Is a file malware if it isn't doing anything malware-like?

Discussion in 'other security issues & news' started by trigent, Mar 26, 2011.

Thread Status:
Not open for further replies.
  1. trigent

    trigent Registered Member

    Joined:
    Mar 26, 2011
    Posts:
    6
    This is a general question, not related to any particular malware program or file.

    Getting different results from different malware scans is common. Some programs alert about a file being a trojan or riskware; others may say that the same file is OK. This has led me to wonder:

    Let's say that file abc.exe is labeled a trojan by a particular on-demand scan:
    1. Doesn't this mean that abc.exe, if it is a trojan, only operates when I run it?
    2. If abc.exe is a trojan and I run it, wouldn't it produce another file, or activity, that would be picked up as suspicious in other scans or at other times by an active malware program?

    Perhaps the question can be summed up as: if abc.exe is really malware/trojan/virus, wouldn't I be seeing other files or activities reported by always-active scanners? Not just the abc.exe file by itself, while it isn't being run?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    If abc.exe, when it runs, acts as malware, then it matters not whether it is active or inactive to be considered malware.
     
  3. trigent

    trigent Registered Member

    Joined:
    Mar 26, 2011
    Posts:
    6
    This gets to the heart of my question. If abc.exe really was malware, wouldn't I likely have gotten some notice from the real-time AV program (currently Avast) when abc.exe was doing something malware-like, or see other files appear in the on-demand scan that abc.exe created during its malware activity?

    IOW: since the on-demand scan shows abc.exe as malware, but no other files, and there is no notice from the real-time scanner while abc.exe runs, then likely abc.exe is really not malware? Wouldn't there be some other indication of abc.exe being malware other than being labeled as such by an on-demand scan?
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    No AV is all-knowing, so they can't and don't detect all files that are malware as malware. The only way to know if abc.exe is malware is to have it inspected by someone who knows how to determine if something is bad. That takes time.
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    When a malware successfully executes/runs, it may have the ability to go undetected... o_O
     
  6. trigent

    trigent Registered Member

    Joined:
    Mar 26, 2011
    Posts:
    6

    OK. This is starting to clear things up for me. So...
    If abc.exe is malware, its activity may not be noticed by real-time AV while abc.exe is running.

    Also, is it safe to say that if abc.exe doesn't make any other files when run (presumably recognized by various on-demand malware scans), then nothing mal-like will result from it if I am not running abc.exe? Or can these things alter some other file, which is now doing the dirty work, making abc.exe unnecessary, and real-time AV doesn't have a clue what is happening?
     
    Last edited: Mar 27, 2011
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    If abc.exe doesn't make any other files when run (that you or your AV can see), that does not mean that a network stream can't get out, or back in, to control your computer if it has been trojanized without you or your AV knowing about it.

    It doesn't matter if you or abc.exe is running itself or a copy of itself in a shadow process that goes undetected. And yes, if you are not running abc.exe, a renamed executable could be doing the dirty work right under your chin, and real-time AV doesn't have a clue what is happening because it already happened when there was no signature or pattern filter to catch it when you first became infected.

    All the more reason to be paranoid and have a clean, verified backup to refresh your system when warranted, and a strong layered security strategy for remaining unscathed.

    -- Tom
     
    Last edited: Mar 30, 2011
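The point made in the post above, that a renamed copy may be doing the work while abc.exe itself sits idle, is one of the few things a user can check without depending on AV signatures: record a hash of every file before running the suspect and again afterwards, then compare by content rather than by name. The script below is an added example, not code from this thread or from any product mentioned in it. It uses only the Python standard library; the file names and contents (abc.exe, svchost32.exe, helper.dll, config.dat, readme.txt) are constructed samples standing in for a real before/after snapshot of a system directory.

```python
"""Hash-based baseline diff: did running a suspect executable leave a copy of
itself, or anything else, behind under another name?

Added example for the thread; not code from any AV product.  Stdlib only.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return snap


def snapshot_bytes(files: dict) -> dict:
    """Same shape as snapshot_dir, built from in-memory constructed samples."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def diff_snapshots(before: dict, after: dict, suspect: str) -> dict:
    """Compare two snapshots by content.

    copies_of_suspect: files in *after* whose bytes are identical to *suspect*
                       as it was in *before*, regardless of file name.
    renamed_from:      new files whose content already existed in *before*
                       under some other name (a renamed or copied file).
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])

    suspect_hash = before.get(suspect)
    copies = []
    if suspect_hash is not None:
        copies = sorted(p for p, h in after.items() if h == suspect_hash and p != suspect)

    old_by_hash = {}
    for path, digest in before.items():
        old_by_hash.setdefault(digest, []).append(path)
    renamed = {p: old_by_hash[after[p]] for p in added if after[p] in old_by_hash}

    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "copies_of_suspect": copies,
        "renamed_from": renamed,
    }


# Constructed samples (hypothetical names and contents, not real malware).
SUSPECT = "abc.exe"
BEFORE = {
    "abc.exe": b"MZ\x90\x00constructed-suspect-payload",
    "readme.txt": b"hello",
    "config.dat": b"v1",
}
AFTER = {
    "abc.exe": BEFORE["abc.exe"],                 # the flagged file, unchanged
    "readme.txt": b"hello",                       # untouched
    "config.dat": b"v1;autorun=svchost32.exe",    # modified after the run
    "svchost32.exe": BEFORE["abc.exe"],           # byte-identical copy of abc.exe, new name
    "helper.dll": b"new-constructed-file",        # brand-new file
}


def demo() -> dict:
    """Write the constructed samples to two temp dirs and diff real on-disk snapshots."""
    with tempfile.TemporaryDirectory() as before_dir, tempfile.TemporaryDirectory() as after_dir:
        for root, files in ((before_dir, BEFORE), (after_dir, AFTER)):
            for rel, data in files.items():
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(data)
        return diff_snapshots(snapshot_dir(before_dir), snapshot_dir(after_dir), SUSPECT)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In real use, take the first snapshot of the directories you care about (program and user-profile directories, at least) before launching the suspect and the second after a reboot, so that anything written at shutdown or start-up is included; the comparison is by SHA-256, so a copy of abc.exe dropped as "svchost32.exe" is reported even though no scanner named it. Two limits match the caveats in the post: a rootkit that hides files from directory listings also hides them from os.walk, and a process that only opens a network connection leaves nothing on disk for this check to find, so connection monitoring is a separate check.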
  8. trigent

    trigent Registered Member

    Joined:
    Mar 26, 2011
    Posts:
    6
    Thanks. This explains it to me. In the past (only once or twice, thankfully), when I had clearly been infected, a scan would show a list of files of various types as infected.

    This experience led me to wonder about the occasional .exe that an on-demand scan (Malwarebytes, Norton Power Eraser) finds, with no other files suspect. This led to my question about expecting to see other files if the .exe wasn't a false positive.

    Since there isn't any other behavior (other than normal, ongoing Windows quirkiness), I guess that I will assume that these finds are false positives.

    And yes, I have regular backups. And rollback.

    Thanks.
     