Antimalware Software

blackbird71

blackbird71 last edited by

True enough... I should have used MB.

A Former User

A Former User last edited by

Well, Black, then how do I know if the registry is relevant or not?
They might contain a hint in their filename or may not, is it right?

Well, in the case of MSE, its pusher's name is "msseces.exe". Will it always be the same pattern or is it not necessary?

blackbird71

blackbird71 last edited by

A look at CCleaner's Data and Registry Key (especially for HKLM) columns after a scan can frequently identify the name of the product that created the problematic registry keys. A quick online search can explain some of the obscure Data filenames if the program name is not evident. Most of the time, for major-name software uninstalls that have left residue behind in the registry, the program names will be obvious in one way or another. If in doubt, leave the entry alone (unchecked) when/if cleaning. Note also that the CCleaner registry scan will only reveal registry issues of one kind or another, not normal registry entries for still-installed software (unless that software has installed something incorrectly or created registry references to subsequently update-abandoned program modules). The main categories you would be concerned about for registry cleaning after an uninstall would be Type Libraries, Applications, Application Paths, Help Files, Obsolete Software, and Run at Startup. These are the options that should be checked in CCleaner's Registry Cleaner panel.

A Former User

A Former User last edited by

Using a Microsoft Safety Scanner now. It seems to check my PF Java folder for ages now. Is it normal?

Right, I resorted to it again - the MSE "retired" again 5 days ago. I guess I'm gonna part with it soon enough...

A Former User

A Former User last edited by

So, I seem to be about to switch.
The MSE "fails" for another time now, used MSS again...

The question is - what do I do exactly?
Shall I - right away - take to uninstall the MSE or rather do some more preparations?

My idea is like the following:

1. uninstall MSE;
2. reboot the machine;
3. install the replacement...
   Well, shall I reboot before, or after? or both? If at all..?

blackbird71

blackbird71 last edited by

Normally, after any uninstallation of a program that has hooks deeply into the OS and registry such as an AV, it's wise to reboot the system before installing anything else. If you're concerned about some moments of online vulnerability with no AV in place, unplug the Internet connection before the reboot and until after the new installation has completed. However, in some cases, a newly installed AV program will right away want to go out to the Internet for any updates... so reconnect the Internet connection once the installation has appeared to succeed, and then check for updates (if the program doesn't automatically do it).

A Former User

A Former User last edited by

Done already this morning.
Rebooted BOTH.

It's UnThreat, and it appears not to be free software but it's just a free trial - 30 days.
So far it's o'k, there was a minor issue upon trying to close and other deal with its window the very first time - the thing got warped and distorted... Then I rebooted the second time, seems all right.

During the very first - quick - scan it found some. I have questions...

1. It was a Yandex toolbar (no location, no pertinence) which supposedly tracked me - I have a full report on the item.
2. 107 'tracking cookies' - all (seemed) had similar paths: ...Docs&Sets>[myaccount]-etc.. The thing suggested to delete them - I agreed: was I right?

Now to the toolbar report:

Threat Information
Threat Name:
Russian Searchbar
Threat Type:
Adware
Threat Category:
Toolbar
Risk Level:
Moderate
Traces
Registry
HKEY_USERS\S-1-5-21-989594913-985533698-406565276-1005\Software\Yandex -1
Additional Information
Description:
A Toolbar is a type of browser plug-in that adds a third-party utility bar to the web browser, usually just below or next to the browser's address bar. A Toolbar typically has a search function and provides search results for paid advertisers. It often has buttons that are links to advertisers' web pages. An advertising toolbar may track browsing and search queries in order to display contextually relevant search results and ads.
Advice:
This is a moderate risk and should be removed or quarantined as it may negatively impact your privacy and security or make unwanted changes to your computer's settings.

I accepted "automatic", and it quarantined the thing.
What do I do?

blackbird71

blackbird71 last edited by

I've never used Unthreat myself, but it most likely functions similar to most AVs in key aspects. From online reviews I read, it seems to be OK, but not necessarily the brightest star in the AV sky.

Regarding #1: Personally, I avoid browser toolbars like the plague. So I would have no problem deleting one. Tracking cookies are usually another good thing to dump, unless there's some commercial site whose tracking and prompting of possible purchases are something you really want (I don't).

