No news isn’t always good news

Monday, July 14th, 2008

I intentionally downloaded something questionable on the Internet because I thought it might be a useful program.

First, let me say that I don’t encounter too many destructive viruses any more.  Not since infecting computers became profitable have I personally seen any viruses that simply delete your hard drive or corrupt your master boot record or anything like that.

I planned to run the questionable application on my laptop.  I hadn’t yet installed any antivirus software on my laptop, so I installed McAfee’s antivirus and firewall.  After the shields were up, I scanned the EXE.  Nothing was detected by McAfee, so I ran it.  The program seemed to do nothing.  Yet, even more suspicious than the program not doing what was expected, the program actually deleted itself.

Just because your antivirus doesn’t detect a problem doesn’t mean there isn’t a problem.

It turned out to be a Trojan backdoor program, which also installed some Internet Explorer ActiveX add-ons.  Interestingly, when I disabled one of the add-ons through IE, it re-enabled itself before I shut down IE.  Make sure you manage IE’s add-ons through Internet Options in control panel rather than through the Tools menu in IE.

Also, I couldn’t delete the DLLs that were part of the malware because they were loaded by winlogon.exe.  I tried killing the threads and handles using Windows SysInternals Process Explorer.  That didn’t seem to let me delete the DLLs, even though they were killed.

I’ve had good experiences with Avast Antivirus in the past, so I installed that.  To announce a virus, Avast uses an audio alert, like the ship’s computer on Star Trek, which appeals to me.  Avast also has a simple user interface and a no-hassle install and no-hassle updates.

Avast has a pre-boot scan which can delete viruses before they’re loaded by Windows.  Unfortunately, Avast didn’t even detect the malware DLLs; however, it did detect the original EXE, which I tested by re-downloading it.

So, I did some research.  I found an article that actually compared the effectiveness of antivirus programs.  The program that was rated #1 for accuracy was a program called Avira.

Avira has a painless install, an easy user interface, and it detected not only the original EXE, but also each individual malware program that was delivered as payload by the EXE.

When Avira detected the DLLs, it asked what I wanted to do.  I said, “Move to quarantine”, but the files remained, which made sense because they were in use.  But after a reboot, the malware was effectively moved to the quarantine.

My favorite part about Avira’s user interface is that an open umbrella icon in your system tray means you’re protected, and a closed umbrella means you’re not: simple.

So, now I have three anti-viruses installed on my laptop, but they seem to get along.  Avira is free for personal use, like Avast.  However, Avira does nag you to upgrade with a pop-up, which may seem almost as bad as those Internet Explorer add-ons.

Antiviruses should be more clear by always giving an answer.  They should report one of the following: “infected”, “possibly infected (heuristics)”, and “unknown”.

Unfortunately, there is no way for an antivirus to report a program as “safe” unless the program has been digitally signed by a trusted author.  A digital signature identifies where a program came from, and it’s up to you to trust or not trust the program based on that.  It would be nice if an antivirus actually reported “safe”, not just “nothing detected”.
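Two of the checks described in this post can be scripted rather than done by hand: asking whether a downloaded EXE carries a valid digital signature at all (the point made just above), and finding out which DLLs are loaded into winlogon.exe and whether they are signed (the DLLs that could not be deleted earlier). The following PowerShell script is an added example, not code from the original post or from any of the antivirus vendors mentioned. It assumes Windows PowerShell 5.1 or later on a 64-bit Windows host, an elevated prompt (the module list of winlogon.exe is not readable otherwise), and a placeholder download path; the cmdlets it uses (Get-AuthenticodeSignature, Get-Process) are standard.

```powershell
# Added example (not from the original post). Reports the signature status of a
# downloaded program and lists modules loaded into winlogon.exe that do not carry
# a valid Authenticode signature. Run from an elevated 64-bit PowerShell prompt.
# $DownloadPath is a placeholder; point it at the file you want to inspect.

param(
    [string]$DownloadPath = "C:\Users\Public\Downloads\questionable.exe"  # placeholder path
)

function Get-SignatureVerdict {
    # Returns a one-line verdict. "NotSigned" is the case the post describes:
    # there is no signer, so the most an antivirus can honestly say is "nothing detected".
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "missing: $Path" }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    switch ($sig.Status) {
        'Valid'     { return "signed by '$($sig.SignerCertificate.Subject)'" }
        'NotSigned' { return "unsigned: no signer, so no basis to call it safe" }
        default     { return "signature problem: $($sig.Status) ($($sig.StatusMessage))" }
    }
}

function Get-UnvalidatedModules {
    # Lists every module in the named process whose signature does not verify.
    # Caveat: many Windows system files are catalog-signed rather than embedded-signed;
    # on older Windows versions they can show up here as NotSigned, so treat this as a
    # triage list to compare against known-good paths, not as a verdict.
    param([string]$ProcessName = "winlogon")
    $results = @()
    foreach ($p in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
        try {
            $modules = $p.Modules   # throws without elevation or on 32/64-bit mismatch
        } catch {
            Write-Warning "Cannot read modules of $($p.ProcessName) PID $($p.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
            if ($sig.Status -ne 'Valid') {
                $results += [pscustomobject]@{
                    Process = "$($p.ProcessName) (PID $($p.Id))"
                    Module  = $m.FileName
                    Status  = $sig.Status
                }
            }
        }
    }
    return $results
}

Write-Host "Downloaded file: $(Get-SignatureVerdict -Path $DownloadPath)"
Write-Host "Modules in winlogon.exe without a valid signature:"
$flagged = Get-UnvalidatedModules
if ($flagged) { $flagged | Format-Table -AutoSize } else { Write-Host "  none found" }
```

A DLL that sits in an unexpected directory, shows NotSigned, and is loaded into winlogon.exe is exactly the situation the post describes, where killing handles is not enough because the loader will re-map the file; the practical remedy is the one the post arrives at, quarantining it on the next reboot before Windows loads it.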