[Solved] Question: malware found

Status
Not open for further replies.
What if a zero-day malware sample is missed by a full AV (which has signatures and behavioral analysis)? How will an on-demand scanner detect it with only signatures?
I assume that to catch what slipped through an AV, I should use an AV with more tools and a better implementation of those tools.
It may not detect it either, and you definitely need to use an AV as the first and primary layer of protection for your device. A second scanner is called a second scanner for a reason, just to ensure it's not being compromised.

By the way, there are some cases when malware infects a device, and you can't install an antivirus at all because the malware prevents it from installing. In this case, some second-opinion scanners can be very useful, as they can remove the malware and allow you to install the antivirus afterward and perform a full scan.
 
I need your opinion: what is the gain of running an on-demand scanner after the AV under test finishes, when the tester has examined the samples before testing and is quite sure they are malicious?
Why not just say the tested AV missed 5 out of 100?
No idea. I do not typically use second-opinion scanners in my tests to provide me with the source of truth, nor do I believe people who say "keep waiting, it will detect".

You can see that pretty much all samples on any.run (other sandboxes like Capa are more prone to evasion) realise malicious behaviour within the 5-minute timeslot. For every sample I've seen approximately how long it takes to establish connections, exfiltrate, and so on.

If during approximately the same time (which is usually a minute) I don't see detections (and even worse, if I notice persistence hooks and files written), for me this is a miss.

The tool I developed is not a second-opinion scanner; it is a tool that replicates forensic analysis logic.

I'm guessing testers usually use second-opinion scanners to show evidence black on white.
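The "persistence hooks and files written" check described in the post above can be scripted as a before/after diff. The following is an added example written by the editor; it is not the poster's tool and not code from any product. It snapshots the common Windows autostart locations (Run/RunOnce keys, scheduled tasks, services, Startup folders) plus files written under user-writable directories, then diffs the snapshot taken before detonation against one taken afterwards. The 300-second wait and the sample path C:\samples\sample.exe are assumptions for illustration.

```powershell
# Added example (editor's code, not the poster's tool or any product's): a
# before/after snapshot of common Windows persistence locations and of files
# written under user-writable directories. The 300-second wait and the sample
# path C:\samples\sample.exe are assumptions for illustration.
function Get-PersistenceSnapshot {
    param(
        # Only files created or modified at or after this time are listed.
        [datetime]$Since = (Get-Date).AddMinutes(-5)
    )
    $items = [System.Collections.Generic.List[string]]::new()

    # Autostart registry values (per-user and machine-wide Run / RunOnce).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PSPath/PSParentPath/... metadata
                $items.Add("REG   $key\$($p.Name) = $($p.Value)")
            }
        }
    }

    # Scheduled tasks and what they execute.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $items.Add("TASK  $($t.TaskPath)$($t.TaskName) -> $($a.Execute) $($a.Arguments)")
        }
    }

    # Services and their binary paths.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $items.Add("SVC   $($s.Name) -> $($s.PathName)")
    }

    # Startup folders (per-user and all-users).
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $items.Add("START $($_.FullName)") }
    }

    # Files dropped or modified since $Since in locations droppers commonly use.
    foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData)) {
        Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            ForEach-Object { $items.Add("FILE  $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))") }
    }

    return $items | Sort-Object -Unique
}

# Baseline, detonate, wait the window the post describes, snapshot again, diff.
$before = Get-PersistenceSnapshot
$start  = Get-Date
Start-Process -FilePath 'C:\samples\sample.exe'   # assumed sample path; isolated VM only
Start-Sleep -Seconds 300
$after  = Get-PersistenceSnapshot -Since $start

# Anything only on the "after" side is a new hook or a newly written file.
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object { $_.InputObject }
```

Run it elevated in a disposable, isolated VM; without admin rights the HKLM keys and some tasks and services are not readable. It only covers the locations listed: WMI event subscriptions, COM hijacks, browser extensions and anything hidden by a kernel-level rootkit will not appear in the diff, so an empty result is evidence, not proof, that nothing persisted.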
 
A second scanner is called a second scanner for a reason, just to ensure it's not being compromised
Even this task the on-demand scanner can fulfill only by chance, given its limited modules, unless I was using an outdated AV.
they can remove the malware and allow you to install the antivirus afterward and perform a full scan
If the sample was executed, removing it and installing a new AV is risky; you do not know exactly what was changed in your OS. Reinstalling Windows is the safest option.
 
The tool I developed is not a second-opinion scanner; it is a tool that replicates forensic analysis logic
Your tool is what I was asking testers to use: forensic analysis, not just a limited on-demand scanner, which can already miss lots of malware if used as a primary AV (one of the reasons it is not used as the primary one).
 
Even this task the on-demand scanner can fulfill only by chance, given its limited modules, unless I was using an outdated AV.

If the sample was executed, removing it and installing a new AV is risky; you do not know exactly what was changed in your OS. Reinstalling Windows is the safest option.
On this PC, reinstalling Windows and setting up some software can be quite tedious and can take several days of work, even on a fast PC with a fast internet connection. I do that infrequently; this one has not been reinstalled for around two years, starts in seconds and has no problems. Imaging back helps to achieve that; it depends on how complex your install is...

EDIT: As I remember, I used Norton Ghost from its first arrival; it wasn't overly easy to use but was a lifesaver even back then, in 1996-ish??
 
On this PC, reinstalling Windows and setting up some software can be quite tedious and can take several days of work, even on a fast PC with a fast internet connection. I do that infrequently; this one has not been reinstalled for around two years, starts in seconds and has no problems. Imaging back helps to achieve that; it depends on how complex your install is...
I use only a small number of third-party programs; I could install Windows with programs every morning.
 
Is it true or a myth that Kaspersky Free's real-time protection performs differently in detection and activation from the Complete Scan signature database, even though Kaspersky Free doesn't have the malware signature database? Why did the Microsoft Defender scan detect AppData\Roaming\Secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml) in the Complete Scan, while Kaspersky Free and Malwarebytes Free didn't detect anything in the Complete Scan?

Is it possible to find out if the DLL file was created and active when it was detected, from the VirusTotal analysis? I uninstalled Kaspersky Free, and I lost the logs.

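Two points a practitioner would check on the post above. First, a Defender detection name ending in !ml is a machine-learning verdict rather than a classic signature match, which is one reason a signature-based scan by another product can disagree about the same file. Second, the questions "when was the file created" and "was it active" can be answered from the local machine rather than from VirusTotal: Defender keeps its own detection history and event log independently of any other product that was uninstalled, the file's timestamps and hash are on disk if it was not removed, and a DLL is "active" only if some process currently has it loaded. The following is an added example written by the editor, not code from the thread. It assumes the path from the post resolves under the current user's profile, that the file may or may not still exist, and that Defender's history has not been cleared.

```powershell
# Added example (editor's code, not from the thread): triage of a single file
# that one scanner flagged. The path is the one named in the post, resolved
# under the current user's profile; it is an assumption that the file still
# exists and that Defender's detection history has not been cleared.
function Get-FlaggedFileTriage {
    param([Parameter(Mandatory)] [string]$Path)

    $name   = [System.IO.Path]::GetFileName($Path)
    $report = [ordered]@{ Path = $Path }

    # 1. Defender's own record: first detection time, process involved, remediation.
    #    This survives uninstalling other products, since it is Defender's history.
    $report.DefenderHistory = @(
        Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { $_.Resources -match [regex]::Escape($name) } |
            Select-Object InitialDetectionTime, RemediationTime, ProcessName, ThreatID
    )
    #    The Defender operational log keeps the same events (1116 detected, 1117 action taken).
    $report.DefenderEvents = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($name) } |
            Select-Object TimeCreated, Id
    )

    # 2. File system facts: does it still exist, when was it created, what is its hash?
    if (Test-Path -LiteralPath $Path) {
        $f = Get-Item -LiteralPath $Path -Force
        $report.Exists      = $true
        $report.Created     = $f.CreationTime
        $report.LastWritten = $f.LastWriteTime
        $report.SizeBytes   = $f.Length
        # SHA-256 lets you look the file up on VirusTotal by hash without uploading it.
        $report.Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $report.Signature   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    } else {
        $report.Exists = $false   # already removed or quarantined
    }

    # 3. Is the DLL loaded ("active") in any running process right now?
    $report.LoadedIn = @(
        foreach ($p in Get-Process) {
            try {
                if ($p.Modules | Where-Object { $_.FileName -ieq $Path }) {
                    [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName }
                }
            } catch { }   # protected or architecture-mismatched processes refuse module enumeration
        }
    )

    return [pscustomobject]$report
}

# The path named in the post, under the current user's profile (assumed location).
Get-FlaggedFileTriage -Path (Join-Path $env:APPDATA 'Secure\QtWebKit4.dll') | Format-List
```

Run it elevated so the module lists of other users' and system processes are readable. The LoadedIn check reflects only the moment it runs; if Defender already quarantined the file, the event timestamps and the detection's ProcessName are the remaining evidence of whether it was loaded at detection time. The SHA-256 is what to search on VirusTotal, which also shows that file's first-submission date without you uploading anything.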
 
I guess you need to buy flight tickets now....hehe
I do want to help classicaran, but I do not know how to.
All the soothing advice by top experts could not reassure.
According to my personal past experience, security obsession is much worse than getting infected; balance is needed between not being reckless and getting infected easily, and being able to use your PC or phone and enjoying your life.
 
Should've been done 4 pages ago? ;) 😅
Let's beat Comodo threads
 
For a full audit, an on-demand scanner is the wrong tool, but for proving a specific failure, it is the perfect tool.
With that in mind, could you explain how the tests you originally cited, the ones that led you to claim the Norton Security engine was 'better' than NPE's, were methodologically sound?
FWIW, lately I run MS Defender in Offline mode, which reboots into WinRE (OS), maybe once a month. The offline scan takes about 15 min for me. A different perspective...
 