Antimalware Software

A Former User

A Former User last edited by

What trial, Magaretz?

A Former User

A Former User last edited by

Does every regular AV allow to (temporarily) shut themselves down?
Or is there maybe a system control for that?

A Former User

A Former User last edited by

My 360 doesn't seem to like Google Chrome very much: frequently doubting chrome files, now it's even deleted Chrome's updater file...

A Former User

A Former User last edited by

Well, it appears that my 360, in settings, has something for Bitdefender, but I can't clearly understand what it is and what it is for: .

Who knows what it is?
Does it mean 360 is ready to fight Bitdefender or does it mean that 360 is ready to cooperate with Bitdefender?

blackbird71

blackbird71 last edited by

360 has the capability of using multiple local scanning engines as well as its cloud engine, one of which is BitDefender AV - or at least 360 had that capability in 2013: <http://www.wilderssecurity.com/threads/360-internet-security-free-triple-antivirus-engine-bitdefender-included.348585/ > The panel you show looks like one that allows the alternate local engines to be controlled from within 360. Otherwise, be careful when BitDefender is mentioned somewhere, since many or most references are to its more widely-known AV product, not its Adware Removal Tool product. That was the trap I fell into a few posts back.

Most AVs have a setting allowing them to be at least temporarily disabled, often accessible through the icon in Windows Tool Tray. I don't know about 360, though.

A Former User

A Former User last edited by

Most AVs have a setting allowing them to be at least temporarily disabled, often accessible through the icon in Windows Tool Tray. I don't know about 360, though.

Yeah, the two items at the very bottom are called "Enter Silent Mode" and "Exit" (the latter's after a hr).
I don't know about the "Silent mode", but the other might be it.

blackbird71

blackbird71 last edited by

'Silent mode' usually means the AV continues doing its thing, but it shuts off its normal alert messages along the way. That is, it quarantines or removes files or whatever 'silently'. In terms of avoiding conflicts with other anti-malware, it's doubtful that 'silent mode' will provide any relief. What one needs is some control like 'pause', 'temporarily suspend', etc. Otherwise, you'll have to Google a term like '360 AV turn off' or similar to find out what other users may have done.

A Former User

A Former User last edited by

It takes 360 some ages to scan my archives... :wait:

The question is, can malware insert itself into already existing archives?
There are three types of archives I've come to think of:

1. programs' archived files, including that of the system;
2. the user's own archived files (presumably s/he checked them at some point before archiving already);
3. "ready" downloaded archives.
   I can think that number 3 might be of risk, but I always check all downloaded files immediately - even if I had uploaded them myself or from "trusted sites".
   What about numbers 1 & 2? Can those be of risk?

Does some antimalware software allow for "trusting", skipping scanning some existing files on system? Will it be of sense to apply such "trusting"/skipping?

blackbird71

blackbird71 last edited by

There are a number of factors influencing what malware can and cannot do on a computer. In general and unless otherwise blocked, malware can insert its own payload files among the various legitimate files collected on drives or within folders - though which drives or folders are more easily accessible for infection is greatly affected by the access compartmenting that occurs when employing the OS's limited user accounts or group-policies for files and folders. In some cases, some legitimate files can even be replaced by similarly-named malicious file versions. However, malware is usually not able to directly and effectively alter the contents of existing complex files without causing corruption that renders the infected file unusable - thus the risk of infection in that manner is considered minimal.

If one is archiving files using an imaging program like TrueImage, Paragon, or similar to create an archive backup file of a drive or a folder of files, malware will only ever appear within that archive if it was already present on the system at the time the archive was created. The malware can't normally infect such an existing archive after it's created. But it can independently infect the drive on which the archive is stored, as noted below. If one is archiving files by directly copying them to a backup drive or flash-stick, then again, the backups should be clean of malware if the original source folders were clean - except in that case where malware independently infects the drive on which the archive is stored.

