From: ~BD~ on 4 Apr 2010 02:47

David Kaye wrote:
> ~BD~ <BoaterDave(a)hotmail.co.uk> wrote:
>> The Real Truth MVP wrote:
>>> Yes, all kidding aside it could be a new variant and he also only posted
>>> the program version number not virus definition version which is 100403-1
>>
>> Maybe he'll check if he reads my reply to you!
>
> I did and I checked and it's 100403-1. I let Avast automatically update both
> the program and the definition files.
>
> It looks like this may be a trend. I walked a customer through a registry
> rollback (luckily the malware didn't take over safe mode) and had her set it
> back 3 days. Again, like me, she has Avast on her computer, and likely has
> the current definition file. I know she has the same program version I do.
>
> Funny thing is that in quick scan mode, MBam didn't see anything at all. On
> my computer it saw ave.exe.
>
> Thank goodness it was merely a matter of rolling back the registry and not
> something more serious like boot sector injections, etc. Still, she still has
> the malware on her computer; it's just the registry doesn't know about it.
> Next time I visit her I'll have to check and get rid of it.

Perhaps try Microsoft Security Essentials!
http://www.microsoft.com/security_essentials/?mkt=en-us

I'm using it on two machines and it seems to work just fine!

You have obviously found this experience somewhat disconcerting, David, and I can just feel your frustration. For me, though, it has been most interesting, especially your posting times being ahead of others who are also using Eternal-September. Might you approach Ray Banana about this? I've found him very helpful.

I wish you a very Happy Easter.

Dave BD

An afterthought!

Assume you had a pristine machine (new or with a new hard disk) - not connected to the Internet - upon which you had loaded Malwarebytes from a memory stick. If you ran a full scan it should of course report no infections.

With all the skill you have acquired, would you be able to tell if changes had been made to your machine by MBAM which might, perhaps, enable remote access to it when connected to the Internet?
From: David Kaye on 4 Apr 2010 05:25

"The Central Scrutinizer" <gcisko(a)hotmail.com> wrote:
> Let's say what you mention here is true. If that is the case, why would he
> not know that users running as local admin is for sure asking for problems? He
> said he is running that way as all of his clients do as well! WHAT!!!!

I have been fixing malware problems full-time since 2002. That's 8 years. When I remove malware, turn off unnecessary services, remove unneeded startups, and put in a rudimentary anti-malware program (Avast lately), I seldom get repeat calls from my customers for malware problems. When they do call me back it's to fix something unrelated or to refer a new customer.

So, I feel fairly confident that XP is just fine in the default user mode, which has admin privileges. Oh, I suppose I could set them up with limited accounts but do you know how sloppy that is? Some programs simply won't work, while others get flaky. Quickbooks is a perfect example. It will not run properly (and sometimes not at all) on a limited account.
From: FromTheRafters on 4 Apr 2010 07:05

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp95j8$ekl$6(a)news.eternal-september.org...

[...]

> This is where heuristic scanning comes in and why MBam can catch nearly
> everything. I had the impression, reading from Avast's documentation and
> various postings from people that Avast also had similar heuristic scanning.
> Apparently not.

[...]

From my reading, Avast! only uses its heuristics for its e-mail scanner.
From: FromTheRafters on 4 Apr 2010 07:31

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp85v4$ua4$3(a)news.eternal-september.org...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>
>> Were you running as administrator at the time of the "attack"?
>
> Running XP Pro with a default user with admin privileges.
>
>> It is possible, while browsing to a legitimate site, to get redirected
>> to a site that launches several browser exploits aimed at executing a
>> rogue application on your machine.
>
> Using OpenDNS as the DNS. Using Windows Firewall and Avast. I checked
> filedates in various directories and didn't see much other than ave.exe and
> its entries in the registry. It was actually fairly simple to get rid of,
> having dealt with it before on customer machines.

Yeah, some are easy enough to remove, and even easier to avoid *having* to remove. :o)

>> (server-side) to avoid detection by your antimalware component. Similar
>> to the way a virus can be self-polymorphic - a downloaded program file
>> can take many forms.
>
> What's eating me is that the program launched with a window that was clearly
> detectable in Task Manager as ave.exe, and yet while Avast was running it
> simply didn't see the program.

Some stuff will get past detectors. With admin rights, what gets past may well attack the detector itself. After that, even well known and reliably detectable malware can get past.

> After rolling back the registry 5 days manually (booting up with BART-PE) I
> then ran XP in regular mode and scanned with MalwareBytes. MB immediately saw
> it. (I'm using the freebie MB, so it does no realtime scanning). Avast
> still didn't see it even after I ran the drive scan option. And I have the
> latest Avast update.

The best thing to know would be exactly what was on the exploit riddled website.

...as a side note, I read somewhere, about a month ago, that 80% of the most popular legitimate websites had served up malware within that one week period. IIRC it was mostly through advertisements that they had hosted.
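As an added example (not code from anyone in this thread), here is a PowerShell check that does by script what David describes doing by hand after the ave.exe incident: it enumerates the Run/RunOnce autostart entries in the registry and flags any whose target file was modified within the last few days, is missing, or lives in a user-writable folder. The day threshold and the flag labels are my own assumptions.

```powershell
# Added example: audit Run/RunOnce autostart entries for suspicious targets.
# DaysBack (assumed default 5, matching the rollback window in the thread) is the
# "recently modified" threshold; adjust to taste.
param([int]$DaysBack = 5)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run value, whether it is written as
# "C:\dir\app.exe" /arg  or  C:\dir\app.exe /arg  (environment variables expanded).
function Get-TargetPath([string]$command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$cutoff = (Get-Date).AddDays(-$DaysBack)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; those are not registry values.
        if ($p.Name -like 'PS*') { continue }
        $target = Get-TargetPath ([string]$p.Value)
        $flags = @()
        if (-not (Test-Path -LiteralPath $target)) {
            $flags += 'missing-file'
        } else {
            $lastWrite = (Get-Item -LiteralPath $target).LastWriteTime
            if ($lastWrite -gt $cutoff) { $flags += "modified-within-${DaysBack}d" }
        }
        # Autostarts dropped into per-user or temp folders deserve a second look.
        if ($target -match '\\(AppData|Local Settings|Temp)\\') { $flags += 'user-writable-path' }
        [pscustomobject]@{
            Key    = $key
            Name   = $p.Name
            Target = $target
            Flags  = ($flags -join ',')
        }
    }
}
```

Run it before and after a cleanup, or pipe the output to Export-Csv, to keep a record of what changed; an entry that is flagged is a lead to investigate, not proof of infection by itself.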
From: FromTheRafters on 4 Apr 2010 07:44
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp9idk$lsu$1(a)news.eternal-september.org...

[...]

> When I remove malware, turn off unnecessary services, remove unneeded
> startups, and put in a rudimentary anti-malware program (Avast lately),

[...]

Avast! is an antivirus program. As you apparently already know, it is good to have an antimalware program as well. It looks like soon enough the two will completely merge because it is becoming more and more important for AV (formerly heavy on the more preventative content scanning) to adopt context scanning for post infestation identification and clean-up.

...still, if a detector program is virus capable, I suspect it will still be called an antivirus even if it is a comprehensive antimalware as well (since viruses are a special case).