Avast WEBforum

Other => General Topics => Topic started by: Zagor on January 21, 2006, 09:41:22 PM

Title: MultiAV Scanning Tool Review...
Post by: Zagor on January 21, 2006, 09:41:22 PM
Hello my virtual forum friends!

I've got a new review of one interesting tool called MultiAV Scanning Tool (this tool was recommended to me by polonius). This is a Command Line On-Demand Virus Scanner Tool which incorporates a few of the best AV scanning engines on the market. They are:
I've tested only Sophos & McAfee, because I'm already using Kaspersky's OnLine Scanner & Trend Micro's HouseCall and I was not going to double my files.

To the point:
The scanning of my hard disks lasted for two hours (20GB of 80GB free). No unusual false positives except for this:
>>> Virus fragment 'W95/MrKlunky-A' found in file d:\Programs\_AntiVirus\PandaAntiVirusTitanium2006\PandaAntiVirusTitanium2006.exe\SfxArchiveData\data1.cab\ICAB:00250187
>>> Virus fragment 'W95/Whog-878b' found in file d:\Programs\_AntiVirus\PandaAntiVirusTitanium2006\PandaAntiVirusTitanium2006.exe\SfxArchiveData\Files/SAFEDISK.IMG
Removal successful
>>> Virus fragment 'W95/MrKlunky-A' found in file d:\Programs\_AntiVirus\PandaAntiVirusTitanium2006\PandaAntiVirusTitanium2006Unregistered.exe\SfxArchiveData\data1.cab\ICAB:00250187
Removal successful
>>> Virus fragment 'W95/CIH-10xx' found in file d:\Programs\_AntiVirus\PandaTruPreventPersonal2005\PandaTruPreventPersonal2005.rar\PandaTruPreventPersonal2005.exe\SfxArchiveData\data1.cab\ICAB:000d3ab3
Removal successful
As you can see, Panda, Panda, Panda!!! Now I have lost all three installation files, which, I might add, took ages to download with dial-up. Well, if this is how they work I don't need them anyway. So, besides those false positives and the long scan time, Sophos AV Scan is a plus for protection you must have.
Scan lasted for 45 minutes. Results:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE ... Found potentially unwanted program Downloader-AGT.
        The file or process has been deleted.
        The archive has been deleted.
C:\Program Files\Ewido\Security Suite\guard.sys ... Found trojan or variant New Malware.z !!!
        Please send a copy of the file to McAfee
        The file or process has been deleted.
C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially unwanted program Adware-Softomate.
        The file or process has been deleted.
These are not malware! False positives all around! Beware of McAfee Scan, because who knows what software it will recognize as dangerous and delete some modules.
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 21, 2006, 09:44:47 PM
This is the download address:
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

This is the manual on how to use it (in a few steps):
1. Execute & Unzip in this folder -> c:\AV-CLS\
2. Double-click on C:\AV-CLS\StartMenu.BAT
3. Choose the number in the Start Menu for starting the AV Vendor
4. Connect to the Internet & the files will be downloaded
5. Choose all harddisks or other location for scanning
Title: Re: MultiAV Scanning Tool Review...
Post by: polonus on January 21, 2006, 09:53:49 PM
Hi Marko,

Thanks for the review, but I would not recommend a scanner that goes on
deleting false positives. I would like online scanning only if I had an option
as to what to do with the results. If I use DrWebCureIt, it gives me results,
I can decide not to do anything with it, upload the suspect to Jotti or
Virustotal and see if it is real, then decide what to do finally.
False positives can be a pain in the neck, when they are really false
positives for important data on a computer. That is why a computer
with important data on it should not be connected.
If the software came with the option to do with the results as one pleases
my opinion of it would be milder, and one could use it say once a month
for a so-called garage stop.

your friend polonus
Title: Re: MultiAV Scanning Tool Review...
Post by: ..::ReVaN::.. on January 21, 2006, 10:51:02 PM
So does this program automatically delete the infections it finds?

This is a little off the topic but I sometimes feel all my PC does is scan for malware all the time (when it's in Windows, of course)....

P.S: One of the reasons I like avast! so much is that it produces very few FP's ;)

Cheers,

Mikey

Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 21, 2006, 11:42:40 PM
Hi, Mikey

Yes, unfortunately this program does that, but nonetheless the idea of multiple scanner engines is good and the program is quite simple to use. The only thing you need is some recovery program after running it to restore all the false positives that have been deleted :( Anyway, you saw the list yourself...
I think polonus is right about this, so this scanner remains pending until the author adds the option to decide what to do with the files after the scan!

In fact I'll mail him to see what his plans are and get back to you when he answers.

Greets
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 21, 2006, 11:49:16 PM
Does anyone know something about the file that I lost as a false positive in the scan mentioned earlier?

C:\Program Files\Ewido\Security Suite\guard.sys

I found this info on the net:
Service (registry key): ewido security suite driver
Display name: ewido security suite driver
Image path: \??\C:\Program Files\ewido\security suite\guard.sys
Image size: 3072

Does anyone have Ewido? Did you experience something similar? Is there any other option than reinstalling?
Title: Re: MultiAV Scanning Tool Review...
Post by: polonus on January 22, 2006, 12:13:13 AM
Hi Zagor,

This may help you with your predicament:
http://www.911cd.net/forums/lofiversion/index.php/t15202.html

So you can fix it,

Polonus aka Damian
Title: Re: MultiAV Scanning Tool Review...
Post by: ..::ReVaN::.. on January 22, 2006, 12:58:30 AM
And Zagor always remember to BACKUP before testing new programs   ;)
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 22, 2006, 01:07:11 AM
I'm afraid in this case that opportunity has come and gone my friend  :-\
Title: Re: MultiAV Scanning Tool Review...
Post by: DavidR on January 22, 2006, 01:45:16 AM
Quote
Does anyone know something about the file that I lost as a false positive in the scan mentioned earlier?

C:\Program Files\Ewido\Security Suite\guard.sys
I think the guard.sys relates to the resident part of ewido, so if you are using the free version (that after the trial period disables the resident part) it shouldn't have any adverse effect.

I don't know to what depth the removal process goes, e.g. does it also delete any registry entry related to guard.sys?
If not then it would be possible to just replace the guard.sys file (IM me your email address and I will send it to you) in the C:\Program Files\ewido\security suite folder.
However, if it also deleted registry entries you may need to reinstall.

Edit: Just renamed guard.sys and did an update and a small scan no issues.
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 22, 2006, 01:53:31 AM
Quote
I think the guard.sys relates to the resident part of ewido, so if you are using the free version (that after the trial period disables the resident part) it shouldn't have any adverse effect.

I don't know to what depth the removal process goes, e.g. does it also delete any registry entry related to guard.sys?
If not then it would be possible to just replace the guard.sys file (IM me your email address and I will send it to you) in the C:\Program Files\ewido\security suite folder.
However, if it also deleted registry entries you may need to reinstall.

I have the paid version; it has proved itself a very reliable one in preventing many trojan attacks! Yes, it is a driver for Ewido guard (resident part). This file was cleaned:
C:\Program Files\Ewido\Security Suite\guard.sys
Could the AV remove some registry entries and not report it? I can reinstall, but I was just curious if this was fixable ( :)) in some other way.
Title: Re: MultiAV Scanning Tool Review...
Post by: DavidR on January 22, 2006, 02:04:07 AM
Some AVs may go to the effort to remove registry entries, but I can't say that for sure.

You could check by using regedit to search for guard.sys; if it exists then replacing the file may work - you should be able to tell if the resident element is working after replacement and a reboot.
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 22, 2006, 03:40:24 AM
Thank you David,

Couldn't find it in registry, so I used the old way: reinstall, boot! Now it purrs like a kitten in my tray waiting for Trojans...
EWIDO THE SEQUEL
Title: Re: MultiAV Scanning Tool Review...
Post by: DavidR on January 22, 2006, 03:38:51 PM
You're welcome, now you know some AVs not only remove the file but also the entries in the registry.
Title: Re: MultiAV Scanning Tool Review...
Post by: polonus on January 22, 2006, 05:08:09 PM
Hi DavidR,

This actually means that scanning could be a risky business. And that prior to scanning one should back up the registry or, even better, set a restore point with a restore program in case of loss through false positives. So before doing something with a suspicious file, one should always seek a founded opinion to know the infection at hand is real, especially when heuristic scanning is involved.
The above is also true for spyware scanning with online scanners; where full removal is not possible or fails, set a restore point and back up the registry before scanning. I know good online scanners provide these possibilities and ask Windows to do this.

polonus
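The two precautions discussed above (polonus's restore point and registry backup before scanning, and DavidR's registry search for a deleted driver's service entry), as an added PowerShell example that is not from the thread or from the MultiAV tool. It assumes Windows PowerShell 5.1 run as administrator with System Restore enabled; the backup folder path is a constructed placeholder.

```powershell
# Added example, not part of the thread. Run as administrator in Windows PowerShell 5.1.

# 1) Create a restore point before running any scanner that deletes on detection.
Checkpoint-Computer -Description "Before MultiAV scan" -RestorePointType "MODIFY_SETTINGS"

# 2) Export the Services hive so a deleted driver's service entry can be re-imported later.
$backupDir = "C:\PreScanBackup"            # constructed placeholder path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services" "$backupDir\Services.reg" /y

# 3) After a scan has removed a file, check whether its service entry survived
#    (the regedit search for guard.sys suggested in the thread, done from the shell).
function Find-ServiceByImage {
    param([Parameter(Mandatory)][string]$FileName)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ImagePath -and $_.ImagePath -like "*$FileName*" } |
        Select-Object PSChildName, ImagePath
}

$hits = Find-ServiceByImage -FileName 'guard.sys'
if ($hits) {
    # Entry still present: copying the original file back and rebooting may be enough.
    $hits | Format-Table -AutoSize
} else {
    # Entry gone as well: re-import the exported hive or reinstall the product.
    Write-Output "No service references guard.sys; re-import $backupDir\Services.reg or reinstall."
}
```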
Title: Re: MultiAV Scanning Tool Review...
Post by: DavidR on January 22, 2006, 05:27:01 PM
Quote
This actually means that scanning could be a risky business.
Yes and even more so when using multiple on-line scanners when you don't know what it is going to do upon detection. Since the AV program isn't installed on your system, I would guess reversal/restoration of files and registry entries of FPs would be even more difficult.

So a good backup/recovery strategy is essential.
Title: Re: MultiAV Scanning Tool Review...
Post by: bob3160 on January 22, 2006, 08:04:10 PM
This is one of the instances where it's nice to have GoBack or something similar.... :) :)
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 22, 2006, 11:34:35 PM
I received a mail from the author of Multi_AV tool after mailing him about my False Positives:

On 22 Jan 2006, at 04:40, Zagor wrote:

> Since the tool does not have the option to deal with the infected files after the scan has found them,

The tool will attempt disinfection and delete the infected object if this disinfection is not possible. This process happens on the fly during the scan. This applies to sophos, mcafee and kaspersky engines. Currently we do not have an option to leave the files if a disinfection is not possible.

> I'm interested do you plan on integrating this feature! And if you do, when?

We don't believe there is any reason to change this at the moment. The tool is set up to deal with virus infiltrations.


Regards,
Ian Kenefick.
Title: Re: MultiAV Scanning Tool Review...
Post by: ..::ReVaN::.. on January 22, 2006, 11:43:32 PM
I know I will stay away from this program guys.....
Title: Re: MultiAV Scanning Tool Review...
Post by: polonus on January 23, 2006, 12:11:40 AM
Zagor and ReVaN,

Same for me here too, thumbs down for a program like this,
sign for the folks here to stay away from that MultiAV tool.

Better to have the BitDefender 9 on occasion or download DrWebCureIt or run a full ClamWin once in a while, where you still have all options open after something is found.

And Zagor thanks again for the bold testing. We owe you.

Polonus


Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 23, 2006, 12:18:27 AM
Well, it was my pleasure... 8)

A couple of minutes ago I received a response to my new mail:

> Thank you very much for such a quick reply.

You are welcome.

> I didn't explain the reason for my request in the first mail. McAfee and Sophos found many false positives

Please give me an example of these false positives. Are you sure they are not just potentially unwanted programs?

> which were immediately deleted after the scan had finished and left me with no choice but to use system restore and get the system back to its previous state. So this option is a must for safe usage of your program.

I think we could include an option for 'safe-usage' where no heuristics would be used - maybe in new version. I think that a false positive with sophos might be an issue here though. Sophos doesn't use heuristics so it's a problem with signatures. Can you send me the log?

> I did post my testing of your program on some security forums and when people heard that there is no option for stopping the false positives from being removed, they characterized this tool as a "stay away from it-tool"

:) I guess they might not have a use for it. This is a great tool in my view. It works very well to remove malware.

> and it is a shame because this is a very handy, easy to use program.
> Please consider this as a friendly remark from the user.

Appreciated :-D

Regards,
Ian Kenefick.
Title: Re: MultiAV Scanning Tool Review...
Post by: polonus on January 23, 2006, 12:34:16 AM
Well friend Zagor,

You did your bit, now wait until they have their act together, furthermore it stays a tool we cannot support in this form. Agreed?

polonus
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 23, 2006, 12:43:58 AM
Absolutely!

But I couldn't do much without you guys, so... ;)
Title: Re: MultiAV Scanning Tool Review...
Post by: Zagor on January 24, 2006, 04:16:19 PM
I have contacted the author of the program again and this time he was interested in my proposal to include the option for dealing with scan results. He asked me to send him the false positives from my testing so he can study them.

Maybe after all he will decide to change his mind and listen to us  :) Anyway, as polonus said, we did our job, now it's time to wait...