Seriously, has anybody ever seen a serious virus problem in Windowswhen using AV protection?

[Char Jackson]

People I meet have many times asked me if they should shut their Windows
computers off at night, and I always say, "Yes, keep your PC off unless
you are using it."

I figure if it's off, an infected computer can do less damage.

I agree with the advice, although I don't follow it myself. To me, the
primary reason for turning a system off is to save electricity.

 

[David H. Lipman]

From: "Char Jackson" <[email protected]>

| On Tue, 23 Mar 2010 18:57:13 -0400, ToolPackinMama

| I agree with the advice, although I don't follow it myself. To me, the
| primary reason for turning a system off is to save electricity.


Actualy the quiescent temperature is better since you dont have hard drive warming
exapnsion and drive cooling contraction cycles adding tom the wear and tear factor and
aging of a hard disk.

 

[Char Jackson]

From: "Char Jackson" <[email protected]>

| On Tue, 23 Mar 2010 18:57:13 -0400, ToolPackinMama


| I agree with the advice, although I don't follow it myself. To me, the
| primary reason for turning a system off is to save electricity.


Actualy the quiescent temperature is better since you dont have hard drive warming
exapnsion and drive cooling contraction cycles adding tom the wear and tear factor and
aging of a hard disk.

Probably true, but I have no evidence, even anecdotal evidence, to
indicate that it makes an appreciable difference in equipment life.

 

[Dave Cohen]

RayLopez99 wrote:

Seriously, has anybody seen--or even heard--of a serious virus
(including rootkit or malware) problem in Windows when using
commercial antivirus protection?

Yes

One of the claims of the Linux crowd is that such problems are
legion. But talking so some of the people at alt.comp.anti-virus I
get the impression such problems are rare.

Who is more right?

So the estimate that around 30% of all windows computers are infected
is "rare problems"

[snip]

30%?

What an illogical conclusion from what was said.

It wasn't a conclusion from what was written in this thread

Are you a politician??
Same kind of logic they use.
Buffalo

Are you a Mac user? Those tend to be extremely stupid.
Or are you (even worse) a windows user?

I've been using windows for years, never had a virus. It's not that I
think windows is necessarily better, but it runs the apps I want to use.
I've no doubt others do get these things, but since I've no idea what
they are doing when they get infected I'm in no position to comment. As
to being stupid I'm too old to worry about such trivial matters.

 

[ToolPackinMama]

Probably true, but I have no evidence, even anecdotal evidence, to
indicate that it makes an appreciable difference in equipment life.

I feel constrained to point out that if they can't be bothered to keep
their PC free of malware, that it's probably better if their equipment
fails sooner.

 

[RayLopez99]

installed itself on every floppy that was used on their system, and on
mine until I disinfected every single one of the 150 floppies I used on
a regular basis. Then, a few months later I found out I'd missed one.....

OK, a great war story. But seriously John, in the modern era have you
ever had a virus? Which one? Name please? And why did it slip past
your AV shield?

Kaspersky is currently warning me of a few malware attacks each week,
mainly from websites mentioned on this newsgroup.

Sure John. And people die of AIDS from having unprotected sex. Not
to make fun of it, but it's a disease of the ignorant. Back in the
days BEFORE protection intelligent people did get AIDS--mostly gay
men, but intelligent nevertheless--however, in the "modern" era the
rate of infection amongst these (smarter) people--with exceptions that
prove the rule like some people I've read who refuse to wear
protection--has slowed.

Same with computer viruses. In our modern era John, who is getting
infected? Nobody SAVE zero-day attack victims.

So let's ask this question: have you or anybody you know ever been a
zero-day attack victim? Nope? Didn't think so.

Anybody else?

RL

 

[RayLopez99]

Just say "malware" when you want to be all inclusive about malicious
software. Viruses are in only a smallish subcategory of malware. The
terms "rootkit", "adware" and "spyware" are really neutral (some are
malware, some are not).

OK, thanks will do that.

That being said, even AV aimed at "prevention" has its achilles' heel -
and when prevention fails an attack against the AV can be launched,
which allows *everything* to circumvent it.

