Question for users of 64 bit AV or AM

Discussion in 'other anti-virus software' started by KFBeaker, Jul 7, 2011.

Thread Status:
Not open for further replies.
  1. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    I ran across something troubling while trying out a couple antivirus and antimalware programs.
    It seems some of these programs that advertise as being 64 bit capable, in reality, may not be able to scan 64 bit files.

    I'm hoping some of you folks out there can help me and others choose an AV /AM that is fully 64 bit capable.

    If you have a free minute or two, can you:


    1. Either do a Custom Scan or Right-click scan with your AV / AM of the C:\System32\drivers folder.
    (If you do a custom scan be sure to disable cookie or trace scanning so that all you are scanning is the contents of the folder.)

    2. Look at your scan results and note the number of files that were actually scanned. Then open Windows Explorer and navigate to C:\System32. Right click on the 'drivers' folder and click Properties. Note how many files are actually in that folder.

    3. Would you mind posting the name of your 64 bit AV / AM and if it scanned all, few, or none, of the files in the C:\System32\drivers folder?


    -----------------------------------------------------------------------

    From what I have run across:
    Emsisoft Antimalware 5.1.0.16 ............ cannot scan files in that folder.
    Malwarebytes v1.5.1 ............... cannot scan files in that folder.
    HitmanPro 3.5 b126 ................ is capable of scanning files in that folder.


    Anecdotally I have read Avast had this issue years ago but has purportedly solved it - I recently uninstalled Avast before discovering this matter so I didn't test it myself.
    Please correct me if I have made a mistake or am overlooking some hidden option.

    -------------------------------------------------------------------------------


    Why this matters:

    32 bit software, just like 32 bit Windows, can only read into the first 3GB of system RAM.
    A 32 bit scanner, (or an improperly implemented 64 bit scanner,) will only be able to detect malware in 32 bit files and only malware that may be resident in the first 3GB of system RAM.
    To have a fully protected 64 bit system, one should be using AV /AM that can scan in to all 64 bit files and RAM. Otherwise, the PC might be at risk.


    The following is referring to Windows server and XP, but the concept is the same for Vista and Windows 7.
    Microsoft article: http://support.microsoft.com/kb/942589

    Counter-intuitive as it may seem, on a 64 bit OS, the System32 folder is where the 64 bit files and drivers are located. SysWOW64 is the folder where 32 bit "Windows on Windows" files are located.




    So, if your AV / AM is able to scan the files in the C:\System32\drivers folder - please give a shout out!
     
  2. sbcc

    sbcc Guest

    Hi,

    Here's my results. All are right-click context menu scans of C:\Windows\System32 on Windows 7 Pro 64 bit.

    Avast Free 6.0.1184 scanned 15,379 files and 1317 folders in 1 minute, ten seconds.

    Super Antispyware Pro 5.0.1096 - 14479 files in 4 minutes, 49 seconds.

    MalwareBytes Free 1.51.0.1200 - 12200 files in 5 minutes, 27 seconds - though Avast was updating to the latest version while this scan was running, so take the file count and time with a grain of salt.

    I'm surprised that MBAM could not scan system32 when you tested it. Was it something you tried recently, or was it an older version?

    Hope this helps,

    sbcc
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    It depends on their drivers and native compatibility. Programs that install in Program Files have no problems scanning 64-bit directories.
     
  4. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    I've read about some AVs not being able to scan 64 bit processes, like Sunbelt Vipre, according to the FAQ on their website.
    http://www.vipreantivirus.com/Software/VIPRE-Antivirus/

    I haven't heard about not being able to scan directories where 64bit files are located, though. That's quite a bit to skip over on a 64bit machine...
     
  5. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    @sbcc

    Thanks for taking the time.
    I was hoping to have you folks scan only the System32\drivers folder ... not the entire System32 folder.

    J_L, agreed, that's the ideal.
    But so long as an antivirus scanner has a 64 bit scanning driver, they can get away with their program files and interface in Program Files (x86).

    It would be nice if all x64 AV apps installed in Program Files. But this would likely mean the AV company having to write two interfaces / spend $, yes?

    In any event, yeah, I found MBAM odd as it has a scanning driver registered as x64 called mbam.sys. Emsisoft / A squared has one too I believe.



    Maybe I was doing something wrong when scanning....

    Looking forward to others' results.
     
  6. sbcc

    sbcc Guest

    OK, sorry. Missed that part of the request. MBAM does not scan System32\drivers. Result = 0 files and folders. Eye-opener for me!

    Avast - 558 files, 30 folders

    SAS - 558 files.

    Hope this is more useful than my last post. :thumb:

    sbcc
     
  7. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    I just scanned the driver folder with MBAM, and the log said that it scanned 10 objects, time elapsed 2 seconds.

    I wasn't aware that it couldn't scan all the files, but evidently it can't, or doesn't, rather. Interesting...
     
  8. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I just tried scanning System32\drivers:
    1. Avast = 435
    2. SAS = 435
    3. Outpost AS module = 435
    4. MBAM = 29
    I guess though malware would have to infect other areas outside of these areas, and then MBAM would kick in, so I'm not sure how much of a security issue this is... then again I'm not an expert :eek:
    ellison
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    If the AV is 64bit compatible it will scan 64bit binaries as well, otherwise what's the point? And even if 90% of the program is written in 32bit, for as long as system drivers are 64bit and the scan engine is able to handle 64bit binaries, then it will work just like any AV does on 32bit systems.

    If some program is compatible with 64bit OS but fails to scan actual 64bit binaries, I'd avoid using such a program unless it's a bug which can be fixed. But I think they'd have fixed that already.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Eset 5 RC, only 34 files :doubt:
     
    Last edited: Jul 8, 2011
  11. Gauchoo

    Gauchoo Registered Member

    Joined:
    Aug 15, 2010
    Posts:
    83
    Location:
    Scotland
    Gdata 12 = 406.

    Kaspersky IS 12 = 427.

    Hitman Pro ^^ = 323
     
    Last edited: Jul 8, 2011
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    It also depends how they count the scanned files. Not all use the same method of counting containers...
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Apparently all of your AVs fail. Mine is at 2500 and still going for the System32 folder.
     
  14. Hakuna Matata

    Hakuna Matata Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    12
    I'm not sure it matters if the exe is 64 bit, if the app is architected to use DLLs and those DLLs are 64 bit. I think this is how Symantec handles their apps...
     
  15. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    They're not scanning system32, they are scanning system32/drivers.

    For me (with Avira obviously) it's 407 of 407.

    As a hint, for some of the tools that fail here you might be able to use a workaround and scan "%SystemRoot%\sysnative" instead of "%SystemRoot%\system32". While that directory isn't 'real' (you cannot see it in Explorer), it can be used to access the native version of that dir even with unadapted 32 bit apps.

    Might not work with every product, depending on how you can pick the scan path and what APIs they use... but you could give it a try, and maybe post results for others.

    See some more background info here:
    http://en.wikipedia.org/wiki/WoW64
     
  16. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    You cannot really mix these, as the type of the exe determines how the program is handled (picking CPU mode and environment). So loading a 64bit dll from a 32bit app is not possible with standard means.

    What is done in many cases is, that the relevant parts (services/drivers) are native, and some other applications of the product stay 32bit.

    See also:
    http://blogs.msdn.com/b/oldnewthing/archive/2008/10/20/9006720.aspx
     
    Last edited: Jul 8, 2011
  17. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    I can confirm your findings with Emsisoft Emergency Kit - it only scans a total of 14 files within System32/Drivers. Hitman Pro scans all files and Prevx 3 scans all files and sub-folders.

    Very interesting, well spotted KFBeaker :thumb:
     
  18. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763

    +1 on this
    I've got 403 of 403
    using Emsisoft v6 with DDA enabled :D



    the answer I got from Fabian:

     
  19. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Even with that folder I'm sitting at 440 of 452 files. It scans everything in the drivers\en-US folder, etc., and the UMDF folder.
     
  20. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133

    Why 3GB? If you said 2GB or 4GB, it might have some sense (even though it's not really "system RAM", but rather the virtual address space of every process), but 3GB... not much.

    I believe most AVs actually scan files, and not the virtual memory (even during a "memory scan", the corresponding modules/files can be scanned, instead of the real memory). Sure, it's good to have a support for scanning/parsing 64bit executables, but it doesn't have anything to do with memory access.

    Sorry, but that's nonsense.
    Unlike the System32/SysWow64 folders - where an automatic redirection takes place for 32bit executables - Program Files and Program Files (x86) are just ordinary folders, and it's up to every application to use one. So some old and/or not-very-well-coded applications may use a hardcoded path (Program Files) and install there, without ever having heard of 64bits.

    There might be a recommendation from Microsoft that 64bit apps should go into Program Files and 32bit ones into Program Files (x86) [just guessing, I don't know that for sure], but from the programming or functionality point of view, it doesn't matter in which folder the application is. So you can have a 32bit executable in Program Files or a 64bit executable in Program Files (x86) - it doesn't matter.

    Just note that this virtual SysNative folder doesn't exist on WinXP x64 (if anyone happens to have that), it only "exists" since Vista.



    So, there are various aspects here - which are not really connected, and some might be kinda hard to evaluate. Supporting (or not supporting) one thing doesn't mean that the others are supported (or not).

    - scanning x64 executable files
    - scanning the real Windows\System32 folder
    - scanning the full 64bit virtual address space
    - installing the app into the Program Files folder

    Any of those things, however, can be done by a (properly coded) 32bit scanner, no special 64bit version is needed.
     
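    As an added illustration of the WoW64 points made by marcuskng (the Sysnative workaround) and i_g (System32 redirection, and scanning x64 executables being a separate question from reaching the folder), here is a PowerShell snippet. It is not code from the thread or from any product named in it. It assumes Windows Vista or later (the Sysnative alias does not exist on XP x64, as i_g notes) and PowerShell 3 or newer; the function names Get-TreeCount and Get-PEMachine are made up for this example.

```powershell
# Added example; not code from the thread or from any product mentioned in it.
# Assumes Windows Vista or later with PowerShell 3+ (Sysnative alias absent on XP x64).

function Get-TreeCount {
    # Count files and folders under a path; $null if the path is not visible
    # from this process (e.g. Sysnative when run from a 64-bit process).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path    = $Path
        Files   = @($items | Where-Object { -not $_.PSIsContainer }).Count
        Folders = @($items | Where-Object { $_.PSIsContainer }).Count
    }
}

function Get-PEMachine {
    # Read the IMAGE_FILE_HEADER.Machine field to tell x64 images from x86 ones.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    } catch { return 'unreadable' }
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'not-PE' }          # 'MZ'
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)         # e_lfanew
        $null = $fs.Seek($br.ReadUInt32(), [System.IO.SeekOrigin]::Begin)
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not-PE' }      # 'PE\0\0'
        switch ($br.ReadUInt16()) {
            0x8664  { 'x64' }
            0x014C  { 'x86' }
            default { 'other' }
        }
    } finally { $fs.Dispose() }
}

"64-bit OS: $([Environment]::Is64BitOperatingSystem)  64-bit process: $([Environment]::Is64BitProcess)"

# From a 32-bit process, System32 is silently redirected to SysWOW64 and only the
# Sysnative alias reaches the real folder; from a 64-bit process Sysnative is absent.
foreach ($sub in 'System32\drivers', 'Sysnative\drivers', 'SysWOW64\drivers') {
    Get-TreeCount (Join-Path $env:SystemRoot $sub)
}

# Confirm which architecture the .sys files in the native folder actually are.
$view = if ([Environment]::Is64BitProcess) { 'System32\drivers' } else { 'Sysnative\drivers' }
Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot $view) -Filter *.sys -File |
    Group-Object { Get-PEMachine $_.FullName } -NoElement
```

    Run it once from the 64-bit PowerShell and once from the 32-bit one (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) and compare the two file counts; the count from the native view is the figure a scanner's "objects scanned" total should be checked against. A product that reports only a handful of objects for this folder is most likely enumerating the redirected SysWOW64 view rather than the real one, which is exactly the case the Sysnative workaround above is meant to cover. The Machine-field check is separate from the folder question: it shows whether the files reached are x64 images at all, which is i_g's first bullet rather than the second.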
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    According to Windows Explorer for System32\Drivers:
    464 Files, 6 Folders

    Scan with NIS 2011: 471 items scanned
    Scan with SAS: 464 items scanned
    Scan with MBAM: 13 items scanned. :doubt:
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not complete nonsense, although I get your point (Avast being an example). What's your say on programs' processes without *32?
     
  23. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Well, I didn't mean avast! specifically - as it should be fully compatible with x64 in all mentioned points (at least I tried to make it so ;)). I rather had some weird applications with hardcoded paths on mind... but hopefully that doesn't happen with up-to-date AVs.

    Regarding native (x64) applications (if you mean the AV executables themselves)... well, there's no guarantee that the 1st and 3rd point (correct scanning of x64 executables and scanning of the whole address spaces) will be satisfied, but the probability is certainly higher.
    But it's not a requirement - to my knowledge, it all can be achieved in a *32 application as well (though it certainly requires more effort).
     
  24. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Scan completed on 443 items. MSE.
     
  25. Divenow

    Divenow Registered Member

    Joined:
    Sep 18, 2010
    Posts:
    37
    EAM 6 Beta - 409 scanned out of 409 files with DDA
     
    Last edited: Jul 11, 2011