Antimalware Software

A Former User

Some use "heuristics" which are behavioral analysis of how a file works; others use signature analysis of a file's bit patterns; and so on.

There is some "heuristics" there in - whatever it's called, no "signature" it seems...

Does it make this one more trustworthy than that one?

blackbird71

blackbird71

I posted a reply earlier, but it's currently being held for moderation. ;_; Sometimes dodging around the spam filters in these forums is like running through a shooting gallery... most shots miss, but every once in a while you get nailed - for reasons you're never quite sure about.

blackbird71

blackbird71

It's not just the filename that matters. After all, one can name any file with any name, but that doesn't mean it's actually that pretended file. What matters as much as the name is where it is located. If a system-name file is sitting off in some abnormal or unrelated folder, that's a warning signal. In this case, the normal location for the win32k.sys file is the \windows\system32 folder... or perhaps in the uninstall folder for a KB update that modified the normal file once upon a time. If it were located anywhere else, you could be looking at an imposter. I'm only guessing, but I believe that's kind of what your AV did... it found the win32k file in a place it didn't expect and isolated it, not realizing that it could legitimately also be in a KB uninstall folder.

As you might now realize, none of this is necessarily an exact science. It involves digging, logic, and a sense of what ought to be where. Searching the Internet can help supply information to aid the analysis process in cases like win32k.sys, but the user still needs to check multiple references and cross-compare what they say to assemble a clearer picture. One could always hope that an AV might be perfect in detecting all threats and never giving a false alarm or false positive. But there simply is no such animal. The more automatic and comprehensive the AV engine, the more likely of a false positive trashing a system - and there are numbers of such stories where exactly that happened. The more the user himself gets involved in the final determination of a questionable file, the better his chances of avoiding his system being trashed, but the more work and analysis ends up in his lap.

As far as how long to wait before emptying out the quarantine folder, there is no magic answer. In fact, if you have hard-drive space, there's no reason to empty it at all - the files trapped there are indeed trapped and neutralized from breaking out. My own tendency is to leave them there for several months or more. Frankly, my AV typically only traps a file every so many months anyhow. At some point in the near future, yours ought to do the same. However, YMMV.

Most modern AVs use a combination of signatures and heuristics, with a few also adding in some crowd-voting features for filename reputation. My own opinion is that relying on heuristics alone isn't the safest approach, but others might disagree. Admittedly, signature detection can be misled by encrypting or obfuscating elements of a malware file to alter its signature(s), but signature-detection still acts to weed out much of the universe of malware that doesn't apply such hiding techniques. Heuristics are behavioral analysis of a file... but behavior can be obfuscated too, if the code writer is smart enough. At the end of the day, I advocate using layered security: a good firewall (especially outgoing traffic), a decent AV (meaning one that scores reasonably high in a reputable independent AV testing lab report, available free online), occasional system security scans using alternative tools (like Malwarebytes, AdwCleaner, etc), keeping the system and its apps fully patched, and safe hex. The last element is perhaps the most critical, though typically the most under-rated. If one browses constantly in "harm's way", then the odds of running into something both nasty and hard-to-detect increase considerably. Safe hex also means scanning ANY downloaded file before ever running it on the system - even supposed graphics files.

A Former User

After all, one can name any file with any name, but that doesn't mean it's actually that pretended file. What matters as much as the name is where it is located. If a system-name file is sitting off in some abnormal or unrelated folder, that's a warning signal. In this case, the normal location for the win32k.sys file is the \windows\system32 folder... or perhaps in the uninstall folder for a KB update that modified the normal file once upon a time. If it were located anywhere else, you could be looking at an imposter.

One shall see which folder it is (was?) in.
One could try finding the same name file in the PROPER folder (should the name be the same?). If there IS one, that other, detected one is an impostor (right?).

Do I think in the right direction?

A Former User

...and safe hex.

What the heck is that?

Safe hex also means scanning ANY downloaded file before ever running it on the system - even supposed graphics files.

I do.

...a good firewall (especially outgoing traffic)...

Why outgoing?

A Former User

As far as how long to wait before emptying out the quarantine folder, there is no magic answer. In fact, if you have hard-drive space, there's no reason to empty it at all - the files trapped there are indeed trapped and neutralized from breaking out. My own tendency is to leave them there for several months or more. Frankly, my AV typically only traps a file every so many months anyhow. At some point in the near future, yours ought to do the same. However, YMMV.

Well, my limitations are that the trial ends not further than in a month - then it's definitely uncertain.

What's YMMV?

blackbird71

blackbird71

Yes, you're thinking in the right direction, although sometimes a system file may be in more than one legitimate place, depending on the nature of the file. If that's the case, usually the search-result websites that explain things will note the various places it might legitimately appear. However, as you've seen, in the case of files altered by Windows updates, pre-update versions of those files may appear in some of the update uninstall folders as well, and most of the time, the reference websites won't mention that. As I've noted, the unavoidable uncertainty in some of this is a key reason to quarantine rather than immediately delete.