Regarding #2: The Yandex toolbar (Russian Searchbar) is considered by most malware experts to be a Potentially Unwanted Program. It isn't malicious itself, but adds nothing of value to a user's browsing. Moreover, it exists solely to generate revenue by promoting marketing techniques that too often involve questionable products, and it is therefore considered by many experts as presenting security and privacy threats especially to uninformed users. Getting it out of the browsers is the correct thing to do.

Quarantining in most AV products essentially gets the targeted malware files off the active system and into an isolation folder where they cannot function, but in most cases could be restored if the user so desires. If you find the quarantining of the toolbar doesn't break something somewhere on the system, you might as well go ahead and delete the toolbar files entirely from the quarantine folder. The advantage to initially quarantining malware is if that process "breaks the system", the files can always be put back. This would be of real value in cases where the AV mis-identified a legitimate file as being malicious and thereby broke some system functionality as a result... you could simply restore the file from quarantine to its original location and functionality. (Such mis-identification indeed can happen from time to time with AVs).

A Former User

A Former User last edited by

Thank you.

Day 1: feels quite neat.
Haven't customised any settings yet, apart from the quarantine period (a trifle) - due to some uncertainty about the issue in question and alike. I'll update you how it's going (won't forget asking questions).

A Former User

A Former User last edited by

I'll update you how it's going (won't forget asking questions).

No full reports today - I was just playing with that "Copy to clipboard" & Co. for the first time, etc.
However, I'll cite every item.

Did a full scan last night.
Started early, late night yesterday - for MSE performed full scan for hours and hours and hours (sorry, my disk space is populated).
Surpisingly (as I only learned late in the morning), the AV spent only couple of hours and counted items scanned manifold less than MSE. However, it found 8 threats (some of them seem very likely to have sat there o'k in the MSE days) - of medium and high risk this time.

They were of two types, ordered in 6 lines.

The first group was adware:
the names were 1) Adware.Agent, 2) Installerex/WebPick (fs), 3) Click run software (v) and 4) Iminent (fs)
-
just in case somebody knows something about this stuff.
They were assessed as of 2/5 risk level and quarantined.

The second group was named Trojans.
There were three (or four?) items, their names seemed being the same - "Trojan.Win32.Generic!BT".
I'd like to extend on this now...
Yes, this first one was deleted, I'd obtained it myself from some video site perhaps in case I needed it, never started though: its path (containing file name) was C:\Documents and Settings[myaccount]\{My Docs}\...)\iLividSetupV1.exe.
The second (or third?) one's path was C:\WINDOWS\$NtUninstallKB2808735$\win32k.sys, and I'd like to hear your word about it.
The last (or something) one's path was to my other logical disk where I'd stored some archives: D:\Software\SoftonicDownloader7179.exe. The strange thing is that I remember obtaining and using it myself to download and install my first Opera browser** And I can't remember any trouble following or deriving from that/since that... The thing, if I remember it all right, sat there for years (quite literally), etc...
No idea.
Anybody?

Yes, these second group items (seem all) were of a high risk level, however by default, the lines had "quarantine" suggestions, IIRC.
Strange thing - maybe a glitch: IIRC, I changed ALL the flags to "Delete", but deleted did definitely appear only one, first item in that group - the others got quarantined...
Well, I'll see about this supposed glitch further, if I have an occasion.

That's all for now.
Thanks for your reading this*:)*

blackbird71

blackbird71 last edited by

The win32k.sys file is almost certainly a legitimate file, since it was part of the KB2808735 Windows security update issued in April 2013 (KB2808735). Your AV found it in the normal KB uninstaller folder for that update, and most likely mis-identified it because it's a KB-removal restoration file and thus not located in the place the normal, in-use win32k.sys file version is found (c:\windows\system32\win32k.sys). The normal win32k.sys file is a critical Windows driver file, and is noted in the MS13-036 bulletin as having been modified in the KB2808735 update - so it's normal for a copy to appear in that update's uninstall folder. However, there is malware (ZeroAcess rootkit) that has been known to copy the file's name to obscure its payload, but that fake file is usually found in some web-accessible or user-account folder. My best guess is that your AV simply found the legitimate KB restoration file copy in a non-system32 folder and flagged it. In other words, it was a false positive. You probably should restore the file and mark it to be skipped by future scans in case you ever need to remove the KB update for some reason.

