Is this a normal behavior of an AV?

Hi all,

OK, may be this sounds obvious, but this week I run an on demand scan, with KAV, and a worm has been detected, P2P-Worm.Win32.Alcan.a, and the infected file was deleted.

Now here is the problem: all the sympthoms of the worm were still there: unable to execute regedit, cmd command...etc

The problem has been fixed, when I came across this thread: https://www.wilderssecurity.com/showthread.php?p=458243#post458243, where a procedure for a clean up has been recommended.

So my question is, are the AVs doing their job by just deleting the infected file, and leaving behind all the sympthom, and it's up to the user to go through a procedure to make a complete clean up?

Thanks, Jeremy

 

Jeremy, this is something I've noticed is being discussed in several threads here on this Board; in particular, look up firecat's recent posts and you'll find plenty of comments about the ability of various AV's to cleanup the damage done to the registry, etc.

In your case, the worm modified the registry to affect executables; with most AVs, I think, you have to fix this manually, but there is plenty of information from the vendors to show you how to fix it. Sites like Symantec, TrendMicro, McAfee -- or you can Google for information.

Firecat and others seem to think this "cleaning" process can be automated, but I'm not so sure about that. We still need detailed malware analyses from the Vendors, the "Removal Instructions" sections, heh .. hope that helps .. just my opinion ..

 

Thanks Randy_Bell for your answer, I'll find out about firecat post, I guess it wouldn't be an easy task, He is a massive poster

No, my antivirus was on and I wasn't infected on the registery side, only files have been added to the system directory. Maybe I have been infected, because I didn't update fast enough, eventhough I update daily, or it just that the AV missed it for one reason or another.

 

Hi all,

I use RegDefend to protect the registry. It would seem like it would have been enough, even if this worm got past KAV. In regards to worms, I am also running DiamondCS's Wormguard. From what I can tell, it is considered excellent protection against worms. Does anyone have any comments on this? Is their a better product to run alongside ProcessGuard and RegDefend to guard against the kind of problem that is being discussed in this thread? Thanks.

Rich

 

I dont require registry cleaning to be automated - but it sure would save a normal user some effort if the AV did that by itself.

Trend Micro does offer a tool to be dropped into the PC-cillin folder, which will allow PCC to remove the registry entries. However, one has to go and manually download the newest version of this tool every now and then. Why cant this be included as part of the updates?

KAV, Like I said, is not too good at registry disinfection. It does it well sometimes, or badly other times (in my personal experience).

 

I'm working on a tool to fix this. It will be released shortly.

Sometiomes worm is cleaned,but AVs don't bother with disabled regedit,taskmanager and so on...

 

You may want to check this thread

https://www.wilderssecurity.com/showthread.php?t=80567

Regards

 

Thanks RejZoR for this usefull tool.

 

Did it helped? I'm really interested in real-life situations. My simulations in sandbox are still only simulations...

 

RejZor,

Your tools are simply incredible, I truly like the power mode for web shield in the Avast external control tool, many thanks for that.

 

RejZoR, I've already used the Killbox tool for clean-up, I didn't had the chance to test your tool, in case I figure out, how I've been infected...I'll make a simulation. By the way, what does your tool do?, Because mainly, my problem was that files have been added to my system directory, and my register wasn't infected, I had Regdefend installed, even though it didn't pop up. So, my issue have been fixed, by letting killbox tool delete the suspicious files on reboot, without doing any delete/restore of the register.

 

Hm,maybe reg defender doesn't monitor that registry area (such monitors usually monitor startup section,services(reg entries) and shell extensions.

 

Maybe you are right, however I didn't have to use HijackThis, as mentionned in the lean up procedure, or do it manually, to remove any register entry to make the sympthoms disapear.I made also a search, with jv16 power tool, for suspicious keyword mentionned in the clean up procedure: MsConfigs, p2pnetwork...etc, and didn't find any.