Question for users of 64 bit AV or AM

Discussion in 'other anti-virus software' started by KFBeaker, Jul 7, 2011.

Thread Status:
Not open for further replies.
  1. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    I ran across something troubling while trying out a couple antivirus and antimalware programs.
    It seems some of these programs that advertise as being 64 bit capable, in reality, may not be able to scan 64 bit files.

    I'm hoping some of you folks out there can help me and others choose an AV /AM that is fully 64 bit capable.

    If you have a free minute or two, can you:


    1. Either do a Custom Scan or Right-click scan with your AV / AM of the C:\System32\drivers folder.
    (If you do a custom scan be sure to disable cookie or trace scanning so that all you are scanning is the contents of the folder.)

    2. Look at your scan results and note the number of files that were actually scanned. Then open Windows Explorer and navigate to C:\System32. Right click on the 'drivers" folder and click Properties. Note how many files are actually in that folder.

    3. Would you mind posting the name of your 64 bit AV / AM and if it scanned all, few, or none, of the files in the C:\System32\drivers folder?


    -----------------------------------------------------------------------

    From what I have run across:
    Emisosft Antimalware 5.1.0.16 ............ cannot scan files in that folder.
    Malwarebytes v1.5.1 ............... cannot scan files in that folder.
    HitmanPro 3.5 b126 ................ is capable of scanning files in that folder.


    Anecdotally I have read Avast had this issue years ago but have purportedly solved it - I recently uninstalled avast before discovering this matter so I didn't test myself.
    Please correct me if I have made a mistake or am overlooking some hidden option.

    -------------------------------------------------------------------------------


    Why this matters:

    32 bit software, just like 32 bit Windows, can only read into the first 3GB of system RAM.
    A 32 bit scanner, (or an improperly implemented 64 bit scanner,) will only be able to detect malware in 32 bit files and only malware that may be resident in the first 3GB of system RAM.
    To have a fully protected 64 bit system, one should be using AV /AM that can scan in to all 64 bit files and RAM. Otherwise, the PC might be at risk.


    The following is referring to Windows server and XP, but the concept is the same for Vista and Windows 7.
    Microsoft article: http://support.microsoft.com/kb/942589

    Counter-intuitive as it may seem, on a 64 bit OS, the System32 folder is where the 64 bit files and drivers are located. SysWOW64 is the folder where 32 bit "Windows on Windows" files are located.




    So, if your AV / AM is able to scan the files in the C:\System32\drivers folder - please give a shout out!
     
  2. sbcc

    sbcc Guest

    Hi,

    Here's my results. All are right-click context menu scans of C:\Windows\System32 on Windows 7 Pro 64 bit.

    Avast Free 6.0.1184 scanned 15,379 files and 1317 folders in 1 minute, ten seconds.

    Super Antispyware Pro 5.0.1096 - 14479 files in 4 minutes, 49 seconds.

    MalwareBytes Free 1.51.0.1200 - 12200 files in 5 minutes, 27 seconds - though Avast was updating to the latest version while this scan was running, so take the file count and time with a grain of salt.

    I'm surprised that MBAM could not scan system32 when you tested it. Was it something you tried recently, or was it an older version?

    Hope this helps,

    sbcc
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    It depends on their drivers and native compatibility. Programs that install in Program Files have no problems scanning 64-bit directories.
     
  4. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
    I've read about some AVs not being able to scan 64 bit processes, like Sunbelt Vipre, according to the faq on their website.
    http://www.vipreantivirus.com/Software/VIPRE-Antivirus/

    I haven't heard about not being able to scan directories where 64bit files are located, though. That's quite a bit to skip over on a 64bit machine...
     
  5. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    @sbcc

    Thanks for taking the time.
    I was hoping to have you folks scan only the System32\drivers folder ... not the entire System32 folder.

    J_L, agreed, that's the ideal.
    But so long as an antivirus scanner has a 64 bit scanning driver, they can get away with their program files and interface in Program Files (x86)

    It would be nice if all x64 AV apps installed in Program Files. But this would likely mean the AV company having to write two interfaces / spend $, yes?

    In any event, yeah, I found MBAM odd as it has a scanning driver registered as x64 called mbam.sys. Emsisoft / A squared has one too I believe.



    Maybe I was doing something wrong when scanning....

    Looking forward to other's results.
     
  6. sbcc

    sbcc Guest

    OK, sorry. Missed that part of the request. MBAM does not scan System32\drivers. Result = 0 files and folders. Eye-opener for me!

    Avast - 558 files, 30 folders

    SAS - 558 files.

    Hope this is more useful than my last post. :thumb:

    sbcc
     
  7. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
    I just scanned the driver folder with MBAM, and the log said that it scanned 10 objects, time elapsed 2 seconds.

    I wasn't aware that it couldn't scan all the files, but evidently it can't, or doesn't, rather. Interesting...
     
  8. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I just tried scanning system 32 drivers
    1. Avast =435
    2. SAS =435
    3.Outpost AS module =435
    4.MBAM = 29
    I guess though malware would have to infect other areas outside of these areas ,and then MBAM would kick in ,so im not sure how much of a security issue this is...then again im not an expert :eek:
    ellison
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    If the AV is 64bit compatible it will scan 64bit binaries as well, otherwise what's the point? And even if 90% of the program is written in 32bit, for as long as system drivers are 64bit and the scan engine is able to handle 64bit binaries, then it will work just like any AV does on 32bit systems.