Softonic down-loader files have a bad reputation for bundling 3rd-party, sometimes-nasty crapware along with the desired download. My guess is that your AV flags such down-loaders almost automatically by name because of the crap they occasionally carry along with them. I'd personally dump anything Softonic-related simply on general principles .

I'd be careful about simply letting the AV immediately delete any files, but especially system-name files (like win32k.sys); in fact, some AVs will only ever quarantine system-name files because of the serious consequences of mis-identifying and destroying a legitimate and critical Windows file. In the case of win32K, for example, that would be true since removing the active version of the file in the system32 folder would probably lead quickly to a blue-screen failure. The best practice is always to set the AV to simply quarantine problematic files wherever possible, so that you can restore them if the system breaks somehow after their removal. Only after manually analyzing a quarantined file name and where it was found will I go on to delete it from the quarantine folder. Your search engine is your friend for this. If in doubt, leave it quarantined rather than deleting it. Some system or apps breakages may only show up after several hours or more of usage.

A Former User

A Former User last edited by

The last (or something) one's path was to my other logical disk where I'd stored some archives: D:\Software\SoftonicDownloader7179.exe. The strange thing is that I remember obtaining and using it myself to download and install my first Opera browser And I can't remember any trouble following or deriving from that/since that... The thing, if I remember it all right, sat there for years (quite literally), etc...
No idea.
Anybody?

I knew I had that 'SoftonicDownloader' somewhere on my USB drives too, back-ups.

It seems I've got a guess about the situation with it.
It might be that it's a sorta container for "something else" - namely Opera setup, which is deemed "irrelevant" by the AV - thus tricky/roguish, right?
Hence it might be the file is no threat - especially that it sat for years while the AV came the other day.

Now a question.
The AV suggested to quarantine that file on that USB too - and I accepted: I got curious - HOW ON EARTH can a piece of software handle isolation of a file which is obviously not on the system most of the time?

---

Now to your recent comment, Blackbird.

You probably should restore the file and mark it to be skipped by future scans in case you ever need to remove the KB update for some reason.

How do I do that exactly?
List the file's path in exceptions?

The best practice is always to set the AV to simply quarantine problematic files wherever possible, so that you can restore them if the system breaks somehow after their removal.

That's right. I'll adjust the settings...

Only after manually analyzing a quarantined file name and where it was found will I go on to delete it from the quarantine folder. Your search engine is your friend for this. If in doubt, leave it quarantined rather than deleting it. Some system or apps breakages may only show up after several hours or more of usage.

So far so good.
But how do I do that analysing? Where do I start? What should I look for?

A Former User

A Former User last edited by

I have a guess...
Maybe that MSE knew what it was doing? Maybe it knew it was a good file - while the new, "third party" AV does not?

blackbird71

blackbird71 last edited by

Different AVs will work in different ways. Some use "heuristics" which are behavioral analysis of how a file works; others use signature analysis of a file's bit patterns; and so on. Probably MSE didn't analyze things quite as intensively as your current AV does, or didn't look at things the same way. That's why the AV testing labs (like AV Comparatives) get different detection results and different false-positive results for different AV products.

In many cases, AVs will let you un-quarantine a detected file, in which case you would restore it to its original place using the AV. If not, I'm not sure how you proceed using that particular AV to get it out of quarantine.

As far as analysing a questionable file using a search engine, I usually search first for just the filename itself and see what's out there. If it has a legitimate use, then I try searching for the filename plus a word like "virus" or "malware" and see what comes up. Ideally, you want results from places like bleepingcomputer, sevenforums, wilders, malwarebytes, or something equally reputable.

A Former User

A Former User last edited by

As far as analysing a questionable file using a search engine, I usually search first for just the filename itself and see what's out there. If it has a legitimate use, then I try searching for the filename plus a word like "virus" or "malware" and see what comes up. Ideally, you want results from places like bleepingcomputer, sevenforums, wilders, malwarebytes, or something equally reputable.

But if its filename is the same either way - how do you know if your PARTICULAR file is good or bad?
Or aren't they the same? Just similar?

