Author Topic: AV/AT cleanup - let's have a discussion.


Kobra

AV/AT cleanup - let's have a discussion.
« on: June 20, 2004, 11:18:44 PM »
After having a discussion with TDS-3, and Ewido guys, I’ve found some interesting things….  Differences between company philosophies, etc.

For one, Ewido will *ONLY* add a Trojan to his database if his product can *Fully* clean it from your system without destroying your OS.  I submitted over 80 trojans to him in the last week, and he only added a small selection of these to his database. The reason?  A few of them were file infectors, difficult, if not impossible, to clean once they infect your system. One of the threats I sent him was Parite-B.

http://home.arcor.de/antivirus/parite.html

Ewido’s response was:

“Kobra, thanks for the incredible submissions you sent us. Unfortunately we currently won't add many of them to our database because some of these are trojans which infect other executables very rapidly. Our Clean-Engine isn't capable of cleaning infections like these yet (and few to none are). We could easily detect them and remove the whole file but that's not what the user wants; it may leave his system in an unbootable state (infected system files that have been deleted and not correctly cleaned etc.). TDS-3 also can't clean them and just deletes the file. This lets me think that they just added these detections to get better results in tests and we don't want to do that :) –ewido networks”

Now, the interesting part is.. TDS-3 detects this already, but to clean it, it destroys your system, rendering it unable to boot depending on the level of the infection – which is usually deep and fast.  

So the point is, I want this to spur a discussion on the realities of an AV and the limitations of traditional AV products.  If a product finds this and deletes it, your system is fried; or would you rather just have it infected, then re-format at your leisure?  Ewido has nearly 50,000 Trojan threats in its database, and each and every threat in its database is *FULLY* cleanable by Ewido, since he refuses to add anything he cannot guarantee a cleanup for.  Is this a superior product to TDS or many AVs, which simply add signatures to their database, with or without the ability to clean?

I mean it's not a question in my mind that most AT/AV products SUCK at cleanup.  Avast has a great solution, keeping a VRDB (full backup of important files) in an encrypted file, so when you tell Avast to clean, it cleans, and doesn’t pull any crazy stuff.  Many people say AV/ATs offer “Generic” cleaning with their products, but I've found this to be misleading to say the least.  What do you consider generic?  The fact it can run through your system randomly deleting things the virus attacked, destroying your OS?  The fact that Avast had the foresight to put in place a system to allow full recovery, to me, indicates a superior product.

I mean so what XYZ Antivirus software can detect 400,000 threats, if it does find them, it blows up your box trying to clean them right?  Pointless?  Hmm, i'm beginning to think so.  When people talk smack about Avast, I think they are neglecting many important things, the least of which, is the ability to CLEANUP without destroying your box.  How many other AV's can make that claim with assurances?  None?  The VRDB isn't perfect, but it *IS* a solution for right now, not tomorrow - like others promise.

It's all fine and good to brag that your "Virus Laboratory Deep in the heart of XYZ Country" receives 1500 samples per day.  Is it ignorant to brag that you can run an automated MD5 scripter on 1500 samples and push them into your definition base without regard for the consequences a user of your product might face if they hit the "Clean" button when infected?   I'm inclined to say yes...

Discuss?
« Last Edit: June 20, 2004, 11:31:04 PM by Kobra »

whocares

Re: AV/AT cleanup - let's have a discussion.
« Reply #1 on: June 20, 2004, 11:49:27 PM »
1)
For one, Ewido will *ONLY* add a Trojan to his database if his product can *Fully* clean it from your system without destroying your OS.

2)
Avast has a great solution, keeping a VRDB (full backup of important files) in an encrypted file, so when you tell Avast to clean, it cleans, and doesn’t pull any crazy stuff.  

Hi Kobra,

@1)
interesting.. thx for the info..
didn't really know this, although one could've guessed it, as ewido is not targeted at classic viruses, but rather trojans, worms, dialers etc.. (which usually DON'T "infect")
I do see their point in this case, though..:
Of course if an AV detected EVERY malware on intrusion/before spreading, cleaning wouldn't be needed, but
- this is quite impossible &
- ewido free is on-Demand-only so that question is irrelevant -> ewido can only be used as a second backup scanner

@2) BS-EDIT as to chest/VRDB:

VRDB is
..\Avast4\Data\integ\avast.int, right ?
--> 7.5 MB on my PC ..
sure this can't be every infectable file ?


avast sure IS pretty good against infections/on cleaning..
although recently I've seen some glitches here in the BBS when after a cleaning no programs would run..-> EXE-settings corrupted..

Could be a user's fault though: I wonder if avast internal Cleaner only repairs registry changes when you click REPAIR (even when it's a worm/trojan, where the file itself CAN'T be repaired, but just deleted..)
or also when you click delete ??


-->  ?? IGOR, PAVEL, boardies ??
What say you to this matter of repairing the registry ..?
And is this different for Main-Scanner, Quick-Scan & resident shield ?
Can't/won't check it, obviously    ;D ;D ;)


But my opinion to cleaning:
ANY Malware-scanner that also includes "real" file-infecting viruses as target/in its definitions SHOULD be able to FULLY clean infected files, IF they ARE fully Cleanable (which is not the case with overwriting infectors etc..)

On the other hand ->
lots of users:
- don't care to inform themselves about proper removal and take the wrong action on a (virus) alert, e.g. DELETION is ALWAYS wrong if you don't know what you're doing..
- even format their PC when they have easily cleanable malware because they are too lazy to get information.. (see above..)
you won't help those, no matter how good your AV is..

Just my 0.02 €

 ;) :)
« Last Edit: June 21, 2004, 12:09:10 AM by whocares »

Kobra

Re: AV/AT cleanup - let's have a discussion.
« Reply #2 on: June 21, 2004, 12:03:49 AM »
Those files in your chest are not the VRDB, they are a few special system files it stores there in case. =)  VRDB is different.

You are correct about preventing the infection, but reality is, nothing is going to be 100%.  Even advanced AI engines for on-access protection like MKS aren't going to be as good as a VRDB type of system, are they?  Surely AI may let something through; nothing's perfect.
Ideally though, yes, infections will be stopped at the doorstep, but thats NOT reality. Especially with the many variants out there, and varied ways of rebasing them to launch, etc.

Ewido is specific against only Trojans/Worms/Malware, and doesn't offer realtime protection until the pro-version is launched, so you have zero front-end protection with it.  Its simply a nice backup scanner right now.

The problem for me is, I *CRAVE* Avast to have an on-access engine with seriously advanced heuristics like MKS, but then I crave for MKS to have a VRDB system like Avast!  So i'm at a lose-lose stalemate between AV's here!  One has most of what I want, the other has other things I want.  I guess in theory, I could run MKS on-access, and Avast for everything else, but thats less than ideal.

Any suggestions? LOL!

whocares

Re: AV/AT cleanup - let's have a discussion.
« Reply #3 on: June 21, 2004, 12:10:32 AM »
[OT]

Those files in your chest are not the VRDB, they are a few special systems files it stores there incase. =)  VRDB is different.


you're right there (I DID know this at some point)

But:
VRDB is
..\Avast4\Data\integ\avast.int, right ?
--> 7.5 MB on my PC ..
sure this can't be every infectable (system/important) EXE file ?
or are these the absolutely vital ones that get the PC up to the desktop ?

a bit OT, and I guess an extensive board-search would give me some answers.. forgive me..
 ;)
[/OT]
« Last Edit: June 21, 2004, 12:14:46 AM by whocares »

Straight Shooter

Re: AV/AT cleanup - let's have a discussion.
« Reply #4 on: June 21, 2004, 07:00:40 AM »
Kobra, You're looking for "The Perfect AV" LOL... :P
Here is what I would say is the "Perfect AV"...

1. The detection of KAV...
2. The speedy updates of KAV...
3. The Virus Encyclopedia of KAV and NAV..
4. The support of KAV and Avast!
5. The forum support of KAV and Avast!
6. The VRDB of Avast!
7. The Virus Bulletin record of NOD32...
8. The popularity of NAV...
9. The dual engine design of AVK Pro...
10. The quick on demand scan of NOD32, Avast is very fast on my system...
11. The heuristics of ??????
12. The cool skins and look of Avast!

Now you see what my problem is, right?

RejZoR

Re: AV/AT cleanup - let's have a discussion.
« Reply #5 on: June 21, 2004, 07:10:46 AM »
Consider a VRDB as a storage facility for files' "DNA" samples.
If some file is infected, avast! checks the record for the infected file's "DNA" record. If it's found, it probably checks what has changed by comparing the infected sample's "DNA" with the "DNA" stored in the VRDB.
Data that doesn't belong there (in the file) is wiped and you have a clean file again. This is just theory, the Alwil team probably knows/understands this better :)

igor

Re: AV/AT cleanup - let's have a discussion.
« Reply #6 on: June 21, 2004, 12:02:33 PM »
Cleanup... not an easy question, I must say.

Well, the only 100% reliable method working in 100% of cases is restoring the files from backup. That's the fact... and I dare say this was avast! philosophy for most of the time.
When avast! Virus Cleaner was created, it changed a little... but still the main priority is the detection, not cleaning. If the user never gets infected, it's not necessary to clean the virus. Therefore, I find the idea of not including the unable-to-clean viruses into the database VERY bad - the antivirus protection is not just about cleaning, it should prevent the virus from entering the computer at first! (which it won't, if the samples aren't in database - and it doesn't matter that the scanner is on-demand only; you use it to scan the file before you start it, don't you?). But of course, it's a matter of opinion.

As for the cleaning methods: avast! Virus Cleaner is capable of cleaning some file infectors (including Parite). I don't know if you'd call the method "generic", I'd rather call it "virus specific", but I think it's the usual method. The program simply has a special piece of code for every virus; this code "reverses" the changes done by the virus (which may not be very trivial; the virus may protect the original data by various scrambling methods).
One of the disadvantages of this method is that in general, it won't guarantee that the repaired file is exactly the same as the original. The viruses often overwrite some "unimportant" part of the infected file - and this information is simply lost. The cleaning program, not having the original information, is unable to turn the file back to its original state. Sure, the lost info is usually not important (maybe just some kind of timestamp), so the file is "successfully" repaired and it works... in 99.9% of the cases. But it's important to realize that it's not 100%. Some programs may behave strangely after being infected and repaired (such as Notepad after Elkern infection; you won't notice until you start 2 instances of it... because the section properties were changed to "shared"). Or, you may have a copy-protected program that checks the checksum of its own executable... and will trigger some kind of anti-pirate protection measures if you run the repaired executable.
That's why such kind of healing is questionable... strange problems may appear later as a consequence. Restoring the files / system from backup is certainly time consuming, but avoids such kind of troubles.

VRDB is certainly nice... but it's got also limitations. First, the information about the original files has to be stored in the database, i.e. installing the antivirus on a computer that's already infected won't be very helpful. Second, VRDB stores "important" parts of the executables. While it may have been very successful in DOS times, Windows executables have much more potential virus targets. So, there certainly are viruses whose infection VRDB won't be able to fix, because the target file part is not stored in the database. Of course, it's possible to store some more info in VRDB... but it's simply not possible to store everything - that would require duplicating all the executable files on your disk, and I guess you don't want VRDB to occupy gigabytes.

As I said, I'll try to improve the VRDB for the future release (store more information without increasing the size much). I have already started, but I'm not sure if it will be finished soon enough to make it to avast! 4.5; well, if not, it will simply be included in the following update. I believe it will be much better, but don't expect miracles ;)

As for the Cleaner included in avast!, the connection is currently very simple. When a Cleaner-supported virus is found, avast! offers you to "Remove the virus completely from the system". If you select this choice, the usual Cleaner window pops up and starts its scan. That's it - there's no connection to the "Repair" button (yet). You may find it strange, but it's the safest method. avast! Virus Cleaner tries to remove all the possible traces of the worm/virus from the system - and to do that, it simply has to scan the whole system: memory, drives, registry. Passing it a single filename, detected by avast!, is often not an option. I will try to extend the interface somehow (such that the Cleaner is used when you press the "Repair" button), but it will probably be limited somehow.
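The "DNA record" idea RejZoR sketches in Reply #5 and the two VRDB limitations igor describes in this reply (a baseline taken on an already-infected machine records the infected state; an infection that touches bytes outside the stored region can be detected but not repaired from the database) can be shown with a toy integrity database. This is an added example, not avast!/Alwil code: the 64-byte "header" region, the 1024-byte stand-in executable, and the two simulated infectors are constructed assumptions for the illustration.

```python
import hashlib

# Assumption for the example: the database keeps a verbatim copy of only the
# first HEADER_LEN bytes of each executable (standing in for the PE header and
# entry point), plus a hash and the length of the whole file.
HEADER_LEN = 64


def build_record(data):
    """Snapshot what the toy database stores about one (presumed clean) file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "length": len(data),
        "header": data[:HEADER_LEN],
    }


def is_modified(record, data):
    """Detection: does the file on disk still match the recorded hash?"""
    return hashlib.sha256(data).hexdigest() != record["sha256"]


def repair(record, data):
    """Repair using only what was stored: put the recorded header back and
    truncate to the recorded length. Returns (candidate, verified); verified
    is True only if the candidate hashes back to the recorded file, so a
    repair that could not undo the damage is reported, not silently accepted."""
    candidate = record["header"] + data[HEADER_LEN:record["length"]]
    return candidate, not is_modified(record, candidate)


def infect_appending(data, payload):
    """Constructed appending infector: redirect a fake entry-point field in the
    header to the end of the file and append the virus body there."""
    header = bytearray(data[:HEADER_LEN])
    header[4:8] = len(data).to_bytes(4, "little")
    return bytes(header) + data[HEADER_LEN:] + payload


def infect_overwriting(data, payload, offset):
    """Constructed overwriting infector: clobbers bytes in the middle of the
    file, i.e. outside the region the database keeps a copy of."""
    return data[:offset] + payload + data[offset + len(payload):]


CLEAN_EXE = bytes(range(256)) * 4  # constructed 1024-byte stand-in for an .exe
VIRUS_BODY = b"\xcc" * 200          # constructed virus body


def demo():
    """Run three scenarios; each tuple is (detected, repair_verified, byte_identical)."""
    record = build_record(CLEAN_EXE)
    results = {}

    # 1. Appending infector: damage is confined to the header plus an appended
    #    tail, so the stored header and length are enough to reverse it exactly.
    infected = infect_appending(CLEAN_EXE, VIRUS_BODY)
    fixed, ok = repair(record, infected)
    results["appending"] = (is_modified(record, infected), ok, fixed == CLEAN_EXE)

    # 2. Overwriting infector in the middle of the file: detected, but the
    #    overwritten bytes were never stored, so the repair cannot be verified.
    infected = infect_overwriting(CLEAN_EXE, VIRUS_BODY[:32], 512)
    fixed, ok = repair(record, infected)
    results["overwriting"] = (is_modified(record, infected), ok, fixed == CLEAN_EXE)

    # 3. Database built after the infection: the infected file is the baseline,
    #    so it is not even reported as modified.
    already_infected = infect_appending(CLEAN_EXE, VIRUS_BODY)
    late_record = build_record(already_infected)
    results["baseline_after_infection"] = (is_modified(late_record, already_infected),)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of `repair` returning a verified flag is the one igor makes about virus-specific cleaning: a repair that merely "works" is not the same as one that provably restores the recorded file, and the tool should say which it achieved rather than leave the user to find out later.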

RejZoR

Re: AV/AT cleanup - let's have a discussion.
« Reply #7 on: June 21, 2004, 12:54:48 PM »
Don't rush with VRDB and other features. Better late than sorry ;)
Could you make it so the Clean button is selectable only if the file is possible to repair (if the entry is in the VRDB)? Otherwise people just get confused when they press Clean and get back an error (of course there should be a quick description of why it cannot be repaired and what the best secondary option is).
Oh, and a type description should be there too (i.e. Worm, Trojan, Virus, Spyware, Joke etc.) so users won't use the word "virus" for each and every file even if it is a trojan. It would be much easier to analyse user problems too.

bob3160

Re: AV/AT cleanup - let's have a discussion.
« Reply #8 on: June 22, 2004, 05:47:37 AM »
RejZoR
I don't consider myself a complete novice but, there are times when it's hard to decide what to do if a virus is found.
Also, if I select clean and then get the message back that it can't, then I always wonder what next????
So I fully support your opinion on the selection method.
Thanks

Max M.Wachtel III

Re: AV/AT cleanup - let's have a discussion.
« Reply #9 on: June 25, 2004, 10:42:58 PM »
Hey everyone!
Wouldn't the best option for cleaning be to restore the offending file from the original installation disk or the backup of the registry that you have made?
-max


.: Mac :.

Re: AV/AT cleanup - let's have a discussion.
« Reply #10 on: June 25, 2004, 11:16:53 PM »
Quote
11. The heuristics of  ??? ???
Command or F-Secure

Staind

Re: AV/AT cleanup - let's have a discussion.
« Reply #11 on: June 26, 2004, 03:55:12 AM »
I thought NOD32 had really good heuristics.   I'm just curious though, why has Avast! never considered developing heuristics for the main scanning engine?

.: Mac :.

Re: AV/AT cleanup - let's have a discussion.
« Reply #12 on: June 26, 2004, 05:17:09 AM »
NOD32, well it may have them but I have no first-hand experience with them. Its GUI is split into different sections and I avoid programs like that. (Norman Virus Control has a Code Emulation Engine that they call sandbox but their GUI is split so I only used that program for the 30 day trial)