Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a bug

Discussion in 'other anti-virus software' started by Firecat, Jan 2, 2005.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Hello,

    I want to know whether current AV programs can remove registry entries of viruses? More specifically referring to KAV, AVK (any brand), FSAV, and eScan i.e KAV based engines?

    Secondly, does anyone here use MWTI's eScan commercial? If yes, do you have the latest build (2.6.518.8) and (preferably) an AMD CPU?

    I've been using it for a while now and I must say it is pretty impressive. I get about 6 updates a day (Monday to Friday, Sat and Sun we get about 2 or 3), and virus detection is pretty great thanks to KAV engine. With this version it seems that Xbases are used (excluding riskware which can be enabled by modifying an INI file, which is also exactly what I've done). Also, we have a fully functional MWAV which <seemingly> eliminates registry entries of viruses (isn't that great? Once I did a scan. eScan found a trojan. After checking it up on the KAV website, when I looked for its registry entries, they were not there! MWTI says its due to MWAV). What does suck is that when a new version of the proggie is released, I have to download the full updated installer (there is NO patch to update the program to latest version).
    But the email scanner is one of the best out there. MWL works for sure! (You know, intercepting at Winsock level)

    The bug I'm facing is that after starting eScanWin.exe (i.e On Demand Scanner), when I click on Options, and click on the Virus Check tab, and choose 'Prompt required action' from the drop down menu in the field that says 'In the case of an infection', and then I scan the PC with it, what I see is that whenever a virus is detected, the prompt does not appear! In the scanner interface, while scanning, the top right corner shows the symbol of an infection (a bug in a hand), but the prompt does not come and the scanner stops right there!

    MWTI says that it could be PC-specific since they could only replicate it on one of their computers. I wanted to know whether any of you experienced this.

    Cheers,
    Firecat

    (Edit:- I'm going out now. Will be back in 2-4 hours)
     
    Last edited: Jan 2, 2005
  2. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    I had something similar when I tried escan a while back. I'd set it to "prompt" just like you and it caught my (zipped, test) virus but froze and didn't prompt me. I put it down to me not configuring it properly at the time - the settings are a minefield.

    How did you change the ini file to use the ext dbase ?
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Sorry everyone for being late. After I got back, I got too engrossed in playing HL2 (After all, I am a kid)

    Anyhow, coming to what was asked. eScan's 'h' build (2.6.518.8, the latest) already uses the x-files.avc, pornware.avc/obscene.avc, and adware.avc (i.e paranoid bases except for riskware). In order to enable the updates for RiskWare, please follow these steps:-

    1) Go to the directory where eScan has been installed.
    2) Search for 'Eupdate.ini' and open it with notepad
    3) Here, Search for these lines:

    MAIL_AVC
    ADVWARE_AVC
    PORNWARE_AVC
    RISKWARE_AVC
    X-FILES_AVC

    Now, by default it will be

    MAIL_AVC=1
    ADVWARE_AVC=1
    PORNWARE_AVC=1
    RISKWARE_AVC=0
    X-FILES_AVC=1

    (no need I guess to point out but Advware refers to adware.avc not advware.avc which was the old AVC file for detection of adware)

    Change this to


    MAIL_AVC=1
    ADVWARE_AVC=1
    PORNWARE_AVC=1
    RISKWARE_AVC=1
    X-FILES_AVC=1

    Then save the file. This way, you'll have the full 'paranoid' or SuperSecure bases from Kaspersky Labs/MicroWorld (RiskWare database enabled). Please note that RiskWare database will only be enabled after the next internet update.

    Please note that this feature (as far as I know) is only available on the latest build aka 2.6.518.8. You can download it from ftp://ftp.microworldsystems.com/download/escan/es2k3e/iwn2k3e.exe link (for the Internet Security Edition).

    Check back every three months for a new build (At least that's what MicroWorld tells me, and their office is right in my city)

    Also, even the support personnel at MWTI aren't that sure about what action is taken when RiskWare/Adware/Malware (not viruses or Trojans) are detected. Most of them say that it will be logged only and an option to remove such malware will be included in a future build.

    A bit of advice: the current build of eScan ('h') puts size restrictions on certain file types even if you've disabled (not checked) the option that says 'Filesize limit for scanning'. Also, certain file types are not even scanned! Plus, there is a bug relating to how you remove those entries. It seems you cannot delete the last file type (whatever it is) on the Scan Restrictions field.

    Here's how you take off the restrictions (for the latest build) :

    1)Start ODS
    2)Click 'Options'
    3)On the 'Virus Check' tab, uncheck 'filesize limit for scanning'
    4)Click on the 'Restrictions' tab
    5)There are three fields here, where file types which are not scanned/which have file restriction/which are to be deleted if virus is found can be configured. Click on one file type, and click 'Remove'. Do this again and again....

    <A message for ianb>:

    May I know your PC specifications please (Windows version, CPU, other hardware)

    (Time to sleep here, I'm going soon. Bye everyone!)
     
    Last edited: Jan 2, 2005
  4. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    Thanks for that Firecat.

    AMD SEMPRON 2.3
    512mb DDRam
    Sygate Firewall Free
    Spywareblaster
    Adaware
    Spybot

    Another problem I remember having with escan was that it used to cause ie to crawl on websites with active x \ java. Have you had that ?
     
  5. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    I am using Escan and am very pleased with it. I bought it through amazon so got it as a disk. I realise I must be out of date as my build is 2.6.484.8 (Escan 2003 edition).

    The only thing I have found is that the on access scanner takes about 30-60 seconds to activate after everything else has started up on windows XP.

    I changed the auto update setting to check every 30 mins and get very regular updates.

    I will send a e mail to support to see if I can go to the latest build on my licence?

    Cheers for the info.

    Jlo
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Hello ianb,

    As I'm on dialup it doesn't make any difference to me (everything is slow on dialup) . So I have not experienced it yet. Also, could you tell me how to find out whether a page has ActiveX/java? Could you please try to give any exact website addresses?

    Plus, please tell me what config you'd got in there. Was it the default i.e out of the box, or had you manually configured eScan Content Administrator (also mention your settings if changes were made to the default)?
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Guys,

    (IMP. NOTE:- In my earlier messages I had given how to remove the file scan restrictions. I want to tell you not to remove the MWT entry as it is the format for the infected/suspicious files which are renamed by eScan)

    Two builds have released since build 484. On-access scanner is programmed to start 60 secs after startup in the registry. This has been reduced to 30 in the latest build, making it almost unnoticeable. If you want to modify it however, do the following:-

    -Click Start, then Run, then in the box type regedit
    -Now in Regedit expand HKEY_LOCAL_MACHINE, then SOFTWARE, then MicroWorld
    -Now click on eScan for Windows
    -In the right side of the interface, there will be an entry MonitorDelayValue
    -Set this to 3 or 4, and your problem is fixed (Right click on the value name, click 'modify'. Now in the new window, set the 'Base' thing to 'Decimal' and the 'value data' to whatever you like.)

    Lots of bugs have been fixed since build 484. I'll put here what I think is important:-

    - *.MWT added to AVPDOS32 exclusion list
    - Windows XP SP2 support
    - eScanWin giving access violation when we click cancel button during deploy scanning -resolved
    - Updater: Added warning messages if virus signature date is more than 3 days.
    - Added Detection of Spyware and keyloggers (Adware also, RiskWare enabled by editing INI)
    - Access violation in escanwin module when scanning floppy - Resolved.
    - MWAV will not run automatically at startup (on 9x/Me) if system restarted within one hour.
    - eScanWin : Added "Set to low/high/medium priority" button.
    - Monitor: New Driver files
    - MWTSP: Outlook Express used to timeout on fast machines. MWTSP.DLL updated to resolve the issue.
    - MWTSP: MS Outlook used to terminate on non-availability of network. MWTSP.DLL updated to resolve the issue.
    - ODS: Archived files option is used for scanning zip files.
    - ODS: Packed files option is used for scanning compressed files.
    - ODS: In Report, "Delete File" & "Rename File" buttons enabled if file deleted. - Fixed
    - ODS: if 'Report Only' is selected then instead of showing "virus removed!" show and print "virus detected!" is displayed.
    - ODS: progress bar is displayed while scanning files (finally)
    - MAILSCAN.EXE: Used to crash when a virus mail with too many recipients used to be found. Corrected.
    - Trayicoc and Trayicos : Corrected some Monitor deploys setting and they now work properly.
    - Scan Restrictions added

    (Got to go now, be back in about five hours!)

    FINAL NOTE:- Anybody can upgrade to the latest build of eScan, provided they have a valid license and at least have an older version of eScan 2003 (build 462 and above, not sure about older builds). So jlo can happily upgrade to eScan 'h' build without any problems. Just use your normal CDKey (license key).

    Cheers,
    Firecat
     
    Last edited: Jan 3, 2005
  8. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Re: Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a

    Hey Firecat, I'm just using the free escan but thought you might want to take a look at this anyway. Quote from Microworld Toolkit Utility.txt
    Good luck. I hope the people of Wilders like you more than they like me.
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Re: Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a

    I know about that. It is also a part of eScan's commercial edition. MWTI says it is essential for the proper functioning of the program. You might know that the free eScan no longer cleans/removes viruses.

    Thanks anyway, though. It does answer my first question(just wanted to make sure). By the way, does it only remove registry entries of specific viruses or does it remove entries of all viruses?
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Hey Guys,

    are you still here? Anyhow, given that MWAV/eScan may be removing registry entries of viruses, but does KAV (or any KAV or non-KAV based product) do that other than eScan (Any that you know of other than McAfee)?

    Be back in 1.5 hours!

    Cheers,
    Firecat
     
  11. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Yes, KAV can delete/change reg entries.
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a

    avast! and AntiVir too.
     
  13. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks Firecat,

    I have e mailed support and they tell me my registration key is out of date. (I bought it via Amazon as (Select Escan by Focus software). They give you a key for six months and then you fill out a box and get the second six month key. (See this PDF for more info) http://ww2.focusmm.co.uk/userguides/apps/Escan Registration Guide.pdf

    I have e mailed them back explaining this and am waiting further instruction although the build I am using seems to work fine.

    Cheers

    Jlo
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Thanks Firecat,

    I have e mailed support and they tell me my registration key is out of date. (I bought it via Amazon as (Select Escan by Focus software). They give you a key for six months and then you fill out a box and get the second six month key. (See this PDF for more info) http://ww2.focusmm.co.uk/userguides/apps/Escan Registration Guide.pdf

    I have e mailed them back explaining this and am waiting further instruction although the build I am using seems to work fine.


    -------------------------------------------------------------------------

    REPLY BEGINS FROM BELOW:-

    Jlo,

    I purchased eScan directly from MicroWorld, and I am able to upgrade to the latest build without any problems, at least as long as my license is valid. If your license has only expired for 6 months, then try renewing it with the steps given by Focus. If it has expired for 12 months, then you'll have to buy anew.

    They could be saying that for various reasons. First off, I want to ask you whether you get that popup which says 'your eScan contract period is over...'. Secondly, have you had to wipe your hard disk since installing eScan (in that case, they may tell you that by looking at your date of purchase and seeing whether you're using it beyond that because after a format of hard disk, installation of eScan would cause expiry dates to reset). That's up to you, you get that cleared.

    You can try sending an email to MicroWorld support (support@mwti.net). MWTI support told me that even if you have a Focus license, and if it is current and running (aka license is valid), you will be able to use the latest builds. I'd say that sending an email to MWTI may be your best bet.

    Also, if you have a cable/broadband internet connection, you can download the new build and try out yourself to see whether your current license key works. If not, renew it and try again. Surely a broadband user would get that 18+ MB file downloaded in about 5 minutes. Worth a try, after all if it works, you get overall better protection.

    I'll be going in 10 minutes.

    Cheers everyone,
    Firecat
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Thanks RejZor and Schouw,

    Do you mean only viruses or can avast! and AntiVir and KAV (or KAV based) scanners also remove registry entries of trojans/adware/riskware etc.?

    Going now to sleep!

    Have a nice day everybody.

    Regards,
    Firecat
     
  16. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    Yes my first 6 month licence is still valid according to the program (Until June 2005) but I think it may be valid for the old build which came on the CD disk.

    I have e mailed MWTI about the problem and am waiting a reply.

    Thanks for your help.

    Kind Regards

    Jlo
     
  17. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    Well I updated to the latest version and now my licence is not recognised :'(

    so have been put on to an evaluation version instead. I have e mailed the Reseller 'Focus Software' and 'MWTI' to sort out a remedy!

    Cheers

    Jlo
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a

    Avast! and AntiVir attempt to clean registry entries that are related to the detected file. AntiVir also checks system INI files (like win.ini).
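
Added example (not part of any post in this thread, and not code from avast!, AntiVir, KAV or eScan): a Python check for the kind of leftover discussed above, listing string values in a .reg export and load=/run= lines in win.ini that still reference a detected file. The Run keys, file names and sample data are constructed assumptions; only string (REG_SZ) values are parsed.

```python
import re

# Constructed sample data (not from the thread): a .reg export and a win.ini.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\WINDOWS\\system32\\sample_detected.exe\" /s"
"Firewall"="C:\\Program Files\\Firewall\\fw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Helper"="c:\\windows\\SYSTEM32\\Sample_Detected.exe"
'''
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\system32\sample_detected.exe
[fonts]
'''

# "name"="value" lines; .reg files escape backslash and quote with a backslash.
REG_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    return re.sub(r'\\(.)', r'\1', text)

def norm(path):
    # Windows paths are case-insensitive and accept either slash.
    return path.replace('/', '\\').lower()

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := REG_STRING.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def parse_win_ini(text):
    """Yield (name, value) for non-empty load=/run= lines under [windows]."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'windows' and '=' in line:
            name, value = (part.strip() for part in line.split('=', 1))
            if name.lower() in ('load', 'run') and value:
                yield name.lower(), value

def references(detected_file, reg_text, ini_text):
    """List autostart entries whose data still mentions detected_file."""
    needle = norm(detected_file)
    hits = [('registry', key, name)
            for key, name, data in parse_reg(reg_text) if needle in norm(data)]
    hits += [('win.ini', '[windows]', name)
             for name, value in parse_win_ini(ini_text) if needle in norm(value)]
    return hits

if __name__ == '__main__':
    for hit in references(r'C:\WINDOWS\system32\sample_detected.exe',
                          SAMPLE_REG, SAMPLE_WIN_INI):
        print(hit)
```
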
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    jlo,

    I have contacted support again and they told me the same thing, that you can use the latest builds even if you have a Focus license.

    I also contacted the sales department, and the woman there told me that there must be some sort of a license key problem. She said that if you had to reinstall Windows, and then install eScan, such problems were likely. She told me that you should contact MicroWorld. If it is a license key problem, you'll probably be given a replacement key or something like that.

    If you haven't received a reply yet, try support@mspl.net (The Indian branch). Try to re-send your email, since MWTI said that they have not received any e-mail regarding a Focus license today (Maybe someone on a different shift got it, this guy did not, though.)

    You can also contact specific support personnel:

    orson@mwti.net (Orson Michael Noronha, Senior Tech.Support executive)
    nitin@mwti.net (Nitin G.S., Tech Support)

    Or the sales department at sales@mwti.net, or sales@mspl.net

    If you have a Yahoo! or Hotmail account, you can use yahoo messenger/MSN messenger to get into an online chat with Tech support:

    escanchat@hotmail.com
    escanchat@yahoo.com

    Hope that helped. Today I've got lots of time so I'll be around. Be back in five hours! Please do keep me updated on this.

    Regards,
    Firecat
     
    Last edited: Jan 4, 2005
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    JLO,

    I'm still waiting. Anything about this issue? What did MicroWorld tell you? Were you able to upgrade? Do tell me please.

    Regards,
    Firecat
     
  21. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Re: Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a

    Please pardon my intrusion into your post. But, I just discovered MWAV and have only run it 2-3 times. I found this post about updating MWAV
    https://www.wilderssecurity.com/showpost.php?p=365685&postcount=35, and I THINK it works.

    Sorry, I'm new to this site, and I'm really not sure if I even understand your comment, but, I can only make a fool of myself. :eek:

    Mike
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Re: Anti-Virus:- Can they remove registry entries? Plus, your opinion on eScan and a

    I was talking about the commercial version of eScan, flinchlok.
     