Re: Strange behaviour - some text and e-mails disappeared



On Fri, 23 Mar 2007 14:54:34 +0200, "cquirke (MVP Windows shell/user)"
On Wed, 21 Mar 2007 21:03:43 -0000, "Martin" <vdp3r@xxxxxxxxxxx>

Quite. Scans done from within an infected OS are non-exclusionary.

I guess I should clarify that, as it implies scans from outside an
infected OS are exclusionary, which isn't always the case!

From outside the OS, you can rely on the scanner detecting everything
it can detect (and missing everything it can't detect). By using
multiple scanners, you can reduce the % of missed stuff, pushing it
towards exclusion until the odds are prolly similar to the chances of
a wiped-and-rebuilt PC staying clean when reconnected to the world.

From inside the OS, a scanner may be unable to overcome malware that
is known to it, or may fail to find anything at all if an active
malware manages to disable or confound it. Malware A that it could
normally handle in its sleep may be protected as a side-effect of
malware B, so even past experience may not be reliable.

The risks increase when you go from attempted detection to attempted
removal. The short straw in the pack might be a malware that reacts
punitively when it detects such attempts, killing the system or data.

This "poison pill" outcome is less likely today, not because there are
factors making it more difficult for malware to hatch a destructive
payload, but because most malware activity is directed to financial
ends. There may be as many traditional "virus" malcontents, but
swamped by the quick-buckers, or there may be fewer malcontents now
that at least some have become contented (paid) malware coders.


Malware will be missed by scanners if:
- it's not considered malware by the scanner vendor
- it's not known to the scanner vendor, either because:
  - it's too new
  - it is not widely circulated
  - the malware vendor hasn't yet figured how to detect it

If you're scanning formally, then the above are the only reasons
malware will be missed, but these reasons can account for a lot of
stuff, especially when there is a human element involved.

The best way to counter the "too new" problem is to keep the system
isolated (off all networks, including the various wireless accesses)
for as many days as you can afford, then formally scan it whilst still
in this isolated state.

That means no online scanners, else an old and detectable malware may
win a race with the online scanner by finding and downloading a "too
new" replacement for itself before the online scanner finds and fixes
it. The active malware has one big highway to the outside world that
is easy to find; the online scanner's trudging through files and
processes one at a time ("Is it Aaron? No, Is it Aardvark? No. Is
it Abby? No..."). I know where I'd place my bets.

Human hackers may not be limited to commonly-encountered off-the-peg
tools that are known to malware vendors. They can use specialist or
custom tools (or just a common tool that's been kinked and
recompiled), and they can use legit software to do what's needed.

They won't be bothered about licensing (as if anyone's going to get
bust for "illegal use", it will be you, as it's on your system). Some
scanning tools will alert on such software, but many won't.



-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -