Microworld Antivirus toolkit and escan - any good?

Discussion in 'Anti-Virus' started by Moe Hair, Feb 24, 2005.

  1. Moe Hair

    Moe Hair Guest

    Ok, just to be on the safe side I took someone's advice and downloaded the
    Microworld Antivirus toolkit utility (powered by Kaspersky) in order to
    scan my hard drive. Avast and Norton didn't find any viruses, but this
    utility came up with the following. First of all, what does "tagged as not
    a virus" mean? The utility found several viruses but next to each one
    stated, "tagged as not a virus". Huh? Most of these files seem like legit
    program files, so how can they possibly have raised a flag?


    File C:\DELL\Drivers\SiigUSB2.0_v2.06.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\DELL\Drivers\TB1-Eng.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\My Downloads\aaw.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\My Music2\Divx Bundle.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\My Music2\Radium MP3 Codec v1.263 - Radium.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\My Shared Folder\Serialz.exe infected by "Backdoor.Win32.VB.ar" Virus. Action Taken: No Action Taken.
    File C:\My Shared Folder\WinXP Pro - Office XP (final) Key Generators (TEK) (1).exe tagged as not-a-virus:Tool.Win32.Shutdown. No Action Taken.
    File C:\Program Files\Corkboard\UNINSTAL.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Games\Microsoft Pinball Arcade\Setup.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Taxcut99\attcheck.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Taxcut99\checktc.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Taxcut99\removetc.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Taxcut99\update.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Turtle Beach\APPS\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Turtle Beach\OSR2GLUE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Voyetra\TBS Montego\ACRORUN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Voyetra\TBS Montego\OSR2GLUE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\TB1-Eng\APPS\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\TB1-Eng\OSR2GLUE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
     
    Moe Hair, Feb 24, 2005
    #1

  2. Kaspersky uses so called extended dats which are used for detecting
    other kind of malware than viruses and trojans. Included are adware,
    spyware, hacking tools, virus writing tools, crack progs, reboot
    capable applications etc etc. So you seem to mainly have programs that
    reboot the machine when installed and one keymaker etc.
    http://www.kaspersky.com/extraavupdates

    Jari
     
    Jari Lehtonen, Feb 24, 2005
    #2

  3. Sorry you do have one dangerous application that is a backdoor trojan.
    Delete it.
    File C:\My Shared Folder\Serialz.exe infected by "Backdoor.Win32.VB.ar" Virus. Action Taken: No Action Taken.

    Jari
     
    Jari Lehtonen, Feb 24, 2005
    #3
  4. null

    null Guest

    These are programs or utilities that can do harmful things when used
    improperly (by unskilled users). They are not Trojans. They are not
    malicious code. They have "good" uses and are "known" to the AV as
    such. But KAV (and McAfee and maybe some others) may alert users to
    some of these commercial programs. With the McAfee command line
    scanner you have to specify that you want these detections by means of
    a command line switch. With KAV, there is no user selection (at least
    on the versions I'm familiar with).

    I guess the purpose of such alerts is to warn naive users to shy away
    from using the flagged programs and utilities.

    Art

    http://home.epix.net/~artnpeg
     
    null, Feb 24, 2005
    #4
  5. Moe Hair

    Moe Hair Guest

    I deleted that one immediately before I even posted this message, although
    both Avast and Norton scanned it and found nothing.
     
    Moe Hair, Feb 24, 2005
    #5
  6. Vanguard

    Vanguard Guest


    Kaspersky used to use ADS (alternate data streams) on files. This only
    works under NTFS which allows more than one data stream for a file.
    Normally you only see the primary data stream, like the one you would
    see with Notepad when editing a file. The Resource Kit and SysInternals
    have tools to let you look at the ADS of files. Kaspersky used to use
    the ADS to mark a file as already scanned, saved a hash code (so it knew
    that the file was already scanned and had not been modified since the
    last scan), and probably stored some status in the ADS. The tool you
    are using might be checking the ADS and seeing that the Kaspersky
    engine already created an ADS and marked that file with its hash code
    and also noted that it wasn't infected. This hash value (to know the
    file hasn't been changed since the last scan) and noting it wasn't
    infected allows Kaspersky to run faster. Rather than scan the entire
    file again, it just checks the ADS so it can skip checking that file.

    At one time, I was looking at getting Kaspersky but do not like its use
    of ADS. Only recently have anti-malware products started to scan the
    ADS of files (Ad-Aware scans the ADS but Spybot does not). If you
    uninstall Kaspersky, it doesn't bother to remove all the ADS'es that it
    added to the files. ADS is an advanced feature of NTFS but Microsoft
    didn't bother empowering users to interrogate it. By adding an
    alternate data stream, you could make a 1KB file actually 1GB in size
    and the user won't understand why they have problems copying the file
    due to "insufficient free space" for what gets reported by Explorer or
    'dir' as a tiny 1KB file. Malware could even bloat out your files to
    consume all free disk space although everything you use says the files
    consume space far less than the capacity of your drive.

    It makes a convenient place to secrete a virus or trojan because
    anti-virus programs won't scan the alternate data stream of a file. The
    on-demand file scanner of the anti-virus program won't discover the
    virus hiding in an ADS. However, something has to extract the virus
    from the ADS, load it in memory, and execute it so the on-access scanner
    for the anti-virus program should catch it then (but then it is a virus
    in memory and no longer in the file so the virus never does get truly
    eradicated).

    Some articles on ADS:
    http://www.ntfs.com/ntfs-multiple.htm
    http://www.auditmypc.com/freescan/readingroom/ntfsstreams.asp
    http://www.heysoft.de/nt/ntfs-ads.htm

    Some utilities for ADS:
    SysInternals' stream
    LADS
    CrucialADS
    Win2000 Resource Kit (forget what the utility is called)

    It isn't just Microsoft's NTFS that uses alternate data streams. "The
    Mac OS uses alternate streams called resource forks on the Mac's
    Hierarchical File System (HFS) to store application metadata such as
    icons"
    (http://www.windowsitpro.com/Windows/Article/ArticleID/19878/19878.html).
    ADS have been around as long as NTFS yet it is the rare Windows user
    that has even heard of it.

    Well, at least Ad-Aware SE will now scan alternate data streams but
    that's just one safeguard product. I wish the on-demand scanners for
    anti-virus programs also scanned the ADS. I believe one of the
    anti-trojan products, maybe TDS-3, also scans the ADS.
     
    Vanguard, Feb 24, 2005
    #6
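A way to see the size discrepancy Vanguard describes and then sweep a directory tree for files carrying alternate data streams, as an added PowerShell example that is not from this thread. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the demo file name, the stream name 'hidden' and the Find-AlternateStreams function are made up for the example.

```powershell
# Added example, not from the thread: reproduce the "tiny file, large ADS"
# effect in a temp directory, then hunt for files whose alternate streams
# hold bytes that dir and Explorer never report.
# Assumes Windows PowerShell 5.1+ on NTFS; names below are constructed.

# 1. Build a demo file: tiny primary stream, much larger alternate stream.
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'tiny primary stream'
Set-Content -LiteralPath $demo -Stream 'hidden' -Value ('A' * 1MB)

# dir/Explorer report only the primary ::$DATA stream ...
"Reported size: {0} bytes" -f (Get-Item -LiteralPath $demo).Length
# ... while every stream, including 'hidden', shows up with -Stream *
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length

# 2. Sweep a tree and report files whose ADS hold extra bytes.
#    Expect many 'Zone.Identifier' hits on downloaded files: that is the
#    browser's mark-of-the-web, not malware. Large or oddly named streams
#    on files that were never downloaded are the ones worth a closer look.
function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $f = $_
        $alt = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
        if ($alt) {
            [pscustomobject]@{
                Path         = $f.FullName
                VisibleBytes = $f.Length          # what dir/Explorer show
                HiddenBytes  = ($alt | Measure-Object -Property Length -Sum).Sum
                Streams      = ($alt.Stream -join ', ')
            }
        }
      }
}

Find-AlternateStreams -Root $env:TEMP |
    Sort-Object HiddenBytes -Descending | Format-Table -AutoSize

Remove-Item -LiteralPath $demo   # clean up the demo file (and its streams)
```

On Vista and later, `dir /R` in cmd.exe and the Sysinternals `streams` tool Vanguard mentions list the same streams from the command line.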