Scanners - results (?)

Discussion in 'other anti-malware software' started by SG1, Sep 4, 2006.

Thread Status:
Not open for further replies.
  1. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    * This covers anti-malware & anti-virus apps; I wasn't quite sure where to post it. Move this post to another area, if you wish. *

    I had 12 files in a net download DIR., (a mix of .hta and .txt and .log and .pdf and .exe files) and I scanned this DIR with 7 security apps. Results were:

    TrojanHunter - gave no file count.
    SuperAntiSpyware - 12 files,
    A-Squared - 12 files,
    Ewido - 12 files,
    SpySweeper - 18 files,
    DrWeb - 209 files,
    Nod32 - 213 files.

    My point here, or what I'd like to ask, is this:

    while the two AVs looked deeper than other apps, were I doing a full hard drive scan NOD32 and TrojanHunter are the same ones that most often can't open/peer into or unpack this or that... "a file's locked, in use, packed by this or that..." which to my mind seemingly defeats the stated purpose of a security app (and I may be wrong about that, as to how these apps go about their actual work).

    I think someone in these forums mentioned that KAV products can open or unpack or check or otherwise peer into almost anything. That true? If so, I don't know if that alone would make KAV products vastly superior but somehow I always find it a bit vexing watching long lists scroll by, and the app saying it can't check file A or B, due to it being packed by this or that.

    If the app can't check file or files before hand then we're all banking on or assuming that one or more of our apps'd catch something, as it unpacks/uncloaks, to do its work if a file did in fact harbor something not in our best interests? Is it assumed that said file is not "bad" just by virtue of landing on our PCs, until/unless it reveals its true colors of ill will?

    And given scan results above: are AVs made to dig deeper, or conversely, do the anti-spy/malware apps not have to look as deeply perhaps, in order to do their work?
     
  2. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I think a file that contains something 'bad' is bad whether it's packed deep down inside an archive, or whether it's sat on your desktop called "Hello_i'm_a_bad_file.exe". The thing is that it's not actually doing anything 'bad' to you while it's in this state. Now some people like to be able to detect bad files before they execute. Some people are only interested in them 'revealing' themselves once 'unpacked'. And I suppose there are some that enjoy watching their security app spring into action and 'NAIL THAT SUCKER!'. A sort of perverse way of watching a bullfight waiting to see the 'kill'. My personal choice is that it's detected before it can launch. But some malware is very deep rooted, an archive within an archive within yet another archive etc. So it can be near impossible to get inside that, especially if it's password protected. The thing is though that no matter whether you use KAV which is best at seeing inside archives, or something else, the malware needs to be in the said application's database. Everything else may as well be redundant. If it's not in its database and you are left relying on heuristics then you may be in trouble. So some vendors concentrate on 'adding' malware and worrying less about their ability to 'see inside' a packed file. As long as it's in their database then once it 'reveals' itself then it can pounce. And you can sit there and get that 'perverse' feeling of enjoyment that some so covet, and watch your app take out the malware.

    To summarise. Prevention is better than the cure...

    muf
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Hmm whether a file is locked by the system shouldn't have anything to do with the antivirus's unpacking ability.

    I also think there is some value in making a distinction between file archivers (zip) and packers (UPX). Not being able to handle file archives is IMHO less dangerous than not handling packers....
     
  4. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    What were the 12 files downloaded into a folder? It looks like the anti-spyware apps (SAS, SpySweeper, Ewido, etc.) got all of the actual files. Did you execute the files or were they dormant?

    AntiVirus apps tend to look for code patterns, script patterns, etc. inside PDFs, HTML, JavaScript files, etc. I am curious as to what items were located by NOD32 - was this a completely infected machine?

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  5. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Nick;

    Here's a shot of the DIR that I scanned. These are all legit apps and/or downloads, text files - nothing infected. I just wondered why the varied scanners reported such widely different numbers of files scanned. And, yes, I agree with the one poster: I'd rather know beforehand that a file may be bad, not when I start to install it.

    SG1 (Pat)
     

  6. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    If you told NOD32, etc. only to scan that folder, only that number of files (12) should have been reported. Were the other products scanning in-memory also?

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  7. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Nick;

    Good question, & I have to say, dunno' off-hand as I don't recall if the two AVs by default or user settings hop right into mem. scan first and then onto actual files to be examined.

    Just did the usual right-click context scan choice, before opening any downloads; hence, I wondered why AVs seem to always come up with the higher nos. involved. Right or wrong, I assumed an .exe file or .zip file may hold many components/files within, to comprise the ultimate actual app that one has, when it has installed.

    Then I thought (again, right or wrong), that perhaps AVs by their nature really burrowed down into all the guts of a file, and that other security programs may take a diff. approach to things. Being a non-programmer, I have no idea on how scanners have a go at a file or files.

    Speaking of which: did I miss it, or does SAS not have that choice to add it into the right click context menu?
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Different scanners will report differently. Two scanners may scan the same number of files within a Zip file (for example), but one will report the number of files inside the zip file while the other will just report that it scanned the (one) zip file. It's just a matter of how each decides to count. I think that's likely all you're seeing, although packers and filetypes will likely come into play to make the differences between some of the ones that count the number of files within a compressed/packed file.
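    As an added illustration of the two counting conventions described above (example code written for this page, not anything from the posters or the products named): a small Python counter that reports both the number of files on disk and the number of objects actually inspected once zip archives are opened, recursing into nested zips and recording any archive it cannot open. The sample folder it builds is constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class ScanCount:
    on_disk: int = 0        # files sitting in the folder: one zip counts once
    inspected: int = 0      # objects examined once archives are opened
    uninspectable: list = field(default_factory=list)  # archives that would not open

def _walk_zip(data: bytes, label: str, count: ScanCount) -> None:
    """Count every member of an in-memory zip; recurse into nested zips."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                count.inspected += 1
                if info.filename.lower().endswith(".zip"):
                    _walk_zip(zf.read(info), f"{label}!{info.filename}", count)
    except zipfile.BadZipFile:
        count.uninspectable.append(label)  # the "can't check file X" case

def scan_dir(path: str) -> ScanCount:
    count = ScanCount()
    for entry in sorted(Path(path).iterdir()):
        count.on_disk += 1
        count.inspected += 1  # the container itself is one inspected object
        if entry.suffix.lower() == ".zip":
            _walk_zip(entry.read_bytes(), entry.name, count)
    return count

def build_sample_dir() -> str:
    """Constructed sample: 3 plain files, app.zip (2 files + nested bundle.zip
    of 3 files) and broken.zip, which has a zip signature but no directory."""
    root = Path(tempfile.mkdtemp())
    for name in ("readme.txt", "setup.log", "notes.pdf"):
        (root / name).write_text("constructed sample content\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for i in range(3):
            zf.writestr(f"lib/part{i}.dll", b"x" * 16)
    with zipfile.ZipFile(root / "app.zip", "w") as zf:
        zf.writestr("app.exe", b"MZ" + b"\0" * 30)
        zf.writestr("app.hta", "<html></html>")
        zf.writestr("bundle.zip", inner.getvalue())
    (root / "broken.zip").write_bytes(b"PK\x03\x04 truncated")
    return str(root)
```

    For the constructed folder, `scan_dir` reports 5 files on disk but 11 objects inspected, and lists broken.zip as the one it could not open.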
     
  9. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    We are adding that option in an upcoming release, as it is a convenient and useful feature. :)

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     