Virus Scanners for Remote support.

Wondering if any of the experienced techs doing remote support could suggest a few virus scanners for remote support work. Right now I'm using HitmanPro, ComboFix and Malwarebytes, but ComboFix kills the connection, and with TeamViewer I can't get back on. Any suggestions for alternative scanners?
Thanks, all.
 
Thanks, I'm looking into that. With D7 I could eliminate ComboFix and never lose the connection. Sweet.

Thanks for the purchase btw Dave, and for the plug Upright!

Just saw this and thought I would drop in to ask how your remote software connects. As in....

Can you just launch the EXE and get connected? If so, I can code in a solution for this.

or better yet...

Can you install it as a service so it comes back after a reboot? If so, the fix is already in D7! The reason is that I have achieved a sort of homeostasis between D7 and ComboFix, in that D7 can install itself as a system service configured to constantly restart in the event that ComboFix terminates it. The trick is that when ComboFix has fully completed and generated its log file, D7 will automatically copy the log file to its report directory, close ComboFix, and reboot the PC, restarting itself after the PC starts back up. It seems to work 99% of the time, though I have had the service fail to restart for some reason in my testing on a really fubar'd PC...

So basically if your remote support software installs itself as a system service so you can reconnect after reboot - then D7 has got you covered.

EDIT: Just re-read your OP, and yes, you can have TeamViewer install itself as a system service after the initial connection, as far as I recall (correct me if I'm wrong). If so, then you should be able to successfully run ComboFix on remote sessions without having to call the customer to get reconnected... I personally use Instant Housecall for remote support and I know it works with that.
 
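The "install it as a service configured to restart when the cleanup tool kills it" arrangement described above can be set up for any remote-support tool that already runs as a Windows service. The script below is an added example, not D7's code or anything from the thread; the service name `TeamViewer` is an assumption (look the real name up with `Get-Service`), and the self-test at the end deliberately drops the session for a few seconds, so run it only where that is acceptable.

```powershell
# Added example: make the Service Control Manager restart a remote-support
# service when a cleanup tool (ComboFix) terminates it, and verify the result.
# ASSUMPTION: the service is called 'TeamViewer'; substitute your tool's name
# (Get-Service | Where-Object DisplayName -like '*TeamViewer*' to find it).
param(
    [string]$ServiceName = 'TeamViewer'
)

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "Service '$ServiceName' not found. Install the tool as a system service first."
}

# Start on boot so the session survives the reboot ComboFix asks for.
Set-Service -Name $ServiceName -StartupType Automatic

# Recovery actions: restart 5 s after the first, second and every later failure.
# reset= 0 means the failure counter never resets, so each kill triggers a restart.
sc.exe failure $ServiceName reset= 0 actions= restart/5000/restart/5000/restart/5000 | Out-Null

# By default SCM only runs recovery when the process dies without reporting
# SERVICE_STOPPED. failureflag 1 also applies it when the service stops with an
# error code, which covers tools that ask the service to stop instead of killing it.
sc.exe failureflag $ServiceName 1 | Out-Null

# Record the configured recovery actions for the ticket notes.
sc.exe qfailure $ServiceName

# Optional self-test: kill the service process the way a cleanup tool would,
# then confirm SCM brings it back. This drops the remote session briefly.
$procId = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").ProcessId
if ($procId) {
    Stop-Process -Id $procId -Force
    Start-Sleep -Seconds 10
    $state = (Get-Service -Name $ServiceName).Status
    "After forced kill, $ServiceName is: $state"   # expect Running
}
```

Two caveats a practitioner should keep in mind: a cleanup tool that disables the service (rather than just killing the process) defeats the recovery actions, and a tool that wipes or re-permissions the service's registry key does too, so check `sc.exe qc` on the service after the cleanup run as well as before.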
We always run TDSSKiller to check for rootkits. Only takes about 1 min. We also use D7 a lot on remote sessions.

I'd be careful about getting comfortable with TDSSKiller. It still does not detect the $recyclebin version of 0A, and I've seen more of this version of the rootkit than any other in the last 2-3 months. In fact, I've totally stopped using TDSSKiller in favor of MBAR because of this.

From testing, I've found that MBAR does the best removal (see link below), but you will still need to manually restore the 8 services that 0A kills and manually fix the BFE and SharedAccess permissions. MBAR, MBAM, MSE, MS Safety Scanner, KVRT and NPE all detect and kill 0A, but from my tests MBAR does the most complete removal (I have not tested HMP). Here's the link to the various MBAR log files after attempting 0A removal with the above tools:

https://dl.dropboxusercontent.com/u/47644676/mbar%20log.txt

FYI, MS claims that MSE and MS Safety Scanner will automatically repair the affected services and permissions to default settings, but I haven't tested this (last paragraph at the bottom of the page):

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef
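The post above says the services ZeroAccess kills and the BFE and SharedAccess permissions still have to be fixed by hand after MBAR finishes. The script below is an added example for that post-removal check, not the poster's tooling or MBAR's `fixdamage`. BFE and SharedAccess are the two services named in the thread; MpsSvc (Windows Firewall), wuauserv (Windows Update) and wscsvc (Security Center) are assumptions taken from the "Internet access / Windows Update / Windows Firewall" checklist, and the `$Services` list should be extended with whatever the variant you are cleaning actually disables.

```powershell
# Added example (not from the thread): after a ZeroAccess removal, report the state
# of the services the rootkit is known to disable and strip Deny ACEs from their
# registry keys. Run from an elevated PowerShell.
# ASSUMPTION: the service list below; BFE and SharedAccess come from the thread,
# the other three are assumed from the Windows Update / Firewall checklist.
param(
    [string[]]$Services = @('BFE', 'SharedAccess', 'MpsSvc', 'wuauserv', 'wscsvc'),
    [switch]$Fix
)

$report = foreach ($name in $Services) {
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $denies = @()
    $aclErr = ''
    if (Test-Path $key) {
        try {
            # A Deny ACE on the service key is what stops SCM (and you) from
            # reading or starting the service even though the binary is intact.
            $acl    = Get-Acl -Path $key
            $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($Fix -and $denies.Count -gt 0) {
                foreach ($ace in $denies) { $null = $acl.RemoveAccessRule($ace) }
                Set-Acl -Path $key -AclObject $acl
            }
        } catch {
            # If even an administrator is denied read access, take ownership of
            # the key first (regedit or takeown-style tooling), then rerun.
            $aclErr = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Service   = $name
        KeyExists = (Test-Path $key)
        Status    = if ($svc) { $svc.Status }    else { 'MISSING' }
        StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        DenyACEs  = $denies.Count
        # sc sdshow prints the SDDL of the service object itself; an odd or
        # empty string here is a second sign the entry was tampered with.
        SDDL      = if ($svc) { (sc.exe sdshow $name | Where-Object { $_ -match '^D:' }) -join '' } else { '' }
        AclError  = $aclErr
    }
}

$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name -ErrorAction Continue
        }
    }
}
```

The script only repairs keys that still exist. A service whose key ZeroAccess deleted outright shows as `MISSING`, and recreating it needs the default registry values from a clean machine of the same Windows version, which is the part MBAR's `fixdamage` plugin (mentioned later in this thread) automates.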
 
We don't only use TDSSKiller. We almost always use D7 which runs KillZA, and we have begun testing out MBAR too. We don't trust any one tool to do it all.

Thanks for the heads up about MSE and MSS possibly repairing ZA damage. I was not aware of that.
 
D7 didn't detect the newest ZeroAccess cases I had, but I believe they may have been partial infections, since AV/MBAM caught some aspects of it. I'm sure KillZA would still clear it if it's actually force-executed. I just mean that for detection you can't really rely on TDSSKiller or D7's startup detection of ZeroAccess. The new Malwarebytes Anti-Rootkit seems to be doing rather well with it, though.
 
Would love to get a live sample of the latest infections if you can find a dropper, so I can update KillZA... I may go hunting over in the usual locations later on, just been so busy lately.
 
That would be difficult for me to get my hands on but what detection method are you using?

Are you checking for that wbem registry entry? That's what I was doing with a script, but it hasn't been working lately. What check methods have you deployed?
 
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit located within the ‘Plugins’ folder and reboot.
 
Thanks for just copy and pasting from the MBAR page. That was oh so helpful.
http://www.malwarebytes.org/products/mbar/
 
Nick,

FYI, the dropper I sent you back in October was the $RecycleBin version of 0A. Not sure if the latest droppers have changed anything, although I've noticed that MBAR is now detecting additional files in the assembly\GAC_64 folder. I'll send you a link to a more recent 0A dropper. It's the dropper I used when running the MBAR comparison tests mentioned in my earlier post.

I need to run a comparison of MBAR vs KillZA but just haven't had the time. Maybe I'll get around to it this week.
 
Thanks for the info.

Just starting to use this tool and was still unaware of the "fixdamage" tool.

Appreciate anything I can learn.
 