On-demand scanners

Discussion in 'other anti-virus software' started by Wai_Wai, Sep 16, 2006.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Thanks for the handy link. :)

    Very limited virus/malware database. Hardly useful if you are installing some of the best anti-virus programs on your PC. ;)
     
  2. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    ClamWin doesn't have on-access protection (but it's planned)
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Standalone on-demand scanner (st) vs online scanner (onl)
    • Both will occupy your disk space anyway
    • st: scans faster
    • st: more flexible (configuration, scan options)
    • st: more handy (can scan right on the spot)
    • st: most of them offer both scan and cure/removal; onl: few offer both scan and cure/removal. Most are scan only
    • st: very low chance of conflicts; onl: probably slightly lower than "st"
    • st: hardly ever uses more than 1 scan engine; onl: some websites offer scanning of individual files with multiple engines
    • Any more to add?
    st = Standalone on-demand scanner
    onl = online scanner

    PS: Ouch! My comparison looks too biased. :blink:
    More inputs are welcome. :D
     
    Last edited: Sep 16, 2006
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Good point. :thumb:

    Yes or no.

    I might post some research about virus detection and multi-engine scanning soon, so users can know more about it and whether it is worth having more than 1 engine (even if you have one of the best anti-virus programs in the world), and make an informed decision.
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Last edited: Sep 17, 2006
  6. marcromero

    marcromero Guest

    For a second opinion scanner, I use DrWeb's CureIt. It detects and removes the threats it finds; it will remove viruses, adware/spyware and other malware. It does a thorough job of scanning the hard drive. Next to Kaspersky, its database is updated almost every hour, sometimes more than once an hour, depending on the threats in circulation.

    Marc
     
  7. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    It is ONLY an on-demand scanner, it doesn't have an on-access scanner.
    ---edit---
    didn't see the previous reply
    ---------

    to answer your other question, ClamAV for *nix is also on-demand only

    Alphalutra1
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Recently I have been doing a small piece of research about this and how additional on-demand scanners could be helpful to your main resident anti-virus program. It is just a crude and simple piece of research after all, so don't treat it very seriously.

    I would like to make the test as real as possible. Instead of using virus samples in the lab, it seems better to test our anti-virus programs in real-world circumstances. All the malware grabbed is circulating on the dark side of the Internet, so the threats are real.

    About 50 instances have been tested so far. At least 1 scanner can detect the malware.
    See the screenshot below or this link for the result:
    https://www.wilderssecurity.com/attachment.php?attachmentid=183289&stc=1&d=1158518013
    (Note: This is just a preliminary report. It is not intended to be exhaustive. It is just to give users a rough idea about the general situation. I may update the report or test more thoroughly, depending on time availability.)

    As you see from the result, the mode of the detection rates per scanner is 4, that is, there are only 4 scanners (the total number of scanners is 15) which can detect the same malware most of the time.

    If you use both Avira Antivir and Kaspersky to scan your system, your detection rate is boosted by 20% (i.e. from 60% to 80%), which is a decent improvement. The second backup scanner usually provides the largest improvement in your overall detection rate. The improvement becomes less and less as you add more backup scanners to your existing ones.

    After all, I find the concept of the "multiple scanner approach" interesting. Someone like this person might agree with me :D :
     


    Last edited: Sep 17, 2006
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't take the test very seriously, but the total no. of scanners = 15, not 14. :)
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I am sorry, but how could you possibly test ClamAV, since it is not built for Windows? Secondly, it is an on-demand scanner only, so there can be no real-time scanning abilities. Thirdly, I would like to know more about your methods for the test. Did you install each AV on a fresh XP install? How were the samples detected, by the on-access scanner upon downloading the malware? What kind of malware was used? Was it a corrupted sample that actually wouldn't cause any damage at all? What settings did you use for each AV? And I would have to say you did the test very, very fast, so I tend to doubt that it really is testing the on-access scanning capabilities of the products.

    And please don't say that this is true: You scanned each downloaded file at either VirusTotal or Jotti's, then posted the results.

    Alphalutra1
     
    Last edited: Sep 17, 2006
  11. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Obviously the test was made using the Jotti service and wasn't real-time. From reading the description, the samples were actual malware, not false positives or corrupted samples (If I understand correctly).
    The antiviruses used in Jotti are linux versions, so the detection rates may be different from the windows versions.
    Some days ago I used some Jotti Statistics (100 samples detected by at least 2 scanners) for my own curiosity and the results were similar.
     
    Last edited: Sep 17, 2006
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Oh! What a silly mistake. :oops:
    I should have sought help from a function (i.e. COUNTA) to count the total.
    Fortunately, the other figures are calculated by functions (I don't use that number to do the calculation. They are there for the user's convenience), not poor me. So they are still correct.

    By the way, this proves that I'm very bad at counting, and my eyes are probably blurring. o_O
     
    Last edited: Sep 17, 2006
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Nevermind :D
    But I'm convinced that users with 15 scanners are better protected than users with 14 scanners. :)
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Thanks for your questions.
    Here are my answers to your questions:
    1. ClamAV on Windows - Easy! Call my friend, Jotti :D
    2. Hey, this is a thread about on-demand scanning. Guess what is going to be tested. :p
    3. As I said, I would like the test to be as real as possible. So the threat is real and the malware, if executed, will cause real damage to the system.
    4. The types of malware are mainly trojans & backdoors (& the like); a few viruses, exploits, flooders and keyloggers
    5. Actually I'm very slow. It just happens that I have been doing the test recently. However they are simply raw data, and the presentation is very poor (e.g. no labels). Only I can manage to read this unreadable mess. What I do is present the data in a neat way and post it, but it takes me one whole day to do. What a slow man. :thumbd:

    Unfortunately this is true for this test.

    Feel free to ask any question if you have any doubt/question about this test.
    I'm more than happy to answer. :cool:
     
    Last edited: Sep 17, 2006
  15. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Your interpretation is flawless. :D

    As to Linux versions VS windows versions, I believe the difference is not going to be substantial.
     
  16. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Ummmm, the title of your "report" is "Real-time Threat Scan Report", which in my mind says that it is an on-access scanning test. Change the title please to reflect that it is an on-demand scanning test, and tell us what samples you used.

    Cheers,

    Alphalutra1
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hehe... :D

    By the way, bad anti-virus scanners tend to detect something which most other good anti-virus scanners can detect. For example, I can't see any instance where UNA or VirusBuster is the only scanner which can detect the malware [not a false positive] (if you find it, it's a golden scene. Snapshot it as fast as possible and probably sell it :cool: ); however I could see a few instances where one of the excellent anti-virus scanners, like Kaspersky, is the only scanner which can detect the malware but not the others.

    If you are going to add the fifteenth scanner, it is probably a bad one and it hardly helps (don't tell me you are going to add Kaspersky as the fifteenth scanner, or I will beat you up :blink: ). But yes, 1 instance is 1 instance. If you, by any chance, can catch a malware which all 14 scanners have missed, you are rewarded and better protected. :D
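    A worked version of the arithmetic in posts #8 and #17 above (union detection rate of several scanners, the diminishing return of each extra scanner, and whether a weak scanner ever flags something nobody else does). This is an added example, not code from the thread or from any scanner vendor. It assumes a constructed 0/1 detection matrix for hypothetical scanners S1..S5 over 10 samples, which does not reproduce the real Jotti results referenced above:

```python
"""Union detection rate of several on-demand scanners.

Added example; not from the thread or any vendor. The detection matrix
below is constructed for illustration (hypothetical scanners S1..S5,
10 samples) and does not reproduce the Jotti results discussed above.
"""
from collections import Counter

SCANNERS = ["S1", "S2", "S3", "S4", "S5"]  # hypothetical names

# One row per malware sample, one column per scanner: 1 = detected, 0 = missed.
MATRIX = [
    # S1 S2 S3 S4 S5
    [1, 1, 1, 1, 0],
    [1, 1, 0, 0, 0],
    [1, 0, 1, 0, 0],
    [0, 1, 1, 0, 0],
    [1, 0, 0, 0, 0],
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
    [1, 1, 1, 1, 1],
    [0, 0, 0, 1, 0],
    [1, 1, 0, 0, 1],
]


def detected_by(scanner, matrix=MATRIX, scanners=SCANNERS):
    """Indexes of the samples a single scanner detects."""
    col = scanners.index(scanner)
    return {i for i, row in enumerate(matrix) if row[col]}


def union_rate(chosen, matrix=MATRIX, scanners=SCANNERS):
    """Fraction of samples caught by at least one scanner in `chosen`.

    This is the number that matters when a second-opinion scanner is run
    after the main one: a sample counts as detected if any scanner flags it.
    """
    hits = set()
    for s in chosen:
        hits |= detected_by(s, matrix, scanners)
    return len(hits) / len(matrix)


def detection_count_mode(matrix=MATRIX):
    """Most common number of scanners flagging the same sample."""
    return Counter(sum(row) for row in matrix).most_common(1)[0][0]


def unique_detections(scanner, matrix=MATRIX, scanners=SCANNERS):
    """Samples that only this scanner flags; an empty set means it adds
    nothing the other scanners do not already catch."""
    col = scanners.index(scanner)
    return {i for i, row in enumerate(matrix) if row[col] and sum(row) == 1}


def greedy_order(matrix=MATRIX, scanners=SCANNERS):
    """Add scanners one at a time, always the one that raises the union
    rate the most (ties broken by list order). Returns (scanner, rate)
    pairs; a flat tail shows where extra scanners stop paying off."""
    chosen, remaining, out = [], list(scanners), []
    while remaining:
        best, best_rate = None, -1.0
        for s in remaining:  # first maximum wins, so ties keep list order
            r = union_rate(chosen + [s], matrix, scanners)
            if r > best_rate:
                best, best_rate = s, r
        chosen.append(best)
        remaining.remove(best)
        out.append((best, best_rate))
    return out


if __name__ == "__main__":
    print("mode of detections per sample:", detection_count_mode())
    for s in SCANNERS:
        print(f"{s}: rate={union_rate([s]):.2f} unique={sorted(unique_detections(s))}")
    for s, r in greedy_order():
        print(f"+{s}: union rate {r:.2f}")
```

    With this constructed data the first two scanners each sit at 60% alone and reach 80% together; the third choice adds another 20 points, the remaining two add nothing, and S3 and S5 never flag a sample that some other scanner misses. The functions apply unchanged to a real multi-engine result set once it is laid out as a 0/1 matrix, which is the check a practitioner wants before adding a fifteenth on-demand scanner.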
     
  18. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Oh, sorry! :oops:
    I intended to type "real threat" but it turned out to be "real-time threat".
    It's high time to take some rest today.

    The types of malware are mainly trojans & backdoors (& the like); a few viruses, exploits, flooders and keyloggers (may be subject to change as I add more to test).

    After all, the current report is just preliminary.
    I may update the report or test more thoroughly, depending on time availability, but may take a while to do.
     
    Last edited: Sep 17, 2006
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    1. The best scanners have real-time protection. The real-time shield PREVENTS the installation of malware. Since you can only have ONE real-time shield to avoid possible conflicts, your prevention isn't sufficient, because it is based on only ONE scanner.

    2. Scanners don't stop the EXECUTION of malware that has been installed on your computer, and the execution of malware is a lot worse than the installation of malware, because that's where the real evil begins.

    3. Scanners don't detect everything, which means
    - that installed malware is not always removed.
    - that the execution of this unremoved malware will continue day after day.

    Aren't you worried about this even when you get the message "Congrats. No threats found." o_O
     
  20. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    "No threat found" really means "No threat (detectable by AV) is found". We don't know whether the computer is 100% safe. It simply means we are safe from threats which can be detected by that AV.

    It may be even worse when it comes to trojans which intend to steal people's passwords and personal information. They tend to be personalized and selective. If the malware writer just sends the file to you, it may run safely for many, many years simply because anti-virus companies can't get hold of this trojan and analyse it. Malware writers can also amend an existing trojan and create a special variant just for you or a small group of targets. It may also be able to bypass ALL anti-virus programs.

    I don't think anti-trojan programs are doing much better either. They can only detect what they are supposed to detect. Their on-demand detection rates are usually much lower than those of anti-virus programs.

    Heuristics may help a bit, but not much.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In other words scanners can't be trusted, even when you run 15 of them, and that is my point. They also have too many holes and require too much time for detection/removal. Malware is getting smarter and harder to remove.
    That's why I prefer the rollback method to remove threats of any kind, including trojans.
     
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are right.

    This is always a losing game.

    It is just too easy to bypass all anti-virus programs. Anti-virus programs use the blacklist method to detect malware. If it is not in the database, the malware will be left undetected. That's why most are getting into heuristics now. It helps a bit, but not much.

    To me, it seems to be a false sense of security to think one's computer is very secure when its anti-virus program can detect 100% of ITW viruses. Think about it. A malware writer creates a virus and spreads it worldwide. Later anti-virus experts catch it and add it to the database. The same malware writer realises this and creates a variant which can again bypass all anti-virus programs. Don't think it is difficult to create a variant. It is very easy indeed. It can probably be made within hours or a day. Yes, the same old original virus is still circulating in the wild, but the malware writer will spread different variants to slaughter different victims. In my opinion, "100% ITW virus" is by no means equal to "secure".

    After all, I feel the whole security game is also a losing game to me. :'(
     
    Last edited: Sep 23, 2006
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    As to the rollback method, it is okay as long as you keep your snapshots in a safe place (e.g. DVDs). However it has several limitations and problems:
    - it couldn't save anything - settings, files, all sorts of changes. It causes great inconvenience to users who need to save something on the computer
    - you will still be affected between each session. When a trojan and keylogger are installed silently, they may have stolen some of your personal data or passwords before you shut down and reboot your system.

    I would prefer sandboxing and virtualization methods.

    What do you think?
     
  24. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    By the way, it doesn't hurt to install additional on-demand scanners. They don't occupy your system resources (or just very little, like automatic updates). They just waste your disk space.

    But I'm not going to install 15 on-demand scanners. It's rather pointless to do. The worse-end anti-virus programs hardly ever catch malware which is missed by ALL the better-end anti-virus programs. Simply select a few of the best anti-virus programs to install as on-demand scanners - it's enough.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I separated my system [C:] from my personal data [D:], so my frozen snapshot has no personal data. I'm still working on this separation, because I recently discovered "nLite" and my pre-tests were very promising to move the folder "Documents and Settings" completely from [C:] to [D:] and not just the folder "My Documents" like many users do.
    I just need more time to complete these tests.

    Once you have separated your personal files from your system partition [C:] you can change any personal file
    and keep the changes without doing anything special. I'm doing this already for six months without any problems.

    So what is left ? The good changes on your system partition [C:], which seems to be a problem at first sight,
    because they are removed by the frozen snapshot together with the bad changes after reboot.
    The crucial question is : "Do you need the good changes in a frozen snapshot ?"
    After all a frozen snapshot removes the bad stuff, so I don't need scanners and their daily updatings anymore to remove the bad stuff. There is no bad stuff anymore that needs to be removed.

    To stop the installation and the execution of malware, you need software like Anti-Executable or Prevx1. I just can't choose between the two, but that is just a matter of time.

    My biggest problem is TIME to do it and to test it. :)
     