VBA32 and eicar

Discussion in 'other anti-virus software' started by n8chavez, May 27, 2006.

Thread Status:
Not open for further replies.
  1. crocodile

    crocodile Registered Member

    Joined:
    Jun 9, 2006
    Posts:
    1
    Update which fixed these eicar realtime detection issues has been available for all registered users since Monday (June 5). The same fix for beta version is available on update resource today. In the case of any problems always feel free to contact us using support-en@anti-virus.by e-mail. We don't check this forum frequently, so it is always better to use that e-mail address when asking for support. And this forum is certainly not a proper place for any refund requests.
     
    Last edited: Jun 9, 2006
  2. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Are there any plans for an English resource forum, like the one at VBA32.de?
    That would be extremely helpful.

    Thanks for the reply as to the update, I was using the beta until recently when I applied a new image to try out AntiVir, it will be removed and VBA32 will be re-installed.
     
  3. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    @ likuidkewl (or anybody else w/ VBA non-beta):

    Can you report on cpu usage?
    Beta version cpu usage VERY high when 'process only new files' is de-selected.
    Cpu spike quite high, but fortunately only transient.
    Much better with 'process only new files' checked.
    Mem usage no increase with latest update / patch.
    I'd like to see one. Maybe I'll petition them. It'd be invaluable for subscribers, developers, not to mention an asset to marketing of the product.
     
  4. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Will do when I apply a fresh one, should be sometime this afternoon.
     
  5. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    I didn't request a refund on the forum, I simply stated my intentions and dissatisfaction. I don't think it is your place to determine what this forum is the proper place for, something best left to the moderators/admins.

    I would be lying if I said I wasn't LIVID about these recent security issues that potentially (and quite possibly have) put client/relatives' systems at risk - and NOW require me to invest substantial time/effort to determine their systems weren't compromised. Not to mention the delay with having the problems addressed by you folks. Frankly, VBA32 was a product I really enjoyed, but almost all credibility to me has been lost with this incident.

    Perhaps I am being too harsh, but when it is suddenly discovered that your primary security product works less than 50% of the time - Houston, we have a problem!
     
  6. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    I have some further information regarding this issue and will await a response from the support contact before publishing it here.

    I can confirm that the file extraction issue, and 50% detection in the "process only new files" option has been fixed.

    But as of right now I recommend that those of you with the "process only new files" option selected switch back to the default, SIMPLY AS A FAILSAFE!!
    My words above do not mean VBA has not fixed these issues and are not a reputable AV solution, this is simply for your protection and an opinion held solely by me at this point.

    If this is cryptic please forgive me. :)
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Is this problem fixed yet? I understand some of you have been receiving responses from VBA32 support, which sadly is more than I ever got. But I haven't heard anyone say that they have seen this issue fixed.

    I guess in this case me being incredibly anal paid off.
     
  8. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    It has been fixed with beta release.
    I'm almost certain problem has also been resolved w/ non-beta 3.11.0.
    You may want to download the eicar files and test yourself, just to give you the 'warm and fuzzies'
     
  9. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Yes the original problem has been fixed.
     
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    The .com version of the test file works. However, the .zip files are not detected by the on-access scanner. Is this by design? I know that they are detected by Dr Web and NOD32 (on-access). I think this is really important especially because there is no schedule feature on VBA32. How then are we supposed to know if a compressed malware has been transferred?

    I know they are inactive when compressed, but still....
     
  11. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Once it is extracted it will be caught. It hasn't missed any it "recognized" uncompressed in standard mode. And the problems with the "Process only new files" as stated have been fixed up. There is still one issue I am awaiting clarification on at another board or by email from support, nothing as of yet from the 14th of June in the way of responses.
     
  12. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Can you disclose this issue to us?
     
  13. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    If I don't receive a reply in a few weeks I may. I am going to give them until at least mid-July. I have had very good communication with them so I am extremely hesitant to do so.
     
  14. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    The problems with both the eicar files and the multiple file execution problem seem to have been answered.


    1. The RTM consistently flags the Eicar files in all File settings.

    2. Likuidkewl's observations with the multiple file executions seem to be unique to the "Process new file" setting of the RTM. In this regard it is very similar to the SmartMode of SpIDerGuard in Dr Web.


    Using this setting is safe if:

    1. The RTM is always enabled. Care must be taken if disabled for some reason as in this mode it ONLY scans files that are updated and/or created.

    2. Files need to be checked regularly with the on-demand scanner.

    3. All downloaded files need to be context menu scanned.

    With these precautions in place, the "Process only new files" setting is a good compromise between performance and protection.
     


  15. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Blackcat-- It seems then that you are not recommending using this "new files only" method. Am I right? Not using it will increase resource usage and yet using it will add holes to your on-access protection. You recommend doing an on-demand scan to make sure. The problem is that doing so requires a lot of user intervention; there is no scheduler. That is why the on-access scanner is vital. Am I way out of line here? It sounds like VBA32 needs to fix their on-access scanner, else their product is not safe.
     
  16. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    No, I am quite happy to use the VBA32 RTM with the "process only new files" setting.

    Regular on-demand scanning and checking every new file downloaded is recommended for all AV's and is not unique to VBA32.

    With most AV's the safest setting with the Guard is with the ALL files selected. Therefore, with VBA32 and Dr Web RTM's just a little more care is needed and this slightly extra effort is well worth the improvement in performance.

    But probably not the best setting for newbies ;)

    Further, as you are using Dr Web at the present time, you are probably using SmartMode in SpiderGuard. Since the other modes of scanning generally bring most computers to their knees, you do not even have the option, unlike VBA32 of selecting another scan mode in SG. So similar precautions, when using VBA32, are needed with SpIDerGuard. Now since you are using this AV I presume you are happy with Dr Web and consider Smartmode a safe option?

    Overall, no AV has the perfect on-access scanner and there needs to be a balance between protection and performance.
     
  17. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    I agree with BC, the "Process only new files" option IS safe, a fluke accident would have to occur while running VBA32 to be able to download and run two "known" malicious programs at the same time in "Ask" mode, under when a virus is found. These two to three things MUST happen for it to be exploited.
    When I say known, if a piece of malware is unknown this would not do much good anyhow.
     
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Well I have Dr Web on one system and VBA32 on the other. I do like Dr Web's on-access scanner. I just use the default though, which I believe is smart mode and similar to VBA's "scan new files only" option. I never messed with it. I do know this, I have tried downloading the eicar test file and everything was caught by Spider Guard; both .com and zipped. This is not true with VBA32, hence the need to start this thread.

    I think we can all agree that there needs to be improvements and/or changes to VBAs on-access scanner. I believe you posted that in their forums, right?

    What keeps me coming back to VBA as my primary AV is that it seems to nab things that Dr Web misses.
     
  19. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Past tense now. It now catches, as it should, both the eicar.com and the two zipped files. This bug has been fixed.
    VBA32's RTM is fine now, it works as it should and is a good choice even in "smart-scan" mode. I was a little concerned with the multiple-file extraction problem BUT this is very unlikely to be seen in real-time. Further, don't forget that users suggested to VirusBlokAda to include this smart-mode scanning which has only recently been implicated.

    If you are not happy with this setting don't forget you have a choice to turn off this setting. You cannot do this, however, with Dr Web. You are stuck with Smartmode in SpIDerGuard. So in VBA32, for set and forget users, select "Scan standard files" / "Scan selected file types" or "Scan all file types".
    Same here ;)

    So it must be doing something right!
     
  20. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    .com is flagged on download, .zip is not flagged on download (whether 'process new files only' is checked or not). It DOES catch upon manual scan OR when you attempt to un-zip, so you should be quite safe.
    Ahh, I see you're already visiting the forum. You'll see multiple posts/replies re: 'RTM "Process only new files" option'


    Microsoft: What do you want to patch today......
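
Added example, not part of the thread or of any vendor's tooling: a small Python harness for the self-test the posters describe, writing the plain EICAR file, a zip of it and a zip-in-zip, then unpacking the zip, and reporting whether the on-access scanner let each file stand. The file names follow the conventional EICAR download names, and the outcome labels (`intact`, `removed`, `blocked`, `modified`) are this example's own.

```python
import io, tempfile, zipfile
from pathlib import Path

# Standard 68-byte EICAR test string, split so a scanner does not flag this listing.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         r"ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def zip_bytes(name, payload):
    """Return an in-memory zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_samples():
    """Plain file, zip, and zip-in-zip (conventional EICAR file names)."""
    single = zip_bytes("eicar.com", EICAR)
    return {"eicar.com": EICAR, "eicar_com.zip": single,
            "eicarcom2.zip": zip_bytes("eicar_com.zip", single)}

def probe(path, expected):
    """Classify what happened to a file after it was written."""
    try:
        data = Path(path).read_bytes()
    except FileNotFoundError:
        return "removed"   # deleted or quarantined
    except OSError:
        return "blocked"   # read denied, e.g. by the on-access scanner
    return "intact" if data == expected else "modified"

def run(workdir):
    """Write each sample, then unzip one, recording every outcome."""
    samples, results = build_samples(), {}
    for name, payload in samples.items():
        path = Path(workdir) / name
        try:
            path.write_bytes(payload)
            results["write " + name] = probe(path, payload)
        except OSError:
            results["write " + name] = "blocked"
    try:  # the step at which posters say the zipped file is caught
        with zipfile.ZipFile(io.BytesIO(samples["eicar_com.zip"])) as zf:
            out = zf.extract("eicar.com", str(Path(workdir) / "unzipped"))
        results["extract eicar.com"] = probe(out, EICAR)
    except OSError:
        results["extract eicar.com"] = "blocked"
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(run(d))
```

A scanner that inspects archives only on extraction, as described in the thread, would leave both `write *.zip` steps `intact` while the plain write and the extract step come back `removed` or `blocked`. Some scanners act a moment after the write completes, so an `intact` result is worth re-probing after a short delay.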
     