Is a single sourced AV package a valid strategy


amabutho

My recent experiences with identifying a virus/worm/trojan on my system
has led me to question the value of AV protection using software from a
single source. I do not want to start a flame war over AV tools but
have experienced an infection that challenged identification.

A week ago a virus entered my XP system after downloading the July 30
MS XP updates. I run Symantec Norton AV (NAV) which is updated
regularly using LiveUpdate. NAV identified the virus as a variant of
"Netsky" and cleaned it up but the system still behaved as if it were
infected. Things like TaskManager and the DOS window would open and
immediately close. Running NAV in both Safe and Normal mode indicated
nothing wrong.

I then spent the next two days trying a variety of "free" virus checker
packages in both Safe and Normal mode all to no avail. Then started
looking for web based tools that might do the job. After checking out
four I uncovered the web version of BitDefender which running in
normal mode identified the culprit as the "mytob.GD" worm. From there
it was a few hours of work to get the system back to operation. Thanks
to some of the earlier messages on this group (David Lipman on July 6
2005).

Now my question is: Is it sound practice to rely on one AV package that
cannot be relied on to identify each and every infection? [NAV as of
today appears not to detect the "mytob.GD" worm].

Is there any strategy to have some alternate package run on the system?
I understand there could be a number of conflicts etc but has anyone
used a scheduled web tool task to complement their loaded package?
This episode cost me 20 hours of productivity and I value that at
least $1000, so any approach that saves me so much effort is worth
paying for.

mike
 

Virus Guy

amabutho said:
A week ago a virus entered my XP system

If you want to avoid grief like this, why don't you look more
critically at why you are running XP in the first place?

Windows 98 is less risky, less vulnerable, and just as capable as XP
(from a user's point of view) in running office software, e-mail,
doesn't take Micro$oft certified PHD to administer, etc.
 

Beauregard T. Shagnasty

amabutho said:
A week ago a virus entered my XP system

Do you mean it was active and running? Or just contained in an email
you received?
after downloading the July 30 MS XP updates. I run Symantec Norton
AV (NAV) which is updated regularly using LiveUpdate. NAV
identified the virus as a variant of "Netsky" and ...
After checking out four I uncovered the web version of BitDefender
which running in normal mode identified the culprit as the
"mytob.GD" worm.

Both of these viruses are transmitted via email attachments. If you
are infected, you must be opening the attachments. When one arrives,
just delete it.

Virus emails are so easily recognizable, I wonder why people open and
execute them. Or ... maybe I don't... <g>

What do you use for email?
 

Mich

Beauregard T. Shagnasty said:
Do you mean it was active and running? Or just contained in an email
you received?



Both of these viruses are transmitted via email attachments. If you
are infected, you must be opening the attachments. When one arrives,
just delete it.

Virus emails are so easily recognizable, I wonder why people open and
execute them. Or ... maybe I don't... <g>

What do you use for email?


I second that opinion, did you really fall for the Microsoft update via
E-mail?

Gotta ask yourself, why why why?
If Outlook is your E-mail choice, configure it to NOT download and open
attachments automatically (Google it).

Mich...
 

Roger Wilco

amabutho said:
My recent experiences with identifying a virus/worm/trojan on my system
has led me to question the value of AV protection using software from a
single source. I do not want to start a flame war over AV tools but
have experienced an infection that challenged identification.

There are some scanners that use differing engines together in one
package (so no conflict).
A week ago a virus entered my XP system after downloading the July 30
MS XP updates. I run Symantec Norton AV (NAV) which is updated
regularly using LiveUpdate. NAV identified the virus as a variant of
"Netsky" and cleaned it up but the system still behaved as if it were
infected.

NAV apparently "fixed" an inactive instance of the named worm, and is
oblivious to the other 'active' one.
Things like TaskManager and the DOS window would open and
immediately close. Running NAV in both Safe and Normal mode indicated
nothing wrong.

AV programs can only indicate 'I think I found' or 'nothing found' and
the user must take it from there.
I then spent the next two days trying a variety of "free" virus checker
packages in both Safe and Normal mode all to no avail. Then started
looking for web based tools that might do the job. After checking out
four I uncovered the web version of BitDefender which running in
normal mode identified the culprit as the "mytob.GD" worm. From there
it was a few hours of work to get the system back to operation. Thanks
to some of the earlier messages on this group (David Lipman on July 6
2005).

Now my question is: Is it sound practice to rely on one AV package that
cannot be relied on to identify each and every infection?

No AV should be 'relied upon' - you should rely upon safe practices of
which AV is only a part.
[NAV as of
today appears not to detect the "mytob.GD" worm].

Is there any strategy to have some alternate package run on the
system?

As above, there are multiple engine offerings. Plus, safe practices
(like deleting things you get in e-mail) drastically reduce the need to
scan things.
I understand there could be a number of conflicts etc but has anyone
used a scheduled web tool task to complement their loaded package?

The 'loaded package' can still interfere with an on-demand scheduled
task. I suppose you could write a script to disable the active scanner
and run the task. The main point is that all scanners will miss some
malware, and if your usual practice is to allow the active scanner to
scan everything that comes along you will sooner or later have to deal
with that failure rate. Best thing to do is to limit what the AV has to
do by placing your safe practice regimen before the AV - if your AV now
only has to deal with maybe 5 percent of what comes along, its 1 percent
failure rate (made up that stat BTW) is now 1% of 5%, which is a far
cry better than a whole 5%.
This episode cost me 20 hours of productivity and I value that at
least $1000, so any approach that saves me so much effort is worth
paying for.

Google "safe hex", "best practices", and "safe computing practices" to
get some idea of how to increase knowledge of your role in keeping your
computer clean - it is cheaper and better in the long run.
 

Guest

amabutho said:
My recent experiences with identifying a virus/worm/trojan on my system
has led me to question the value of AV protection using software from a
single source. I do not want to start a flame war over AV tools but
have experienced an infection that challenged identification.

A week ago a virus entered my XP system after downloading the July 30
MS XP updates. I run Symantec Norton AV (NAV) which is updated
regularly using LiveUpdate. NAV identified the virus as a variant of
"Netsky" and cleaned it up but the system still behaved as if it were
infected. Things like TaskManager and the DOS window would open and
immediately close. Running NAV in both Safe and Normal mode indicated
nothing wrong.

I then spent the next two days trying a variety of "free" virus checker
packages in both Safe and Normal mode all to no avail. Then started
looking for web based tools that might do the job. After checking out
four I uncovered the web version of BitDefender which running in
normal mode identified the culprit as the "mytob.GD" worm. From there
it was a few hours of work to get the system back to operation. Thanks
to some of the earlier messages on this group (David Lipman on July 6
2005).

Now my question is: Is it sound practice to rely on one AV package that
cannot be relied on to identify each and every infection? [NAV as of
today appears not to detect the "mytob.GD" worm].

Is there any strategy to have some alternate package run on the system?
I understand there could be a number of conflicts etc but has anyone
used a scheduled web tool task to complement their loaded package?
This episode cost me 20 hours of productivity and I value that at
least $1000, so any approach that saves me so much effort is worth
paying for.

mike
From what you say, it would have been cheaper to throw out your PC and
upgrade to a new one! Seriously, I've heard of a trend to do this.
-Pete
 

kurt wismer

amabutho said:
My recent experiences with identifying a virus/worm/trojan on my system
has led me to question the value of AV protection using software from a
single source. I do not want to start a flame war over AV tools but
have experienced an infection that challenged identification.

and if you wait long enough you probably will again... no anti-virus (or
combination of anti-viruses) is perfect - something will always get
through...

[snip]
Now my question is: Is it sound practice to rely on one AV package that
cannot be relied on to identify each and every infection? [NAV as of
today appears not to detect the "mytob.GD" worm].

*"rely"*? no... you should be relying on yourself... an anti-virus is
just a tool...
Is there any strategy to have some alternate package run on the system?

you shouldn't run more than one anti-virus at the same time, but there's
nothing wrong with running them one after the other... i think you'll
find, however, that the increase in detection capability will be
marginal (look at how many different products you had to go through in
order to find the cause of your problem)... if you think you have a
virus your scanner can't detect then there's certainly nothing wrong
with trying to get a second opinion, but that's the only situation under
which i'd suggest using multiple scanners...
I understand there could be a number of conflicts etc but has anyone
used a scheduled web tool task to complement their loaded package?
This episode cost me 20 hours of productivity and I value that at
least $1000, so any approach that saves me so much effort is worth
paying for.

$1000 seems like a lot of money but you're looking at it on a per
incident basis - how much money do you lose in productivity over a year,
on average?

what it boils down to is this: a scanner is a detection tool used to
implement a preventative control but its prevention comes in the form
of mitigating your risks... a more thorough approach would also look at
*reducing* your exposure to risk (safe hex) as well as means of
detecting when preventative controls have failed (using more generic
technologies) and improving recovery procedures so that they're
simpler/cheaper/easier to implement...
 

amabutho

Maybe I could do that but I make extensive use of a package that only
runs on XP so there is little choice.

Would the Windows 98 system have been easier to diagnose or repair
without knowing the specific virus?

mike
 

amabutho

Yes I believe the two virus infections came in e-mail from what I
considered a trusted source (no longer trusted). I had expected an
attachment and that was why the file was opened.

In this system I use Outlook Express.

mike
 

amabutho

N the attachment was from a client and I treated it as a "trusted
source".

I do not have my mail system automatically open attachments.

mike
 

Beauregard T. Shagnasty

amabutho said:
Yes I believe the two virus infections came in e-mail from what I
considered a trusted source (no longer trusted). I had expected an
attachment and that was why the file was opened.

Nevertheless, it is always a good practice to save and scan
attachments even from trusted sources. I always do, saving them to a
folder I named "/suspect" before ever opening them.
In this system I use Outlook Express.

Perhaps a modern email client would be a wise option? Newer ones are
generally more secure. (Not that this would prevent you from executing
an infected attachment.)

If you are going to continue to use Google Groups, find the option to
include quoted text, so readers of your posts will know what you are
replying to, as I have done here. There's supposed to be a
less-than-obvious Reply button that will place this text in your post.
Or ... find a good news server and use a real news reader.
 

Roger Wilco

amabutho said:
Yes I believe the two virus infections came in e-mail from what I
considered a trusted source (no longer trusted). I had expected an
attachment and that was why the file was opened.

Just as a general point to ponder, it is the executable programs from
trusted sources that should be scanned (after a 'cooling off' period if
feasible) and the executable programs from untrusted sources should be
deleted outright.
 

kurt wismer

amabutho said:
Maybe I could do that but I make extensive use of a package that only
runs on XP so there is little choice.

Would the Windows 98 system have been easier to diagnose or repair
without knowing the specific virus?

diagnosis (thorough knowledge) generally implies knowing which specific
virus it is...
 

kurt wismer

amabutho said:
N the attachment was from a client and I treated it as a "trusted
source".

well, that was a mistake... since practically the beginning of modern
day email worms they've been using victim's address books to find new
targets - that means that often the malware will come from someone you
know and seem like it has a 'trusted source'...
I do not have my mail system automatically open attachments.

do you use an email client made by microsoft? if so you may not need to
configure it to automatically open attachments...
 

amabutho

Beauregard said:
Nevertheless, it is always a good practice to save and scan
attachments even from trusted sources. I always do, saving them to a
folder I named "/suspect" before ever opening them.

How does this help prevent the incursion of a virus to the system if
your AV software cannot identify the bug?

Perhaps a modern email client would be a wise option? Newer ones are
generally more secure. (Not that this would prevent you from executing
an infected attachment.)

If you are going to continue to use Google Groups, find the option to
include quoted text, so readers of your posts will know what you are
replying to, as I have done here. There's supposed to be a
less-than-obvious Reply button that will place this text in your post.
Or ... find a good news server and use a real news reader.

Is this the sort of response you want?

mike
 

Beauregard T. Shagnasty

amabutho said:
How does this help prevent the incursion of a virus to the system if
your AV software cannot identify the bug?

Hopefully, you are not first on the list. <g> Many will say it is
wise to leave an attachment sit for up to a week before testing and
opening it. I'm not that paranoid, my a-v updates daily, so I'll test
it and if clean, open it. I don't normally get executable files,
though, usually just word documents, databases, or pictures.

Always check the full file name as well. You don't want to open one
with a name full of spaces like:

mypicture.jpg .exe
Is this the sort of response you want?

Very good, thanks for that.
 

Roger Wilco

amabutho said:
How does this help prevent the incursion of a virus to the system if
your AV software cannot identify the bug?

It won't prevent it if the AV can't detect it. Deleting outright the
non-trusted will expose the AV to less chances of failing to detect. As
for identifying, this is only really needed if repairs are to be
attempted or as a reference for further investigation for the curious.
 

Norman L. DeForest

Hopefully, you are not first on the list. <g> Many will say it is
wise to leave an attachment sit for up to a week before testing and
opening it. I'm not that paranoid, my a-v updates daily, so I'll test
it and if clean, open it. I don't normally get executable files,
though, usually just word documents, databases, or pictures.

Always check the full file name as well. You don't want to open one
with a name full of spaces like:

mypicture.jpg .exe

Also, don't forget that Windows will default to hiding some extensions
even if you turn off the "hide known file extensions" feature. The most
dangerous of those is the ".pif" extension. What looks like this:
mypicture.jpg
could also be this:
mypicture.jpg.pif


I have a series of screenshots and an HTML file to display them that
show the steps needed to edit the Windows registry to unhide those special
extensions. It's available at:
http://www.chebucto.ns.ca/~af380/unhide.zip
The zip file is large (577KB) as it has a large number of screen shots.
Ignore the horrible blue colour. My display used a light tan at that time
but Paint, in its infinite wisdom[1], decided to change the colours on me
when I saved the images in *.gif format.

[1] Has anyone seen where I put my supply of <sarcasm>...</sarcasm> tags?
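As an added example, not code from anyone posting in this thread, the following Python script applies the filename rules from the posts above: the padded "mypicture.jpg .exe" case, the "mypicture.jpg.pif" case whose extension Explorer hides, and Roger Wilco's delete-or-scan rule for executables. The extension sets are constructed subsets for illustration; the NeverShowExt list is assumed from the registry behaviour the post describes.

```python
"""Attachment-name triage based on the rules in this thread.
Added example; not code from anyone posting above."""
import re

# Constructed subsets for this example; a real gateway would use a fuller list.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "lnk"}
# Extensions Explorer hides even with "hide extensions for known file types" off
# (assumed: they carry a NeverShowExt registry value); .pif is the one the post names.
NEVER_SHOW_EXT = {"pif", "lnk", "shs", "url"}
# Harmless-looking extensions used as bait in front of the real one.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "doc", "xls", "mdb", "txt", "pdf"}

# A decoy extension at the end of the stem, optionally padded with whitespace
# so the real extension scrolls out of view in a narrow attachment column.
_DECOY_RE = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)$")


def analyze_attachment_name(name: str) -> dict:
    """Explain why a filename should be treated as executable, if it should."""
    reasons = []
    base = name.strip()
    if "." not in base:
        return {"name": name, "suspicious": False, "reasons": reasons}
    # Windows decides how to open the file by the text after the LAST dot.
    stem, real_ext = base.rsplit(".", 1)
    real_ext = real_ext.lower()
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{real_ext} is executable")
        m = _DECOY_RE.search(stem)
        if m and m.group(1).lower() in DECOY_EXTS:
            reasons.append(f"decoy extension .{m.group(1).lower()} precedes it")
            if m.group(2):
                reasons.append(f"{len(m.group(2))} padding space(s) hide the real extension")
        if real_ext in NEVER_SHOW_EXT:
            reasons.append(f".{real_ext} is hidden by Explorer even with extensions shown")
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons}


def recommend(name: str, trusted: bool) -> str:
    """Roger Wilco's rule: executables from untrusted senders are deleted outright,
    executables from trusted senders sit in a quarantine folder and get scanned,
    and everything else is scanned before it is opened."""
    if analyze_attachment_name(name)["suspicious"]:
        return "quarantine-and-scan" if trusted else "delete"
    return "scan-then-open"


if __name__ == "__main__":
    # Constructed sample names modelled on the two cases quoted in the thread.
    for sample in ("mypicture.jpg .exe", "mypicture.jpg.pif", "mypicture.jpg", "setup.exe"):
        verdict = analyze_attachment_name(sample)
        flags = "; ".join(verdict["reasons"]) or "no flags"
        print(f"{sample!r}: {recommend(sample, trusted=False)} ({flags})")
```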
 

What's in a Name?

My recent experiences with identifying a virus/worm/trojan on my
system has led me to question the value of AV protection using
software from a single source. I do not want to start a flame war
over AV tools but have experienced an infection that challenged
identification.

A week ago a virus entered my XP system after downloading the July
30 MS XP updates. I run Symantec Norton AV (NAV) which is updated
regularly using LiveUpdate. NAV identified the virus as a variant
of "Netsky" and cleaned it up but the system still behaved as if
it were infected. Things like TaskManager and the DOS window
would open and immediately close. Running NAV in both Safe and
Normal mode indicated nothing wrong.

I then spent the next two days trying a variety of "free" virus
checker packages in both Safe and Normal mode all to no avail.
Then started looking for web based tools that might do the job.
After checking out four I uncovered the web version of
BitDefender which running in normal mode identified the culprit as
the "mytob.GD" worm. From there it was a few hours of work to get
the system back to operation. Thanks to some of the earlier
messages on this group (David Lipman on July 6 2005).

Now my question is: Is it sound practice to rely on one AV package
that cannot be relied on to identify each and every infection? [NAV
as of today appears not to detect the "mytob.GD" worm].

Is there any strategy to have some alternate package run on the
system?
I understand there could be a number of conflicts etc but has
anyone
used a scheduled web tool task to complement their loaded package?
This episode cost me 20 hours of productivity and I value that at
least $1000, so any approach that saves me so much effort is
worth paying for.

mike

I am trying out using multiple scanners. I have eTrust (which is my
main one), AVG free and AntiVir free running with real-time scanning
turned on. Also BitDefender free, ClamWin for backup.
I always use Thunderbird for mail and Firefox as browser.
Plus Spybot with resident running, MSAS running with real-time
scanning, PestPatrol with active protection running and 2 script
blockers (script defender/script sentry) running.
So far just a minimum slow down in loading programs (I am using an
older P2 450MHz/512MB win2000pro).
-max