I see. Interesting theory.

The Linux crowd is getting more and more like the Windows crowd every
day. )


It depends on whom you ask. D

Yes, true.

The bottom line is that antivirus and antimalware programs only detect
*some* of what they try to detect. The best approach is to limit the
amount of malware that you expose those programs to. Adhering to best
practices may result in avoiding 95% (just a guess) of malware out
there. The rest will be worms (i.e. exploit based autoworms) and viruses
(downloaded from *reputable* sources).

OK, that 5% interests me. But as a scientist I believe in
verification. Anybody get infected by that 5%, and by what, did it
have a name? The only thing I can think of is: (1) unnamed viruses
not get discovered by Kaspersky or whoever, and, (2) zero-day attacks
by new viruses (or variants of old) that Kaspersky sends out the patch
but a day late.

RL

 

[RayLopez99]

Did you know that Peter is a Windows user? its true. He's a closed
source Windows programmer. In other words he is responsible for a lot of
the "brain dead" applications that run on Windows. Amazing isn't it? So
is his lickspittle "mini me" Chris Ahlstrom.

LOL. But Hadron you assume Peter's code is actually being used. More
likely he is part of a team and as a junior programmer his work is
redone (and done right) by a senior programmer. The senior programmer
would have fired Peter by now, but doesn't want to rock the boat and
besides, it gives the senior guy something to do: debugging Peter's
code. I've seen this arrangement in practice.

RL

 

[RayLopez99]

The question was about the subset of all Windows computers that are
"protected" by commercial AV, not the entire set of Windows computers
estimated (by you?) to be infested. I can guess that greater than that
30% of all Windows computers are completely unprotected (after their
bundled AV runs out).

Thanks. I just realized that by including two newsgroups in addition
to comp.os.linux.advocacy, namely alt.comp.anti-virus,
alt.comp.hardware.pc-homebuilt, you get smarter answers.

Perhaps it's right what people first told me about COLA: it's just a
place for flaming, not serious advocacy. Shame really, as I do think
Linux does a few things better than Window (the virtual directory
scheme of Unix comes to mind).

RL

 

[RayLopez99]

RayLopez99 wrote:

Woosh!

Sorry this obscure cultural idiosyncracy escaped me--maybe you mean
"swoosh", meaning you scored a point in basketball (basket as it's
called here)? Or you calling me a "wush"? Whatever.

Do you actually bother to read what other people write? This was an extract
from the Kaspersky log on MY PC. The Viruses came free with something I
downloaded. I didn't say they became active, Kaspersky stopped that.

OK, you lost. You just VERIFIED (do you bother to read what people
write?) what I had said: the virus was accidentally installed by the
victim, and, further, Kaspersky worked to stop said virus.

WOOSH!

Seriously, anybody ever been infected by a virus in Windows with AV
software running? Anybody?

RL

 

[RayLopez99]

Detecting zoo viruses will skew results. The ability to detect them adds
no protection at all, since you won't be exposed to them. There is much
discussion about this in the AV community. I hold with those that would
ban zoo viruses from "test sets" except for showing that the technology
is there to detect them if they do ever make the ITW list.

Keep the technology that allows the detection of difficult viruses, even
if no viruses of that type are ITW, but exclude them from comparative
tests because to have no real world impact.

Excellent point. Shows me you know your stuff.

If you care to share whether you've ever seen basically the only way a
properly protected Windows system will ever be infected, save user
negligence (installing a virus), that is, a zero-day attack, feel free
to share.

So, let me rephrase the question as it's becoming clearer by the post
what the real issue is:

aside from historical stories back in the days of the SneakerNet,
aside from sorority sisters who don't practice Safe Hex and don't use
AV programs, aside from negligent or stupid users who accidentally or
otherwise install viruses or malware, has anybody seen the one and
only way a properly configured Windows machine can ever be infected by
viruses or malware, namely, a zero-day attack?

RL

 

[RayLopez99]

Yes.  I had to clean up a Windows laptop last year despite things
being kept up to date and AV installed.  The AV was bloody hopeless at
setecting it despite being kept up to date.

