Malware Scanning Multible Users

Bios Computers

I am sure that somewhere deep within the forums this may have been previously discussed, but I could not find it. I am curious about the consensus on scanning a client's computer that is definitely contaminated and has multible users.

I have heard two sides to this story ... A) you only need to scan one user to remove all infections or .... B) You must scan all users to remove all infections.

I personally follow the "B" camp and charge appropriately..... If you have any thoughts on this subject, please let us all know and what your reasoning is for your answer would also be great.

Tman
 
B. You should "scan" all user accounts, and by scan I mean investigate and check for malware.

Now if the question is, do you run your anti-whatever scanner on each individual user account, then my answer is that depends on what "scanner" you are talking about (does it already scan each user registry/profile directory when run on only one user account, or does it not?)
 
"Multiple."


We check each user after we're done removing problems, but generally our malware removal process addresses problems in each user account without logging in, scanning, and repeating.
 
Ok, let's take it a step further .. as far as I know there are only two ways to remove malware that I have come across ... manually or with software. I am sure most of us use software to automate the process and possibly jump in with manual correction as required. I am also sure most of us use the same or similar software for malware scanning and most likely we all have our favorites.

I was not however aware that some scanning software will automatically scan all users. I must wonder that if any given user profile is not running at the time of the scan of a different user, will scanning software detect malware that is attached to that user profile, because the profile is not running and most likely the malware for that profile is also not running. So that begs the question will the scanning software detect and remove such malware. I would be interested to know which malware scanning software scans all users at the same time ..

Tman
 
I've seen Malwarebytes scan other user profiles that aren't currently logged in and even accounts that are private and not accessible to Windows Explorer.
 
I was working on a computer a couple of days ago that I had scanned with MWB and SAS under one profile; between them they picked up over 1600 viruses/malware/spyware. I ran CCleaner under the same profile (forgot about the other) and cleared temp folders etc. I installed Kaspersky Anti Virus and that picked up viruses in the other profile's temp folder. I then logged in under the other profile and ran CCleaner there.
 
I was not however aware that some scanning software will automatically scan all users.

I honestly don't keep up with it anymore. I'm mostly a manual removal kinda guy and I only use scanners to pick up the leftovers after the threats are neutralized. I guess what I'm saying is, I don't bother to run scanners on each user profile when I'm done, I only bother with the main account or the one where the infection originated in. I used to back in the Ad-Aware/Spybot days, but not really anymore. Honestly I figured most apps were actually scanning other user profiles by now.

I know I've seen Hitman Pro search other user registry hives... I'm unsure about SAS or MBAM... It's definitely worth looking into, maybe doing some testing, though!

I know that Spybot S&D was the first major app to start scanning all user profiles, but you had to use a /allusers command line parameter or something similar. I remember it (like D7) searches for other user registry hives and loads them into the registry with a special name, and scans that way. I don't know if you still need to use the switch or if it does it automatically now...
 
I run a full scan on the main user who got the virus, then I'll run a quick scan only on the other accounts if they were used after the infection. Other than that I will do a quick manual check of each account after I think it's gone to double check.
 
I think the important question, for those who scan all users (be it quick or full) is:

A. What are you scanning with that you suspect isn't scanning additional user accounts during the first scan?

and

B. Do you ever actually see any additional threats turn up during these scans on subsequent user accounts?

Of course, I mean actual THREATS not just the occasional policy setting restriction or load of cookies...
 
I know of no case where you have to scan any account other than the one(s) that caught the virus. Of course, how do you know which one? Sometimes that's clear and sometimes not. All the scanners that I know of, including MWB, will catch virused files in other profiles but they won't fix registry problems in that user's personal registry entries. So, if your virus diddled with the user's ability to open Task Manager and you don't run MWB from his/her profile, you won't catch the problem. You can also get a case where the user logs in and the virus is still listed in his/her start-up files and you end up with an error message (because MWB deleted the virus file but not the reference).
 
All the scanners that I know of, including MWB, will catch virused files in other profiles but they won't fix registry problems in that user's personal registry entries.

I mentioned earlier, Spybot S&D has been doing this for ages, with a special command line parameter at least. I don't know about now, or other apps...

So, if your virus diddled with the user's ability to open Task Manager and you don't run MWB from his/her profile, you won't catch the problem. You can also get a case where the user logs in and the virus is still listed in his/her start-up files and you end up with an error message (because MWB deleted the virus file but not the reference).

I don't have either of those problems. Of course, I don't rely on MWB either...

The main issue when I programmed D7 was to make sure it didn't focus on the current user alone, but loaded all user registry hives for examination in Malware Scan and for action with functions like Clear Policy Settings - both of which address your concerns. It is simply inexcusable, as easy as it is, for an app to not do that. But that's just IMHO...

You can't tell me that one of the other more current malware fighting apps (as in, more current than Spybot S&D) doesn't bother to scan other user profiles?? Oh wait, you can't. I just remembered as I also mentioned earlier HitmanPro does this too.
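
The approach described above (loading each user's registry hive under a temporary name so that accounts that are not logged on can still be examined) can be sketched as follows. This is an added example, not part of the original thread and not the code of D7, Spybot S&D or any other tool mentioned; the `AUDIT_` mount prefix and the choice of keys to report are assumptions made here, and the script only reads, it changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: list start-up entries and policy restrictions for EVERY local
# profile, including users who are not logged on, by mounting their NTUSER.DAT.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$checks = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'  # e.g. DisableTaskMgr
)

$findings = foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }      # skip system/service accounts
    $path  = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $hive  = Join-Path $path 'NTUSER.DAT'
    $mount = "AUDIT_$sid"                              # temporary name (chosen here)
    $loadedHere = $false

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        $root = "Registry::HKEY_USERS\$sid"            # user is logged on: hive already mounted
    } elseif (Test-Path -LiteralPath $hive) {
        & reg.exe load "HKU\$mount" $hive 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
        $root = "Registry::HKEY_USERS\$mount"
        $loadedHere = $true
    } else { continue }                                # profile folder is gone

    foreach ($sub in $checks) {
        $key = Get-Item -LiteralPath "$root\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Profile = $path; Key = $sub; Name = $name; Value = $key.GetValue($name)
            }
        }
        $key.Close()                                   # release handle before unloading
    }

    if ($loadedHere) {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" 2>&1 | Out-Null
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A start-up entry that points at a file a scanner has already deleted, or a `DisableTaskMgr` value set in a profile nobody logged in to during cleanup, shows up in this listing without signing in as that user.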
 
Hi,

Just to add some fuel to the fire, I contacted Hitman Pro via email (their name was mentioned in an earlier post that suggested that their software may scan all users effectively). I posed the same questions to them as I did here originally and this was their reply ... Start Quote:

" Jon,

Files are only infected files (malware) when they are active. So when a bad file is on the non-active user account, they are not malware. Until they become active, they are not a threat.

For example, a car that never starts, moves, drives and so on, could never hit someone. It is non-active, so no threat on the road.

I hope you understand what I mean. As soon as the threat gets active, Hitman Pro will detect it, that’s why we advise to scan daily or at least weekly.

Please feel free to contact me again.

Best regards,
Lisa Turkenburg

Support & Office Manager "

End Quote: ...

So it would appear that this company is stating that all users can be individually infected and that as long as these users' profiles are not running these threats WILL NOT or MAY NOT be detected and that we as technicians must consider the premise that if one user has malware, most likely the rest of the users may also be infected and should be scanned on an individual basis to guarantee that our clients are free of infections that can be detected.

Thoughts ?

Jon
 
That's interesting. I've seen HMP specifically read proxy settings from other user profiles... That doesn't jive with that guy's philosophy. I wonder if I've been overestimating them all along.
 
The answer from Surfright doesn't make sense and IMHO sounds a bit like a politician avoiding a question that they don't know the answer to.

A bad file is still malware whether it's active or not.

It's like saying that a car isn't a car unless it's being driven.