communication with AVG re updating problems

FromTheRafters said:
How could AVG fail "on access" and still have had the
ability to detect successfully with the plug-in? Aside from
the uncertainty principle, shouldn't they perform equally
well when scanning a file?


Disturbing...how does this happen?
Quite simple really, you get an AVG update on the 14th (if you're lucky that
is!) a new virus spreads on the 15th, Grisoft incorporate its signature
into their database on the 16th, their minging little CZ update server fails
until the 17th. That's 3 days in which you are exposed to a possible virus
which your AV cannot detect and neutralise. These days anything half-baked
can disable most AV processes if it is not caught at the front door.

polly
 
Tech Zero said:
The voice of "FromTheRafters" drifted in on the cyber-winds,
from the sea of virtual chaos...


Every process on a computer has a certain priority level, and given
Grisoft's unwillingness to slow a system down with its Resident Shield,
it's probably set to a low priority.

Even so, shouldn't there be interprocess communication
mechanisms so that programs aren't allowed to run unless
the AV has first checked them? I can see this happening
with regard to threading and child processes because each
process has its own time slice and if the first code is an AV
killer then the AV hasn't got a chance. But if the scanning
is done by hooking the file system's access to files, then
it doesn't make sense to me that it could miss something
that the frontier (e-mail) scan would have detected.
When OE is running it has a
higher priority than AVG, allowing the possibility that something
executed in OE could get a higher priority than the Resident Shield
(depending on OS).

This would be a silly way to design an AV program.
Now, if various exploits in OE are left un-patched, or if our intrepid
user is click happy... BANG, infected before AVG can check.

Doesn't active content get saved out as a file prior to it being
interpreted or executed by the OS? Wouldn't the on access
component intervene once the file is accessed by the filesystem?
True it's a fine margin, a few seconds at best...
But it's still a possibility.

Fortunately if the virus fails to close AVG its RS will find it and
alert the user that they're infected.

The idea would be to prevent execution, not to "almost"
prevent execution.
But would you consider it a
failed by then, since the virus has "installed" itself on your HD?

I would consider it a failure if known malware were allowed to
execute (outside of emulation). A malware file being saved to
disk isn't as much of a threat as one being opened for execution.
If your on access AV isn't looking at file creation, then it should
at the very least be looking at file open.
Many current viral variants will try to shut down certain running
processes in an attempt to prevent detection.

Yes, but they must be already executing to do so. The idea
is to not execute the malware to begin with, and the purpose
of AV software is to help you to determine which ones you
definitely *don't* want to execute.

Although I do believe that some do slip by, I don't agree
that they do so for the reasons that you mention. Could
you point me to a reference by any chance?
It's almost common practice in the latest ones... As well as
shutting down some of the competition...

Yes, all too common these days.
 
polly tito said:
Quite simple really, you get an AVG update on the 14th (if you're lucky that
is!) a new virus spreads on the 15th, Grisoft incorporate its signature
into their database on the 16th, their minging little CZ update server fails
until the 17th. That's 3 days in which you are exposed to a possible virus
which your AV cannot detect and neutralise. These days anything half-baked
can disable most AV processes if it is not caught at the front door.

Update addiction and 'day zero' paranoia...

You seem to have missed my point, I am assuming that the
malware is both known to the scanner *and* is implemented
properly because Tech Zero has stipulated that the e-mail
scan *would* have caught out what the active scanner might
miss. While I do agree that one should not depend on active
scanning to 'save the day', I am doubtful that what Tech Zero
says is true about how AVG's active component works.
 
|>Bad |>
|>Of course I promptly uninstalled AVAST and went back to AVG.
|>
|>So I'll leave AVAST to you folks who understand such things. I need
|>something simpler with a more integrated design anyway. To be truthful, I
|>didn't like the AVAST appearance or design from the very first, but
|>attempted to keep an open mind and give it a fair tryout anyway.
|>

I had a similar experience. I uninstalled AVG and installed Avast,
registered it, etc.. This was relatively painless. However, I found
that it kept creating popups telling me all about what files it was
checking. That wasn't acceptable. I wasn't able to find any help
information about this, nor could I identify a way to stop the
messages.

I uninstalled Avast, but it left my registry corrupted. I was able to
save the registry, but that sort of thing makes me nervous. I like
programs that let me get rid of them gracefully...
 
Yep it's a shame you had a problem with Avast. I only had an issue the
1st time I installed Avast on the 1st PC, I just stopped AVG, but after

<snip>

Thanks for the reply. I guess I really need to give it another
chance, taking my time and testing it thoroughly. I am going to set
up a sandbox system and try AVAST under controlled conditions using
several real viruses and trojans, as well as a retest using the EICAR
test file.

AVAST looks like a good piece of AV software if I could be *sure* there
are no holes that might allow a user to accidentally run a virus. (I'm
planning to deploy on a company network with mostly non-technical
users.) I'm just curious (and suspicious) due to the way it handled
EICAR.

AVAST warned me when I attempted to copy the EICAR to another drive,
but copied it anyway! Worse, it allowed me to double-click on EICAR
and *without any sort of warning* let EICAR run!

AVG, by default, will flash its warning screen and stop everything
until the user *explicitly* tells it what to do next. AVG does this
even upon attempting to open a folder with malware in it. IMO, that's
the way AV software should work by default, protecting even the most
inexperienced user.

If it takes special set-up directives to ensure even the most basic
protection, I can't use it. I need something that can be quickly
installed at a workstation, even by a non-techie user, and by default,
protect the workstation against the user double-clicking on malware.

We'll see after I can scrape a sandbox machine together out of the
spare parts under my workbench. <g>

Regards

herb


--
Boy, do I long for the days when all I needed was F-Prot and/or Mcafee
Scan. No macro viruses or network-hijacking trojans, just simple
file-appending / multipartite / boot-sector infecting viruses and
hard-drive formatting trojans... Oh well, life goes on and things
become more complex. <sigh>
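
A repeatable version of the EICAR check described in the post above, as an added example that is not part of the original thread. It records whether an on-access scanner intervenes at file creation, at open/read, or at copy; the function name, file names and stage labels are assumptions made here, and the probe never executes the file.

```python
import os
import shutil
import tempfile

# Standard 68-byte EICAR test string, split in two so that this source
# file is not itself flagged by a scanner.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def probe_on_access(payload: bytes, workdir: str) -> dict:
    """Write, re-read and copy `payload`; report which stage was blocked.

    Hypothetical helper for this example. Each stage maps to "allowed"
    or "blocked: <exception name>". The file is never executed.
    """
    src = os.path.join(workdir, "probe_src.com")
    dst = os.path.join(workdir, "probe_copy.com")
    results = {}

    def stage(name, action):
        try:
            action()
            results[name] = "allowed"
        except OSError as exc:  # PermissionError, FileNotFoundError, ...
            results[name] = f"blocked: {type(exc).__name__}"

    def create():
        with open(src, "wb") as fh:
            fh.write(payload)

    def reopen():
        # A scanner hooking file open denies this, or has already
        # quarantined the file written in the previous stage.
        with open(src, "rb") as fh:
            if fh.read() != payload:
                raise OSError("content changed or truncated")

    stage("create", create)
    stage("open_read", reopen)
    stage("copy", lambda: shutil.copyfile(src, dst))
    # "Warned but copied it anyway" shows up here as a surviving copy.
    stage("copy_survives", lambda: os.stat(dst))
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, outcome in probe_on_access(EICAR, tmp).items():
            print(f"{name:14} {outcome}")
```

Scanners that quarantine asynchronously may report "allowed" and remove the file a moment later, so a second run after a short wait is worth comparing.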
 
Euclid said:
[Note to aa: No, I don't have the Outlook Express 5 plugin activated
in AVG because it kills my smart mouse pointer, which ordinarily jumps
to the most likely button to click on popup dialogs. That's worth a
LOT to me, saves me a lot of effort & time, and I wouldn't be without
it.]

I uninstalled AVG, then installed AVAST, and spent several hours
trying to figure it out before I went online. Their Help has a lot of
excess verbiage and I encountered a learning curve. It is written in
fairly good English, but written by someone for whom English is not
their 1st language, so it lacks clarity. I would advise them to
condense their Help to no more than 25% of the current size, and
simplify the design of their software accordingly. Their "skin" also
wasn't easy to understand. I had no idea what it was when it first
appeared, and it took a long time to figure it out. I eventually
discovered that there were popups over each icon/graphic in the skin,
if I hovered the mouse pointer for several seconds (they were very
slow to appear). Setting up the AVAST file recovery database took a
long time (maybe an hour? - I went outside to do some yard work, so
don't know exactly) and it used about 30% of the processor during
that process. So I wouldn't want to do it very often. I then tried
running my primary application and didn't notice a slowdown, as I had
feared. I didn't get quite over newbie learning curve hump, but went
online anyway to see what would happen...

Bad I intended to register as one of the first things, so clicked on the
first popup that had a registration link and...my computer froze. It
was dead as a dodo bird. Nothing worked. The taskbar was dead.
Ctrl-Alt-Delete didn't work. Even my computer clock stopped. As best
I can recall I have not encountered that phenomenon since I stopped
using W98se last summer and bought this new computer with Windows XP
Home. I waited about a half hour, but it wouldn't resolve itself.
There was only one possible way to recover - turn off the computer
power. Of course that risks trashing the disk, but insofar as I can
tell so far, I was lucky. No apparent damage, although it will take
quite awhile to know for sure.

Of course I promptly uninstalled AVAST and went back to AVG.

So I'll leave AVAST to you folks who understand such things. I need
something simpler with a more integrated design anyway. To be
truthful, I didn't like the AVAST appearance or design from the very
first, but attempted to keep an open mind and give it a fair tryout
anyway.

I don't really want to deal with a bunch of separate modules and make
a lot of decisions, and I don't really want to learn anything new. I
just want the darned thing to block viruses, and remain unobtrusive
otherwise. -E
Give AntiVir PE a try - yes they too had problems with update server
availability not too long ago, but they've fixed that.
 
[snip]
Give AntiVir PE a try - yes they too had problems with update server
availability not too long ago, but they've fixed that.

--
Fix OE top posting bug
http://home.in.tum.de/~jain/software/oe-quotefix/

__________________

Someone else here recommended AntiVir and I'm currently trying it. So far,
so good. I definitely like the design better than AVAST. I encountered a bit
of frustration at first, because their Help in the context menu of the
systray icon didn't explain things sufficiently explicit for a newbie re
how/where to find the options to change the scanner settings. I was looking
in the main AntiVir program, but apparently it can't be accessed from there.
However after pulling my hair out for awhile, I discovered that it's in the
context menu of the icon in systray, named simply "Configuration". Brevity
is nice but in this case it should be called something more descriptive such
as "Scanner Configuration". That was important to me, and I'm happy to note
that they include an option (filters) to exclude certain processes from the
anti-virus scanning process, important with my primary application which
does a lot of file accesses. Perhaps that will prevent system performance
problems with that app, which has plenty of such problems already due to
99%+ constant processor usage! I'm hoping for the best. Surely AntiVir must
work right with "Luke Filewalker" in control of things... :)
-E
 
..atl.earthlink.net...
I've read some other threads here and you both seem to be promoting AVAST.
Do you have any connection with their company?
A month ago I didn't know AVAST existed. I have used AVG for years
until the update problem started. I don't see any slow down so far
with AVAST. The thing I like is that it has found over ten email
viruses in a couple days and I was able to delete them before they
even got to my computer. AVG could only notify you when you tried to
open the email with the virus.
 