Advice Request: What antivirus is best for offline scanning?


pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
436
Just wondering about this, as I ran into some malware and a few trojans on a USB. Neither G Data nor Norton could disinfect it without an internet connection. It troubled me somehow.
Do you think there would be a good paid antivirus which is capable of somehow trying to disinfect viruses or other malware?

If you have no internet connection AT ALL, then it would be with an already installed AV that has a local database of malware definitions.
BD is one of those: Bitdefender Scan Engines
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Best antivirus for offline scanning
I think ESET and AVG.
I use Bitdefender.
This one is the latest one:
 

ForgottenSeer 89360

This one is the latest one:
These results are not inaccurate, but some of these products can be set to increase detection. Kaspersky, for example, has heuristic sensitivity at "low" by default, and there are two higher levels.
Avira, Norton and AVG/Avast have one level higher than the default.
ESET's ML settings are like a matrix and can all be increased.

Users looking to remove active malware on an infected system can tweak these settings to achieve better detection and removal.
Other products like Bitdefender have higher detection on this test, but they are not configurable, so in the end you might get worse results.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
These results are not inaccurate, but some of these products can be set to increase detection. Kaspersky, for example, has heuristic sensitivity at "low" by default, and there are two higher levels.
Avira, Norton and AVG/Avast have one level higher than the default.
ESET's ML settings are like a matrix and can all be increased.

Users looking to remove active malware on an infected system can tweak these settings to achieve better detection and removal.
Other products like Bitdefender have higher detection on this test, but they are not configurable, so in the end you might get worse results.
You're right. But we are not going too deep here. To remove malware from an already infected system, it's better to use tools that are specially made for doing that, like Kaspersky Virus Removal Tool.
 

ForgottenSeer 89360

By offline scanning, I understand removing malware from a heavily infected system. If your aim is to always work offline, no product will actually work, as they all need updates, a cloud connection or both. Even behavioural blocking relies on the cloud, or at least on local profiles that need to be updated.

So for malware removal, it might be best to use a rescue USB. There are plenty of products that offer these.
If your aim is to be offline for reasons unknown, you need a product with portable definitions so that at least you can update them from time to time.
Bitdefender and Avast/AVG offer standalone updaters (others may do it too).
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
By offline scanning, I understand removing malware from a heavily infected system. If your aim is to always work offline, no product will actually work, as they all need updates, a cloud connection or both. Even behavioural blocking relies on the cloud, or at least on local profiles that need to be updated.

So for malware removal, it might be best to use a rescue USB. There are plenty of products that offer these.
If your aim is to be offline for reasons unknown, you need a product with portable definitions so that at least you can update them from time to time.
Bitdefender and Avast/AVG offer standalone updaters (others may do it too).
I agree.
The number of AVs still providing standalone signature updates is small nowadays. There are Avast and Bitdefender, like you said. Then we also have Windows Defender, Trend Micro, Vipre and maybe some others. Avira also kind of has this: they have a separate tool that downloads the latest updates.
 

ForgottenSeer 89360

I agree.
The number of AVs still providing standalone signature updates is small nowadays. There are Avast and Bitdefender, like you said. Then we also have Windows Defender, Trend Micro, Vipre and maybe some others. Avira also kind of has this: they have a separate tool that downloads the latest updates.
I believe Norton still has a way of downloading them... haven’t checked recently.
Trend Micro’s signatures are a bit useless so it’s not the best choice, even if definitions are updatable offline.
Didn’t know about Defender.

Bitdefender, Microsoft Defender and AVG/Avast offer boot scans that launch before the system is fully loaded, with Direct Disk Access. If you are looking to disinfect, this can bypass rootkits and other forms of stealthy malware.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
I believe Norton still has a way of downloading them... haven’t checked recently.
Trend Micro’s signatures are a bit useless so it’s not the best choice, even if definitions are updatable offline.
Didn’t know about Defender.

Bitdefender, Microsoft Defender and AVG/Avast offer boot scans that launch before the system is fully loaded, with Direct Disk Access. If you are looking to disinfect, this can bypass rootkits and other forms of stealthy malware.
Bitdefender releases standalone definitions weekly, but Windows Defender releases them multiple times a day. Though it's not the best at offline signatures, it's a lot better than Trend Micro. Any user on Windows 10 already has WD, so I guess it deserves an honorable mention in this thread. Here's the download link:
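
As an added illustration of the sneaker-net update workflow discussed in the posts above (a script written for this edit, not code from the thread, from Microsoft or from any poster): it refuses to run a security-intelligence package carried over on removable media unless its Authenticode signature is valid and issued to Microsoft, records the Defender signature version before and after applying it, and then starts a full scan with the freshly loaded local signatures. The package name mpam-fe.exe and the path E:\defender\ are assumptions about what was copied to the stick; Get-AuthenticodeSignature, Get-MpComputerStatus and Start-MpScan are the standard Windows cmdlets, and treating a non-zero exit code from the package as a failed install is an assumption as well.

```powershell
# Added example, not from the thread: apply a Microsoft Defender definition
# package that was downloaded on an online machine, carried over on USB, and
# must be trusted before it is executed on the offline host.
# Assumed path/name: E:\defender\mpam-fe.exe (adjust to what you copied).
param(
    [string]$PackagePath = 'E:\defender\mpam-fe.exe'
)

$ErrorActionPreference = 'Stop'

# 1. A USB stick that has just touched an infected machine is exactly the
#    medium an attacker could tamper with, so verify the binary first.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${PackagePath}: $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Record the current definition version so the update can be confirmed.
$before = Get-MpComputerStatus
Write-Host ("Before: {0} (last updated {1})" -f
    $before.AntivirusSignatureVersion, $before.AntivirusSignatureLastUpdated)

# 3. Apply the standalone package (installs silently). Assumption: a non-zero
#    exit code means the engine did not accept it.
$proc = Start-Process -FilePath $PackagePath -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Package exited with code $($proc.ExitCode)"
}

# 4. Confirm the version actually changed; an unchanged version usually means
#    the package on the stick is older than what is already installed.
$after = Get-MpComputerStatus
if ($after.AntivirusSignatureVersion -eq $before.AntivirusSignatureVersion) {
    Write-Warning 'Signature version unchanged; the package may be older than the installed set.'
} else {
    Write-Host ("After:  {0} (last updated {1})" -f
        $after.AntivirusSignatureVersion, $after.AntivirusSignatureLastUpdated)
}

# 5. Full scan with the local signatures only; on an offline host this set is
#    everything the engine has, with no cloud lookup to fall back on.
Start-MpScan -ScanType FullScan
```

Run it from an elevated PowerShell session on the offline machine. The version comparison in step 4 is the practical check that a standalone update really landed; the signature check in step 1 is what makes carrying updates on a stick that has been in an infected machine acceptable at all.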

 

Minimalist

Level 9
Verified
Well-known
Oct 2, 2020
439
Bitdefender, ESET, Emsisoft for sure, not Kaspersky.
Now let me explain why Kaspersky should not be on this list.
From what I have seen, Kaspersky often doesn't push all types of signatures to the device via updates. They keep a lot of it in the cloud only. They also constantly clean up local signatures in favor of cloud-based detection, to save disk space and improve performance I assume. I'm talking about Kaspersky AV, not their removal tools.
A few days ago I sent a sample to Kaspersky through @harlan4096, because malware analysts always reply back to him. It was malware in a Firefox cache file which contained an HTML page, and that page contained a Hoax/Scam script. Kaspersky wasn't detecting it when I did a right-click scan, but VirusTotal shows detection, and if I tried to upload the file in a browser then Kaspersky detected it. Harlan told me that some files get detected by WebAV components instead of FileAV, and that's probably why it wasn't getting detected. He still submitted it to Kaspersky and got a similar reply. Later, after learning from Harlan that Kaspersky now replies to everyone if you're logged into their OpenTIP submission portal, I submitted the file again to get an even more detailed answer, and this is the reply I got.
[attachment: screenshot of Kaspersky's reply]
So anything that Kaspersky thinks is not necessary to be detected by FileAV will be detected by WebAV only, and static scans don't use WebAV components. It is fair, and the reasoning is understandable from Kaspersky's point of view.
But since we're talking about offline detection through static scans, Kaspersky's high reliance on the cloud and the separation of FileAV from WebAV make it not the best one for this category. Bitdefender and ESET rarely rely on the cloud for signature-based detection, and don't have such a FileAV vs WebAV separation for signatures.
BTW, Emsisoft has their Emsisoft Emergency Kit, with which you can get the benefit of Bitdefender's full local signatures + Emsisoft's.
I came to a similar conclusion about Kaspersky: they are IMO moving detections to the cloud. I followed the AV-C Malware Protection Tests from 2017, and these are Kaspersky's results for offline detection:
96.0 - 94.1 - 94.5 - 99.2 - 97.4 - 96.0 - 81.9 - 85.7

So to me it seems clear that they are moving detections to the cloud. Of course that doesn't say much about the efficacy of their offline tool, KVRT.
 

fabiobr

Level 12
Verified
Top Poster
Well-known
Mar 28, 2019
561
Bitdefender, ESET, Emsisoft for sure, not Kaspersky
Bitdefender and ESET rarely rely on the cloud for signature-based detection, and don't have such a FileAV vs WebAV separation for signatures.
BTW, Emsisoft has their Emsisoft Emergency Kit, with which you can get the benefit of Bitdefender's full local signatures + Emsisoft's.
Bitdefender comes with script analysis turned off by default on fileAV.
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,531
I think that for a computer that won't be online frequently, the best choice would be ESET. It is often the first to update signatures and is really good at detecting new variants based on existing signatures. Also, the signature updates are small, so if you are in a place where connections are really bad it will be the easiest to update.
 

ForgottenSeer 89360

I think that for a computer that won't be online frequently, the best choice would be ESET. It is often the first to update signatures and is really good at detecting new variants based on existing signatures. Also, the signature updates are small, so if you are in a place where connections are really bad it will be the easiest to update.
But if you are offline, how will you get these frequent signature updates? It also has an almost non-existent behavioural blocker. It would be best to get something like WiseVector, which is both effective and requires minimal updates.
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,531
But if you are offline, how will you get these frequent signature updates? It also has an almost non-existent behavioural blocker. It would be best to get something like WiseVector, which is both effective and requires minimal updates.

Behaviour blockers are not a miracle and will often miss bad behaviour, as the tests made right here in the forum have proved over and over, resulting in encryption of files and infection.

For a situation where you can't connect, strong signatures + a properly configured HIPS acting as default deny for key system locations is far superior. These rules are easy to find both in ESET's knowledge base and in forums like this one. The user clearly has access at some point to download the software and should prepare everything for when the system is taken offline.

Also notice that the author never said the system will never connect.

Technically speaking, in a bad connection or no connection situation, a default deny software is a better solution as it requires no connection at all. But it's a more expensive solution and requires technical knowledge from the user that must know what to allow and what to deny.

I often say that all top products offer similar protection and to just use whatever you like, but that's true only in a normal situation where the products have full access to their clouds. Being offline cuts a lot of protection from most products.
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Technically speaking, in a bad connection or no connection situation, a default deny software is a better solution as it requires no connection at all. But it's a more expensive solution and requires technical knowledge from the user that must know what to allow and what to deny.

I often say that all top products offer similar protection and to just use whatever you like, but that's true only in a normal situation where the products have full access to their clouds. Being offline cuts a lot of protection from most products.
I completely agree with @mlnevese's point of view. I am already using a similar setup on my personal laptop right now, even before reading @SeriousHoax's reply in which he explains Kaspersky's new approach of migrating part of the signature updates to their cloud and separating their definitions according to the type/category of infection. I am using the simple combo "Kaspersky Cloud Free + VoodooShield in smart mode + AdGuard". I think using KS + VoodooShield, i.e. a "cloud based + default deny" solution, would be suitable.
The protection scenario which is best in my opinion:
  1. In case an internet connection is available, you could put VoodooShield in smart mode and depend on Kaspersky as your first line of defense.
  2. In case there is no internet connection, just keep Kaspersky active and put VoodooShield in "always on" mode, but this needs a more technical user.
 
