On-demand scanners
Wai_Wai
September 16th, 2006, 07:59 AM
On-demand Scanner Guide
Introduction
Some people may want to install more than 1 anti-virus program because no single anti-virus program can detect all viruses. A good combination of anti-virus programs can enhance overall detection rates.
It's not a good idea to install additional anti-virus programs, even if you have disabled their real-time protection. They may still cause conflicts (eg loaded driver conflicts). However, a few anti-virus programs allow you to select which modules to install. Simply install the on-demand scan module (don't install the real-time on-access protection). The producer will take care of the rest, and you are fine.
Some anti-virus producers also offer standalone on-demand scanners for users to download and install. They are also great for backing up your on-access real-time (resident) anti-virus program. More protection, very low risk of conflicts. ;)
List of standalone on-demand scanners
Here's a list of on-demand scanners for you to install in your computer:
Standalone installer:
* Bitdefender 8 http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html (good detection rate, scan and cure, free)
* MicroWorld eScan http://www.mwti.net/products/mwav/mwav.asp (use KAV engine, good detection rate, but scan only, free)
* ArcaMicroScan http://www.arcabit.com/download_product.html?product=ArcaMicroScan (above-average detection rate, scan and cure, free)
* Dr. Web http://www.freedrweb.com/cureit/?lng=en (above-average detection rate, scan and cure, free)
* McAfee AVERT Stinger http://vil.nai.com/vil/stinger/ (watered-down version, limited malware database, not useful; scan and cure, free)
* ClamAV, ClamWin, ClamWin Portable (so-so detection rate, currently this anti-virus program has on-demand scan only, freeware & open source)
** http://www.clamwin.com/
** http://portableapps.com/apps/utilities/clamwin_portable
* Any more to add?
Installer with module selection:
* Avira Antivir http://www.free-av.com/antivirus/allinonen.html (good detection rate, but may have many false positives, free for personal use)
* Command AntiVirus http://www.authentium.com/support/updates.asp (shareware)
* Any more to add?
PS: What combination of anti-virus programs do you think is the best and enough to protect you against known and unknown threats?
Standalone on-demand scanner(st) VS online scanner(onl)
Both will occupy your disk space anyway
st: scan faster
st: more flexible (configuration, scan options)
st: more handy (can scan right on the spot)
st: most of them offer both scan and cure/removal; onl: few offer both scan and cure/removal. Most are scan only
st: very low chance of getting conflicts; onl: probably slightly lower than "st"
st: hardly use more than 1 scan engine; onl: some websites offer scanning individual files with multiple engines
Any more to add?
st = Standalone on-demand scanner
onl = online scanner
PS: Ouch! My comparison looks too biased. :blink:
More inputs are welcome. ;D
Malware (real-threat) on-demand scan report
Is it a good idea to add additional on-demand scanners to back up your current resident anti-virus program?
This malware (real-threat) on-demand scan report may answer your question:
http://www.wilderssecurity.com/showpost.php?p=839371&postcount=33
Suggers
September 16th, 2006, 08:11 AM
-{ Quote: "
Here's a list of on-demand scanners I could find:
* Bitdefender 8 http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html (good detection rates, scan and cure, free)
* MicroWorld eScan http://www.mwti.net/products/mwav/mwav.asp (use KAV engine, good detection rates, but scan only, free)
* ArcaMicroScan http://www.arcabit.com/download_product.html?product=ArcaMicroScan (average detection rates, scan and cure, free)
* Dr. Web http://www.freedrweb.com/cureit/?lng=en (average detection rates, scan and cure, free)
Any more?" }-
Yes, there's a few more listed on nod32sse.com:
http://nod32sse.com/scanners.php
Suggers
Wai_Wai
September 16th, 2006, 08:55 AM
-{ Quote: "Yes, there's a few more listed on nod32sse.com:
http://nod32sse.com/scanners.php
Suggers" }-
Hmm... but they are online scanners, not standalone on-demand scanners.
I wonder why most of them don't offer a standalone on-demand scanner for us to download.
After all, thanks for your help.
Suggers
September 16th, 2006, 09:51 AM
-{ Quote: "Hmm... but they are online scanners, not standalone on-demand scanners.
" }-
Sorry, I misinterpreted your post. :-[ ;D
Suggers
WSFuser
September 16th, 2006, 09:53 AM
-{ Quote: "It's not a good idea to install additional anti-virus programs, even if you have disabled its real-time protection. They may still cause conflicts (eg driver conflicts)." }-
what if u don't install the realtime protection?
antivir can let u do that, so it functions only as an ondemand scanner.
QBgreen
September 16th, 2006, 10:21 AM
When I held a license for F-Prot 3.xx, I used to use it as an on-board backup scanner. You can install just the modules that you want, in my case it was the updater and scanner. It never interfered with any of my primary AV programs including NOD32 and various iterations of AVP/KAV. I'm uncertain whether or not this line will be phased out with the new release looming, but it did work well for me.
Wai_Wai
September 16th, 2006, 10:42 AM
-{ Quote: "what if u don't install the realtime protection?
antivir can let u do that, so it functions only as an ondemand scanner." }-
Good point.
It is not just the real-time protection which will cause conflicts. For example the driver module may crash with your anti-virus program. So even if you disable it, you may still get conflicts.
However, if an anti-virus allows you not to install the real-time protection module (not many will allow you to do so), I think it may take the case into consideration (it may be used in conjunction with other anti-virus programs), so the producer will configure it so it will not conflict with others.
In short, yes, it should be safe to do so in this case.
Thanks for your mention.
Wai_Wai
September 16th, 2006, 10:45 AM
-{ Quote: "Sorry, I misinterpreted your post. :-[ ;D
Suggers" }-
Never mind. 8) :-[
Good link after all. ;)
marcromero
September 16th, 2006, 12:34 PM
If your current av program detects "all in the wild virus", installing another antivirus program for backup is redundancy at its best. It is my opinion that the "no one program finds it all" reasoning for running multiple antivirus and security related programs to protect your computer is just asking for problems, and people wonder why they have all sorts of conflicts and issues with their installed software and computer performance.
An antivirus and a complementary anti-spyware program is all you really need to be safe online, coupled with good computer habits and an occasional online scan from another vendor's scanner to verify your security. This has worked well for me over the years and I have never suffered any computer software issues or pc performance problems.
In my opinion, the minimalist approach to security applications has always provided me with the best protection and performance. If I encounter a problem that gets by my current protection, I identify the threat, download the necessary tools to detect/remove the problem then uninstall them. As of yet, I have not needed to do this, my current antivirus and anti-spyware programs have kept me clean, up and running.
Marc
ellison64
September 16th, 2006, 12:37 PM
Is there any point in risking conflicts when there are so many good online scanners and sites such as jottis and virus total?
ellison
WSFuser
September 16th, 2006, 12:41 PM
well jottis and virus total are for scanning individual files, not your computer.
but yes, online scanners are good for on-demand.
ErikAlbert
September 16th, 2006, 12:51 PM
Detect and remove a threat that wasn't detected and removed by the main scanner.
Is that the purpose of an "on-demand scanner" ?
Chubb
September 16th, 2006, 01:17 PM
-{ Quote: "When I held a license for F-Prot 3.xx, I used to use it as an on-board backup scanner. You can install just the modules that you want, in my case it was the updater and scanner. It never interfered with any of my primary AV programs including NOD32 and various iterations of AVP/KAV. I'm uncertain whether or not this line will be phased out with the new release looming, but it did work well for me." }-
The installer of F-PROT 6.X beta doesn't allow you to choose what components to install. Not sure if it will change in the final version.
The installer of Command AntiVirus allows you to choose what components to install. You can choose not to install the "Dynamic Virus Protection" and the "Schedule Scan" and install just the "Command AntiVirus Scanner" and the "Shell Extension"
FRug
September 16th, 2006, 01:37 PM
Wai Wai: Antivir lets you install without loaded drivers. If the drivers are on your hd but don't get loaded, there cannot be a conflict, unless another AV software blocks installing because it thinks the guard is always active just because you have the main software installed. However that is an installer problem, not something causing system instability, and can usually be worked around.
kdm31091
September 16th, 2006, 01:40 PM
-{ Quote: "Detect and remove a threat that wasn't detected and removed by the main scanner.
Is that the purpose of an "on-demand scanner" ?" }-
Yes, on-demand is just backing up your resident programs.
ErikAlbert
September 16th, 2006, 01:48 PM
-{ Quote: "Yes, on-demand is just backing up your resident programs." }-
Let me do some calculations :
1 resident Anti-Virus + on-demand AV
1 resident Anti-Spyware + on-demand AS
1 resident Anti-Trojan + on-demand AT
1 resident Anti-Keylogger + on-demand AK
That's 8 scanners in total.
Assuming that the resident scanners run automatically (scheduled), you still have to run 4 scanners daily on demand to remove what wasn't found by the resident scanners.
marcromero
September 16th, 2006, 02:45 PM
-{ Quote: "Let me do some calculations :
1 resident Anti-Virus + on-demand AV
1 resident Anti-Spyware + on-demand AS
1 resident Anti-Trojan + on-demand AT
1 resident Anti-Keylogger + on-demand AK
That's 8 scanners in total.
Assuming that the resident scanners run automatically (scheduled), you still have to run 4 scanners daily on demand to remove what wasn't found by the resident scanners." }-
Ridiculous isn't it, I think so. I sit back and read in wonderment what some people go through to secure their computers.
Marc
the Tester
September 16th, 2006, 02:59 PM
What about Stinger from McAfee?
That's a standalone scanner.
WSFuser
September 16th, 2006, 03:00 PM
yes, but its definitions are limited to certain malware. same goes for avast's virus cleaner iirc.
Alphalutra1
September 16th, 2006, 04:13 PM
ClamWin (http://www.clamwin.com/)
Alphalutra1
Ned Slider
September 16th, 2006, 04:54 PM
-{ Quote: "If your current av program detects "all in the wild virus" installing another antivirus program for backup is redundancy at its best, ..." }-
I think it depends on your definition of "in the wild".
I'm not aware of ANY AV program that reliably detects ALL samples that are circulating in the wild. Don't confuse this with the "in the wild" (ITW) list of viruses that some sites use for testing, as they only include a very small subset of pre-determined samples and they don't in any way reflect what users may encounter in real life in my experience.
I frequently clean machines with infections that are missed by even the very best scanners (detection rates), KAV, BitDefender and McAfee included. If you are at high risk, or are regularly cleaning infected machines, then using multiple scanners is absolutely essential.
WSFuser
September 16th, 2006, 05:39 PM
here u go: http://vil.nai.com/vil/stinger/
Wai_Wai
September 16th, 2006, 05:44 PM
-{ Quote: "ClamWin (http://www.clamwin.com/)
Alphalutra1" }-
Does it offer a standalone on-demand scanner like bitdefender?
Or does it allow us to select to install on-demand scan module only in the installer?
ErikAlbert
September 16th, 2006, 05:56 PM
-{ Quote: "Ridiculous isn't it, I think so. I sit back and read in wonderment what some people go through to secure their computers." }-
Yes, at first sight it looks that way. Maybe they love to run so many scanners. It's a mystery to me.
I've seen posts where users run their on-demand scanners WEEKLY. If these on-demand scanners find one or more threats, it means that these threats had enough time to do their evil job. That doesn't make sense to me. So you have to run these on-demand scanners DAILY.
They must spend a lot of time on running all these scanners, and you have to wait for the scan results in order to remove possible threats, unless they are false positives of course. :)
Wai_Wai
September 16th, 2006, 05:56 PM
-{ Quote: "Is there any point in risking conflicts when there are so many good online scanners and sites such as jottis and virus total?
ellison" }-
You will hardly get conflicts from installing on-demand only scanners on your PC. They just waste your disk space, but may come in handy when you wish to scan your files/folders/PC with additional scanners.
They don't even hamper the performance of your computer, since they are not always running in the background like your resident anti-virus program. Just call them when you need them. Very handy and useful.
Feel free to install as many as you wish. ;)
Wai_Wai
September 16th, 2006, 06:01 PM
-{ Quote: "here u go: http://vil.nai.com/vil/stinger/" }-
Thanks for the handy link. :)
Very limited virus/malware database. Hardly useful if you have some of the best anti-virus programs installed on your PC. ;)
ggf31416
September 16th, 2006, 06:12 PM
-{ Quote: "Does it offer a standalone on-demand scanner like bitdefender?
Or does it allow us to select to install on-demand scan module only in the installer?" }-
ClamWin doesn't have on-access protection (but it's planned)
Wai_Wai
September 16th, 2006, 06:22 PM
Standalone on-demand scanner(st) VS online scanner(onl)
Both will occupy your disk space anyway
st: scan faster
st: more flexible (configuration, scan options)
st: more handy (can scan right on the spot)
st: most of them offer both scan and cure/removal; onl: few offer both scan and cure/removal. Most are scan only
st: very low chance of getting conflicts; onl: probably slightly lower than "st"
st: hardly use more than 1 scan engine; onl: some websites offer scanning individual files with multiple engines
Any more to add?
st = Standalone on-demand scanner
onl = online scanner
PS: Ouch! My comparison looks too biased. :blink:
More inputs are welcome. ;D
Wai_Wai
September 16th, 2006, 06:48 PM
-{ Quote: "If your current av program detects "all in the wild virus", installing another antivirus program for backup is redundancy at its best. It is my opinion that the "no one program finds it all" reasoning for running multiple antivirus and security related programs to protect your computer is just asking for problems, and people wonder why they have all sorts of conflicts and issues with their installed software and computer performance.
An antivirus and a complementary anti-spyware program is all you really need to be safe online, coupled with good computer habits and an occasional online scan from another vendor's scanner to verify your security. This has worked well for me over the years and I have never suffered any computer software issues or pc performance problems.
In my opinion, the minimalist approach to security applications has always provided me with the best protection and performance. If I encounter a problem that gets by my current protection, I identify the threat, download the necessary tools to detect/remove the problem then uninstall them. As of yet, I have not needed to do this, my current antivirus and anti-spyware programs have kept me clean, up and running.
Marc" }-
Good point. :thumb:
Yes or no.
I might post some research about virus detection and multi-engine scanning soon, so users can know more about it and whether it is worth having more than 1 engine (even if you have one of the best anti-virus programs in the world), and make an informed decision.
Wai_Wai
September 16th, 2006, 06:55 PM
-{ Quote: "ClamWin doesn't have on-access protection (but it's planned)" }-
Thanks for your information.
I think the same thing holds true for ClamAV (http://www.clamav.net/) (for Mac OS or Unix-like OS), doesn't it?
Answer: Yes, confirmed by Alphalutra1!
See also: ClamAV - The free Anti Virus solution for Windows on Linux
http://linuxhelp.blogspot.com/2005/10/clamav-free-anti-virus-solution-for.html
marcromero
September 16th, 2006, 08:27 PM
For a second opinion scanner, I use DrWeb's CureIt. It detects and removes the threats it finds; it will remove viruses, adware/spyware and other malware. It does a thorough job of scanning the hard drive. Next to Kaspersky, its database is updated almost every hour, sometimes more than once an hour, depending on the threats in circulation.
Marc
Alphalutra1
September 17th, 2006, 12:13 PM
-{ Quote: "Does it offer a standalone on-demand scanner like bitdefender?
Or does it allow us to select to install on-demand scan module only in the installer?" }-
It is ONLY an on-demand scanner, it doesn't have an on-access scanner.
---edit---
didn't see the previous reply
---------
to answer your other question, ClamAV for *nix is also on-demand only
Alphalutra1
Wai_Wai
September 17th, 2006, 01:39 PM
-{ Quote: "Good point. :thumb:
Yes or no.
I might post some research about virus detection and multi-engine scanning soon, so users can know more about it and whether it is worth having more than 1 engine (even if you have one of the best anti-virus programs in the world), and make an informed decision." }-
Recently I have been doing some small research about this and about how additional on-demand scanners could be helpful to your main resident anti-virus program. It is just crude and simple research after all, so don't treat it very seriously.
I would like to make the test as real as possible. Instead of using virus samples in the lab, it seems it is better to test our anti-virus programs in real world circumstances. All the malware grabbed are circulating on the dark side of the Internet, so the threats are real.
About 50 instances have been tested so far. At least 1 scanner can detect the malware.
See the screenshot below or this link for the result:
http://www.wilderssecurity.com/attachment.php?attachmentid=183289&stc=1&d=1158518013
(Note: This is just a preliminary report. It is not intended to be exhaustive. It is just to give users a rough idea about the general situation. I may update the report or test more thoroughly, depending on time availability.)
As you see from the result, the mode of the detection rates per scanner is 4; that is, there are only 4 scanners (the total number of scanners is 15) which can detect the same malware most of the time.
If you use both Avira Antivir and Kaspersky to scan your system, your detection rate is boosted by 20% (ie from 60% to 80%) which is a decent improvement. The second backup scanner usually provides the largest improvement of your overall detection rates. The improvement becomes less and less as you add more backup scanners to your existing ones.
After all, I find the concept of "multiple scanner approach" interesting. Someone like this person might agree with me :D :
-{ Quote (http://blog.hispasec.com/virustotal/7): "
The inception of VirusTotal had nothing to do with business plans or profit. It stemmed from a tool that we had developed internally at our Lab at Hispasec in order to perform our own tests with malware samples and AV programs. Among other things, it let us know retroactively all reaction times taken by the engines to detect a given sample. Its original name was SAV, which is what we still use internally.
One day we realized that the basic function of SAV, i.e. analyzing a sample with several AV engines, could be useful to users and we questioned ourselves: Why don't we make it public? And thus VirusTotal was born.
...
" }-
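The report above reads a "which scanner flagged which sample" matrix: individual detection rates, the mode of how many scanners flag the same sample, and the combined rate of a resident scanner plus backups. The script below, added here as an illustration and not part of the thread or any vendor's tooling, does the same arithmetic on a constructed matrix with hypothetical scanner names A to F. It also ranks the backup scanners greedily, so the diminishing return from each extra on-demand scanner that the post describes is visible in the numbers.

```python
"""Added worked example (not from the thread or any scanner vendor): how to
read a "which scanner flagged which sample" matrix the way the report above
does. DETECTIONS is CONSTRUCTED sample data with hypothetical scanner names
A..F, not real test results."""
from collections import Counter
from itertools import combinations

# Constructed data: sample id -> set of hypothetical scanners that flagged it.
DETECTIONS = {
    "sample01": {"A", "B", "C", "D"},
    "sample02": {"A", "B", "C"},
    "sample03": {"A", "C", "D", "E"},
    "sample04": {"B", "D"},
    "sample05": {"A", "B", "C", "D", "E", "F"},
    "sample06": {"A"},
    "sample07": {"B", "E"},
    "sample08": {"A", "C", "D"},
    "sample09": {"C", "D", "E", "F"},
    "sample10": {"A", "B", "C", "D"},
}
SCANNERS = sorted({s for hits in DETECTIONS.values() for s in hits})


def detection_rate(scanners):
    """Fraction of samples flagged by at least one scanner in `scanners`:
    the union, i.e. what you get by running all of them on demand."""
    wanted = set(scanners)
    caught = sum(1 for hits in DETECTIONS.values() if hits & wanted)
    return caught / len(DETECTIONS)


def per_scanner_rates():
    """Individual detection rate of every scanner."""
    return {s: detection_rate([s]) for s in SCANNERS}


def detections_per_sample_mode():
    """Most common number of scanners flagging the same sample (the 'mode'
    figure quoted in the report above)."""
    counts = Counter(len(hits) for hits in DETECTIONS.values())
    return counts.most_common(1)[0][0]


def unique_catches():
    """How many samples each scanner was the ONLY one to flag."""
    only = Counter(next(iter(hits)) for hits in DETECTIONS.values() if len(hits) == 1)
    return {s: only.get(s, 0) for s in SCANNERS}


def best_pair():
    """Pair of scanners with the highest combined detection rate."""
    pair = max(combinations(SCANNERS, 2), key=detection_rate)
    return pair, detection_rate(pair)


def greedy_stack(primary):
    """Start from `primary` (the resident AV) and keep adding the backup
    scanner that raises the combined rate the most. Returns a list of
    (scanner, combined_rate) in the order added, so the marginal gain of
    each extra scanner can be read off directly."""
    chosen = [primary]
    path = [(primary, detection_rate(chosen))]
    remaining = [s for s in SCANNERS if s != primary]
    while remaining:
        best = max(remaining, key=lambda s: detection_rate(chosen + [s]))
        remaining.remove(best)
        chosen.append(best)
        path.append((best, detection_rate(chosen)))
    return path


if __name__ == "__main__":
    for scanner, rate in per_scanner_rates().items():
        print(f"{scanner}: {rate:.0%} alone, sole detector of {unique_catches()[scanner]} sample(s)")
    print("mode of detections per sample:", detections_per_sample_mode())
    pair, rate = best_pair()
    print(f"best pair: {pair} -> {rate:.0%}")
    previous = 0.0
    for scanner, rate in greedy_stack("A"):
        print(f"+{scanner}: {rate:.0%} (gain {rate - previous:+.0%})")
        previous = rate
```

With the constructed matrix, scanner A alone reaches 70%, adding B lifts the union to 90%, a third scanner closes the last gap, and every scanner after that adds nothing, which is the "second backup gives the largest improvement" pattern the post describes. The same functions work unchanged on a real matrix exported from a multi-engine scan service, as long as it is loaded into the same `sample -> set of scanners` shape.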
ErikAlbert
September 17th, 2006, 01:51 PM
I didn't take the test very seriously, but the total no. of scanners = 15, not 14. :)
Alphalutra1
September 17th, 2006, 01:57 PM
I am sorry, but how could you possibly test clamAV, since it is not built for windows? Secondly, it is an on-demand scanner only, so there can be no real time scanning abilities. Thirdly, I would like to know more about your methods for the test. Did you install each av on a freshly installed xp install? How were the samples detected, by the on-access scanner upon downloading the malware? What kind of malware was used? Was it a corrupted sample that actually wouldn't cause any damage at all? What settings did you use for each av? And I would have to say you did the test very very fast, so I tend to doubt that it really is testing the on-access scanning capabilities of the products.
And please don't say that this is true:You scanned each downloaded file at either virus total or jotti's, then posted the results.
Alphalutra1
ggf31416
September 17th, 2006, 02:27 PM
Obviously the test was made using the Jotti service and wasn't real-time. From reading the description, the samples were actual malware, not false positives or corrupted samples (If I understand correctly).
The antiviruses used in Jotti are linux versions, so the detection rates may be different from the windows versions.
Some days ago I used some Jotti Statistics (100 samples detected by at least 2 scanners) for my own curiosity and the results were similar.
Wai_Wai
September 17th, 2006, 02:32 PM
-{ Quote: "I didn't take the test very seriously, but the total no. of scanners = 15, not 14. :)" }-
Oh! what a silly mistake. :-[
I should have sought help from a function (ie COUNTA) to count the total.
Fortunately, other figures are calculated by functions (I don't use that number to do the calculation. They are here for the user convenience), not poor me. So they are still correct.
By the way, this proves that I'm very bad at counting, and my eyes are probably blurring. :wacko:
ErikAlbert
September 17th, 2006, 03:03 PM
-{ Quote: "Oh! what a silly mistake. :-[
I should have sought help from a function (ie COUNTA) to count the total.
Fortunately, other figures are calculated by functions (I don't use that number to do the calculation. They are here for the user convenience), not poor me. So they are still correct.
By the way, this proves that I'm very bad at counting, and my eyes are probably blurring. :wacko:" }-
Nevermind ;D
But I'm convinced that users with 15 scanners are better protected than users with 14 scanners. :)
Wai_Wai
September 17th, 2006, 03:14 PM
-{ Quote: "I am sorry, but how could you possibly test clamAV, since it is not built for windows? Secondly, it is an on-demand scanner only, so there can be no real time scanning abilities. Thirdly, I would like to know more about your methods for the test. Did you install each av on a freshly installed xp install? How were the samples detected, by the on-access scanner upon downloading the malware? What kind of malware was used? Was it a corrupted sample that actually wouldn't cause any damage at all? What settings did you use for each av? And I would have to say you did the test very very fast, so I tend to doubt that it really is testing the on-access scanning capabilities of the products." }-
Thanks for your questions.
Here's my answers to your questions:
ClamAV on Windows - Easy! Call my friend, Jotti ;D
Hey, this is a thread of on-demand scanning. Guess what is going to be tested. :P
As I said, I would like the test as real as possible. So the threat is real and the malware, if executed, will cause real damage to the system.
The types of malware are mainly trojans & backdoors (& the like); a few viruses, exploits, flooders and keyloggers.
Actually I'm very slow. It just happens that I have been doing the test recently. However, they are simply raw data, and the presentation is very poor (eg no labels). Only I can manage to read this unreadable mess. What I do is present the data in a neat way and post it, but it takes me one whole day to do. What a slow man. :thumbd:
-{ Quote: "
And please don't say that this is true:You scanned each downloaded file at either virus total or jotti's, then posted the results.
Alphalutra1" }-
Unfortunately this is true for this test.
Feel free to ask any question if you have any doubt/question about this test.
I'm more than happy to answer. 8)
Wai_Wai
September 17th, 2006, 03:20 PM
-{ Quote: "Obviously the test was made using the Jotti service and wasn't real-time. From reading the description, the samples were actual malware, not false positives or corrupted samples (If I understand correctly).
The antiviruses used in Jotti are linux versions, so the detection rates may be different from the windows versions.
Some days ago I used some Jotti Statistics (100 samples detected by at least 2 scanners) for my own curiosity and the results were similar." }-
Your interpretation is flawless. ;D
As to Linux versions VS windows versions, I believe the difference is not going to be substantial.
Alphalutra1
September 17th, 2006, 03:36 PM
Ummmm, your "report" is titled "Real-time Threat Scan Report", which in my mind says that it is an on-access scanning test. Change the title please to reflect that it is an on-demand scanning test, and tell us what samples you used.
Cheers,
Alphalutra1
Wai_Wai
September 17th, 2006, 03:37 PM
-{ Quote: "Nevermind ;D
But I'm convinced that users with 15 scanners are better protected than users with 14 scanners. :)" }-
Hehe... :D
By the way, bad anti-virus scanners tend to detect something which most other good anti-virus scanners can detect. For example, I can't see any instance where UNA or VirusBuster is the only scanner which can detect the malware [not a false positive] (if you find one, it's a golden scene. Snapshot it as fast as possible and probably sell it 8) ); however, I could see a few instances where one of the excellent anti-virus scanners, like Kaspersky, is the only scanner which can detect the malware and no other.
If you are going to add the fifteenth scanner, it is probably a bad one and it hardly helps (don't tell me you are going to add Kaspersky as the fifteenth scanner, or I will beat you up :-X ). But yes, 1 instance is 1 instance. If you, by any chance, can catch a malware which all 14 scanners missed, you are rewarded and better protected. ;D
Wai_Wai
September 17th, 2006, 03:46 PM
-{ Quote: "Ummmm, your "report" is titled "Real-time Threat Scan Report", which in my mind says that it is an on-access scanning test. Change the title please to reflect that it is an on-demand scanning test, and tell us what samples you used.
Cheers,
Alphalutra1" }-
Oh, sorry! :-[
I intended to type "real threat" but it turned out to be "real-time threat".
It's high time to take some rest today.
The types of malware are mainly trojans & backdoors (& the like); a few viruses, exploits, flooders and keyloggers (may be subject to change as I add more to test).
After all, the current report is just preliminary.
I may update the report or test more thoroughly, depending on time availability, but may take a while to do.
ErikAlbert
September 18th, 2006, 12:10 PM
-{ Quote: "Oh, sorry! :-[
I intended to type "real threat" but it turned out to be "real-time threat".
It's high time to take some rest today.
The types of malware are mainly trojans & backdoors (& the like); a few viruses, exploits, flooders and keyloggers (may be subject to change as I add more to test).
After all, the current report is just preliminary.
I may update the report or test more thoroughly, depending on time availability, but may take a while to do." }-
1. The best scanners have a real-time protection. The real-time shield PREVENTS the installation of malwares. Since you only can have ONE real-time shield to avoid possible conflicts, your prevention isn't sufficient, because it is based on only ONE scanner.
2. Scanners don't stop the EXECUTION of malwares that have been installed on your computer, and the execution of a malware is a lot worse than the installation of a malware, because that's where the real evil begins.
3. Scanners don't detect everything, which means
- that installed malwares are not always removed.
- that the execution of these not removed malwares will continue day after day.
Aren't you worried about this even when you get the message "Congrats. No threats found." ???
Wai_Wai
September 21st, 2006, 01:52 PM
-{ Quote: "1. The best scanners have a real-time protection. The real-time shield PREVENTS the installation of malwares. Since you only can have ONE real-time shield to avoid possible conflicts, your prevention isn't sufficient, because it is based on only ONE scanner.
2. Scanners don't stop the EXECUTION of malwares that have been installed on your computer, and the execution of a malware is a lot worse than the installation of a malware, because that's where the real evil begins.
3. Scanners don't detect everything, which means
- that installed malwares are not always removed.
- that the execution of these not removed malwares will continue day after day.
Aren't you worried about this even when you get the message "Congrats. No threats found." ???" }-
"No threat found" is really meant to be "No threat (detectable by AV) is found". We don't know whether the computer is 100% safe. It simply means we are safe from threats which can be detected by that AV.
It may be even worse when it comes to trojans which intend to steal people's passwords and personal information. They tend to be personalized and selective. If the malware writer just sends the file to you, it may be running safely for many many years simply because anti-virus companies can't get hold of this trojan and analyse it. Malware writers can also amend an existing trojan and create a special variant just for you or a small group of targets. It may also be able to bypass ALL anti-virus programs.
I don't think anti-trojan programs are doing much better either. They can only detect what they are supposed to detect. Their on-demand detection rates are usually much lower than those of anti-virus programs.
Heuristics may help a bit, but not much.
ErikAlbert
September 23rd, 2006, 06:27 AM
-{ Quote: ""No threat found" is really meant to be "No threat (detectable by AV) is found". We don't know whether the computer is 100% safe. It simply means we are safe from threats which can be detected by that AV.
It may be even worse when it comes to trojans which intend to steal people's passwords and personal information. They tend to be personalized and selective. If the malware writer just sends the file to you, it may be running safely for many many years simply because anti-virus companies can't get hold of this trojan and analyse it. Malware writers can also amend an existing trojan and create a special variant just for you or a small group of targets. It may also be able to bypass ALL anti-virus programs.
I don't think anti-trojan programs are doing much better either. They can only detect what they are supposed to detect. Their on-demand detection rates are usually much lower than those of anti-virus programs.
Heuristics may help a bit, but not much." }-
In other words scanners can't be trusted, even when you run 15 of them and that is my point. They also have too many holes and require too much time for detection/removal. Malwares are getting smarter and harder to remove.
That's why I prefer the rollback method to remove threats of any kind, including trojans.
Wai_Wai
September 23rd, 2006, 02:02 PM
-{ Quote: "In other words scanners can't be trusted, even when you run 15 of them and that is my point. They also have too many holes and require too much time for detection/removal. Malwares are getting smarter and harder to remove." }-
Yes, you are right.
This is always a losing game.
It is just too easy to bypass all anti-virus programs. Anti-virus programs use a blacklist method to detect malware. If it is not in the database, the malware will be left undetected. That's why most are getting into heuristics now. It helps a bit, but not much.
To me, it seems to be a false sense of security when one thinks one's system is very secure because one's anti-virus program can detect 100% of ITW viruses. Think about it. A malware writer creates a virus and spreads it worldwide. Later anti-virus experts catch it and add it to the database. The same malware writer realises this and creates a variant which can again bypass all anti-virus programs. Don't think it is difficult to create a variant. It is very easy indeed. It can probably be made within hours or a day. Yes, the same old original virus is still circulating in the wild, but the malware writer will spread different variants to slaughter different victims. In my opinion, "100% ITW virus" is by no means equal to "secure".
After all, I feel the whole security game is also a losing game to me. :'(
Wai_Wai
September 23rd, 2006, 02:05 PM
-{ Quote: "That's why I prefer the rollback method to remove threats of any kind, including trojans." }-
As to the rollback method, it is okay as long as you keep your snapshots in a safe place (eg DVDs). However it has several limitations and problems:
- it can't save anything - settings, files, all sorts of changes. It causes great inconvenience to users who need to save something on the computer
- you will still be affected between each session. When a trojan or keylogger is installed silently, it may have stolen some of your personal data or passwords before you shut down and reboot your system.
I would prefer sandboxing and virtualization methods.
What do you think?
Wai_Wai
September 23rd, 2006, 02:30 PM
By the way, it doesn't hurt to install additional on-demand scanners. They don't occupy your system resources (or just very little, like automatic updates). They just waste your disk space.
But I'm not going to install 15 on-demand scanners. It's rather pointless. The worse-end anti-virus programs hardly catch malware which is missed by ALL the better-end anti-virus programs. Simply select a few of the best anti-virus programs to install as on-demand scanners - it's enough.
ErikAlbert
September 23rd, 2006, 07:09 PM
-{ Quote: "What do you think?" }-
I separated my system [C:] from my personal data [D:], so my frozen snapshot has no personal data. I'm still working on this separation, because I recently discovered "nLite" and my pre-tests were very promising to move the folder "Documents and Settings" completely from [C:] to [D:] and not just the folder "My Documents" like many users do.
I just need more time to complete these tests.
Once you have separated your personal files from your system partition [C:] you can change any personal file and keep the changes without doing anything special. I'm doing this already for six months without any problems.
So what is left? The good changes on your system partition [C:], which seems to be a problem at first sight, because they are removed by the frozen snapshot together with the bad changes after reboot.
The crucial question is: "Do you need the good changes in a frozen snapshot?"
After all a frozen snapshot removes the bad stuff, so I don't need scanners and their daily updates anymore to remove the bad stuff. There is no bad stuff anymore that needs to be removed.
To stop the installation and the execution of malware, you need software like Anti-Executable or Prevx1. I just can't choose between the two, but that is just a matter of time.
My biggest problem is TIME to do it and to test it. :)
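The frozen-snapshot approach above raises a practical question: after a session, which changes on the system partition were "good" ones worth keeping and which were unwanted, given that the reboot discards both? One way to answer it is a baseline-and-compare check. The following is an added example written for this thread, not code from ErikAlbert, Wai_Wai or any product mentioned here. It assumes the system partition is reachable as an ordinary directory (the `root` argument is a placeholder) and that a SHA-256 manifest taken right after a clean reboot is the reference; a later manifest is compared against it to list added, removed and modified files. The demo scenario in `run_demo()` uses constructed files in a temporary directory.

```python
"""Baseline-and-compare check for a 'frozen' system partition (added example).

Take a manifest of file hashes right after a clean reboot, take another at the
end of a session, and diff them: every file a session added, removed or changed
is listed, so the changes worth re-applying can be told apart from unwanted ones.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # hash regular files only; skip links and special files
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest, path):
    """Persist the baseline; keep it off the frozen partition (e.g. the data drive)."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def run_demo():
    """Constructed scenario: a temp directory stands in for the system partition.
    Baseline is taken, a session is simulated, and the diff is returned."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"constructed bytes A")
        (root / "Program Files").mkdir()
        (root / "Program Files" / "app.ini").write_text("setting=1\n")
        baseline = build_manifest(root)
        # Simulated session: a config edit (possibly a change worth keeping),
        # a file dropped into Windows (worth a look) and a deleted file.
        (root / "Program Files" / "app.ini").write_text("setting=2\n")
        (root / "Windows" / "dropped.dll").write_bytes(b"constructed bytes B")
        (root / "Windows" / "notepad.exe").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest must itself live somewhere the snapshot does not revert (the separate data partition, or read-only media), otherwise it is wiped along with everything else on C:. On a live Windows system some files are locked and cannot be read; those end up missing from the manifest and show up as "removed", so a real comparison is best taken from a second boot or with an explicit exclusion list for the page file and similar.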
JerryM
September 23rd, 2006, 08:46 PM
Unless one is a risky surfer, there is no need for a second AV scanner. Especially if one uses one of the top AVs. Most folks I know use Norton, McAfee or AVG free. In about 6 years of fooling with this stuff and asking questions I do not know of a single person who ever got infected except one or two who did not keep their AV or Windows updated.
I have used online scanners and not one has ever found any malware. I have used Avast Free, Bit Defender paid, KAV, F-Secure, and now also Avira.
Get a good one, and it will take care of you unless you do risky/dumb things. If it makes you feel better then scan with an online scanner like KAV or Bit Defender once every few weeks. I would bet they don't do anything except take up time for the scan.
I simply do not buy the claims that such and such found tons of viruses on machines that used Norton or other good AVs. In those few cases it would be traced to lack of updates or dumb "clicks" where nothing will protect you.
Best,
Jerry
Wai_Wai
September 24th, 2006, 11:50 AM
-{ Quote: "I separated my system [C:] from my personal data [D:], so my frozen snapshot has no personal data. I'm still working on this separation, because I recently discovered "nLite" and my pre-tests were very promising to move the folder "Documents and Settings" completely from [C:] to [D:] and not just the folder "My Documents" like many users do.
I just need more time to complete these tests.
Once you have separated your personal files from your system partition [C:] you can change any personal file and keep the changes without doing anything special. I'm doing this already for six months without any problems.
So what is left? The good changes on your system partition [C:], which seems to be a problem at first sight, because they are removed by the frozen snapshot together with the bad changes after reboot.
The crucial question is: "Do you need the good changes in a frozen snapshot?"
After all a frozen snapshot removes the bad stuff, so I don't need scanners and their daily updates anymore to remove the bad stuff. There is no bad stuff anymore that needs to be removed.
To stop the installation and the execution of malware, you need software like Anti-Executable or Prevx1. I just can't choose between the two, but that is just a matter of time.
My biggest problem is TIME to do it and to test it. :)" }-
Sounds good! :)
1) How do you deal with the cases where malware infect your personal data as well?
2) If you move "documents and settings" away and don't take a snapshot, what if they are infected? It is a place malware will be keen on attacking.
3) How do you prevent trojans and keyloggers etc. from stealing your passwords or other sensitive data between each session? The bad stuff is removed only when you reboot / restore your system, not during the session.
4) Some programs do not save changes in "documents and settings", rather they save in "program files".
Just a small tip. It may help a bit to move the system partition to any drive except C. It's the C drive where most users install Windows. Some malware writers may simply hard-code their malware, assuming Windows is on the C drive. It will not work in this case since Windows is not on the C drive. It doesn't really help much, but since you are playing around with moving folders, you may as well try it. It isn't hard to do anyway.
Wai_Wai
September 24th, 2006, 03:51 PM
-{ Quote: "Unless one is a risky surfer, there is no need for a second AV scanner. Especially if one uses one of the top AVs. Most folks I know use Norton, McAfee or AVG free. In about 6 years of fooling with this stuff and asking questions I do not know of a single person who ever got infected except one or two who did not keep their AV or Windows updated.
I have used online scanners and not one has ever found any malware. I have used Avast Free, Bit Defender paid, KAV, F-Secure, and now also Avira.
Get a good one, and it will take care of you unless you do risky/dumb things. If it makes you feel better then scan with an online scanner like KAV or Bit Defender once every few weeks. I would bet they don't do anything except take up time for the scan.
I simply do not buy the claims that such and such found tons of viruses on machines that used Norton or other good AVs. In those few cases it would be traced to lack of updates or dumb "clicks" where nothing will protect you.
Best,
Jerry" }-
I usually use additional on-demand scanners to scan suspicious files/folders. It is similar to how we would use the online Jotti scanner (virusscan.jotti.org).
Sometimes, but not too often, I may use them to scan my whole computer. This is to verify that my computer "is still clean", so to speak, not just a false sense of security given by my resident anti-virus program.
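Running a suspicious file through several on-demand scanners, as described in this post and in the Jotti comparison, raises the question of how to combine the verdicts. The following is an added example for this thread, not code from any poster or from any scanner vendor named here. Real scanners are invoked as external commands; the command line and exit-code conventions passed to `run_cli_scanner` are placeholders that must be taken from each product's documentation. The rule worth noting is in `aggregate()`: a scanner that is missing, errors out or times out is recorded as inconclusive, never as clean, which keeps "no threat found" meaning "no threat found by the scanners that actually ran", the point made earlier in the thread. The toy `hash_denylist_scanner` is a constructed stand-in that also illustrates the exact-match blacklist limitation discussed above.

```python
"""Combine verdicts from several on-demand scanners on one file (added example).

Scanner command lines and exit codes below are placeholders, not any real
product's interface. Errors and timeouts are treated as inconclusive, not clean.
"""
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass

CLEAN, INFECTED, INCONCLUSIVE = "clean", "infected", "inconclusive"


@dataclass
class Verdict:
    scanner: str
    result: str
    detail: str = ""


def run_cli_scanner(name, argv, infected_exit_codes, timeout=300):
    """Run an external on-demand scanner and map its exit status to a verdict.
    argv and infected_exit_codes are placeholders; consult the product's docs.
    Convention assumed here: exit 0 = clean, a documented non-zero code = infected,
    anything else (or a missing binary / timeout) = inconclusive."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return Verdict(name, INCONCLUSIVE, repr(exc))
    if proc.returncode == 0:
        return Verdict(name, CLEAN)
    if proc.returncode in infected_exit_codes:
        return Verdict(name, INFECTED, proc.stdout.strip()[-200:])
    return Verdict(name, INCONCLUSIVE, f"exit status {proc.returncode}")


def hash_denylist_scanner(name, denylist):
    """Constructed stand-in scanner: flags a file whose SHA-256 is on a denylist.
    Exact-match blacklisting by nature misses any variant with a different hash."""
    def scan(path):
        try:
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        except OSError as exc:
            return Verdict(name, INCONCLUSIVE, str(exc))
        return Verdict(name, INFECTED if digest in denylist else CLEAN, digest)
    return scan


def aggregate(verdicts):
    """Any INFECTED verdict wins; CLEAN only if every scanner said CLEAN;
    otherwise INCONCLUSIVE (some scanner did not actually deliver a result)."""
    results = {v.result for v in verdicts}
    if INFECTED in results:
        return INFECTED
    if results == {CLEAN}:
        return CLEAN
    return INCONCLUSIVE


def scan_file(path, scanners):
    """Run every scanner callable (path -> Verdict) over one file."""
    return [scan(path) for scan in scanners]


def demo():
    """Constructed scenario: one engine knows the sample, one does not, and one is
    not installed (placeholder binary name). Returns the overall verdict per file."""
    sample = b"constructed sample content, not real malware\n"
    known_hash = hashlib.sha256(sample).hexdigest()
    scanners = [
        hash_denylist_scanner("engine-a", {known_hash}),
        hash_denylist_scanner("engine-b", set()),
        lambda p: run_cli_scanner("engine-c", ["nonexistent-scanner-placeholder", p], {1}),
    ]
    overall = {}
    with tempfile.TemporaryDirectory() as d:
        # "variant" differs from the known sample by one appended byte.
        for label, data in (("known", sample), ("variant", sample + b"x")):
            path = os.path.join(d, label)
            with open(path, "wb") as f:
                f.write(data)
            overall[label] = aggregate(scan_file(path, scanners))
    return overall


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

In the demo the known sample is flagged by engine-a, so the overall verdict is infected regardless of the other two. The one-byte variant is missed by both denylist engines, and because engine-c never ran, the overall verdict is inconclusive rather than clean; that distinction is what keeps a multi-scanner check honest.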