Poor Handling of Active Malware by Avira Antivir

Discussion in 'other anti-virus software' started by aigle, Jan 19, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Off and on I read posts about some AV detecting a malware on somebody's PC but consistently failing to remove it. The failure of removal might be due to multiple reasons and I am not expert enough to comment on these reasons, but one common reason which I can guess is an associated malware process running in the memory, in which case the AV might fail to remove the actual malware.

    I did some very crude sort of testing with Antivir PE Classic. I disabled the guard, then executed one malware (Browsezilla). After that, when Browsezilla was still running as a process in memory, I turned on Guard. I then just right-clicked the Browsezilla file and immediately Antivir Guard reported the malware. I opted to delete, but it failed to delete the malware file (because its associated process was still running in memory, which was not detected by Antivir). Multiple trials, same result.

    I then played in another way. As I know, Avira Guard only scans HD reads and writes; it does not scan memory. (I just wonder why an AV doesn't scan memory in real time just like BOClean. Must be some logic that I am not aware of.) However, while doing a custom scan of the HD, Antivir scans memory as well. So I let Browsezilla run in memory and started a custom scan of my C drive with automatic action on malware (first option repair and second option delete). Antivir did a complete scan of the C drive, after which I checked the scan report file, which showed that Antivir detected the malware files but failed to delete them (again because the malware was running in memory). There was a memory scan done according to the report file but no more details. It probably did not detect any malware in memory, as all detections reported by it were files (no memory process). It is rather strange! Or maybe I am missing something.
    I tried almost the same thing with another malware -- MUK (Martin's Undetectable Keylogger). Antivir detects it heuristically. I got the same results: Antivir Guard and the on-demand scanner both fail to delete MUK when the process is still running in memory. MUK is not a real malware, it is just a simple test exe. So if Antivir can't remove it, I can hardly expect it to remove any real malware which is running in memory, what to speak of nasty ones!

    Just to compare with another AV, I installed NOD32 and did similar testing with Browsezilla. The memory scan by NOD32 was much more obvious (NOD scans memory on each on-demand scan -- it's rather annoying that I did not find any option to stop this default memory scan. Also I was not able to find any option for a memory scan only). The memory scan clearly told that a malware process is running in memory and no action can be taken as long as the malware process is in memory. It identified correctly the file source of this process and advised to run a scan of the HD, so I did a manual scan of the HD (infected folder only). It found the malware files; some of them were deleted. However, one main file was not deleted as it was in use; NOD put it on the list to delete on reboot. The process running in memory was not terminated, though, but it's OK, as on reboot the process would not start because the original malware file was set to delete on reboot. So the results of NOD were satisfactory. (A bit OT, but let me say, I really hate that NOD32 takes ages to load on startup, plus it has a perfectly user-unfriendly configuration.)

    Tried Kaspersky. On a manual scan of the HD (malware folder) while the malware process was running in memory, KAV found the malware file but said it will be deleted on next reboot (probably because the associated process was running in memory). (BTW, it seems the KAV on-demand HD scan has no memory scanner added in it. Am I right?) I ran its memory scanner separately; it found the malware processes running in memory plus associated files, and when I opted for delete, the main malware process was not terminated; instead the main process and the related files were put on the list to delete on reboot. (Though it terminated a minor background malware process (its updater) instantly.) In some cases, the memory scan did not mention anything about a malware process running in memory; rather it notified the file that was the source of the process, the file was set to delete on reboot and the process itself was not terminated. Anyway, all of this was satisfactory.

    In curiosity I tried AVG Anti-Spyware, and it was rather good in this regard. A memory scan while Browsezilla was running in memory identified the source file of the process. I opted for delete. It instantly killed the malware process in memory; the related file was renamed and was put up for delete on next reboot. It was really nice.

    With Antivir I noticed an interesting thing: when a malware process was running in memory it was unable to detect the process. It was able to detect the malware files but unable to delete or quarantine them, but surprisingly it was able to rename the malware files. I tried it more than once and got the same findings. So now I have changed the configuration of Antivir Guard as: first action -- Delete, second action -- Rename, if delete fails. (Before it was repair and delete respectively.) I hope it should offer better protection.

    I am an Antivir user; it has top-notch detection but I now seriously doubt its malware handling. I wonder how good the other two free AVs are in this regard (Avast and AVG), and Antivir Premium as well.
    Also I am interested to know how BOClean handles malware processes running in memory, as it is basically a memory scanner as far as I know.

    I need your comments and opinions based on your personal experience/knowledge and will expect some comments from Stefan. I do plan to post this thread on the Antivir official forum as well. But I am not sure if it is a good idea!
     
  2. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344

    avast! is second to none when it comes to handling active malware (in my opinion avast! is the best). avast! has plenty of tools to effectively handle active malware, such as Web Shield (an HTTP scanner to effectively stop active malware in a browser, so no more fuss), the boot-time scanner (a CHKDSK-like scanner), and move/delete active malware on-the-fly features (also done during restart).

    That's why I think that while avast! v4 may not be in the first league detection-wise, avast! has many other advantages that can make it "the first-tier antivirus".
     
  3. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    I lost all respect for and confidence in Antivir/Avira after it allowed me to download, install and run the new GuardBar Trojan in my browser, on 3 PCs, each with a different OS! This was my way of testing the heuristics of this av app. Forget it; I'll move on to Avast or Active Shield.

    Dave
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any AV can fail in detection but poor handling of active malware is far more serious in my opinion. I am thinking about AVS now, or Avast.
     
    Last edited: Jan 21, 2007
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I have heard of people having to do a few manual deletes of malware with NOD32.
    There was an old thread where they used other NOD32 tools and it came back.
    Then they installed KAV 6.0 and it nailed it right away.

    I do also think better malware removal is needed.
    There are not many charts on removal; they are mainly on detection rates.
    That's why Kaspersky has advanced disinfection technology to get rid of the hard-to-remove threats.
    You could have used BitDefender 8 Free and Dr.Web CureIt for your tests as well.
    How come you didn't try BitDefender?
    Or Dr.Web?
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Perhaps Stefan could comment on this?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Multiple reasons. I have a very limited dial up internet access. Also I was interested more in KAV, NOD and Antivir.
     
  8. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    If you're on dial-up, I think the others would take you a LOT longer to try, especially Kaspersky's first update; it will kill you.

    Dr.Web is only a 9 MB package to download, and only 9-10 MB of HD space is needed; also, updates are just 15 KB, I think that's about 3 seconds for dial-up users.
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I've heard that Antivir updates are quite big.
    I don't know how Dr.Web makes such small updates :D
    lodore
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I had old downloaded files of KAV, NOD and Avira but not the others. Updating is not important as I tested just the removal of one or two malware samples.
     
  11. SteveS335

    SteveS335 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    43
    Hmm, I think disabling the guard (albeit for testing purposes) is not really using the whole program as it was intended to run.

    So, accepting that processes have been allowed to run, then in order to remove them they have to be killed first (Task Manager or other software). Then removal is possible.

    This is how AntiVir works. The Guard is the first line of defence, and would have stopped the malware from executing in the first place.

    If the process was running then AntiVir would have shown this in the scan log as a "Warning".

    Just my take on the situation.

    Steve
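
    Both the opening post (an AV that sees the file but cannot delete it while its process is alive, yet can rename it) and Steve's reply above (kill the process first, then remove) describe the same Windows file-locking behaviour. The PowerShell below is an added example written for this page; it is not code from the thread, from Avira, or from any other vendor named here. It walks through the steps a removal routine can take, in order: terminate the processes whose main image is the file, try a plain delete, and if that still fails, rename the file (Windows permits renaming a running executable but not deleting or overwriting it, which is why Antivir's rename action succeeded) and schedule deletion at next boot with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT, the standard Windows mechanism behind "delete on reboot". The function name Remove-RunningMalware and the path in the usage line are my own placeholders, and the script must run elevated.

```powershell
# Added example for this thread, not code from Avira or any other vendor.
# Removes an executable that is still running, in the order other AVs do it:
# kill owning processes -> delete -> rename + schedule deletion at next reboot.
# Run from an elevated PowerShell (writing PendingFileRenameOperations needs admin).

Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # documented flag value for MoveFileEx

function Remove-RunningMalware {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $KillProcess   # terminate owning processes before deleting
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # 1. Processes whose main image is this file (the "process in memory" that
    #    the opening post says Antivir's scanner did not report). Reading .Path
    #    can throw for protected processes, so treat those as non-matching.
    $owners = Get-Process | Where-Object {
        try { $_.Path -and ($_.Path -ieq $full) } catch { $false }
    }
    if ($owners) {
        $names = ($owners | ForEach-Object { "$($_.Name) (PID $($_.Id))" }) -join ', '
        Write-Host "In use by: $names"
        if ($KillProcess) {
            $owners | Stop-Process -Force -ErrorAction Stop
            Start-Sleep -Milliseconds 500   # let the image mapping be released
        }
    }

    # 2. Plain delete. While the image is still mapped this fails with an
    #    access-denied or sharing-violation error, as observed in the thread.
    try {
        Remove-Item -LiteralPath $full -Force -ErrorAction Stop
        return "deleted $full"
    } catch {
        Write-Host "Delete failed: $($_.Exception.Message)"
    }

    # 3. Rename. Windows allows renaming a running executable (only deletion and
    #    writes are blocked), so this succeeds where step 2 failed. Autostart
    #    entries still point at the old name and will not relaunch it.
    $leaf = (Split-Path -Leaf $full) + '.quarantine'
    Rename-Item -LiteralPath $full -NewName $leaf -ErrorAction Stop
    $renamed = Join-Path (Split-Path -Parent $full) $leaf

    # 4. Schedule deletion at next boot. With a null destination this appends the
    #    file to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
    #    PendingFileRenameOperations; Session Manager deletes it early in boot,
    #    before any user-mode autostart entry runs.
    $ok = [Native.Kernel32]::MoveFileEx($renamed, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err"
    }
    return "renamed to $renamed, deletion scheduled for next reboot"
}

# Usage (placeholder path, assumed for the example):
# Remove-RunningMalware -Path 'C:\Program Files\Browsezilla\browsezilla.exe' -KillProcess
```

    Two caveats a practitioner should keep in mind. Stop-Process is only as good as the malware lets it be: a sample with a watchdog process or a driver can respawn or block termination between steps 1 and 2, which is why the rename-and-schedule path matters even when a kill is attempted. And the scheduled entry names the renamed file, so an autostart key that still points at the original name simply fails to find anything on the next boot; cleaning those keys is a separate step this example does not perform.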
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I hope so.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The topic of memory scanners is an interesting one and I haven't found a definite answer on why the AV memory scanners are (if they are) weaker than AT memory scanners.
    I wish that AV experts could enlighten us.
     
  14. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Out of the antiviruses I've tried, I can't say Antivir has performed any worse than the others with me. Even the best have occasional problems. KAV6 is said to be one of the best, but I had to reinstall a test laptop a couple of weeks ago: infected with Virus.Win32.Xorala, it disinfected most files, then asked to reboot to do an 'Advanced Disinfection Routine', but once the computer shut down it would not restart in normal mode, in safe mode, or using 'last known good configuration', so I reformatted. I know this is just one example and doesn't mean anything, but in my experience even the best are not perfect, and Antivir is up there with the best, at least that's what I've found.

    Regards,
    Londonbeat
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I agree that it should have had an option to at least reboot and remove. I think your criticism is fair.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are right, but you know any reliable tests that show Antivir as a top-notch AV are only related to detection rate, not removal. So who knows which AV is good in this regard!
     
    Last edited: Jan 21, 2007
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, this is my main point of criticism.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I did similar testing with Avast and its performance was almost comparable to NOD and KAV!
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just think of a scenario. You have Guard on. A new undetected malware comes onto your machine, runs in memory and adds itself to Windows startup etc. After a few days Antivir adds signatures for it; now the malware already loads itself at Windows boot-up and always runs in memory. Antivir will detect it but might not remove it. No reboot option. NOD, KAV and Avast will have a clear edge here over Antivir.

    There might be other scenarios as well.
     
  20. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    Antivirus vendors want you to have an updated OS and updated AV in order to protect you. This means to protect you from getting infected.

    There are many removal tools for different types of malware, where an antivirus cannot help if it is running in memory.

    That's why we have Safe Mode, where most malware will die, or tech support that will provide us with a special removal tool or steps to clean up the PC.

    For me the right way of testing is to see what the real-time guard is able to protect you against when installing malware, not how well the guard can eliminate malware. If you are already infected then it means that the AV guard did not do its job.

    If software lets you install malware and just notifies you that it detected malware then it is not the right protection; the guard should block and stop the installation process.

    I think that IBK should make this kind of testing :)
     
  21. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Each one of you has posed some very important suggestions. I hope only that the spokespersons of the respective av's. as well as the testers of these av's, shall respond in due time.

    Dave
    Co-developer (with many others, of course) of C, C+ and C++, and one of the tiny handful who can explain why C, C+ and C++ are so called by these names.

    Add. I would like very much to see addressed by av vendors and testers the following questions in their respective or collective contexts.

    1) What is meant by viral?
    2) What is meant by trojan?
    3) What is regarded as worm?
    4) What is meant by destructive?
    5) What is meant by adware
    6) What is deemed spyware?

    It seems, no two av authors concur as per these questions, EVASIVELY SO!
     
    Last edited: Jan 21, 2007
  22. SteveS335

    SteveS335 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    43
    I think in this scenario then a new scan would be the answer.

    I do see your point about reboots from other A/V companies, and think that as AntiVir has always gone for the "no frills" approach - just the bare necessities, they prefer to have this aspect done manually.

    The user manual also mentions what to do in the "Help in case of a problem" section -"Viruses and malware cannot be moved or deleted"

    I also think that because they now have two employed (note 9-5 German Time) representatives on their support forum then anything that can't be solved by usual means, can be addressed there.

    It simply boils down to the fact that, as you say, AntiVir doesn't have the reboot & remove option that some other A/V solutions do, but that doesn't amount to any kind of security gap or "poor handling", because there is an alternative solution - just not automatic.

    Hope this puts your mind at rest a little.

    Steve
     
  23. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    340
    Location:
    Colorado Springs
    Here's what it says in the help section of Antivir when viruses and malware cannot be moved or deleted:

    1) Update Avira AntiVir PersonalEdition Classic.

    2) If you use the operating system Windows ME or Windows XP, deactivate System Restore.

    3) Start the computer in Safe Mode.

    4) Start Avira AntiVir PersonalEdition Classic and the Avira AntiVir PersonalEdition Classic Configuration (Expert mode).

    5) Select Scanner :: Scan :: Files :: All files and confirm the window with OK.

    6) Start a scan of all local drives.

    7) Start the computer in Normal Mode.

    8) Carry out a scan in Normal Mode.

    9) If no other viruses or malware have been found, activate System Restore if it is available and to be used.


    Now, does that mean start the scan in safe mode and immediately switch to normal mode, or let the scan finish in safe mode then do another scan in normal mode?
     
  24. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    340
    Location:
    Colorado Springs
    How is Bitdefender in terms of cleaning ability?
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Why such long trouble when many times just a reboot-and-remove option will work (with other AVs)? All this should be the extreme option for an AV.
     