Safe hex is a slang term that describes the habitual user practice of employing safe techniques in one's use of computers, especially when online or downloading. (Hex refers to the hexadecimal numerical representation usually used in computer files.) It means using caution and common sense when exposing a computer to outside data, being careful not to browse much, if at all, at questionable websites of the type known to be infested with malicious exploits (porn, warez, and so on). It means being extremely careful before opening downloaded files, being sure to first scan them with onboard AV and/or other tools, and perhaps even sending them up for evaluation by VirusTotal or something similar. It means not clicking on whatever pops up when accessing some website without a good understanding of what is going on. It also means USING layers of security protection on the system and local network (if any), not just having such protection installed but unused. The biggest problem with safe hex is consistently applying it... human nature it to continually make exceptions, such that the secure habits can easily become riddled with dangerous exception habits.

YMMV is an advertising disclaimer from automobile ads that make all sorts of fuel economy promises, but conclude by saying "your mileage may vary". It has come to mean that end results may be somewhat different for different people and situations, depending on variable factors unique to how they do things compared with others.

A Former User

One shall see which folder it is (was?) in.

One could try finding the same name file in the PROPER folder (should the name be the same?). If there IS one, that other, detected one is an impostor (right?).

Do I think in the right direction?

Yes, you're thinking in the right direction, although sometimes a system file may be in more than one legitimate place, depending on the nature of the file. If that's the case, usually the search-result websites that explain things will note the various places it might legitimately appear. However, as you've seen, in the case of files altered by Windows updates, pre-update versions of those files may appear in some of the update uninstall folders as well, and most of the time, the reference websites won't mention that. As I've noted, the unavoidable uncertainty in some of this is a key reason to quarantine rather than immediately delete.

So, to copy its - path or filename? And go search by it in order to find out what/which folder(s) it's o'k for it to appear. Etc.
Right?

blackbird71

blackbird71

Depending on how your AV works, the win32k.sys file should be directly restorable to its original location via a user quarantine control somewhere in the AV panel itself. The original AV message was that the file's original path was C:\WINDOWS$NtUninstallKB2808735$\win32k.sys, but it would have been moved by the AV to an AV-owned quarantine folder and converted to a special AV binary format to keep the malware disabled, even if directly copied out of the quarantine folder. This is an anti-malware practice of most AVs. For the file to be restored, the AV itself must be used to reverse the special quarantine format and put the file back where it came from. The whole purpose of "quarantine" is to isolate, but not delete, a potentially malicious file until further determination of its nature and its fate can be made.

As a note of caution, if there are any quarantined files you want to restore, be sure and do it before your trial version either expires or is uninstalled. It alone holds the keys to restoring its own quarantined files, since not all AVs use the same quarantine format.

FYI, the latest Tuesday Windows patches (9 June) contain another update for WinXP computers involving win32k.sys:
KB3057839 kernel-mode drivers. This may or may not cause a repeat of the AV quarantining of the previous win32k.sys file from whatever uninstallation backup the new KB creates.

A Former User

What is this folder - C:\WINDOWS\$NtUninstallKB2808735$? Do the dollar characters mean something? Like it's hidden?

FYI, the latest Tuesday Windows patches contain another update for WinXP computers involving win32k.sys:
KB3057839 kernel-mode drivers. This may or may not cause a repeat of the AV quarantining of the win32k.sys file from whatever uninstallation backup the new KB creates.

Yeah, I noticed that update.
And it is very useful: I guess if it finds that 'threat' again, I'll be likely to consider the case "false positive".
Do you think the update must've replaced that missing file and the already captured one could be left to demise or not?
And a question stays - how do you usually whitelist stuff? Shall I input the exact, whole path to whatever it is?
In the presumed case of not restoring the previous, quarantined file, I guess I could simply allow the new one - should/when it occurs in the next sweep?

A Former User

As a note of caution, if there are any quarantined files you want to restore, be sure and do it before your trial version either expires or is uninstalled. It alone holds the keys to restoring its own quarantined files, since not all AVs use the same quarantine format.

Thanks, I'll bear it in mind**

blackbird71

blackbird71

The "$NtUninstall..." file name prefix tells the system that it's a backup folder containing the original files changed by the associated Windows update. There are corresponding links in the registry to direct where each of those files actually came from, so that uninstalling the update puts the original files back in the right places. It's been a while since I've explored this, but the $NtUninstall folders might indeed be hidden folders. I keep all my systems set to always show all the hidden stuff, and I don't recall whether these were in that category.

