No news isn’t always good news

I intentionally downloaded something questionable on the Internet because I thought it might be a useful program.

First, let me say that I don’t encounter too many destructive viruses any more.  Not since infecting computers became profitable have I personally seen any viruses that simply delete your hard drive or corrupt your master boot record or anything like that.

I planned to run the questionable application on my laptop.  I hadn’t yet installed any antivirus software on my laptop, so I installed McAfee’s antivirus and firewall.  After the shields were up, I scanned the .EXE.  Nothing was detected by McAfee, so I ran it.  The program seemed to do nothing.  Yet, even more suspicious than the program not doing what was expected–the program actually deleted itself.

It turned out to be a Trojan backdoor program, which also installed some Internet Explorer ActiveX add-ons.  Interestingly, when I disabled one of the add-ons through IE, it re-enabled itself before I shut down IE.  Make sure you manage IE’s add-ons through Internet Options in control panel rather than through the Tools menu in IE.

Also, I couldn’t delete the .DLLs that were part of the malware because they were loaded by winlogon.exe.  I tried killing the threads and handles using Windows SysInternals Process Explorer.  That didn’t seem to let me delete the .DLLs, even though they were killed.

I’ve had good experiences with Avast Antivirus in the past, so I installed that.  To announce a virus, Avast uses an audio alert, like the ship’s computer on Star Trek, which appeals to me.  Avast also has a simple user interface and a no-hassle install and no-hassle updates.

Avast has a pre-boot scan which can delete viruses before they’re loaded by Windows.  Unfortunately, Avast didn’t even detect the malware .DLLs; however, it did detect the original .EXE, which I tested by re-downloading it.

So, I did some research.  I found an article that actually compared the effectiveness of antivirus programs.  The program that was rated #1 for accuracy was a program called Avira.

Avira has a painless install, an easy user interface, and it detected not only the original .EXE, but also each individual malware program that was delivered as payload by the .EXE.

When Avira detected the .DLLs, it asked what I wanted to do.  I said, “Move to quarantine”, but the files remained, which made sense because they were in use.   But after a reboot, the malware was effectively moved to the quarantine.

My favorite part about Avira’s user interface is that an open umbrella icon in your system tray means you’re protected, and a closed umbrella means you’re not–simple.

So, now I have three anti-viruses installed on my laptop, but they seem to get along.  Avira is free for personal use, like Avast.  However, Avira does nag you to upgrade with a pop-up, which may seem almost as bad as those Internet Explorer add-ons.

Antiviruses should be more clear by always giving an answer.  They should report one of the following: “infected”, “possibly infected (heuristics)”, and “unknown”.

Unfortunately, there is no way for an antivirus to report a program as “safe” unless the makers of the antivirus wrote the program that is being scanned themselves.  That’s what digital signatures are for.  A digital signature identifies where a program came from, and it’s up to you to trust or not trust the program based on that.  Still, it would be cool if they tried.  It would be nice if an antivirus actually reported “safe”.
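Two of the points above can be checked from a PowerShell prompt: a digital signature names the publisher (it says nothing about whether the file is harmless), and a DLL that a running process such as winlogon.exe has mapped cannot be deleted until it is unloaded. The script below is an added example, not code from the original post; the file path and DLL names are placeholders, and listing winlogon.exe’s modules needs an elevated prompt.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or
# later; reading the module list of system processes requires an elevated shell.
# The paths and module names used at the bottom are placeholders.

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Authenticode answers "who signed this?", not "is this safe?".
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $signer = '(unsigned)'
    $thumb = ''
    if ($cert) {
        $signer = $cert.Subject
        $thumb = $cert.Thumbprint
    }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $signer
        Thumb   = $thumb
        Message = $sig.StatusMessage
    }
}

function Find-ModuleOwners {
    param([Parameter(Mandatory)][string[]]$ModuleName)
    # A DLL mapped into a live process cannot be deleted; this shows which
    # processes hold each named module, i.e. why the delete fails and why a
    # reboot (or pre-boot scan) is needed before the file can go.
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $mods) {
            if ($ModuleName -contains $m.ModuleName) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.FileName
                }
            }
        }
    }
}

# Usage: check the download before running it, then see who holds the DLLs.
Get-SignerSummary -Path 'C:\Downloads\questionable.exe' | Format-List
Find-ModuleOwners -ModuleName 'suspect1.dll', 'suspect2.dll' | Format-Table -AutoSize
```

A Status of NotSigned or NotTrusted does not mean the file is malicious, and Valid does not mean it is benign; it only tells you which publisher to decide about.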


One Response to “No news isn’t always good news”

  1. Mark Says:

    Marcus,

    One thing you might try in the future is uploading suspicious files to the CWSandbox’s free service. They’ll analyze the file and give you a detailed report of what happens upon execution. It can take a few hours at times, but sometimes it’s rather fast, especially if someone has already uploaded the same file.

    I also recommend paying for their sandbox product if you need faster results or do this regularly, such as if you’re in the malware analysis business.