If in doubt, leave it quarantined rather than deleting it. Some system or apps breakages may only show up after several hours or more of usage.

How long a period should it take tops to await a possible failure?

A Former User

A Former User last edited by

Some use "heuristics" which are behavioral analysis of how a file works; others use signature analysis of a file's bit patterns; and so on.

There is some "heuristics" there in - whatever it's called, no "signature" it seems...

Does it make this one more trustworthy than that one?

blackbird71

blackbird71 last edited by

I posted a reply earlier, but it's currently being held for moderation. ;_; Sometimes dodging around the spam filters in these forums is like running through a shooting gallery... most shots miss, but every once in a while you get nailed - for reasons you're never quite sure about.

blackbird71

blackbird71 last edited by

It's not just the filename that matters. After all, one can name any file with any name, but that doesn't mean it's actually that pretended file. What matters as much as the name is where it is located. If a system-name file is sitting off in some abnormal or unrelated folder, that's a warning signal. In this case, the normal location for the win32k.sys file is the \windows\system32 folder... or perhaps in the uninstall folder for a KB update that modified the normal file once upon a time. If it were located anywhere else, you could be looking at an imposter. I'm only guessing, but I believe that's kind of what your AV did... it found the win32k file in a place it didn't expect and isolated it, not realizing that it could legitimately also be in a KB uninstall folder.

As you might now realize, none of this is necessarily an exact science. It involves digging, logic, and a sense of what ought to be where. Searching the Internet can help supply information to aid the analysis process in cases like win32k.sys, but the user still needs to check multiple references and cross-compare what they say to assemble a clearer picture. One could always hope that an AV might be perfect in detecting all threats and never giving a false alarm or false positive. But there simply is no such animal. The more automatic and comprehensive the AV engine, the more likely of a false positive trashing a system - and there are numbers of such stories where exactly that happened. The more the user himself gets involved in the final determination of a questionable file, the better his chances of avoiding his system being trashed, but the more work and analysis ends up in his lap.

As far as how long to wait before emptying out the quarantine folder, there is no magic answer. In fact, if you have hard-drive space, there's no reason to empty it at all - the files trapped there are indeed trapped and neutralized from breaking out. My own tendency is to leave them there for several months or more. Frankly, my AV typically only traps a file every so many months anyhow. At some point in the near future, yours ought to do the same. However, YMMV.

Most modern AVs use a combination of signatures and heuristics, with a few also adding in some crowd-voting features for filename reputation. My own opinion is that relying on heuristics alone isn't the safest approach, but others might disagree. Admittedly, signature detection can be misled by encrypting or obfuscating elements of a malware file to alter its signature(s), but signature-detection still acts to weed out much of the universe of malware that doesn't apply such hiding techniques. Heuristics are behavioral analysis of a file... but behavior can be obfuscated too, if the code writer is smart enough. At the end of the day, I advocate using layered security: a good firewall (especially outgoing traffic), a decent AV (meaning one that scores reasonably high in a reputable independent AV testing lab report, available free online), occasional system security scans using alternative tools (like Malwarebytes, AdwCleaner, etc), keeping the system and its apps fully patched, and safe hex. The last element is perhaps the most critical, though typically the most under-rated. If one browses constantly in "harm's way", then the odds of running into something both nasty and hard-to-detect increase considerably. Safe hex also means scanning ANY downloaded file before ever running it on the system - even supposed graphics files.

A Former User

A Former User last edited by

After all, one can name any file with any name, but that doesn't mean it's actually that pretended file. What matters as much as the name is where it is located. If a system-name file is sitting off in some abnormal or unrelated folder, that's a warning signal. In this case, the normal location for the win32k.sys file is the \windows\system32 folder... or perhaps in the uninstall folder for a KB update that modified the normal file once upon a time. If it were located anywhere else, you could be looking at an imposter.

1. One shall see which folder it is (was?) in.
2. One could try finding the same name file in the PROPER folder (should the name be the same?). If there IS one, that other, detected one is an impostor (right?).

Do I think in the right direction?

A Former User

A Former User last edited by

...and safe hex.

What the heck is that?

Safe hex also means scanning ANY downloaded file before ever running it on the system - even supposed graphics files.

I do.

...a good firewall (especially outgoing traffic)...

Why outgoing?