The Windows update would have replaced the original win32k.sys file in the Windows system folder with an updated file version, and moved the original win32k file into the $NtUninstall file, plus creating registry links showing what it had done. Apparently your AV found the file there, pulled it out, and quarantined it into its own AV folder, probably because the AV didn't expect to find a win32k.sys file copy outside of the normal system folder. Since the now-quarantined copy was simply the old or earlier version of the win32k.sys file, it would only be of value if you needed to uninstall that particular update which replaced it in the first place. But if you install the just-posted 3057839 update, that update will replace whatever win32k.sys version is currently in the Windows system folder with a still-newer version of win32k.sys. So reverting all the way back to the file copy the AV pulled out of the $NtUninstall folder is unlikely to ever happen, hence it probably doesn't matter whether you un-quarantine it or not.

The details of how you whitelist a file depends on the AV you're using. But I think it's going to be very hard to whitelist for a future file that has yet to be moved by some future Windows update into an as-yet-not-named uninstall folder. There simply are too many important files that can be replaced by updates, and there are an infinite combination of update numbers that might be used to construct the uninstall folder name. Given that WinXP updates are "going away" due to the obsolesence of the OS, probably the entire issue of the AV quarantining Windows update uninstall file elements will also fade away, as long as you're still using XP.

A Former User

Apparently your AV found the file there, pulled it out, and quarantined it into its own AV folder, probably because the AV didn't expect to find a win32k.sys file copy outside of the normal system folder.

Isn't C:\WINDOWS\ a normal system folder?

But I think it's going to be very hard to whitelist for a future file that has yet to be moved by some future Windows update into an as-yet-not-named uninstall folder. There simply are too many important files that can be replaced by updates, and there are an infinite combination of update numbers that might be used to construct the uninstall folder name.

Perhaps I'll just allow the file this next time, and see what happens*:)*

Given that WinXP updates are "going away" due to the obsolesence of the OS, probably the entire issue of the AV quarantining Windows update uninstall file elements will also fade away, as long as you're still using XP.

Right. Plus the potential "obsolescence" of the AV itself...
Besides, I think I might consider moving away when (if?) IT fades away right?

blackbird71

blackbird71

Yes, but what I was referring to was the \system32 sub-folder underneath the Windows folder. It can be confusing when writing about this stuff because of terminology overlap. That \system32 folder's the place where OS drivers and similar programs normally are found, and as such, that folder is supposed to be better protected against malware writing itself into it. Hence, a system file like win32k.sys found in some other folder may be malware masquerading as a system file, because that other folder was write-accessible to the malware infector file. Though in your situation, a legitimate copy of win32k.sys was legitimately placed in the update uninstall folder elsewhere. So, as usual, the scenario will always be the same, except when it isn't. O.O :rolleyes:

Actually, I ran a Win98 First Edition (vintage 1998) system online until late 2010, long after it had been declared officially obsolete and was no longer being updated by MS. What ultimately kills the use of an old OS is typically the inability to find any software that's rated for use on the old OS - in my case specifically, antivirus programs. The system still is in use for local computing, in large part because it's still compatible with some antique 16-bit software that I occasionally need to run. But online, it would be a sitting duck for malware, either at dodgy sites or in some drive-by infector in an ad on a legitimate site. Its AV hasn't been able to be updated in 5 years. :rip:

A Former User

Its AV hasn't been able to be updated in 5 years.

Write one.

Definitely it must be Windows' developers' (no names uttered!;)) blurp to allow for such file placing.

blackbird71

blackbird71

I have a different approach for that system. It's called "unplugging the Ethernet cable". :whistle:

A Former User

I have a different approach for that system. It's called "unplugging the Ethernet cable".

Searched for Ethernet - didn't get your metaphor.

en.wikipedia.org/wiki/Metaphor :whistle:

blackbird71

blackbird71

Hmmm. The ethernet definition is out there: https://en.wikipedia.org/wiki/Ethernet

It's the cable (CAT-5) connection from the computer to the router/modem. Pull the cable from the computer, and no more Internet (and no more malware from that source).

A Former User

I'm lost.

blackbird71

blackbird71

OK, let's see if we can get you "found". Back to basics: to get online functionality, your computer has to have a wired connection to your ISP via a dial-up phone wire or an ethernet cable to a modem/router connected to a DSL-capable phone line or a cable-company's dedicated line. Otherwise, the computer must use a wireless (radio) connection to a wifi "hotspot" in the vicinity, whether connected to your ISP's modem or provided by a public hotspot within range of your computer.

Back in the pre-wifi days when the only option was a wired connection, the easiest way to protect an old system from Internet-based malware was to simply "pull the cable" out of the computer and break the Internet connection. Of course, that meant no online capability, but it did work to avoid Internet-sourced malware. Hence my earlier humorous (?) statement/metaphor about unplugging the Ethernet cable as a means to deal with my inability to find an AV that would work to keep my Win98 system safe.

Unfortunately, whatever humor might have been embedded in my cable-pulling statement is now long gone... :faint: