Question about AV Resident Monitors

Discussion in 'other anti-virus software' started by I_lack_commonsense, Feb 1, 2003.

Thread Status:
Not open for further replies.
  1. I_lack_commonsense

    I_lack_commonsense Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    44
    I have looked at the settings in Kaspersky's Resident Antivirus Monitor and noticed that a few fewer settings were unselected compared with the "full system scan settings." By this I would just imagine that Kaspersky goes over these files the same way it would in a "full system scan" except it just chooses and selects which files to scan. Is this how most other AV resident monitors work (I was wondering specifically about DrWeb and NOD32, as I hear they use far fewer resources than Kaspersky)? Is any AV Resident Monitor "stronger" compared to any others?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    I_lack,

    Many resident AV monitors limit which file types to scan, and they often restrict the scanning (under default settings) to just the common executable file types, as those are the ones that can endanger the system. I think this is a smart way to do it; after all, why waste system resources scanning files that can't do any harm in their current state?

    Of course, say you had an infected file called "filename.lwm", which would not be executable on most systems and is therefore harmless, and you renamed it to "filename.exe" and accessed it, then your resident AV monitor should catch and crush the bug immediately.

    As to which is "stronger", well that again gets us into the realm of the ongoing debate regarding which AV is better...
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I think most AVs' monitoring is a little less thorough than the scanner. That is because there is no need to monitor inside archives, and whatever other selections may be available.
    The monitor needs to be on top of programs as they execute or open.
    A scanner should try to find malware on your computer, whether it is executing or not.
    Lately there have been several discussions regarding scanning/monitoring inside packed executables. It's up to you whether or not you want packed files scanned deeply.
    KAV suffers from two problems. One is the Control Center is a resource hog and really not necessary. The other is if you choose to monitor packed files, since KAV has such an extensive unpacker, it takes time and resources for it to check packed files while monitoring. It does much better if you monitor only on execution or downloading.
    DrWeb is much like KAV, but not quite the resource hog. I have not tried to set its monitoring with the same settings as the scanner, so I don't know how much it would drag my machine down.
    NOD32 is a great AV. If I were using it, I would not be the least bit concerned about packed files getting to me. They do have to unpack and run before they can do any damage.
    Just make sure you have a great AT to use with NOD32 as it does concentrate on viruses. I do not have a problem with that. :D
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Root from Firefighter!

    For everybody's own security, archive scanning is not so important; for the web community's security, archive scanning is the only thing that counts!

    The question of archive scanning capability is somewhat the same as in real life with HIV positives. You don't feel ill yourself, but you are infecting others!

    A poor archive scanner and iMesh, Kazaa or whatever are together a lethal combination. ;)


    "The truth is out there, but it hurts!"

    Best regards,
    Firefighter!
     
  5. xor

    xor Guest

    From xor to firefighter !

    I don't know what your problem really is. You are only concerned about archive packers. Then set up a BATCH file which unpacks all your ZIP files until the last readme.txt has been scanned.
    You can do the following trick:

    Extract every file as *.exe.... If it is a (true) executable file it will have an exe header. This means the virus scanner then knows it is an exe file. By writing *.exe you force the RTM to scan this file - with or without an exe header.
    It's as easy as this. With this method you can even support more archives than KAV supports. Just find all archive unpackers and link them together with a call in the batch file. Make for each packer a custom unpack.BAT with the commands to unpack everything, and after this to rename all files to exe files. :D

    [-xor-]
     
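LowWaterMark's point about a "filename.lwm" that is really an executable, and xor's point that a true executable carries an exe header, both come down to the same thing: a scanner that decides what to look at by extension alone can be steered, while one that sniffs the leading bytes is not. The following is an added example, not code from anyone in this thread; it triages constructed sample files by magic bytes, lists what is inside a ZIP so the container is not the only thing inspected, and the `should_scan`/`sniff`/`archive_members` names and the extension allow-list are my own assumptions.

```python
# Added example (not from the thread): decide whether a file deserves a
# resident-scanner pass from its content rather than only its extension.
import io
import zipfile

# Leading bytes of a few formats that carry code or wrap other files.
# MZ = DOS/Windows PE stub, PK\x03\x04 = ZIP local header, \x7fELF = ELF.
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}

def sniff(data: bytes) -> str:
    """Return a format label from the leading bytes, or 'other'."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "other"

def should_scan(name: str, data: bytes) -> bool:
    """Scan if the name *or* the content says executable/archive.
    An extension-only policy misses a renamed binary; a content-only
    policy misses a plain-text script, so checking both is the safer
    default.  The extension allow-list here is an assumed sample."""
    ext = name.lower().rsplit(".", 1)[-1]
    return ext in {"exe", "dll", "scr", "com", "zip"} or sniff(data) != "other"

def archive_members(data: bytes):
    """(name, sniffed type) for every ZIP member, so a scanner can judge
    what is inside rather than just the container."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(m.filename, sniff(zf.read(m))) for m in zf.infolist()]

# Constructed samples: a minimal PE-looking blob and a ZIP wrapping it
# under a harmless-looking name next to a text file.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("filename.lwm", FAKE_PE)  # disguised executable
    _zf.writestr("readme.txt", b"hello")
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    print(should_scan("filename.lwm", FAKE_PE))  # True: content says PE
    print(should_scan("readme.txt", b"hello"))   # False: nothing to run
    print(sniff(SAMPLE_ZIP), archive_members(SAMPLE_ZIP))
```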
  6. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Firefighter: as I responded in your other thread, good detection in the uncompressed files and upon execution is what counts and ultimately prevents infection. An AV that is poor in detection rates will not catch something it won't detect at all whether it's in the archived format or when the file is uncompressed. So even if it appears to do better generally on archives, that will mean nothing if it does not catch the malware in the zip format and then again when the file is unzipped and run.

    In contrast, an AV that is among the best in detection rates may not alert on the zip where it is harmless but will more likely catch the malware when it is uncompressed and/or executed, thus preventing infection.

    Computers do not get infected by a zip, but at the point the file is unzipped and run. So that's when the detection rates really count in preventing infection.

    And for P2P file sharing (and for those engaged in warez and cracks), then an AT is also a must. Not just an AV. And frankly, the user must accept responsibility for their computing practices. If they choose to live on the edge and engage in unsafe practices, they are much more likely to get infected unlike others who practice "safe hex."
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Sig from Firefighter!

    Of course good In the Wild and Zoo detection rates in resident scanning matter. Unfortunately, many of us are not in such a situation, so the best way to prevent infections through P2P or whatever is to remove viruses from every level of your PC with a good AV program capable of scanning enough archives, and I think there are fewer than 10 such programs. :rolleyes:


    "The truth is out there, but it hurts"

    Best regards,
    Firefighter!
     