App Review: A test of Kaspersky Virus Removal Tool

Content created by cruelsister
If Kaspersky was running first, before infection, would you have been able to install it without disabling it or most any other AVs? And second, is there a secondary scanner that can detect and remove Xores? Thanks
If by that you mean if Kaspersky real time was installed, then there would have been no infection as K would have detected the original malware and deleted it. As for other AVs, the detection rate is spotty (and could be made more so by manipulation of the original, making it close to zero-day).

As to other 2nd opinion scanners, next week will be the same versus NPE (actually this video is part 1 of a 4-part series: next NPE, then Fun Facts about both NPE and KVRT); probably will bore most to tears but at least they will be equally short.

But one thing I need to point out is that this malware (as will also be the case with a similar one that will be used) will on normal use be essentially invisible to the user. They reside in a Hidden System directory (so no joy when checking with a file manager), they persist via Scheduled Tasks (so avoiding Startup managers that just look at registry entries), and will only be active during the pulse transmission out to malware command, so are far too ephemeral for noting in Task Manager.

Stuff like these make me question the "I haven't been infected for years" comments, because one really never knows, do one?
 
> As to other 2nd opinion scanners, next week will be the same versus NPE (actually this video is part 1 of a 4-part series: next NPE, then Fun Facts about both NPE and KVRT); probably will bore most to tears but at least they will be equally short.

Thank you, as this is what I was wondering about, NPE, after watching your video.
 
In MalwareTips Hub, during the last years, we added KVRT as a mandatory tool, but with a small tweak, since we found that KVRT did not scan, or missed scanning, all the risky system folders in its default settings.

We found that, after adding these 2 folders, many tests with the final verdict "Clean" should have been "System Infected":

[attached screenshot]


Probably in this very special test scenario there won't be any difference, but...
 
> Stuff like these make me question the "I haven't been infected for years" comments, because one really never knows, do one?

This is my favorite quote from Joanna Rutkowska:
The inconvenient and somehow embarrassing truth for us is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.


If an expert doesn't know whether their computer is compromised or not, how can an average user know?
 
> This is my favorite quote from Joanna Rutkowska:
> The inconvenient and somehow embarrassing truth for us is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.
>
> If an expert doesn't know whether their computer is compromised or not, how can an average user know?
I've found loads of complex and truly unknown malware/backdoors. Sometimes it's easy and sometimes it takes longer to find during an assessment. But we eventually come to the conclusion: what if a system file is compromised from the MS end (supply chain)? We can never truly know if a system is clean.

But we can ensure that all code on the machine is trusted. Every piece of software is analysed for its purpose in that environment (abuse of legit tooling). All persistence mechanisms are checked as a part of these compromise assessments.
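A concrete check for the persistence pattern cruelsister describes earlier in the thread (a Scheduled Task whose binary lives in a Hidden/System directory) and for the "all code on the machine is trusted" step of the compromise assessment above, as an added PowerShell example that is not part of the thread or of KVRT/NPE; the cmdlets are the built-in ScheduledTasks and Security ones, the two function names are my own:

```powershell
# Added example (not code from the thread or from KVRT/NPE): audit scheduled tasks for
# an action whose executable sits in a Hidden/System directory or is itself Hidden/System,
# and report its Authenticode state so a compromise assessment can separate trusted code
# from a dropped beacon. Assumes Windows PowerShell 5.1+ with the ScheduledTasks module,
# run as Administrator so tasks registered by other accounts are visible.

$HiddenOrSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

function Get-PathAttributes {
    # Union of Hidden/System attributes found on the file and on every ancestor directory.
    param([string]$Path)
    $found = [IO.FileAttributes]0
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $found }
    $found = $found -bor ($item.Attributes -band $HiddenOrSystem)
    $dir = if ($item.PSIsContainer) { $item.Parent } else { $item.Directory }
    while ($dir) {
        $found = $found -bor ($dir.Attributes -band $HiddenOrSystem)
        $dir = $dir.Parent
    }
    return $found
}

function Get-HiddenPathTaskAction {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # COM-handler/e-mail actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if (-not (Test-Path -LiteralPath $exe)) {     # bare names such as cmd.exe resolve via PATH
                $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($app) { $exe = $app.Path }
            }
            $attrs = Get-PathAttributes $exe
            if (-not ($attrs -band $HiddenOrSystem)) { continue }   # only report hidden/system locations
            $sig = Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                State      = $task.State
                Executable = $exe
                Arguments  = $action.Arguments
                PathAttrs  = $attrs
                Signature  = if ($sig) { $sig.Status } else { 'Unreadable' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

Get-HiddenPathTaskAction | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

Hidden-only directories such as ProgramData and per-user AppData are expected in this output; the Signature and Signer columns are what separate vendor software there from an unsigned binary in a Hidden+System folder.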
 
> But we can ensure that all code on the machine is trusted. Every piece of software is analysed for its purpose in that environment (abuse of legit tooling). All persistence mechanisms are checked as a part of these compromise assessments.
Even then, what if the malware remains dormant for a long period of time until a trigger is activated after, let's say, 6 months? A week of running software under assessment won't help you then, and no one is decompiling every single piece of software to find the hidden backdoor. There is a very interesting read about how you can never fully trust anything:
 
> In MalwareTips Hub, during the last years, we added KVRT as a mandatory tool, but with a small tweak, since we found that KVRT did not scan, or missed scanning, all the risky system folders in its default settings.
>
> We found that, after adding these 2 folders, many tests with the final verdict "Clean" should have been "System Infected":
>
> [attached screenshot]
>
> Probably in this very special test scenario there won't be any difference, but...
I never noticed the settings flyout before. The contrast and colors of the UI aren't the best. Thanks. (y)
 
> Even then, what if the malware remains dormant for a long period of time until a trigger is activated after, let's say, 6 months? A week of running software under assessment won't help you then, and no one is decompiling every single piece of software to find the hidden backdoor. There is a very interesting read about how you can never fully trust anything:
That's what I meant by supply chain attacks. Agreed.