Anti-virus cleanup capabilities and its importance.

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Anti-virus cleanup capabilities and its importance.

    I have an early morning flight and only a few hours to go. Instead of sleeping and dealing with the possibility of not making it in time for the flight, I decided to read around a bit. It was a year back when I was involved in a project to migrate from what was then Trend's HIPS solution (Host-based Intrusion Prevention Software) to Symantec Endpoint Protection software. I remember the nights (and days) I spent sleeping on two chairs while dealing with everything from failed migrations to rising infections. There were also minor problems, like the IT head deciding to go with testing and deployment just 30 days before Trend's license was supposed to expire. However, my point is that when they decided to go with Symantec, their main reasons were reporting console, ease of deployment (*******s), market reputation and after sales we don't support you, support.

    It's been a year, we still have outbreaks, we still have critical systems being infected (I am not blaming the HIPS solution completely for this) and life is pretty much the same, but there is this question that comes to my mind: while technical personnel will look for DETECTION RATE as the main criterion for selection, what about "removal rate"? I am sure it has occurred to at least some of us here that with detection there should be complete removal. The idea is that if a machine that is going to offer critical services is infected, it's better to rebuild than just clean using AV software (this might hold true for desktops too, it's the way you see it). This rule is because we all know that AV will not clean the infected machine completely and there will always be remnant files.

    BUT: Does it matter to you how much your anti-virus cleans a threat in the wild, or basically a threat itself? Would you be okay if just the main executable was deleted, with a few remnant files and registry entries? Or would you want your AV vendor to ensure ALL portions of the malware (and its actions) are cleaned off completely?

    This question pops to my mind because I wandered off to this report:
    http://www.av-comparatives.org/image...moval_2009.pdf

    It's "sad" to me to see that no AV was able to clean the machine completely. With AV vendors pushing to the "cloud" and releasing "pulse" (Symantec terminology) updates to ensure malware is detected, doesn't it matter that it cleans the machine completely? I am sure when you release updates every 15 minutes (or so) you will not be paying attention to the actions of the malware itself but just the executable and any drop-off files (surprisingly, some AVs don't delete the drop-off files!).

    What are your thoughts, knowing your AV solution doesn't delete the threat completely (technically)? Does it matter, or is it okay knowing there actually aren't any destructive files but just a few registry entries and a few files without extensions?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    For those of us out in the trenches, week in and week out, cleaning this stuff up year after year, the issue(s) you raise regarding the complete removal of malware is nothing new. Malware is getting more and more sophisticated, for example a piece of work that started out as PAV (Personal Anti Virus) and its "relatives" AntiVirus 2009, etc.

    This stuff's defeating ANY installed AV/AS apps on the computer if it's hooked in long enough (a few hours?) to the OS. The .exe's and where they run from change constantly. Every week. And once this stuff's getting into a given PC, they are tough to find and tougher to defeat, though I am picking up some new tricks as I go along. Booting to Safe Mode w/ Command Prompt is the best thing for manually removing some malware. Run taskmgr, then HJT and ass't apps from a USB drive, which is likely to get infected in the process.

    Any chance of completely removing it involves running reg cleaners (CCleaner has a good one), clearing out temp files, particularly ones that don't want to be deleted, after removing a primary infection. As well as clearing out restore points and any other nooks or crannies this cr@p hides in. So, for me, I don't care anymore if a given AV/security app can clean out everything. Because I know it can't. So I use a repertoire of security apps to cover as many bases as possible. The trade-off is what do you want to live with? A clean Windows install sans user's apps and data. Or the PC close to what it was pre-infection.

    It begs the question as to how one assesses the risk of registry entries and temp files left behind? As for the cloud, in some ways it is nothing new. In other ways, it is, but I digress...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Yeah,

    If you delete the executables, a good registry cleaner should get rid of the rest, then use an orphan file detector/cleaner.

    The CCleaner reg cleaner is OK but I also use Eusing, which is a bit more comprehensive.

    http://www.eusing.com/free_registry_...ry_cleaner.htm

    I think the commercial products I have used are called "registry doctor" and "registry mechanic"??????????
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    I'm currently running SEP on 150+ nodes. It looks pretty, and sounds great in theory but in the end, I wind up manually cleaning the more persistent malware.

    Specifically cited was Antivirus 2009. SEP found it, I cleaned it. I've just come to accept that SEP is mostly a tripwire for the more serious malware. Something that alerts me so I know what machine to go fix.

    However, I have found myself wondering why I'm stuck cleaning systems when we're spending major cash on bloated products.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Originally posted by ShagDevil:
    "... I have found myself wondering why I'm stuck cleaning systems when we're spending major cash on bloated products."

    L.i.c.e.n.s.i.n.g & D.R.M. Rogue apps like Antivirus 2009 and PAV are often using multimedia as an attack vector. Users are telling me far more often than not they clicked on a video.

    About everything I use to clean up PC's is freeware of some form. And friends don't let friends use Windows Media Player...

    HTH, BC
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi SD,

    "However, I have found myself wondering why I'm stuck cleaning systems when we're spending major cash on bloated products."

    1. Anything based on signatures or patterns is always behind the pace.
    2. Malware is professional business these days.
    3. Scareware will not show as malware as it generally isn't, it is crapware and a confidence trick. It takes a while to get added as undesirable software due to the fear of legal recriminations?

    Basically there is no application on Earth that will protect users from themselves. Even if you load process protection software they will want it turned off or will just go clicky clicky........................

    An interesting exercise is to run Secunia PSI and update everything it asks to "patched" status. Then look at the "patched" applications and see how many are category 3 or 4 security threats

    Frightening

    I guess part of the problem is that MS Windows has allowed users far too much freedom in the past and they have grown used to it.

    It amazes me the number of machines I see that are running as administrator and without a password.

    Still, it does provide gainful employment
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Senior Member Cope57's Avatar
    Join Date
    Nov 2003
    Posts
    186
    I noticed that BleachBit is not mentioned in this forum. CCleaner is a good application for many things, but there is nothing wrong with having multiple applications to make certain that junk cleaning tasks are thorough. Having those applications running at the same time may not provide favorable results; it is best to use them separately.

    As for an anti-virus application, it is a personal preference of which to use. I choose not to use an anti-virus program. Then again, I really do not share files with anyone.
    Computers do not have problems, they have users.
    ~Cope57

  8. #8
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    I don't necessarily blame these AV vendors for not being able to clean some of the malware floating around. It usually takes 2-3 products to fully clean out the polymorphic malware. I just feel that maybe licensing should cost a bit less considering there's no such thing as 100% security from any one vendor.

    "there is no application on Earth that will protect users from themselves"
    Yes there is. It's called a circuit breaker.

    "Users are telling me far more often than not they clicked on a video"
    Yep. Or the email 'looked' safe. Or I was just trying to buy a Snuggie.

    "clicky clicky"
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    SD

    At the risk of sounding totally cynical, I believe that AV vendors are relying on "feel good" and "insurance policy" mentalities. If you have an AV product and you get hit then the bad guy was smarter but it wasn't your fault.

    If you don't have an AV product and you get hit, then you are the dumbass and you get fired.

    That's why they can charge what they do

    "Yes there is. It's called a circuit breaker."
    Sorry mate! that's hardware, not an application
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    .. Good discussion .. I'm still concerned with a few AVs not checking important registry keys (like the option to enable hidden file visibility)..

    I use Kaspersky and it comes with this post-infection cleanup wizard that checks settings (registry, IE and a few other places). It does an acceptable level of work ensuring none of the important registry keys are changed. I am not sure if other HIPS solutions come with this but I would definitely consider it important.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
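
The kind of post-infection settings check raised in post #10, sketched as an added example that is not part of the original thread or any vendor's tool: a read-only PowerShell audit of a few registry values that a file-only cleanup can leave changed, including the hidden-file visibility option. The baseline values are assumed Windows defaults and the function name `Test-PostInfectionSetting` is hypothetical.

```powershell
# Added example: report-only audit of registry settings that can stay altered
# after the malicious files themselves have been removed. Nothing is modified.
# Expected values are assumed Windows defaults; $null means "normally absent or 0".
$baseline = @(
    # Controls whether "Show hidden files" in Folder Options actually takes effect.
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
                       Name = 'CheckedValue'; Expected = 1 }
    # Policy values that lock the user out of the tools needed for manual cleanup.
    [pscustomobject]@{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
                       Name = 'DisableTaskMgr'; Expected = $null }
    [pscustomobject]@{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
                       Name = 'DisableRegistryTools'; Expected = $null }
    [pscustomobject]@{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
                       Name = 'NoFolderOptions'; Expected = $null }
)

function Test-PostInfectionSetting {
    param([Parameter(Mandatory)] $Check)

    # Read the value; a missing key or value leaves $actual as $null.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Name) }

    if ($null -eq $Check.Expected) {
        # Policy "Disable*/No*" values: absent or 0 both mean "not restricted".
        $ok = ($null -eq $actual) -or ($actual -eq 0)
    } else {
        $ok = ($actual -eq $Check.Expected)
    }

    [pscustomobject]@{
        Name     = $Check.Name
        Actual   = $actual
        Expected = $Check.Expected
        Ok       = $ok
        Path     = $Check.Path
    }
}

# Print every check; rows with Ok = False need a manual look.
$baseline | ForEach-Object { Test-PostInfectionSetting $_ } | Format-Table -AutoSize -Wrap
```

Run it as the affected user, since the `HKCU` values are per-profile; a restriction set deliberately by Group Policy will also show as `Ok = False`.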
