Scanners - results (?)

* This covers anti-malware & anti-virus apps; I wasn't quite sure where to post it. Move this post to another area, if you wish. *

I had 12 files in a net download DIR., (a mix of .hta and .txt and .log and .pdf and .exe files) and I scanned this DIR with 7 security apps. Results were:

TrojanHunter - gave no file count.
SuperAntiSpyware - 12 files,
A-Squared - 12 files,
Ewido - 12 files,
SpySweeper - 18 files,
DrWeb - 209 files,
Nod32 - 213 files.

My point here, or what I'd like to ask, is this:

while the two AVs looked deeper than other apps, were I doing a full hard drive scan NOD32 and TrojanHunter are the same ones that most often can't open/peer into or unpack this or that... "a file's locked, in use, packed by this or that..." which to my mind seemingly defeats the stated purpose of a security app (and I may be wrong about that, as to how these apps go about their actual work).

I think someone in these forums mentioned that KAV products can
open or unpack or check or otherwise peer into almost anything. That true? If so, I don't know if that alone would make KAV products vastly superior but somehow I always find it a bit vexing watching long lists scroll by, and the app saying it can't check file A or B, due to it being packed by this or that.

If the app can't check file or files before hand then we're all banking on
or assuming that one or more of our apps'd catch something, as it unpacks/uncloaks, to do its work if a file did in fact harbor something not in our best interests? Is it assumed that said file is not "bad" just by virtue of landing on our PCs, until/unless it reveals its true colors of ill will?

And given scan results above: are AVs made to dig deeper, or
conversely, do the anti-spy/malware apps not have to look as deeply perhaps, in order to do their work?

 

I think a file that contains something 'bad' is bad whether it's packed deep down inside an archive, or whether it's sat on your desktop called "Hello_i'm_a_bad_file.exe". The thing is that it's not actually doing anything 'bad' to you while it's in this state. Now some people like to be able to detect bad files before they execute. Some people are only interested in them 'revealing' themselves once 'unpacked'. And i suppose there are some that enjoy watching there security app spring into action and 'NAIL THAT SUCKER!". A sort of perverse way of watching a bullfight waiting to see the 'kill'. My personal choice is that it's detected before it can launch. But some malware is very deep rooted, an archive within and archive within yet another archive etc. So it can be near impossible to get inside that, especially if it's password protected. The thing is though that no matter whether you use KAV which is best at seeing inside archives, or something else, the malware needs to be in the said application's database. Everything else may as well be redundant. If it's not in it's database and you are left relying on heursitics then you may be in trouble. So some vendors concentrate on 'adding' malware and worrying less about their ability to 'see inside' a packed file. As long as it's in their database then once it 'reveals' itself then it can pounce. And you can sit their and get that 'perverse' feeling of enjoyment that some so covet, and watch your app take out the malware.

To summarise. Prevention is better than the cure...

muf

 

Hmm whether a file is locked by the system shouldn't have anything to do with the antivirus's unpacking ability.

I also think there is some value in making a distinction between file archivers (zip) and packers (Upx). Not being able to handle file archives is IMHO less dangerous than not handing packers....

 

What were the 12 files downloaded into a folder? It looks like the anti-spyware apps (SAS, SpySweeper, Ewido, etc.) got all of the actual files. Did you execute the files or were they dormant?

AntiVirus apps tend to look for code patterns, script patterns, etc. inside PDF's, HTML, JavaScript files, etc. I am curious as to what items were located by NOD32 - was this a completely infected machine?

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

 

Nick;

Here's shot of the DIR that I scanned. These are all legit apps and/or downloads, text files - nothing infected. I just wondered why the varied scanners reported such widely diff. number of files scanned. And, yes, I agree with the one poster: I'd rather know before hand that a file may be bad, not when I start to install it.

SG1 (Pat)

 

If you only told NOD32, etc. only to scan that folder, only that number of files (12) should have been reported. Were the other products scanning in-memory also?

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

 

Nick;

Good question, & I have to say, dunno' off-hand as I don't recall if the two AVs by default or user settings hop right into mem. scan first and then onto actual files to be examined.

Just did the usual right-click context scan choice, before opening any downloads; hence, I wondered why AVs seem to always come up with the higher nos. involved. Right or wrong, I assumed an .exe file or .zip file may hold many components/files within, to comprise ultimate actual app that one has, when it has installed.

Then I thought (again, right or wrong), that perhaps AVs by their nature really burrowed down into all the guts of a file, and that other security programs may take a diff. approach to things. Being a non-programmer, I have no idea on how scanners have a go at a file or files.

Speaking of which: did I miss it, or does SAS not have that choice to add it into the right click context menu?

 

Different scanners will report differently. Two scanners may scan the same number of files within a Zip file (for example), but one will report the number of files inside the zip file while the other will just report that it scanned the (one) zip file. It's just a matter of how each decides to count. I think that's likely all you're seeing, although packers and filetypes will likely come into play to make the differences between some of the ones that count the number of files within a compressed/packed file.

 

We are adding that option in an upcoming release, as it is a convenient and useful feature.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com