Urban Legend? I think you are sincere, but if it's not too much of a
bother if you can recall the name of the virus (if it had a name) that
would be great, unless giving away this name would identify the
customer/client/victim of the malware. In other words, how could the
malware infect the laptop--unless it was a zero-day attack or the user
installed it by mistake?

In short, as I code, I know that computers are very predictable. If
your AV program is configured to catch virus "X" then it will catch
it--and you will not be infected. As for the 30-70% of malware that
are not caught (see the PDF in this thread), this could be "zoo" type
malware that is included in the figure but in practice is never seen
'in the wild'.

RL

 

[RayLopez99]

Yes, while using XP. I clicked on a site from a cigar NG that sold torch
lighters. Got shot to some chinese site and my "free" CA AV program lit up
like a xmas tree. It warned me of the infection and supposedly deleted it..
But it wasn't gone. It eventually took over the whole machine and ended up
doing a reformat to regain control. Needless to say that was the end of my
using CA products...whatever the price.

Great story,and believable. Shows CA (which I think at one point I
even had, if it goes by the name "Sammy" and had an icon of a troll
like figure that was supposedly protecting your machine) is no good.
Switch to Microsoft's AV offering (see the report), or Avant?! (or the
other one that starts with an 'A'), which were #2 and #1 on the list,
or Kaspersky (top 33%) or even Webroot's Sophos AV engine offering,
which I use on this XP machine (it was slightly below average on the
list, but like I say I've not had any problems and I surf porn
sites). Don't use the stuff like CA ranked at the bottom or not even
on the list.

But all this does not refute the main point thread...

Anybody else?

RL

 

[RayLopez99]

RL, you seem to be a combative personality type based on your posts.

Projection noted.

Many people that do REAL work use IM all over the planet, many
development teams, support teams, etc...

I suppose if you are in sales. Development teams? Why? Except for
group online meetings, and even, then (Skype video is better) I would
think email is better...but perhaps you're right.

What you seem to be missing is the concept of how malware is spread on
windows machines - exploits and social engineering as well as drive-by
web attacks. Like many malware spread via IM, Facebook, email, they all
appear to be legit attachments, files, links, until you inspect them and
for most people that's too late.

Fine. THEORY. Give me a real work EXAMPLE Leythos.

I've already proven

HA HA HA. A comedian. A combative comedian. Andrew Dice Clay your
show name?

that having an Antivirus solution doesn't protect
you in all cases. We've all, at least those of us that run IT companies,
have seen exploits get past "Local User" accounts, such as the SQL
injection ones....

BU LL S H IT. Now you've become the "Rex Ballard" of C.O.L.A. SQL
injection attacks are ancient history and obsolete, due to the way
commands are entered, parametrically, in ADO.NET (Windows database
language). I know, as I code. Any other falsehoods you care to
share?

So, running as a local user, with any version of anti-virus software
from any vendor, all patches installed from MS, I've seen, first hand,
hundreds of Windows WP and now Vista/Win 7 computers compromised.

Nope. You have not seen. What you've seen (and I've seen this too) is
a corporation get infected because a user installed a virus by
mistake, and sent it around to co-workers (typically via email) who
did not have the latest AV patches installed on their machines.
Corporations use old hardware and software and are often behind the
times in Safe Hex.

Oh, and most of those computers were not using IM, didn't even have it
installed.

Oh, really? Oh. Doubtful. How did they get infected then?

RL

 

[RayLopez99]

HA HA HA - and yet it just about shutdown internet use for days in many
locations.

You really didn't look very long or hard, it's one of the largest events
in the history of the internet.

http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)

Proves my point: a zero day attack and when did this happen? 05:30
UTC on January 25, 2003.

Ancient history, like your name.

Goodbye Leythos (sounds Greek to me!)

RL

 

[SteveH]

Sorry this obscure cultural idiosyncracy escaped me--maybe you mean
"swoosh", meaning you scored a point in basketball (basket as it's
called here)? Or you calling me a "wush"? Whatever.

No, as in over your trolling little head. As in implying what you do in
front of your PC while looking at your 3 favourite porn sites.

