Microworld Antivirus toolkit and escan - any good?

Thread starter: Moe Hair

Moe Hair

Ok, just to be on the safe side I took someone's advice and downloaded the
Microworld Antivirus toolkit utility (powered by Kaspersky) in order to
scan my hard drive. Avast and Norton didn't find any viruses, but this
utility came up with the following. First of all, what does "tagged as not
a virus" mean? The utility found several viruses but next to each one
stated, "tagged as not a virus". Huh? Most of these files seem like legit
program files, so how can they possibly have raised a flag?


File C:\DELL\Drivers\SiigUSB2.0_v2.06.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\DELL\Drivers\TB1-Eng.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Downloads\aaw.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Music2\Divx Bundle.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Music2\Radium MP3 Codec v1.263 - Radium.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Shared Folder\Serialz.exe infected by "Backdoor.Win32.VB.ar" Virus. Action Taken: No Action Taken.
File C:\My Shared Folder\WinXP Pro - Office XP (final) Key Generators (TEK) (1).exe tagged as not-a-virus:Tool.Win32.Shutdown. No Action Taken.
File C:\Program Files\Corkboard\UNINSTAL.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Games\Microsoft Pinball Arcade\Setup.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Taxcut99\attcheck.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Taxcut99\checktc.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Taxcut99\removetc.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Taxcut99\update.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Turtle Beach\APPS\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Turtle Beach\OSR2GLUE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Voyetra\TBS Montego\ACRORUN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Voyetra\TBS Montego\OSR2GLUE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\TB1-Eng\APPS\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\TB1-Eng\OSR2GLUE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
 

Kaspersky uses so-called extended DATs, which are used for detecting
other kinds of malware than viruses and trojans. Included are adware,
spyware, hacking tools, virus-writing tools, crack progs, reboot-capable
applications, etc. So you seem to mainly have programs that reboot the
machine when installed, and one keymaker, etc.
http://www.kaspersky.com/extraavupdates

Jari
 

These are programs or utilities that can do harmful things when used
improperly (by unskilled users). They are not Trojans. They are not
malicious code. They have "good" uses and are "known" to the AV as
such. But KAV (and McAfee and maybe some others) may alert users to
some of these commercial programs. With the McAfee command line
scanner you have to specify that you want these detections by means of
a command line switch. With KAV, there is no user selection (at least
on the versions I'm familiar with).

I guess the purpose of such alerts is to warn naive users to shy away
from using the flagged programs and utilities.

Art

http://home.epix.net/~artnpeg
 

The older version would have cleaned/renamed. eScan is still useful as
an identifier.
-max
 
Sorry you do have one dangerous application that is a backdoor trojan.
Delete it.
File C:\My Shared Folder\Serialz.exe infected by
"Backdoor.Win32.VB.ar"
Virus. Action Taken: No Action Taken.

I deleted that one immediately before I even posted this message, although
both Avast and Norton scanned it and found nothing.
 

Kaspersky used to use ADS (alternate data streams) on files. This only
works under NTFS, which allows more than one data stream for a file.
Normally you only see the primary data stream, like the one you would
see with Notepad when editing a file. The Resource Kit and SysInternals
have tools to let you look at the ADS of files. Kaspersky used to use
the ADS to mark a file as already scanned, save a hash code (so it knew
that the file was already scanned and had not been modified since the
last scan), and probably store some status in the ADS. The tool you
are using might be checking the ADS and seeing that the Kaspersky
engine already created an ADS and marked that file with its hash code
and also noted that it wasn't infected. This hash value (to know the
file hasn't been changed since the last scan) and noting it wasn't
infected allows Kaspersky to run faster. Rather than scan the entire
file again, it just checks the ADS so it can skip checking that file.

At one time, I was looking at getting Kaspersky but do not like its use
of ADS. Only recently have anti-malware products started to scan the
ADS of files (Ad-Aware scans the ADS but Spybot does not). If you
uninstall Kaspersky, it doesn't bother to remove all the ADSes that it
added to the files. ADS is an advanced feature of NTFS but Microsoft
didn't bother empowering users to interrogate it. By adding an
alternate data stream, you could make a 1KB file actually 1GB in size
and the user won't understand why they have problems copying the file
due to "insufficient free space" for what gets reported by Explorer or
'dir' as a tiny 1KB file. Malware could even bloat out your files to
consume all free disk space although everything you use says the files
consume space far less than the capacity of your drive.

It makes a convenient place to secrete a virus or trojan because
anti-virus programs won't scan the alternate data stream of a file. The
on-demand file scanner of the anti-virus program won't discover the
virus hiding in an ADS. However, something has to extract the virus
from the ADS, load it in memory, and execute it so the on-access scanner
for the anti-virus program should catch it then (but then it is a virus
in memory and no longer in the file so the virus never does get truly
eradicated).

Some articles on ADS:
http://www.ntfs.com/ntfs-multiple.htm
http://www.auditmypc.com/freescan/readingroom/ntfsstreams.asp
http://www.heysoft.de/nt/ntfs-ads.htm

Some utilities for ADS:
SysInternals' stream
LADS
CrucialADS
Win2000 Resource Kit (forget what the utility is called)

It isn't just Microsoft's NTFS that uses alternate data streams. "The
Mac OS uses alternate streams called resource forks on the Mac's
Hierarchical File System (HFS) to store application metadata such as
icons"
(http://www.windowsitpro.com/Windows/Article/ArticleID/19878/19878.html).
ADS have been around as long as NTFS yet it is the rare Windows user
that has even heard of it.

Well, at least Ad-Aware SE will now scan alternate data streams but
that's just one safeguard product. I wish the on-demand scanners for
anti-virus programs also scanned the ADS. I believe one of the
anti-trojan products, maybe TDS-3, also scans the ADS.
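The post above describes what an alternate data stream is, why a file can look tiny in Explorer while carrying a large hidden stream, and names a few tools for looking at them. The script below is an added example, not code from the thread or from any of the products it mentions. It uses the -Stream parameter that PowerShell 3.0 and later expose on the FileSystem cmdlets (Set-Content, Get-Item, Get-Content, Remove-Item) to create a named stream on a throwaway file, show the size discrepancy, sweep a directory tree for non-default streams, and delete the stream again. It assumes an NTFS volume (FAT and exFAT have no streams); the file name ads-demo.txt and the stream name payload are made up for the demonstration.

```powershell
# Added example, not from the thread: create, enumerate, read and remove NTFS
# alternate data streams using the -Stream parameter that PowerShell 3.0+
# exposes on the FileSystem item cmdlets. Requires an NTFS volume (FAT and
# exFAT have no streams). The file and stream names here are made up.
$ErrorActionPreference = 'Stop'

$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'visible text'

# Attach a second, named stream of about 1 MB. Explorer, 'dir' and
# (Get-Item).Length report only the default ':$DATA' stream, so the file
# still looks like a handful of bytes.
Set-Content -LiteralPath $demo -Stream 'payload' -Value ('x' * 1MB)

"Visible size: $((Get-Item -LiteralPath $demo).Length) bytes"

# Get-Item -Stream * lists every stream of the file, the default one
# included; each object carries .Stream (name) and .Length (bytes).
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length

# Read the named stream back. The 'file:stream' syntax works too, e.g.
#   Get-Content "${demo}:payload"
$back = Get-Content -LiteralPath $demo -Stream 'payload' -Raw
"Hidden stream: $($back.Length) chars"

# Sweep a directory tree for non-default streams, reporting the stream size
# next to the visible file size so a tiny file carrying a large stream
# stands out.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $f.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        FileBytes   = $f.Length
                    }
                }
        }
}

# Zone.Identifier is the browser "mark of the web"; it is benign and very
# common, so filter it out to see what is left.
Find-AlternateStreams -Root $env:TEMP |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Format-Table -AutoSize

# Delete only the named stream; the default stream is untouched. Then clean up.
Remove-Item -LiteralPath $demo -Stream 'payload'
Remove-Item -LiteralPath $demo
```

Run it in a PowerShell console on an NTFS drive; the first output line shows the visible size (a dozen bytes or so), the Select-Object table shows both ':$DATA' and 'payload' with the latter at roughly a megabyte. Without PowerShell, `dir /r` in cmd.exe (Vista and later) lists streams, and the Sysinternals `streams.exe` the post mentions does the same, with `-s` to recurse and `-d` to delete the streams it finds.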
 