Re: Anti Virus scans hang my PC
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 03/13/05
- Next message: riverdogs05: "Re: gcasDServHolder -what is it?"
- Previous message: David H. Lipman: "Re: PRVDI.exe"
- In reply to: Gary Armstrong: "Re: Anti Virus scans hang my PC"
- Next in thread: Gary Armstrong: "Re: Anti Virus scans hang my PC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 13 Mar 2005 05:49:40 +0200
On Sat, 12 Mar 2005 15:47:15 -0800, "Gary Armstrong"
>"cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org>
>message news:tig6311f0ttjqkhg4ksp61aqmf0ldoqsqk@4ax.com...
>> On Fri, 11 Mar 2005 16:58:15 -0800, "Gary Armstrong"
>>>When I try doing a virus scan of any size, my PC hangs. I normally run NAV
>>>2002, but have downloaded and tried Housecall and AVG. I've also tried two
>>>online scans and all have hung.
>> These are informal scans, thus susceptible to counter-attack by active
>> malware. OTOH, the process of scanning the contents of all files
>> could appear to hang if one of those files contains a bad sector.
>> So, first exclude bad sectors, as you appear to have done (when you
>> say ChkDsk /R completes fine). Use a detailed SMART reporting tool,
>> e.g. AIDA32, to see what sectors have already been hidden as bad by
>> the HD's firmware, Event Viewer to see if AutoChk/ChkDsk has done the
>> same, and a HD vendor's surface checking tool to look for new bads.
>The disk is from WD. The Life Guard tool appeared to have SMART reporting
>which they called their "quick test". It reported several metrics and
>eventually declared a "pass". Their extended test appears to be a surface
>test which they also declare a "pass". If all the disk checking tools
>complete without hang don't I get to dismiss hardware as the problem?
HD vendor SMART reporting tends to dummy down the detail. Remember,
if the HD vendor's tool fails the HD, the vendor's liable to accept
and replace the HD under warranty. Do you think that motivates them
to report every failure, or gloss over "mild" errors?
The full test actually tests the surface - and yes, you are quite
correct when you note that no lockups pretty well excludes the bad
sector aspect as a cause of av lockups.
>In other words doesn't NTFS take care of moving data off bad disk areas?
NTFS just adds yet another layer of deception, really. Like the HD's
own firmware, it attempts to copy bad data from failing areas (in this
case, using the more granular clusters than raw sectors) to good
areas, and then mark the bad areas so they aren't used.
The "deception" aspect is that you are not likely to be alerted that
your HD surface has started to die - something worth knowing, IMO.
>I'm not sure WD's tool reported which sectors were bad.
There shouldn't be any bad sectors.
>> Suspect bad HD if the lockup pattern is like this:
>> - mouse pointer stops
>> - keystrokes ignored
>> - HD activity LED is stuck On
>> - may clear spontaneously after several minutes
>Mouse stops, keystrokes gone, can't see the LED, I let it hang over night
>once. It doesn't come back.
How do you mean "can't see the LED"? If the HD LED is off (assuming
it usually works, of course) then that points away from a HD-related
hang, and (in this context) towards an in-memory logic bomb.
>> OK. Once you're sure it's not a bad disk, then chase up malware
>> that's smart enough to booby-trap or ambush informal av. I'd start
>> with a Bart PE boot with write-protected USB stick in place, then copy
>> Trend's SysClean and data file from USB stick to HD and run it from
>> there, and when done, do a FC (File Compare) of the SysClean.com and
>> data file against those on the write-protected stick.
>I'm not sure what a "Bart PE" is but I think I understand what you're
>suggesting. I don't have a USB stick. Can I substitute CD? I can build the
>CD on a different PC.
Bart's PE does what MS should have offered you since NTFS was created;
the ability to build a compatible OS that will boot off CDR instead of
HD. That means the boot process runs no code off the ?infected HD, so
you know that any malware that may be there will not be running.
Because you'd want fresh copies of SysClean.com, the relevant data
file, Stinger, Avast's cleaner, AVG's cleaner etc. it's more practical
to store these on a write-protected USB stick than a CDR(W). In
theory, you could have these on CDR(W), but in practice, the Bart OS
is likely to bomb if you remove the OS CDR to read the other CDR(W).
Note that both Bart CDR and Knoppix (Linux) CDR OSs will not see a USB
stick that's inserted after the OS has booted - the stick must be in
place at the time the relevant OS boots.
Bart supports networking, so you could use that way of accessing extra
material (I'd disable admin shares and use a small read-only share for
the infected Bart-booted PC to read). I haven't used Bart LAN myself.
>> You can also use free av-killers from Avast, AVG and McAfee's Stinger
>> in a similar way. These run faster than SysClean, and may detect
>> fewer things (especially Stinger).
>
>> If XP SP2, I'd try booting it with NX support disabled.
>Got me again. What is NX?
NX is No eXecute, a technology introduced by AMD, with Intel playing
catch-up. It's a return to the old DOS days of clue that separated
code from data in memory; specifically, it disallows the running of
code in areas of memory that are supposed to be for data.
This mitigates against several buffer overrun exploits, which are a
large part of raw code exploits that give rise to insane (i.e.
impossible to risk-manage via rational settings, etc.) autorunning of
(malware) code. XP SP2 supports NX, but there can be compatibility
issues; some av have fallen foul of this. So suspect this if your av
used to scan properly before you installed SP2, but now fails.
>> I'd also do an ADS scan from Bart's or Safe Cmd Only, using ADS Spy.
>> It may be there are insane ADS seeded about to prang av scanners that
>> are ADS-aware. Dropped insane .ZIP and .RAR could have a similar
>> effect, so try disabling "scan in archives" before retrying your av.
>Did try excluding .ZIP didn't think of .RAR.
Instead of excluding archives by .ext, rather look for a setting that
disables scanning in archives. The latter will cover (deep breath)
.ZIP, .RAR, .ARJ, .CAB, self-extracting .EXE, other archive formats,
and arbitrary files that the av may recognise as archives via DDE info.
>> Finally, consider rootkit-detection tools, preferably run formally
>> (e.g. from Bart's PE CDR boot) as well as the usual manual integration
>> listers; HiJackThis, ShellExtensionViewer, and the "system explorers"
>> within MS's Anti-Spyware beta.
>I've run disk checks and passed. Does that equal NTFS is OK? Could the
>filesystem be the problem and what utility checks that?
File system errors could do this, yes, and NTFS has poor tools to
manage these. There's basically ChkDsk and AutoChk, both of which are
non-interactive "trust me" tools. What they fix is liable to be
broken, but at least appears OK to the file system logic. What they
don't fix - e.g. insane or duplicate file names - stays broken.
>I guess the Silver Lining is, I'm gonna learn a lot.
>Thanks cquirke. What you've suggested will keep me busy a bit.
:-)
>I do have 2 other pieces of info. I didn't mention them initially, because I
>felt they'd confuse the issue.
>First - I initially tried a defrag. The first hung after doing most of its
>work. It now finishes so quick it no longer hangs.
Defrag's a great way to make a healthy system run faster, but it can
kill data if the HD or file system is sick. Think of it as an
hour-long hard gym session; not something you'd want to do if you were
recovering from a recent heart attack.
>Second - Turbo Tax live update consistently hangs. (This is what clued me
>into a problem) Very strange because I've done a lot of downloads and
>definition updates without any problems.
What does Turbo Tax need to "update live"? Code defects, or does it
pull in business info of some kind? I have to have a very good reason
to allow software to pull data in, and "we write such buggy code we
have to fix it all the time" is IMO a better reason to chuck the app.
Are you on an always-on Internet connection? If so, does the av scan
work if you cut that connection?
Thinking if malware IP-spoofs both Turbo Tax and av updates, that may
be a common factor in both cases.
>---------------- ----- ---- --- -- - - - -
Cats have 9 lives, which makes them
ideal for experimentation!
>---------------- ----- ---- --- -- - - - -
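The tool-integrity check described above (run the cleaner from a copy on the suspect HD, then compare it and its data file against the write-protected originals) can be scripted instead of done by hand with FC. This is an added example, not code from the thread or from Trend; the directory layout, the file names and the sample file contents are constructed assumptions, and SHA-256 stands in for a byte-by-byte compare.

```python
"""Compare scanner tools run from a suspect HD against the write-protected
originals, to detect tampering by active malware during the scan."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large pattern file is not read into RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_tools(trusted_dir: Path, working_dir: Path, names) -> dict:
    """Return {name: 'ok' | 'modified' | 'missing'} for each tool name.

    trusted_dir is the write-protected medium (the USB stick in the thread),
    working_dir is the copy on the suspect HD that the scan was run from.
    """
    report = {}
    for name in names:
        working = working_dir / name
        if not working.exists():
            report[name] = "missing"          # deleted, or never copied over
        elif sha256_of(trusted_dir / name) == sha256_of(working):
            report[name] = "ok"               # byte-identical to the original
        else:
            report[name] = "modified"         # changed while on the suspect HD
    return report


def demo() -> dict:
    """Constructed sample: stick vs HD copies, with the data file tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        stick, hd = Path(tmp) / "stick", Path(tmp) / "hd"
        stick.mkdir()
        hd.mkdir()
        (stick / "SysClean.com").write_bytes(b"MZ-fake-cleaner")    # constructed
        (stick / "pattern.dat").write_bytes(b"fake-pattern-data")   # constructed
        (hd / "SysClean.com").write_bytes(b"MZ-fake-cleaner")       # intact copy
        (hd / "pattern.dat").write_bytes(b"fake-pattern-DATA")      # tampered copy
        # Stinger.exe is assumed to have never been copied to the HD at all.
        return compare_tools(stick, hd, ["SysClean.com", "pattern.dat", "Stinger.exe"])


if __name__ == "__main__":
    print(demo())
```

Any "modified" or "missing" result means the scan's output cannot be trusted and the tools should be re-copied from the stick and run again.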