The importance of manual scans?

Discussion in 'other anti-malware software' started by raven211, Jun 5, 2009.

Thread Status:
Not open for further replies.
  1. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    I might be wrong ... but I'm pretty sure someone on here said Norton Security Scan auto deletes any finds ... FP boom! gone, was the implication.

    I never found anything with it so I didn't find out myself. Anyone else know?
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Retadpuss sent me through samples that are very new (under a week old). We both scanned the samples with a few security programs.

    Remember, just a small number of new files from the millions that exist. Run another test on new samples, and CureIt for example, might have the highest detection.

    Didn't actively run the files as they might cause unwanted system effects. Just tested out of boredom, no more no less.

    On-demand - 262 total files (files detected)

    Prevx (112)
    a-squared free (64)
    Dr Web's CureIt (57)
    Malwarebytes (51) | Hitman Pro (51 - figure could be higher, possibly 67, as 16 uploads failed)
    AVZ tool on maximum settings (31)



    cont...
     
    Last edited: Jun 7, 2009
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Cont...

    CureIt and MBAM did very well, considering these are all relatively new samples. MBAM scanned the files in the shortest time.

    Once Hitman Pro comes out of beta and fixes the odd upload-to-cloud failure, should be quite a useful program...Thanks for your assistance Retadpuss.

     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I think there's definitely a place for manual scanning.

    Not all programs will find the same files. Multi-layered security is promoted on this forum and I agree with it. For example, if you combined MBAM, with CureIt, etc etc, you'd see a larger detection/removal of the total files scanned. :)
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Absolutely agree, a layered defense is the best way to go, IMO.
    Doesn't hurt to have a scanner or two. (or three)
     
  6. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Agreed. A couple of scanners is good, but users should use different types of security applications.

    I often see members here list 3-5 scanners in their signature - I think to myself - when do these people actually get to use their computers? They must spend all their time scanning!

    I know many people play about with scanners for a hobby / fun, but I would say, rather than have lots of scanners, mix it up a bit. Use a full AM - one of the good ones like Norton, Avira etc. Have an on-demand scanner if you like - a proper one like A2. If you want two realtime, Prevx is stunning and light and fits with all AMs. A2 is good in realtime as well and won't cause conflicts.

    Get a HIPS and use some more prevention in the shape of Sandboxie.

    You can run under Returnil for another layer of protection.

    These are what I would call real "layers" of security. Each is different. It's a waste of time having 5-6 scanners!

    Puss
     
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hey, mate! Great testing - I can see why Hitman Pro might not be the best alternative (at least now... hope for improvement) and Prevx going strong.

    Would you mind testing SAS against the same set, or is it too old by now? :rolleyes:
     
  8. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Saraceno did run SAS (I can't as I'm using Win 7) - can't remember the exact results, but was in the 20s I think.

    The sample of malware used was not a random sample of new threats, but was made up of those that A2 and Avira missed out of a much larger set. These were originally missed by them about 5 days ago, but within hours A2 and Avira had added signatures to detect some of them. At the time A2 and Avira missed all these, Prevx got 110 of them.

    I run tests quite frequently and would say that over the last 6 months, A2 and Avira have been the best at catching new (24 - 48 hour old), with F-Secure doing very well also. In this respect, A2 and Avira have been much better than the rest - by a long way. In the last couple of months, I would say Prevx has been as good and in some cases (like here) better than A2 and Avira.
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    How would you say that Trend and, say, Panda fare in comparison?
     
  10. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Hi Raven,

    I have not tested these myself so could not comment based on my own experience - but I know from work done by some associates that Panda is not that good.
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
  12. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Prevx (112)
    a-squared free (64)
    <<New>>BitDefender Online Scan (64)
    Dr Web's CureIt (57)
    Malwarebytes (51) | Hitman Pro (51 - figure could be higher, possibly 67, as 16 uploads failed)
    <<New>>Norman Malware Cleaner (47)
    AVZ tool on maximum settings (31)

     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    HouseCall 7.0 might be an interesting go as it probably shows off some new stuff and is wide-known from what I've seen before. ;)
     
  14. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Raven, regarding Hitman Pro, just a note Mark (developer) mentioned the scan cloud issue will be fixed shortly and will be much more efficient (within next week or two), and work is commencing on a new version 3.6 which will have improvements and new features. I'm sticking with it! ;) :thumb:
     
  15. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I'll try HouseCall 7 now, but I think it mainly focuses on active infections.

    Edit...Spends most of its time analysing the system32 folder and running processes. I think you'd need to run a few threats then run HouseCall. No files detected, but whether it would remove active infections is a different matter.
     
    Last edited: Jun 8, 2009
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'd like to echo what "Fly" mentioned earlier in this thread regarding scheduled, Full scans. When our enterprise customers ask why they need to conduct scheduled, full scans when they have the same software executing real-time scans of inbound content, I tell them that the AV/AS vendors may not have a signature that identifies a particular piece of malware until days, weeks, or even months after it lands in your machine. So, the primary value of these full scans is to compare content in the PC with signatures that arrived after the content was originally/last scanned in 'real-time'.

    One more point, when I'm asked why are signature based tools useful when 'your products can supposedly stop the same malware', I generally have two answers and a clarification. First, signature based tools can intercept inbound content before the targeted process consumes it, which means little if anything must be cleaned up or rolled back. Second, which is similar to the first point, our products do not delete malicious content, only 'neutralize' their effect. Eventually, the signature-based tool will have a signature for it and delete it. Although, we may have our products delete or provide the easy option of deleting them too. As for the clarification, our products do not intervene on what happens within a web browser, such as malicious Java scripts in one tab stealing or injecting data into another tab, for example. A signature-based AS might intercept that. Although, I prefer to use two or more separate web browsers to compartmentalize sensitive web activity from other web activity.

    Cheers,

    Eirik
     
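    The scheduled-full-scan argument above, as an added Python model (not code from any poster or vendor in this thread): files are scanned once at ingress with whatever signature database exists that day, and a later full scan re-checks the same resident files against signatures that arrived afterwards. File contents, hashes and the versioned signature database are all constructed for the example; the incremental flag is an assumed policy that skips files already checked with the current database.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class ScannedFile:
    name: str
    content: bytes
    arrival_day: int
    last_scanned_db_version: int = -1  # DB version in force at the last scan

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed signature DB history keyed by the day each version shipped.
# Sample A is only covered from day 5, after it has already been on disk.
SIGNATURE_DB = {
    0: set(),
    3: {sha256(b"dropper sample B (constructed)")},
    5: {sha256(b"dropper sample B (constructed)"), sha256(b"sample A (constructed)")},
}

def is_known_bad(f: ScannedFile, db_version: int) -> bool:
    f.last_scanned_db_version = db_version
    return sha256(f.content) in SIGNATURE_DB[db_version]

def full_scan(resident, db_version: int, incremental: bool = True) -> list:
    """Re-check files already on disk against the current DB; return new hits.
    incremental=True skips files last scanned with this same DB version."""
    hits = []
    for f in resident:
        if incremental and f.last_scanned_db_version >= db_version:
            continue
        if is_known_bad(f, db_version):
            hits.append(f.name)
    return hits

def simulate() -> dict:
    """Real-time scan at ingress with that day's DB, then scheduled full scans."""
    corpus = [ScannedFile("invoice.pdf.exe", b"sample A (constructed)", 0),  # day 0
              ScannedFile("holiday.jpg", b"benign bytes (constructed)", 0),  # day 0
              ScannedFile("setup_patch.exe", b"dropper sample B (constructed)", 3)]
    resident, caught = [], {"realtime": [], "full_day3": [], "full_day5": []}
    for f in corpus:
        if is_known_bad(f, f.arrival_day):
            caught["realtime"].append(f.name)  # intercepted before it lands
        else:
            resident.append(f)  # unflagged at the time, now sitting on disk
    caught["full_day3"] = full_scan(resident, 3)  # still no signature for A
    caught["full_day5"] = full_scan(resident, 5)  # newer DB finally finds A
    return caught
```

    The day-3 full scan finds nothing new because no signature for sample A exists yet; only the day-5 scan, run against the updated database, catches the file that passed the real-time check on day 0.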
  17. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I find on-demand specific file/folder scanning extremely useful when testing real Malware against various Anti whatever. I know it only shows a snapshot in time at that particular moment of those Apps capabilities, or not. But nonetheless over a period of time you can definitely see a pattern emerging of which Apps are on the ball and which are lagging!
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Awhile back in this thread, there seemed to be a consensus of sorts that SAS and MBAM work best on active infections. One poster aptly wrote, "I never saw anyone's PC get infected by a static folder of samples". To some extent this consensus was perpetuated by Marcin from MBAM when he wrote,
    With that info in mind, I have come to realize and understand that relying on manual scanning isn't as wise as I once believed it to be. In fact, I echoed a question asked on that very thread... "if the programs that did poorly on the test are really only truly effective when malware is active and running on a system, why do they have right-click scanning built in?" That question went unanswered.

    I still use MBAM and one or two others maybe once a week, but seeing the responses in that thread helped me to understand the specialization (limitations and strengths) of some of these AM programs.
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Going by these results and other results from other testing, there is only about a 50 percent chance or less that your AV would detect any malware on your PC.
    To get 80+ percent you would have to have about 3 different AVs running on your PC.

    I don't know why people don't just use something like the free version of Returnil
    and have near 100 percent bulletproof protection, instead of wasting time playing around with scanners.

    By the way, for OS imaging Macrium Reflect also has a free version.
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    These samples were new, so I'm gathering most AVs will detect more of these files in the next week or so.

    I know there is a lot of debate regarding the value of on-demand scans, and Page42 raised a good point, if on-demand scans weren't of any value, then why do security programs integrate 'right-click' scanning.

    The argument will go on, and it's all down to personal preference. If people want to wait till there is an active infection before attempting to remove the file, that's all ok with me. I prefer to first find out if a file is malicious before it is run or installed. E.g. USBs used between work, clients, and home system need to be scanned before any files are run - too much valuable information can be lost. And even if an AV has a 50 per cent chance of detecting a new unseen file, that has to be better than a 0-chance of detecting a file being loaded with malware.

    So where does it leave those programs that aren't as high on the on-demand scan tests, and that are better on active infections? These programs will always be in demand and utilised by many who have malware on their machine that bypassed an AV (or no AV). There will be a demand for them just like those programs that excel at on-demand scanning. To have both is better than having one over the other.

    arran, I agree Returnil/Shadow Defender are excellent programs, but these still demand a change, although small, to the average consumer's computing behaviour. They'll ask, 'why aren't my files deleted, the ones I cleared while Returnil was running? You telling me the deleted files will return? Why can't I install a program whenever I want to, I don't want to have to reboot. Takes too long and I'm busy! Why didn't my program install properly after reboot? Where did it go?'

    This slight loss of convenience will keep these people away from virtualisation programs such as Returnil/Shadow Defender. The fact is, they don't think they'll ever be 'infected', and when/if they do, their mentality is that they'll just take it to a 'computer man' to fix.
     
    Last edited: Jun 9, 2009
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I see now that this question can be taken as either a defense of on-demand scanning or an indictment of it, depending on how you read the words. My intent was to piggy-back on Marcin's own words, which implied that his program performs much better on active infections than on right-click scanning a folder full of malware. I think it was almost an admission on his part that right-click scanning was next to useless in many cases. And from that I asked the question, why include the right-click scan as a feature if the performance is so poor compared to cleaning active malware?

    Since some of us here at Wilders tend to talk about "a great many people" in terms of a group comprised of individuals other than ourselves, I will follow that same course and say, I bet a great many people are consequently misled by right-click scanning a folder, finding no infections, and then feeling comfortable that there is no malware in the folder, when in fact it could be fully loaded with malware.
     
  22. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Hi Arran. Please remember that this was not a normal sample, but one comprised of malware that A2 and Avira missed.

    Having 3 scanners won't give you three times the protection. On new malware, it will give you a tiny to no added protection. If you want to improve protection you will need something that responds to behaviour. The test referred to here was on demand. Had this been a live infection test, Prevx would have scored even better as it will have picked up on malware behaviour.

    A HIPS would be good to use. I have tested thousands of samples and with Prevx and Zemana installed NOTHING has ever evaded both.

    You are right about Returnil - good way to be safe against unknown malware - but, this won't protect you against data theft etc.
     
  23. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Yep, Sandboxie is very good - but I'm having problems with it under Win7 - waiting for a fix!
     
  24. JCorliss

    JCorliss Registered Member

    Joined:
    Dec 9, 2006
    Posts:
    84
    I think that statement is very debatable.
     
  25. mrisis

    mrisis Registered Member

    Joined:
    Dec 27, 2005
    Posts:
    26
    Lol, had to laugh at this one, I've been here for a few years, and this has to be the most asinine answer I have ever heard.


     