AV has failed, and it won't be detected.

    3. Most recent memory resident viruses don't write themselves back. They have no need to, as they are already in their host which installs them into memory to begin with. They then infect other executables as they are run. They will also terminate themselves to avoid detection. The days of the old TSR are long gone.

    I don't hold with that, nothing will run out of quarantine so that is adequate. The first option should be to attempt to clean, OK mostly this cannot happen because the whole file is the virus (appending and prepending are out of fashion these days).

    If a user tells me what is in his quarantine folder I can quickly tell him what should be deleted, and I also have a far better idea of what damage might have been done.

    Also consider important Word, Excel and Access files............. you don't really want to delete those do you?.............backups?

    This makes the assumption that you are not infected to begin with. This is erroneous as it takes only SIX (6) seconds to infect an unprotected Windows machine, the base assessment of most new users. AntiVir's heuristics analysis falls in here to catch even unknown viruses. In all the systems I have set up with this, I've never had any problems or viruses get past AntiVir. I won't say it can't happen, but I will say that a machine running this level of protection is most likely NOT going to be affected.

    Let us also forget that Code Red, Nimda, and many older viruses that should not be out there any longer still are. The fundamental structure of a TSR program hasn't changed and is still very common... There is plenty of virus research code available that proves this.

    For an experienced user perhaps, for the scope of a new user that has no idea what a computer virus is, NO. If every new computer came with this level of protection, spam zombies would be reduced by 90% at least. The focus of this article is on a group of people that have little or no experience either with computers or AntiVir.

    Anything left on the hard drive is a subjected risk, nor is it maximum protection, and that includes a quarantine.

    Any infected file should be deleted. There is no better time to learn how to back up important data than right at the moment the brand new shiny computer is unpacked. USB and CDRW drives are an affordable and practical solution.

    It is better to give a new user an absolute situation they can understand rather than a questionable one filled with false hope.

    Maximum protection means just that - maximum, unquestionable, uncompromising, absolute, the same results all the time, and no gray areas protection.

  6. #6
    Junior Member
    Join Date
    Sep 2004
    Location
    26.55 N 75.52 E
    Posts
    25
    Recently I changed my AV and switched to AntiVir; I was believing that Symantec is good enough. But a couple of days back my Symantec Client Security (updated) stopped working; maybe the reason was W32.blackmal. After that Symantec failed to scan. I tried Norton Internet Security but was not able to install because of some error. But now it's working fine and detecting trojans and viruses.
    It's really hard to find which one is the best AV (which doesn't exist).
    "Knowing how to do something that might be harmful is not the same as causing harm."

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, I can understand some of the bitching about this site, and its recent lack of serious security content.

    If you DO NOT UNDERSTAND THE DIFFERENCE BETWEEN ANTIVIRUS AND A FIREWALL please do not post on security sites.

    AntiVir comes out as lacklustre in comparative tests..................

    "Heuristics"? ha! bloody ha!


    Rule #1..................don't let the stuff on your system in the first place............... AVs won't help you much there
