#1
I "tested" Rising PC doctor again.
First trojan went straight through. Second one killed and corrupted it totally (did not work even after cleaning, perhaps the malware was from China?), and installed a nasty rootkit. System was cleaned by Hitman Pro, but the cleaning process needed the install CD. Hitman also found a suspicious file which was indeed part of the infection. I guess I will not test Rising again.... Hitman seems very powerful!
__________________
"Si vis pacem, para bellum" Author of Probably the best free security list in the world
#2
Quote:
#3
No. Hitman needed to replace an infected system file. I just wonder what happens with OEM Windows owners? Will it work for them too (I mean: is an OEM recovery disk enough)?
__________________
"Si vis pacem, para bellum" Author of Probably the best free security list in the world
#4
Quote:
#5
Quote:
Quote:
Hitman Pro first searches specific folders on the disk to find a white listed variant of the file (Hitman Pro has a white list of all Windows files, stored in the EXE). If the file cannot be found on the system then it prompts for the original CD/DVD. Most AV products do not have this unique feature and just keep the infected system file on the machine. In the near future we plan to add an option for the infected file to be cleaned by one of our partners, resulting in a cleaned file coming from the Scan Cloud.
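The lookup described in post #5 (search local folders for an allowlisted copy, fall back to the install media), as an added example that is not Hitman Pro's code or part of the thread. The SHA-256 allowlist, the folder names and `example.sys` are assumptions constructed for illustration; a copy that was also tampered with is rejected because its hash is not on the list.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_clean_copy(name, allowlist, search_dirs):
    """First copy of `name` in search_dirs whose hash is allowlisted, else None."""
    good = allowlist.get(name.lower(), set())
    for d in search_dirs:
        candidate = Path(d) / name
        if candidate.is_file() and sha256_of(candidate) in good:
            return candidate
    return None

def plan_repair(target, allowlist, search_dirs):
    """Return ('ok', None), ('replace', source) or ('need_media', None)."""
    target = Path(target)
    good = allowlist.get(target.name.lower(), set())
    if target.is_file() and sha256_of(target) in good:
        return ("ok", None)
    source = find_clean_copy(target.name, allowlist, search_dirs)
    return ("replace", source) if source else ("need_media", None)

def demo():
    """Constructed sample: one patched system file, two folders with copies."""
    clean, patched = b"original driver bytes", b"original driver bytes+patch"
    allowlist = {"example.sys": {hashlib.sha256(clean).hexdigest()}}
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        for sub in ("system", "cache", "backup"):
            (root / sub).mkdir()
        live = root / "system" / "example.sys"
        live.write_bytes(patched)                                # infected live file
        (root / "cache" / "example.sys").write_bytes(patched)    # local copy also tampered
        (root / "backup" / "example.sys").write_bytes(clean)     # untouched copy
        dirs = [root / "cache", root / "backup"]
        first = plan_repair(live, allowlist, dirs)
        # With no clean copy left on disk, the install media is the only option.
        (root / "backup" / "example.sys").write_bytes(patched)
        second = plan_repair(live, allowlist, dirs)
        return first[0], first[1].parent.name, second[0]

if __name__ == "__main__":
    print(demo())
```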
#6
Quote:
What is the result of this? Is the malware neutralized despite this? Joe, what would Prevx do here?
__________________
"Si vis pacem, para bellum" Author of Probably the best free security list in the world
#7
Quote:
Prevx 3.0 takes a different approach because most users don't have the original install disks these days (thanks to hardware vendors cutting costs apparently) and most malware is now also searching for copies of the legitimate components and replacing them locally on the system. This is indeed a major and growing problem so we've developed an entire system to handle it, called "System File Replacement" (or "File Replacement Therapy" as we like to call it internally). If we identify that a file is a critical system component and is infected or patched, we download the exact correct copy from our centralized repository. We match the OS, service pack, hotfix level, and language to get the precise file to prevent any OS incompatibilities. This also applies to registry entries - if a system registry entry has been changed or removed, we can replace it (and we have generic routines in place to correct malicious HOSTs file entries and malicious LSP chain entries as well). Let me know if you have any questions with this - system file replacement is one of the many features that we frequently forget to mention.
#8
Quote:
The idea of serving original replacement files from the cloud sounds like the perfect approach but we just do not have the guts (yet) to distribute original Windows files to our users due to possible legal issues.
Last edited by erikloman: August 10th, 2009 at 03:07 AM.