Re: Multi AV ???
- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Sat, 30 Sep 2006 00:32:54 +0200
On Fri, 29 Sep 2006 07:07:02 -0700, Old Rebel
> I am more interested in the advantages/disadvantages of running a
> command line AV scan as opposed to one with a UI.
CLI are great for frontier and post-infection scanning.
Firstly, CLI usually allows you to control exactly what the scanner
will do, through a rich parameter set that would be too complex to
render via a GUI. Many av apps will dump a list of possible
parameters if run with the /? or -? parameter.
Secondly, CLI scanners are often quite skeletal, and work without
having to be formally installed, which makes them ideal for formal use
from Bart boot CDRs, MS Win PE, DOS mode, etc.
Thirdly, CLI allows you to strap together multiple scanners as a
single on-demand tool, or abstract the parameters themselves.
For example, you can create shortcuts and other UI hooks (e.g. Send
To, or non-default actions for Directory and Drive) that point to a
generic VirScan.bat, and code the specific CLI engine(s) and
parameters within the batch file. Now you can swap, add, or tailor
your av engines in one place, instead of each UI integration point.
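A sketch of the generic VirScan.bat described above, written here as an added example rather than the poster's own file. The engine paths, executable names and command-line switches (scan1.exe, scan2.exe, /ALL, /ARCHIVES, -r) are placeholders, not real products; substitute whatever your scanners print for /? or -?. The point is the structure: every Send To, Directory and Drive hook points at this one file, and the engine list lives only here.

```batch
@echo off
rem VirScan.bat - single on-demand wrapper around several CLI av engines.
rem Added example, not the original poster's file. Engine paths and
rem switches below are placeholders (assumptions), not real scanners.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<file-or-folder^> [more targets...]
    exit /b 2
)

rem --- the only place to edit when swapping, adding or tuning engines ---
set "SCAN_LOG=%TEMP%\VirScan.log"
set "ENGINE1=C:\Tools\av1\scan1.exe"
set "ENGINE1_OPTS=/ALL /ARCHIVES"
set "ENGINE2=C:\Tools\av2\scan2.exe"
set "ENGINE2_OPTS=-r"

set "RC=0"
:next_target
if "%~1"=="" goto done
echo [%date% %time%] scanning "%~1" >> "%SCAN_LOG%"
call :run_engine "%ENGINE1%" "%ENGINE1_OPTS%" "%~1"
call :run_engine "%ENGINE2%" "%ENGINE2_OPTS%" "%~1"
shift
goto next_target

:done
echo Scan log: %SCAN_LOG%
exit /b %RC%

:run_engine
rem %1 = engine exe, %2 = its switches, %3 = target path.
rem An engine that is not present (e.g. a boot CD that carries only
rem some of them) is logged and skipped instead of aborting the run.
if not exist "%~1" (
    echo   engine missing, skipped: %~1 >> "%SCAN_LOG%"
    goto :eof
)
"%~1" %~2 "%~3" >> "%SCAN_LOG%" 2>&1
rem Most CLI scanners signal "something found" or "could not scan" with a
rem non-zero exit code; the exact meaning of each value is engine-specific,
rem so the value is recorded rather than interpreted here.
if errorlevel 1 (
    echo   %~n1 returned errorlevel %errorlevel% for "%~3" >> "%SCAN_LOG%"
    set "RC=1"
)
goto :eof
```

To wire it in, create a shortcut to VirScan.bat in the user's SendTo folder; right-clicking a file or folder then passes its path as %1, and each engine's own report lands in one log. Because a non-zero exit from any engine sets the batch's own exit code, the same file can be called from another script and checked with `if errorlevel 1`.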
Much post-infection advice involves managing explicit integration
points from Safe Mode, e.g. HiJackThis. This approach may fail if the
malware is active in Safe Mode.
It will also fail if the malware requires no explicit integration,
either because it is embedded within the core code set (e.g.
intra-file code infectors such as Magistr, CIH, etc.) or (rarely, as
at September 2006) because it exploits an internal surface.
This is where simple CLI av scanners, used formally, become a vital
part of post-infection malware management. Unless you have and
maintain a comprehensive code whitelist backed by integrity data that
detects internal changes, traditional av is the only way you can
detect intra-file infections. It may also be useful in generically
detecting material shaped to exploit internal risk surfaces.
Frontier scanning also provides an opportunity to tackle malware while
it is inactive; in this case, before it is allowed to become active.
In the old days, systems were often too slow to bear the overhead of
resident av scanners, and there were fewer ways into the system. So
using pure on-demand av scanning was practical, and often all that was
required for reasonably savvy users.
Today, there are so many ways that material can enter the system
(either by design or via exploit, with little or no user control) that
we're obliged to run resident av. But you can only run one resident
av, and these days, no single av catches anything even if it is old
enough to be covered by your most recent av update.
So once again, the need for on-demand frontier scanning arises. If
you structure your system with this in mind (control over paths,
choice of email apps that don't hide attachments in mailboxes), you
can apply multiple av scanners on an on-demand basis for all material
that enters the system in ways that are under your control.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -