That's the virginity lost

sassenach

I've just had my first virus to deal with - PC Cleaner Pro 2012

I think I've got it all out now but am running a Kaspersky full scan at the moment.

It got past a paid up version of Kaspersky somehow, but I have a feeling that it would have been a user initiated bypass as the lady admits to being a total technophobe who just uses the laptop for emails and skype.

The satisfaction meter is running quite high now :D
 
I have seen ALL licensed virus programs with viruses, including Kaspersky.

If a virus comes out today and you "catch it" and it doesn't get into a virus program's database until 3 or 4 days from now, your computer WILL become infected.

After it is infected, the computer may not be able to clean itself once the virus pattern/fix is in the virus database, because either the A/V becomes disabled OR the virus has found a way to hide itself or is no longer "visible" by the A/V because it is now buried in the O/S.
 
Hence, that is why you would build your own Linux box from scratch: Gentoo or Linux From Scratch. :):):):):) Just my 2 cents.

I have seen ALL licensed virus programs with viruses, including Kaspersky.

If a virus comes out today and you "catch it" and it doesn't get into a virus program's database until 3 or 4 days from now, your computer WILL become infected.

After it is infected, the computer may not be able to clean itself once the virus pattern/fix is in the virus database, because either the A/V becomes disabled OR the virus has found a way to hide itself or is no longer "visible" by the A/V because it is now buried in the O/S.
 
good for a server?

pfsense then. :):)

Fantastic for a server. Right out of the box it's brilliant. But if you are only familiar with Linux then you have a lot of new things to learn. Even the syntax of common programs is very different. That's why I do not recommend it to anyone as a new O/S.

Even for hosting, cPanel, the leader in control panels, has dropped it as it's too different from Linux and most people will just abandon it, as it requires a lot more low-level understanding of the operating system.
 
If a virus comes out today and you "catch it" and it doesn't get into a virus program's database until 3 or 4 days from now, your computer WILL become infected.
Precisely why I tell customers that they will "never be protected against today's virus, only yesterday's."

There's very little protection against a zero-day infection that uses new tactics.
 
If a virus comes out today and you "catch it" and it doesn't get into a virus program's database until 3 or 4 days from now, your computer WILL become infected.
Not if the AV program has good heuristic detection (depending on what you mean by "catch it"). Here are the test results ranking A-V Comparatives reported 2011-11 on some AVs of interest:

Retrospective (Detection+FP) Rank (2011-11)
02. G Data Antivirus 2012
03. AVIRA Antivir Premium
04. ESET NOD32 Antivirus 5.0
06. Kaspersky Anti-Virus 2012
10. Microsoft Security Essentials 2.1
11. AVAST Free Antivirus 7.0
NA. AVG Anti-Virus 2012

AVIRA AntiVir Premium detected 62.4% and Kaspersky 60.1% of the malware thrown at them 90 days after their last definitions updates, IIRC. See AV-comparatives.org for details. So, a good heuristics engine coupled with good detection and low false positives (among other factors) is what I go by when deciding what to use/recommend/sell.

Edit: Be sure to see the AV-Comparatives report, as performance may not be significantly different for products of different but close ranking, e.g., between AVIRA, ESET and Kaspersky.
 
It was definitely the fake one. Thanks to Foolish for D7 and the rest of you who have freely given tips in the past, it made my work plan easy to follow even if getting rid of all traces was a bit harder.
 
Heuristics help, but typically if you run into a true 0 day (which is pretty rare) it's not going to be detected. I have seen 0 days detected by heuristics before, but not the original file, only aspects of what it was doing through other processes.

If AV Comparatives has it for testing then it's probably not a 0 day.
 
Heuristics help, but typically if you run into a true 0 day (which is pretty rare) it's not going to be detected. I have seen 0 days detected by heuristics before, but not the original file, only aspects of what it was doing through other processes.

If AV Comparatives has it for testing then it's probably not a 0 day.

I have to agree with you CRT and also with what Xander implies that there really is no sure-fire way to protect against truly stealthy infections like these as you are only able to "pick up the pieces" only after the damage has been done. That's signature evidence you have had a zero infection. I have had to deal with what I believe to be zero variants exactly twice, and only on one occasion was I able to rescue any useful data before having to N&P.
 
Quantify "good heuristic detection". One virus getting through an A/V is 100% failure.
I don't know what qualifies as "good" heuristic detection. In the case of Avira, maybe the fact that 62.4% of infections were detected for new malware found 90 days after the last definitions update? That's a lot better than zero, which is what would be detected relying on signatures alone.
(A) [Heuristics help, but typically if you run into a true 0 day (which is pretty rare) it's not going to be detected.] (B) [I have seen 0 days detected by heuristics] before, but not the original file, only aspects of what it was doing through other processes.

If AV Comparatives has it for testing then it's probably not a 0 day.
A and B in your post seem contradictory to me. The malware they used for testing was new at the time of testing, so there couldn't have been signatures for them, yet they were detected based on their behaviour or characteristics.
...there really is no sure-fire way to protect against truly stealthy infections like these as you are only able to "pick up the pieces" only after the damage has been done.
Nobody said heuristics were sure-fire (infallible). The ones you cleaned up after were obviously not caught before doing some damage, but I believe some will have been caught before they could do any/much damage. To me, 62.4% protection is better than zero percent protection from malware that cannot be detected by signatures alone. So, picking an AV based on signature detection ability alone and ignoring heuristic detection ability, is rather short-sighted I think.
 
A and B in your post seem contradictory to me. The malware they used for testing was new at the time of testing, so there couldn't have been signatures for them, yet they were detected based on their behaviour or characteristics.

A is referring to the actual true 0 day file, whereas in B I'm referring to secondary processes that may have branched off the 0 day. So you've detected something to indicate "hey, you got a virus", but it doesn't necessarily point you to the zero day.

Unless AV Comparatives has started their own malware production, they probably use spiders just like other AV companies. The majority of the undetected malware they find through spiders will be variants, not really what I would consider a true 0 day.
 
So, picking an AV based on signature detection ability alone and ignoring heuristic detection ability, is rather short-sighted I think.

No argument here. Heuristics definitely has its place.

Please help me to understand this then about rootkits. Isn't applying heuristics most successful with non-rootkit type variants? And that, by their nature, rootkits like ZeroAccess are not detectable (and therefore not preventable) no matter what you throw at them from a heuristics-based approach?
 
No argument here. Heuristics definitely has its place.

Please help me to understand this then about rootkits. Isn't applying heuristics most successful with non-rootkit type variants? And that, by their nature, rootkits like ZeroAccess are not detectable (and therefore not preventable) no matter what you throw at them from a heuristics-based approach?

Rootkits would still be detectable on initial infection through heuristics, but TDSS, ZeroAccess, etc. are created by talented teams that will take the time to make big changes between variants.
 