    If some program is compatible with 64bit OS but fails to scan actual 64bit bianries, i'd avoid using such program unless it's a bug which can be fixed. But i think they'd fix that already.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,766
    Location:
    Outer space
    Eset 5 RC, only 34 files :doubt:
     
    Last edited: Jul 8, 2011
  11. Gauchoo

    Gauchoo Registered Member

    Joined:
    Aug 15, 2010
    Posts:
    83
    Location:
    Scotland
    Gdata 12 = 406.

    Kaspersky IS 12 = 427.

    Hitman Pro ^^ = 323
     
    Last edited: Jul 8, 2011
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It also depends how they count the scanned files. Not all use the same method of counting containers...
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Apparently all of your AV's fail. Mine is at 2500 and still going for the System32 folder.
     
  14. Hakuna Matata

    Hakuna Matata Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    12
    I'm not sure it matters if the exe is 64 bit, if the app is architected to use DLLs and those DLLs are 64 bit. I think this is how Symantec handles their apps...
     
  15. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    49
    They're not scanning system32, they are scanning system32/drivers.

    For me (with Avira obviously) it's 407 of 407.

    As a hint, for some of the tools that fail here you might be able to use a workaround and scan "%SystemRoot%\sysnative" instead of "%SystemRoot%\system32". While that directory isn't 'real' (you cannot see it in explorer), it can be used to access the nativeversion of that dir even with unadapted 32 bit apps.

    Might not work with every product, depending on how you can pick the scanpath and what APIs they use... but you could give it a try, and maybe post results for others.

    See some more background info here:
    http://en.wikipedia.org/wiki/WoW64
     
  16. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    49
    You cannot really mix these, as the type of the exe determines how the program is handled (picking CPU mode and environment). So loading a 64bit dll from a 32bit app is not possible with standard means.

    What is done in many cases is, that the relevant parts (services/drivers) are native, and some other applications of the product stay 32bit.

    See also:
    http://blogs.msdn.com/b/oldnewthing/archive/2008/10/20/9006720.aspx
     
    Last edited: Jul 8, 2011
  17. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    149
    Location:
    Australian Capital Territory
    I can confirm your findings with Emsisoft Emergency Kit - it only scans a total of 14 files within System32/Drivers. Hitman Pro scans all files and Prevx 3 scans all files and sub-folders.

    Very interesting, well spotted KFBeaker :thumb:
     
  18. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763

    +1 on this
    I've got 403 of 403
    using Emsisoft v6 with DDA enabled :D



    the answer I got from Fabian:

     
  19. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Even with that folder Im sitting at 440 of 452 files. It scans everything in the drivers/en-US folder, etc, and UMDF folder.
     
  20. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133

    Why 3GB? If you said 2GB or 4GB, it might have some sense (even though it's not really "system RAM", but rather the virtual address space of every process), but 3GB... not much.

    I believe most AVs actually scan files, and not the virtual memory (even during a "memory scan", the corresponding modules/files can be scanned, instead of the real memory). Sure, it's good to have a support for scanning/parsing 64bit executables, but it doesn't have anything to do with memory access.

    Sorry, but that's a nonsense.
    Unlike the System32/SysWow64 folders - where an automatic redirection takes place for 32bit executables - Program Files and Program Files (x86) are just ordinary folders, and it's up to every application to use one. So some old and/or not-very-well-coded applications may use a hardcoded path (Program Files) and install there, without ever having heard of 64bits.

    There might be a recommendation from Microsoft that 64bit apps should go into Program Files and 32bit ones into Program Files (x86) [just guessing, don't that know for sure], but from the programming or functionality point of view, it doesn't matter in which folder the application is. So you can have a 32bit executable in Program Files or a 64bit executable in Program Files (x86) - doesn't matter.

    Just note that this virtual SysNative folder doesn't exist on WinXP x64 (if anyone happens to have that), it only "exists" since Vista.



    So, there are various aspects here - which are not really connected, and some might be kinda hard to evaluate. Supporting (or not supporting) one thing doesn't mean that the others are supported (or not).

    - scanning x64 executable files
    - scanning the real Windows\System32 folder
    - scanning the full 64bit virtual address space
    - installing the app into the Program Files folder

    Any of those things, however, can be done by a (properly coded) 32bit scanner, no special 64bit version is needed.
     
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,049
    Location:
    USA
    According to Windows Explorer for System32\Drivers:
    464 Files, 6 Folders

    Scan with NIS 2011: 471 items scanned
    Scan with SAS: 464 items scanned
    Scan with MBAM: 13 items scanned. :doubt:
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Not complete nonsense, although I get your point (Avast being an example). What's your say on programs processes without *32?
     
  23. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Well, I didn't mean avast! specifically - as it should be fully compatible with x64 in all mentioned points (at least I tried to make it so ;)). I rather had some weird applications with hardcoded paths on mind... but hopefully that doesn't happen with up-to-date AVs.

    Regarding native (x64) applications (if you mean the AV executables themselves)... well, there's no guarantee that the 1st and 3rd point (correct scanning of x64 executables and scanning of the whole address spaces) will be satisfied, but the probability is certainly higher.
    But it's not a requirement - to my knowledge, it all can be achieved in a *32 application as well (though it certainly requires more effort).
     
  24. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Scan completed on 443 items. MSE.
     
  25. Divenow

    Divenow Registered Member

    Joined:
    Sep 18, 2010
    Posts:
    37
    EAM 6 Beta - 409 scanned out of 409 files with DDA
     
    Last edited: Jul 11, 2011
Loading...
Thread Status:
Not open for further replies.