Poor Handling of Active Malware by Avira Antivir

Discussion in 'other anti-virus software' started by aigle, Jan 19, 2007.

Thread Status:
Not open for further replies.
  1. aigle (Registered Member; joined Dec 14, 2005; posts: 11,164; location: UK / Pakistan)

    I posted on their forum too.
    I agree. But it was only a different way to test all these AVs (KAV, NOD, Avira, Avast).
    I made it clear.
     
  2. 12fw (Registered Member; joined Sep 12, 2006; posts: 111; location: Canada)

    KAV6, AntiVir, SpySweeper, SuperAntiSpyware and NOD32 scans.

    The purpose was not a test for comparisons, merely to clean the IDE HDD of a family relative, which was externally connected via USB. The purpose was merely to extract/recover certain files, and the scans were done as a matter of routine. This is not a test or a comparison by any means.
    KAV6 Scan results with only one scan and deletion and no repeated scan:

    deleted: Trojan program Trojan-Downloader.WMA.Wimad.h File: J:\Documents and Settings\*\My Documents\My Music\downloads\02FE207A\_.asf
    deleted: Trojan program Trojan-Downloader.WMA.Wimad.h File: J:\Documents and Settings\*\My Documents\My Music\downloads\03007B14\_.asf
    deleted: Trojan program Trojan-Downloader.WMA.Wimad.h File: J:\Documents and Settings\*\My Documents\My Music\downloads\03022C3E\_.asf
    deleted: adware not-a-virus:AdWare.Win32.404Search.l File: J:\Program Files\INSTAFINK\instafink.dll
    deleted: adware not-a-virus:AdWare.Win32.180Solutions.ao File: J:\Program Files\Seekmo\seekmo.exe//UPX
    deleted: adware not-a-virus:AdWare.Win32.180Solutions.au File: J:\Program Files\Seekmo\seekmohook.dll
    deleted: adware not-a-virus:AdWare.Win32.Agent.c File: J:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
    deleted: adware not-a-virus:AdWare.Win32.180Solutions.ao File: J:\WINDOWS\Downloaded Program Files\ClientAX.dll
    deleted: adware not-a-virus:AdWare.Win32.HotBar.bj File: J:\WINDOWS\Downloaded Program Files\HbInstIE.dll
    deleted: adware not-a-virus:AdWare.Win32.Altnet.a File: J:\WINDOWS\temp\Altnet\adm.exe
    deleted: adware not-a-virus:AdWare.Win32.Altnet.a File: J:\WINDOWS\temp\Altnet\adm25.dll
    deleted: adware not-a-virus:AdWare.Win32.Altnet.a File: J:\WINDOWS\temp\Altnet\adm4.dll
    deleted: adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 File: J:\WINDOWS\temp\Altnet\admdloader.dll
    deleted: adware not-a-virus:AdWare.Win32.Altnet.j File: J:\WINDOWS\temp\Altnet\admfdi.dll
    deleted: adware not-a-virus:AdWare.Win32.Altnet.a File: J:\WINDOWS\temp\Altnet\admprog.dll
    deleted: adware not-a-virus:AdWare.Win32.Altnet.g File: J:\WINDOWS\temp\Altnet\dmfiles.cab/AltnetUninstall.exe
    deleted: riskware not-a-virus:AdTool.Win32.MyWebSearch.o File: J:\WINDOWS\temp\Altnet\mysearch.cab/mySetp.exe
    deleted: adware not-a-virus:AdWare.Win32.Altnet.h File: J:\WINDOWS\temp\Altnet\pmexe.cab/Points Manager.exe//Pex
    deleted: adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 File: J:\WINDOWS\temp\Altnet\pmfiles.cab/sysdetect.dll
    deleted: adware not-a-virus:AdWare.Win32.Altnet.b File: J:\WINDOWS\temp\Altnet\Setup.exe

    Second scan results:

    Free AntiVir (Avira engine and definitions) with heuristics set to High. No repeat scan was performed either. Just find and remove.

    Found a virus or unwanted program
    'TR/Java.Downloader.Gen' [trojan]
    in file 'nRT.jar-2e8f809-2479f4ee.zip'.
    Action taken: The file was deleted!
    Found a virus or unwanted program
    'TR/Java.Downloader.Gen' [trojan]
    in file 'nRT.jar-53fab40d-7f65b32b.zip'.
    Action taken: The file was deleted!
    Found a virus or unwanted program
    'TR/Wimad.A.Gen' [trojan]
    in file 'G:\Documents and Settings\*\My Documents\My Music\downloads\006E86AD\Protected_07_24_2006_00_11_58.asf'.
    Action taken: The file was deleted!
    Found a virus or unwanted program
    'TR/Wimad.A.Gen' [trojan]
    in file 'G:\Documents and Settings\*\My Documents\My Music\downloads\0071CAFB\Protected_07_24_2006_00_15_32.asf'.
    Action taken: The file was deleted!
    Found a virus or unwanted program
    'TR/Wimad.A.Gen' [trojan]
    in file 'G:\Documents and Settings\*\My Documents\My Music\downloads\0307BE55\Protected_08_04_2006_23_19_02.asf'.
    Action taken: The file was deleted!
    Found a virus or unwanted program
    'TR/Wimad.A.Gen' [trojan]
    in file 'G:\Documents and Settings\*\My Documents\My Music\downloads\030EAD3C\Protected_08_04_2006_23_26_36.asf'.
    Action taken: The file was deleted!
    Found a virus or unwanted program
    'SPR/Altnet' [riskware]
    in file 'dmfiles.cab'.
    Action taken: The file was deleted!



    SuperAntiSpyware freeware version detected:
    200 adware cookies
    3 traces of Adware 180Solutions/Search assistant (in system restore)
    1 Adware 180Solutions/Seekmo (in system restore)

    NOD32 and SpySweeper did find some traces of the first scan's removals in the System Restore. Note that SpySweeper did find 6 more adware cookies.

    No repeat scans for the spyscanners or the NOD32.

    Scans were done in the Normal Modes and all scanners were updated prior to the scan.



    Note that I had no interest in cleaning/quarantining any files - just deleting infections before I hand the drive back to the owner and let them recover their files to their new machine. This was not an experiment; it is just what the normal user would have experienced. Just a plain and simple "detect and delete" was my main and only concern.
     
  3. aigle (Registered Member)

    We are talking of active malware, not static file scanning.
     
  4. 12fw (Registered Member)

    Aigle
    You are correct. That post of mine is off the topic.

    But I have a question. Why did Kaspersky miss the Java trojans when AntiVir did find those trojans? Is it because the files are static and not dynamic? Is that the reason for the difference in detection? There was no antivirus installed on that drive, so anything could have been possible.

    12fw
     
  5. aigle (Registered Member)

    I can't answer this. It seems that heuristic detection is better in AntiVir than in KAV. But I am not sure.
     
  6. quadrophonic (Registered Member; joined Jan 24, 2007; posts: 112)

    I've been trying to get an answer to this question for several years now.
    Is there an AV program that will actually search the registry for strings and keys associated with the detection, along with looking for associated files on the hard drive?

    These AV programs assume that because the virus or trojan was detected, the problem is solved. All one has to do is look at the Symantec site to see how many other exe or dll files are added by some of these things. You also have to include the registry changes Symantec mentions.

    Even if the file is quarantined, a virus or trojan that's been on the hard drive for even a minute can possibly replicate itself or still have remnants somewhere in the OS directory.
     
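The check quadrophonic is asking for can be approximated by hand. As an added example (not code from the original posts, and not anything KAV, AntiVir or the other products discussed here do), the following Python script takes the two report formats quoted in 12fw's post above, reduces each detection to on-disk indicators (container file name and product-specific parent folder, with the drive letter dropped because the disk was scanned as an external volume), and then searches a Windows .reg export for those indicators, chasing any CLSID of a matched key so that registrations pointing at it by GUID only (a Browser Helper Object entry, for instance) are reported too. The scan-log lines are copied from the thread; the .reg export, its key layout and the CLSID in it are constructed for the example and are assumptions.

```python
import re

# Report line formats quoted in the thread
KAV_LINE = re.compile(r"^deleted: .*? File: (?P<path>.+)$")   # Kaspersky 6
AVIRA_LINE = re.compile(r"in file '(?P<path>[^']+)'")          # Avira AntiVir

# Windows .reg export syntax: key header, named string value, default value, GUID
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
REG_DEFAULT = re.compile(r'^@="(?P<data>.*)"$')
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Folder names too generic to be useful as indicators
GENERIC_FOLDERS = {"windows", "temp", "downloads", "my music", "my documents",
                   "downloaded program files", "system32", "program files"}

# Lines copied from the KAV6 and Avira reports posted in the thread
SCAN_LOG = r"""
deleted: adware not-a-virus:AdWare.Win32.180Solutions.ao File: J:\Program Files\Seekmo\seekmo.exe//UPX
deleted: adware not-a-virus:AdWare.Win32.Agent.c File: J:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
deleted: adware not-a-virus:AdWare.Win32.180Solutions.ao File: J:\WINDOWS\Downloaded Program Files\ClientAX.dll
deleted: adware not-a-virus:AdWare.Win32.Altnet.g File: J:\WINDOWS\temp\Altnet\dmfiles.cab/AltnetUninstall.exe
deleted: adware not-a-virus:AdWare.Win32.404Search.l File: J:\Program Files\INSTAFINK\instafink.dll
Found a virus or unwanted program
'TR/Java.Downloader.Gen' [trojan]
in file 'nRT.jar-2e8f809-2479f4ee.zip'.
Action taken: The file was deleted!
"""

# Constructed registry export (assumption: keys, values and the CLSID are invented for the example)
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Seekmo"="C:\\Program Files\\Seekmo\\seekmo.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Seekmo Programs\\Seekmo Toolbar\\SeekmoTB.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
"InstallDir"="C:\\WINDOWS\\temp\\Altnet"
"""


def detected_paths(log_text):
    """Return every file path named in a KAV6 or Avira report, in order."""
    paths = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KAV_LINE.match(line) or AVIRA_LINE.search(line)
        if m:
            paths.append(m.group("path"))
    return paths


def on_disk_path(path):
    """Drop archive-member/unpacker suffixes ('x.cab/inner.exe', 'y.exe//UPX'):
    the scanner names the member, but the file that existed on disk is the container."""
    return path.split("/", 1)[0]


def indicators(paths):
    """Lowercase substrings to hunt for: the container file name, plus its parent
    folder when that folder is product-specific rather than a stock Windows folder."""
    found = set()
    for p in paths:
        parts = [x for x in on_disk_path(p).split("\\") if x]
        if not parts:
            continue
        found.add(parts[-1].lower())
        if len(parts) >= 2:
            folder = parts[-2].lower()
            if ":" not in folder and folder not in GENERIC_FOLDERS:
                found.add(folder)
    return found


def parse_reg(reg_text):
    """Yield (key, value_name, data) for each value in a .reg export, unescaping backslashes."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VALUE.match(line) or REG_DEFAULT.match(line)
        if m and key:
            name = m.groupdict().get("name") or "(Default)"
            yield key, name, m.group("data").replace("\\\\", "\\")


def registry_remnants(reg_text, indicator_set):
    """Return [(key, value_name, why)] for values whose key, name or data still mention
    a detected file/folder; then report every value under keys that reference a CLSID
    of a matched key by GUID alone (the BHO registration in the sample)."""
    entries = list(parse_reg(reg_text))
    hits, seen, clsids = [], set(), set()
    for key, name, data in entries:
        hay = f"{key} {name} {data}".lower()
        matched = [i for i in indicator_set if i in hay]
        if matched:
            hits.append((key, name, max(matched, key=len)))
            seen.add((key, name))
            clsids.update(c.lower() for c in CLSID.findall(key))
    for key, name, data in entries:
        if (key, name) in seen:
            continue
        hay = f"{key} {name} {data}".lower()
        for c in sorted(clsids):
            if c in hay:
                hits.append((key, name, c))
                seen.add((key, name))
                break
    return hits


if __name__ == "__main__":
    inds = indicators(detected_paths(SCAN_LOG))
    for key, name, why in registry_remnants(REG_EXPORT, inds):
        print(f"{key}\n    {name!r} <- {why}")
```

On the constructed export this flags the Run value, the Altnet InstallDir value, the CLSID server registration, and, through the CLSID pass, the Browser Helper Objects key that names the toolbar only by GUID; the benign ctfmon.exe autorun is left alone. Against a real machine you would feed it an export taken with `reg export` (HKLM\SOFTWARE and HKCU\SOFTWARE at least) and treat the output as a review list, since a substring match is evidence of leftover configuration, not proof that the code it points at still exists.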
  7. aigle (Registered Member)

    I think this type of job is mainly done by AS scanners, but I don't know why it is not necessary in the case of AVs. However, I assume once the main files are removed, the rest of the debris and registry entries might be harmless.
     
  8. lodore (Registered Member; joined Jun 22, 2006; posts: 9,065)

    But as stated above, especially with spyware, if you leave one wrong file then the spyware comes back fully.
    lodore
     