wondering about this

Discussion in 'other anti-virus software' started by randydom, Apr 2, 2009.

Thread Status:
Not open for further replies.
  1. randydom

    randydom Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    3
    Location:
    NYC
    Hi, I'm really wondering about this:

    When a critical process is infected or injected by malware (let's suppose Winlogon.exe), how can an AV react?

    I mean, should it (the AV) stop the running process (in our case Winlogon.exe) and all its loaded modules? If yes, how could that be possible, as long as this process is among the other critical processes? And if it will be placed into the queue until the next reboot (with Delete, Quarantine ... actions), how is it possible to replace it with a clean process?

    To sum up my question: how does an AV react when a running process is infected or injected (especially a critical process)?

    Many thanks.

    Randy
     
    Last edited: Apr 3, 2009
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Randydom,

    My game is more HIPS and sandboxes, but from the AVs I have tried (Norton in its early days, in recent years only freewares like Antivir, Avast, AVG, Rising etc.), I think you are talking about file infectors.

    The only one that comes to my mind is Avast; it has the option to build a database of executables (up to 3 generations) to restore them after a file infector has changed them. Avast also has a reboot-into-safe-mode option to replace the infected file from its database (to tackle rootkits and OS-protected file infections).

    Hope someone with more understanding of AVs provides you an accurate answer. Try PMing RejZoR; he knows a lot about Avast, amongst others.

    Regards, Kees
     
  3. zen_usuario

    zen_usuario Registered Member

    Joined:
    Dec 7, 2008
    Posts:
    153
    Me too, for the same reasons explained by Kees1958.
     
  4. randydom

    randydom Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    3
    Location:
    NYC
    Thank you Kees1958, but how many times, and at what sizes, should Avast build this database? Surely this will take more and more space on my (as an avast user) machine (so my privacy - my HDD space is my privacy too - is about to be ......).

    Could anyone explain this please?


    Yours, Randy
     
  5. Vladimyr

    Vladimyr Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    461
    Location:
    Australia
    Excerpt from the avast! 4.8 help file:

    avast! - help: VRDB

    VRDB stands for "Virus Recovery Database"; it was known as "Integrity Database" in previous avast! versions. The aim of VRDB is to help when, despite all the security measures, a virus gets inside the computer and files are infected. With the help of VRDB, it is possible to repair many infected files (return them exactly to their original state). VRDB is announced by an icon with the letter "i" in the system tray (next to the clock). If the icon is animated, the database is being created right now.

    VRDB PRINCIPLE

    avast! creates an integrity database, i.e. it stores information about the actual state of the files, keeping three versions back for each file. The database creation/maintenance is performed either when the computer is idle or when the screen-saver is running (any screen-saver, not only the avast! one). This database, once it is created, is updated every three weeks (this value may be changed by editing avast4.ini).
    If a file is infected by a virus, it may be possible to repair it using the information stored in VRDB, i.e. return it to its original state. If there are multiple versions of the file in the database, you can choose which version you want to restore.

    Copyright © 1988-2009 ALWIL Software.
    All Rights Reserved.


    On my 32GB-partition XP SP3, the VRDB file is currently 27MB.

    Although still useful, avast! VRDB is an old idea that will probably be supplanted by newer techniques in future. There are already issues with Vista in terms of generating VRDB when the PC is idle, i.e. Vista's enhanced security means that the avast! VRDB generator's ability to determine the PC's idle state is blocked.
     
    Last edited: Apr 6, 2009
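The VRDB principle quoted above (a per-file integrity record, three generations kept, restore to a chosen version, verified against the original state) sketched as an added Python example. This is not avast! code and says nothing about avast!'s real on-disk format; the record layout is an assumption made for the example: it keeps a whole-file SHA-256 plus the first 4 KiB of the file, on the assumption that a classic appending file infector patches the header (entry point, section sizes) and appends its body, so header bytes plus the original length are enough to rebuild the file. It refuses to write anything it cannot verify against the stored hash, which is the case the help text hedges with "many infected files". The class and constant names (RecoveryDB, GENERATIONS, HEADER_BYTES) and the sample file contents are constructed for the example.

```python
"""Toy virus-recovery (integrity) database, added example, not avast! code."""
import hashlib
import os
import tempfile

GENERATIONS = 3      # versions kept per file, as in the VRDB description
HEADER_BYTES = 4096  # assumption: region an appending infector patches


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RecoveryDB:
    """path -> list of records (oldest first, at most GENERATIONS entries)."""

    def __init__(self):
        self.records = {}

    def snapshot(self, path):
        """Record the current state; returns False if it is unchanged."""
        with open(path, "rb") as f:
            data = f.read()
        digest = sha256(data)
        versions = self.records.setdefault(path, [])
        if versions and versions[-1]["hash"] == digest:
            return False
        versions.append({"hash": digest, "size": len(data), "head": data[:HEADER_BYTES]})
        del versions[:-GENERATIONS]       # drop anything older than 3 generations
        return True

    def is_intact(self, path, generation=-1):
        """True if the file on disk matches the chosen recorded version."""
        with open(path, "rb") as f:
            return sha256(f.read()) == self.records[path][generation]["hash"]

    def restore(self, path, generation=-1):
        """Rebuild the chosen version: recorded header + on-disk body, truncated
        to the recorded length. Only written if the result verifies; otherwise
        the file is left untouched and False is returned."""
        rec = self.records[path][generation]
        with open(path, "rb") as f:
            data = f.read()
        candidate = rec["head"] + data[len(rec["head"]):rec["size"]]
        if sha256(candidate) != rec["hash"]:
            return False
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "wb") as f:
            f.write(candidate)
        os.replace(tmp, path)             # atomic swap so no half-written file
        return True


def demo():
    """Constructed scenario: four legitimate builds, an appending infection,
    a successful repair, and a modification the record cannot repair."""
    db = RecoveryDB()
    path = os.path.join(tempfile.mkdtemp(), "sample.exe")
    base = b"MZ" + bytes(range(256)) * 40   # 10242-byte stand-in, larger than HEADER_BYTES
    results = {}

    for tag in (b"v1", b"v2", b"v3", b"v4"):  # only the last three are kept
        with open(path, "wb") as f:
            f.write(base + tag)
        db.snapshot(path)
    results["unchanged_ignored"] = db.snapshot(path) is False
    results["versions_kept"] = len(db.records[path])

    # Simulated appending infector: patch bytes in the header, append a body.
    with open(path, "rb") as f:
        data = bytearray(f.read())
    data[0x28:0x2C] = b"\xEF\xBE\xAD\xDE"
    data += b"X" * 2000
    with open(path, "wb") as f:
        f.write(data)
    results["infection_detected"] = not db.is_intact(path)
    results["repaired"] = db.restore(path)
    results["intact_after_repair"] = db.is_intact(path)

    # A byte changed beyond the recorded header: restore must refuse.
    with open(path, "r+b") as f:
        f.seek(8000)
        f.write(b"\xFF")
    results["deep_patch_repairable"] = db.restore(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The refusal path matters as much as the repair: a recovery database that rewrites a file it cannot verify would turn a detected infection into a silently corrupted executable, so the hash check gates the write and the temporary-file-plus-rename keeps a crash from leaving a truncated binary.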
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    The VRDB database is a completely local thing, and it also doesn't back up entire files, so it's not a privacy issue of any kind.
     