OK, you lost. You just VERIFIED (do you bother to read what people
write?) what I had said: the virus was accidentally installed by the
victim, and, further, Kaspersky worked to stop said virus.

Learn to read and comprehend tosser. The virus/malware was not 'installed'
at all. Kaspersky never stopped it, it detected it /before/ it got that far
and dumped it.

I suggest you go back to your porn. Pictures will be so much easier for you.

 

[Lusotec]

Proves my point: a zero day attack and when did this happen? 05:30
UTC on January 25, 2003.

It was *not* a zero day attack. The vulnerability was known and a patch was
available a good number of months prior to the attack. Learn the terminology
before posting.

Any way, for a virus to stop these kinds of attacks (remote buffer overruns)
it would have to filter the network traffic, and that is impractical for any
server with significant traffic.

Regards.

 

[Lusotec]

BU LL S H IT. Now you've become the "Rex Ballard" of C.O.L.A. SQL
injection attacks are ancient history and obsolete, due to the way
commands are entered, parametrically, in ADO.NET (Windows database
language). I know, as I code. Any other falsehoods you care to
share?

SQL injection vulnerabilities (and attacks) are very common, very current,
and will continue to be for the foreseeable future, much like other kinds of
vulnerabilities.

Do you really think that just by using ADO.NET you have eliminated the
possibility for SQL injection vulnerabilities? Are you that clueless?!

Just because a database access framework like ADO.NET allows for
parametrized queries does not mean that everyone uses them correctly all the
time, or uses them at all.

Regards.

 

[Peter]

I thought you might..


'We' don't buy it, who the feck do you think you are trollboy?
Why do you think people have to answer to you?

but if you insist:

19/03/2010 23:01:54 Deleted Trojan program Trojan.Win32.Chifrax.d P:\System
Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe
High
19/03/2010 23:01:54 Deleted Trojan program Trojan.Win32.TDSS.amjc P:\System
Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe//data0002
High
19/03/2010 23:01:54 Deleted Trojan program Trojan.Win32.TDSS.amjc P:\System
Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe//data0002//data0003
High
19/03/2010 23:01:54 Deleted Trojan program Trojan-Downloader.Win32.Small.kdj
P:\System Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe//data0002//data0004
High
19/03/2010 23:01:54 Deleted Trojan program Trojan-Downloader.Win32.Small.kdj
P:\System Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe//data0002//data0004//PE-Crypt.Eta
High
19/03/2010 23:01:54 Deleted Trojan program Trojan.Win32.FraudPack.pto
P:\System Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe//data0002//data0005
High
19/03/2010 23:01:54 Deleted Trojan program Trojan.Win32.Chifrax.d P:\System
Volume
Information\_restore{4F779BDD-1E8F-43A5-A7E1-5110978EEAFE}\RP17\A0000682.exe//data0003
High

Part of my Kaspersky log.

But how many of those are genuine and how many are false positives?
Those ones found in the system restore folder give no indication of the
original filename and I don't have the time to start rooting around in
there to find out if the file is genuine or not, I don't know about you.

Recently, I was given a computer from a friend which had XP on it and my
AVG was fine until yesterday, when it found what it said was spyware (a
genuine file from bt called btwebcontrol.dll). Nothing wrong with it.
They used to have BT broadband. It also found a file in the system
restore which it categorised under the same virus name, which I am
presuming is the exact same file, except it's just called A0000462.dll.

2 false positives. It seems these days AVG is finding files in system
restore which it didn't have a problem with previously and I am happy to
accept are genuine files and not any kind of virus. Your logs seem to
indicate the same habit from Kaspersky.

 

[Leythos]

Please, guys and gals, urge your friends and customers to turn the
computers off when they are not using them... unless there is a
compelling reason to do otherwise.

You mean like maintenance that happens after the users are done using
the computer?

You mean like AV scans that happen at night so that they don't impact
the user during the normal use hours?

You mean like windows updates between 3AM and 4AM?

You mean like remotely connecting to the computer to work?

In 30+ years of working with computers I've had exactly 1 malware on a
computer I own/control and my own computers as well as most of the
computers at our customers sites run 24/7.