When one is archiving files to another drive, either via an image file or directly copying the data files over, existing malware on a system can, in principle, infect that other drive the moment it's connected to the computer. In this regard, a lot depends on how the specific malware is designed; not all malware has the capability, but some does. The deeper the malware hooks into the kernel code of the operating system, the more readily it can replicate itself onto other drives or flash-sticks. If one is storing backups (or even an image file) to another drive, some malware has the capability of infecting that drive directly before the archive file(s) are ever copied onto it. If a persisting stub file from the malware is then somehow able to point back to that instance of itself on the backup drive, it can re-infect the main system as soon as that backup drive is accessed. In the case of malware that infects a disk's MBR, unless that infected drive is deep-reformatted, that malware will survive a mere light-formatting process and potentially call out to its stored instance on the backup drive to reinfect the supposedly-cleaned system all over again as soon as that drive is connected.

However, the most common cause of reinfection for most malware victims is that they discover malware on their system, go to great lengths to clean it all up, then later have other problems requiring a system restore or restoration from a backup set, whereupon the earlier-removed malware suddenly reappears from within the file collection of the archive. This is one of the major reasons it's important to try to figure out how and when any infection has occurred, and to delete any archives or system restore points that occurred between the infection time-point and the point of cleanup. Otherwise, reinfection from the backup set(s) will occur. Obviously, the more backups routinely made and the more careful the system observations by the user, the more quickly he will recognize an infection and be able to minimize the look-back period that has to be discarded before restoring.

Most antimalware allows 'whitelisting' of both files and folders which skips them when scanning. Ordinarily, it's wise to avoid whitelising a folder unless you really, really have to since it gives a sanctuary for malware to hide. In cases where a folder has to be whitelisted, one should use access controls to govern very tightly which user accounts can alter the folder's contents.

A Former User

A Former User last edited by

I was talking about archived files, Professor - like zips, rars and such.

Some such files the system or a programs creates itself in its folder(s), some such files may be downloaded by the user, some such files can be created by the user from files already on the system.
The last case is in question - can some malware insert itself into such an existing file? Can it replace such a file seamlessly with a similarly looking one of the same format?
Can malware mess with archived files created by the system and/or other legitimate software on the system?
I'm ruling freshly downloaded such files out - assuming the regular antimalware program manages it prompted by the user.

blackbird71

blackbird71 last edited by

It's a bit tricky theorizing what malware can or can't do - as soon as one nails down a limitation, along comes a creative exploit that breaks through that limitation. Nevertheless, malware usually only starts by inserting its files directly into a system's file structures along side what's already there, though sometimes with names that mimic legitimate file names. The worst problems arise when the malware executes and starts running. At that point, what malware can and cannot do depends on the depth of its infection. Rootkits that deeply hook the OS kernel code can mask all sorts of illicit activities they carry out, they can redirect user inquiries about files and names, hide entire folders, and do all sorts of other things. Conversely, 'mild' adware may only append a few bits of URL code to a browser shortcut command. Arrayed in between those extremes are all the various other kinds of malware.

A complex, sophisticated malware program could likely do many, if not all, the things you describe - think in terms of Stuxnet-grade malware. But generally speaking, most 'normal' malware doesn't mess with altering existing files on a system - or at least, generally doesn't succeed if it tries. While some malware can delete a non-'system' legitimate file and replace it with a same-named version supporting or containing parts of the malware, usually the route taken is to sprinkle reasonable-sounding or randomly-structured filenames in various places on a system and then call up those files as needed from a central, running malware process.

Put another way, worrying about malware altering contents of an existing file is essentially worrying about the 0.1% segment of all the malware that's out there. The one exception is where the malware might take control of an app like a browser and use it to write things of its choosing into the browser files, but those are extremely specialized data files that usually affect nothing else.

A Former User

A Former User last edited by

It's a bit tricky theorizing what malware can or can't do - as soon as one nails down a limitation, along comes a creative exploit that breaks through that limitation.

That's right, I had that in mind.

blackbird71

blackbird71 last edited by

It's a bit tricky theorizing what malware can or can't do - as soon as one nails down a limitation, along comes a creative exploit that breaks through that limitation.

That's right, I had that in mind.

This is why 'layered' security is so important - multiple security techniques like using a decent antivirus, keeping a system full patched from a security standpoint, using limited user accounts (to limit the penetration depth of malware), a good firewall that applies outgoing filtering, and consistency in applying 'safe hex' (extreme care in what is downloaded, not clicking on pop-ups or opening eMailed links, care in what sites are visited, etc). The more layers present, the harder for new malware to find or exploit an opening.