Any virus which randomly deletes files?

Discussion in 'other anti-virus software' started by polo, Jul 29, 2002.

Thread Status:
Not open for further replies.
  1. polo

    polo Guest

    Ok I'm being paranoid here! I'm the only one who uses this PC so it's easy for me to keep track of files and settings etc. I kinda have a habit of regularly checking the number of files in directories (like the DIR/OD/A/S command -- list all files inc. hidden in date sort) and seeing if anything's been modified or deleted.

    I know there's special programs to track installations but I just do CHKDSK before and after and see the difference in the folders, hidden and user files. I then count the number in the folder created for the new app and its subdirs, etc, and look for new files in the DESKTOP folder and Start Menu folder. Sometimes some files are added in c:\windows and c:\windows\system. If the total adds up I'm satisfied. I sometimes do Find All Files and sort it by time/date for 1 day. If the installation produces files which aren't new (i.e. today's date) then you can find it hard to track them down.

    Anyway back to point, I've scanned for viruses, trojans, malware, etc but is there any virus or something which could randomly delete a file from anywhere on your HD?

    I have scraps of paper with today's date and time and chkdsk give this output for records!
     
  2. spy1

    spy1 Registered Member

    Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC
    polo - if you haven't already done so, it seems to me that you need to check out both these forums:
    https://www.wilderssecurity.com/index.php?board=8 and
    https://www.wilderssecurity.com/index.php?board=17

    Since both programs seem to be doing what you're doing - only automatically, instead of manually - plus a lot more!

    Your question about whether there are viruses that remove files at random is kind of beggared by the fact that your AV/AT programs should be catching any virii/trojans/worms that do that kind of stuff before they have a chance to do so.

    But to answer your question, try reading all the posts in the 'Viruses and Worms' forum and I think you'll see that there are those that do that. Pete
     
  3. polo

    polo Guest

    I don't believe anything is happening. My point is simply this. I like to keep track of files on my HD. I keep note how many dirs I have or how many hidden files I had and regularly check (once a day) by doing chkdsk to make sure it's the same number. Sometimes I start the day by clearing the Cache and note the number of user files. When I shutdown I first clear the cache and see what that number of files is - it should be the same (approximately) provided no shortlinks have been created or I haven't downloaded something or created a letter in Word, etc...

    Is this being too fussy? o_O I know once I had so many hidden files and one day it had gone down by 1 and I couldn't figure why as I hadn't uninstalled anything.
     
  4. jvmorris

    jvmorris Registered Member

    Joined: Feb 9, 2002 | Posts: 618
    Well, polo, I can only speak to NIS File Check, but it does pretty much what you are (I think) possibly spending a lot of time doing. And I suspect it may do it both more thoroughly and with less user intervention than the method you are now using.
    Using NIS File Check, you can specify the kinds of files on your system that you prefer to monitor. You can schedule it to run daily (as I do), preferably at a time when you're unlikely to be using your box. It can be slow on an older machine with a slower CPU and a slow HDD, but it's quite fast on any of the newer PCs (less than five minutes, in most cases). If it doesn't find anything, it doesn't bother you or require any interaction at all. However, if it finds a previously checked file that is now missing, a file that was previously not present, a file that has been modified, or a file that has been moved, you will be notified. What you choose to do at that point is up to you, of course. I very seldom see it pop up after one of these scheduled checks. My application suite is pretty stable at the moment and the only reason I should see it is if I update an application or re-organize my hard drive. Of course, if I were constantly downloading, installing, uninstalling applications, etc., then I'd see a lot more notifications from it.
    Well, I obviously don't think you're being too fussy, but it occurs to me that you may be taking more time to do this than you need to. Specifically, in that last example you cite, you would know immediately what the file was and could then decide whether you needed to do a restore. (Other possibility being that you'd updated something that no longer required that executable, nor did anything else on your box.)

    Just a thought for your consideration.
     
  5. snowy

    snowy Guest

    numbers..in this sort of case...may actually be useless.........as Joe mentioned .. MODIFIED FILE...plays a role........having ten files at start-up...and ten files at shut down.....but really having nine un-infected files and one infected file....well you can see the point...

    as Spy 1 mentioned...having an anti-virus\anti-trojan scanner should alert a user..........an for those "yet unknowns" other means of alerting can be used...just counting files oneself...wellllllllllll
    NIF that Joe mentioned I have never used but looks like a very nice program......
    an how about changes made to the registry.....counting files won't alert a person to that...
    just my 1 1\2 cents comment

    snowman
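
The four change types listed above for a scheduled file check (missing, new, modified, moved), and the point that an unchanged file count can hide a modified file, shown as an added example that is not part of the original thread and not code from any product named in it. The sample tree and file names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def compare(baseline, current):
    """Classify differences as missing, added, modified or moved."""
    missing = {p for p in baseline if p not in current}
    added = {p for p in current if p not in baseline}
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    moved = []
    # Moved: old path gone, identical content at a path absent from the baseline.
    for old in sorted(missing):
        match = next((n for n in sorted(added) if current[n] == baseline[old]), None)
        if match:
            moved.append((old, match))
            added.discard(match)
    missing -= {old for old, _ in moved}
    return {"missing": sorted(missing), "added": sorted(added), "modified": modified, "moved": moved}


def demo():
    """Constructed sample tree: the file count stays at 3 while contents change."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"v1"), ("notes.txt", b"hello"), ("old.dll", b"lib")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "app.exe"), "wb") as fh:
            fh.write(b"tampered")  # same path, same count, new contents
        # os.renames creates the "sub" directory before moving the file into it.
        os.renames(os.path.join(root, "old.dll"), os.path.join(root, "sub", "old.dll"))
        current = snapshot(root)
        return len(baseline), len(current), compare(baseline, current)


if __name__ == "__main__":
    print(demo())
```

Both snapshots hold three files, so a count comparison reports nothing, while the hash comparison reports one modified and one moved file.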
     
  6. jvmorris

    jvmorris Registered Member

    Joined: Feb 9, 2002 | Posts: 618
    Well, I know Albert thought about it at one point. (Primarily from our perspective of monitoring for changes to the AG/NIS/NPF configuration settings, which just happen to be stored in the registry.)

    You don't want to monitor the entire registry; it may be rather large on some boxes these days and actually there are more changes going on in the registry routinely than a lot of people realize. No, what you want to do is monitor certain keys in the registry.

    Turns out that there are alternative solutions for this and they do work in real-time, if desired! For example, The Cleaner has a little memory-resident chunk known as TCM.EXE. You can actually modify the registry keys it monitors to your own personal satisfaction. (I would suspect this could raise some havoc with system performance if you got a bit too grandiose.)

    Matter of fact, I'm glad you brought this subject up. I'd meant to modify TCM.EXE to monitor the NIS registry keys. I was actually wondering if this might provide a capability (with a few simple extensions) to version the firewall ruleset.
     
  7. snowy

    snowy Guest

    JOE

    hi friend...for sake of discussion....my comment was not directed to NIF....specifically.....never having used it I would be out of line to make such a specifically directed comment regarding NIF.........

    however...but oh yes I do want to monitor the entire registry in real time....just off the top I can think of Regmon....an there are others that do monitor the registry in real time........is it a needed function.....well I suppose that each particular user would need to ask themselves that question....is it complicated.....not really...but again depends on the opinion of the user...I would suppose.......will every user follow such a practice....very doubtful....imo.
    imho....all programs should offer self-protection to prevent un-authorized changes being made to them...if nothing more than a simple pop-up saying "do you really want to make these changes"".....if this was added to all programs it would nearly make this discussion moot......an just how complicated would such an added alert be to make.......my guesstimation only...not very complicated....
    after some recent program hi-jacking...of which I won't refer names......I am really.....an very honestly wondering why more vendors have not taken immediate action to protect their products...their investment...their customers.....am even more wondering why it was not done from the very birth of the idea to build a program......there may indeed be very valid reasons why such actions were not taken........I definitely admit my lack of knowledge regarding this......
    being on this subject.....I have to ask myself....with all the righteous complaining about the holes in M$...of which I do my share.....how is it any different with an individual software product......don't the same standards apply? perhaps the smaller product just has not been exploited as yet....therefore the exploit remains yet unknown.....but why sit and wait for the exploit when a few lines of code could simply cause a pop-up asking the user if he\her wants to allow changes\modification to the program\\keys etc
    now I may be way off base here....my sincere apology if such is the case.....this is an issue that has long been on my mind......an rarely discussed...... an Joe you seem like a very nice person.....a knowledgeable person.....an if you can shed some light on my curious questions....I will read every word with utmost interest.

    snowman
     
  8. spy1

    spy1 Registered Member

    Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC
    snowman - You might want to d/l the trial version of The Cleaner, just to check out TCMonitor.

    But I've also found that the freeware program, RegProt, does a pretty good job, too. http://www.diamondcs.com.au/web/htm/regprot.htm.

    Generally, the only problem a lot of times with these programs is that they 'go off' so much (and usually on the type of things that Joseph referred to - harmless) that after a while you just either ignore/accept the changes without studying them - or you simply turn the reg monitor off and leave it off. Pete
     
  9. jvmorris

    jvmorris Registered Member

    Joined: Feb 9, 2002 | Posts: 618
    Oh, I didn't take it as being directed at NCF. I must admit I did respond partly in terms of why it's not included in NCF. And I agree with you that registry monitoring is something that doesn't get enough attention.
    That would be overkill to me; I'd rather monitor a select set of critical keys. Of course my critical set could well differ from yours (and yours might include the entire registry!) :)
    I agree that it is a needed function and, now having taken the time to go back and check out customizing TCM.EXE, I find it won't quite do what I'd like. In TCM.EXE, you have to specify the individual keys of interest (apparently). Whereas in REGMON (at least), you can simply specify branches of the registry tree (which is more in line with the function I was thinking of).
    You see, if I wanted to monitor the registry keys associated with configuring AG/NIS/NPF, that's actually a variable number of keys (and it can get to be a rather long set, also). In this instance, just knowing that something had changed wouldn't be of much help; I'd prefer to know which specific key and what specific key value got changed (or deleted, as the case may be). This is where the cute little 'before' and 'after' functionality in TCM (and probably other products) comes in so handy -- it allows you to see what the registry entries used to look like and it lets you see what they look like now. Furthermore, if you don't like what you see now, most of these tools give you the ability to delete, or edit the new value or simply restore the last baseline of the registry. That's a lot of functionality to be adding to NFC, especially when other products (also freeware/shareware) already have it.
    With regards to this part of your post, I think this is a different subject and is important enough that it should be treated in its own thread; not buried halfway down in a thread about 'what viruses do what'. Why don't you snip this portion and move it to a new thread, maybe in the "Other Security Issues" forum, where it will get the attention it rightfully deserves?
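
The branch-level 'before' and 'after' comparison discussed above, as an added example that is not part of the original thread and not code from TCM, RegMon or RegProt. It works on .reg-export-style text rather than the live registry, handles single-line values only, and the key and value names are constructed placeholders.

```python
def parse_reg(text):
    """Parse .reg-export-style text into {(key_path, value_name): raw_data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            values[(key, name.strip('"'))] = data
    return values


def in_branch(key, branch):
    """True if key is the branch root or lies below it (registry paths ignore case)."""
    key, branch = key.lower(), branch.lower().rstrip("\\")
    return key == branch or key.startswith(branch + "\\")


def diff_branch(before, after, branch):
    """List (change, key, value_name, old, new) for every value under branch."""
    changes = []
    for key, name in sorted(set(before) | set(after)):
        old, new = before.get((key, name)), after.get((key, name))
        if in_branch(key, branch) and old != new:
            kind = "added" if old is None else "deleted" if new is None else "changed"
            changes.append((kind, key, name, old, new))
    return changes


# Constructed exports; the key names are placeholders, not a real product's keys.
BRANCH = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Firewall"
BEFORE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Firewall\Rules]
"BlockInbound"=dword:00000001
"TrustedApp"="C:\\Program Files\\Mail\\mail.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\FirewallUpdater]
"LastRun"="2002-07-29"
'''
AFTER = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Firewall\Rules]
"BlockInbound"=dword:00000000
"Extra"="C:\\temp\\x.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\FirewallUpdater]
"LastRun"="2002-07-30"
'''

if __name__ == "__main__":
    for change in diff_branch(parse_reg(BEFORE), parse_reg(AFTER), BRANCH):
        print(change)
```

The sibling key `FirewallUpdater` changes on every run but is not reported, because the branch test matches on a path boundary rather than a plain string prefix; that keeps routine noise outside the watched branch from drowning out the three rule changes.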
     
  10. jvmorris

    jvmorris Registered Member

    Joined: Feb 9, 2002 | Posts: 618
    It might be worth his time to take a look at TCM.EXE just to understand what kind of processing capability it adds after an anomaly has been detected, but now that I've played with it, it does not have the front-end diagnostics that I would need for the issue snowman discusses. Indeed, right off hand, it does look like RegMon in particular would be better suited (I still need to take a more detailed look at that one.)
    I did take a look at RegProt, a quick one to be honest, but I couldn't tell if the registry keys it checked were pre-programmed into the utility or whether the user could modify the list, nor could I tell if I had to enter individual keys (like TCM) or whether I could simply specify branches of the registry tree (like RegMon, apparently). Also, I couldn't tell exactly how much processing control was then made available in the event an anomaly was detected.
    I agree with you on this -- it was certainly true in my experience.
     
  11. snowy

    snowy Guest

    JOE

    thank you very much for your reply.....which I did read with great interest.......I am in full agreement with both you and Spy 1 on all points.....said of course as a layman....
    an yes..the "over-kill" factor is very valid.....the average user would not do it most likely...an the experienced user may find it far too time consuming......an there is always that ever present question....."hmmm..should I allow the changes"......
    my sincere respect to you Joe...you are addressing the issue....although I don't use your product...I will always remember this discussion....an if ever I find a need for such a program...it will be your product that I purchase....it will not even have to be the very best...just the fact that you have shown this interest tells me that your work is a sincere effort to produce a better product...an that I respect.
    as for creating a new thread.....I'll pass.

    again my thanks to you Joe.


    Spy 1

    an my thanks also to you.....you made excellent points........imho


    snowman
     
  12. spy1

    spy1 Registered Member

    Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC
    You're quite welcome. Pete
     
  13. jvmorris

    jvmorris Registered Member

    Joined: Feb 9, 2002 | Posts: 618
    Snowy,

    Minor point of clarification: I don't really have any products myself. The products that I frequently refer to are developed by either Albert Janssen or Sven Schaefer (for the most part). And, if you're ever interested, the price is definitely right -- all of these guys' stuff is freeware! :cool: And there's likely to be more shortly where that came from.

    If you were under the impression that I work for (or even promote) Symantec's products, you would be wrong. Yes, I use them and answer questions on them (as best I can), but I don't exactly 'promote' or 'sell' them. Indeed, if you were to ask someone at Symantec about me, they would probably turn red and start muttering under their breath! :rolleyes:
     
  14. snowy

    snowy Guest

    Joe

    thank you for the clarification...yes I was mis-taken.....however.. still respect the honesty you displayed...had a great time discussing this subject....an sharing with you and Pete.......it would be such a pleasure if more discussions were as objective and pleasant.

    snowman
     