Solved: Hidden Viruses/Trojans in exe files
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
22-Apr-2008, 10:41 AM #1
Hi,

For some time now, I've been using VirusTotal (a free online service) to scan various exe files that I download from the internet. The service scans the files with (currently) 32 different AVs. The problem is that almost ALWAYS some of those AVs will report something. I know it's possible for a trojan to be encrypted and therefore undetectable by its common signature. But if I execute that trojan, could it be opening ports in my computer and sending out information, messing around with my files and all that, WITHOUT my AV and firewall even report anything?? I'm really worried about this!

Thanks
lunarlander
Senior Member with 3,485 posts.
Join Date: Sep 2007
23-Apr-2008, 09:04 PM #2
Yes, they can disable firewall and disable/evade antivirus programs.

You need to periodically check that your security apps are still running. For firewalls, you can test with grc.com. For antivirus, you can use the eicar test virus file. Supplement your onboard antivirus with an online scan once a month from another vendor.

'the price of security is eternal vigilance'.
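One way to script the "is my antivirus still running" check that lunarlander describes, using the EICAR test file. This is an added example, not code from the thread; the output directory, filename and wait time are assumptions, and the EICAR string is assembled from fragments so that the script itself is not what gets flagged.

```python
"""Write the EICAR test file and watch whether the resident scanner reacts."""
import os
import tempfile
import time

# Standard EICAR test string, split into fragments (assumption: joining them
# is enough to keep this source file below most scanners' threshold).
EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)


def eicar_string() -> str:
    """Return the 68-byte EICAR test string."""
    return "".join(EICAR_PARTS)


def write_eicar(directory: str, name: str = "eicar.com") -> str:
    """Write the test file in binary mode so no newline translation occurs."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(eicar_string().encode("ascii"))
    return path


def realtime_scanner_reacted(path: str, wait_seconds: float = 10.0) -> bool:
    """True if the file is removed, made unreadable or altered within the wait.

    Any of those outcomes means an on-access scanner handled it; a file that
    stays intact for the whole wait means no real-time protection reacted.
    """
    expected = eicar_string().encode("ascii")
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            return True  # deleted or quarantined (access denied)
        if data != expected:
            return True  # truncated or replaced by the scanner
        time.sleep(0.5)
    return False


if __name__ == "__main__":
    test_dir = tempfile.mkdtemp()  # assumption: scanner watches the temp dir
    test_file = write_eicar(test_dir)
    print("on-access scanner reacted:", realtime_scanner_reacted(test_file))
```

If the result is False on a machine that is supposed to have real-time protection, the scanner is either not running or excludes that directory; the same file can also be uploaded to the vendor's online scanner to confirm it is recognised.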
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
24-Apr-2008, 06:58 PM #3
I did both of these tests and it seems that my PC is most secure, but why is it then that some exe files are reported as having some sort of virus (from virus total), and my PC still remains so secure? I mean if it was a trojan of some sort, it must have services running, for example.

If it's an encrypted virus, during the execution of that file, if it was executing some suspicious code wouldn't I be warned? If it's an encrypted virus, is there any chance that I detect it?
Byteman
Moderator & Malware Removal Specialist with 17,387 posts.
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
25-Apr-2008, 11:41 PM #4
Hi, The odds are that one of the scanners sees x file as a threat, but actually it may be a false positive; there have been many through the years, some of which are still being found as threats.

It would help a great deal if you would post the filenames, showing the exact and full path the file(s) are located in, so we can help you better.
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
26-Apr-2008, 11:35 AM #5
It's not one particular file, it sometimes happens with many of the files I download from the internet. The files are not official executables from a company of some sort, but rather user-made and that's what makes me worry.

What I'm saying is:
OK, it may be impossible to detect a virus or a trojan by its signature (even if it's known) when it's encrypted in some file. But when I launch that file and execute the malicious code, wouldn't my AV or spybot detect the suspicious activity (rather than its signature) and block it or even notify me?
Byteman
Moderator & Malware Removal Specialist with 17,387 posts.
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
26-Apr-2008, 10:07 PM #6
Hi, Yes, a decent antivirus or other security program should alert you to any suspicious file or activity.

When you download files, the better security programs also scan them then but as you say, there may be no detection right then. Probably half or better of the infected computers we help remove malware from here, are using P2P filesharing to download.... many of those people would not end up in such bad shape, if the files themselves that do contain malware were detected as they were downloading.

There are always newer types of malware and more new ways to spread it coming out all the time, so it doesn't pay to not scan downloads. Even browsing the Net will sometimes pop up an alert: there are thousands of hacked, infected websites around, so it does not always take a file download to get malware in a computer.
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
28-Apr-2008, 06:35 PM #7
So if it started messing around with my files and editing stuff, it would in fact get noticed from my AV?

Weird thing is that if I write in a batch file something like
del c:\windows
and maybe even make it an executable, my AV will not detect this as a virus!
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
18-May-2008, 08:26 PM #8
I've read in another forum that you can encrypt a trojan to make it invisible.. When executing the trojan, won't it need to get unencrypted in some temporary file, and then executed (therefore the AV will detect it)?

Why won't AV software detect malware based on their activity rather than a signature? The signature detection is so weak, that any dedicated user will be able to bypass!
lotuseclat79
Distinguished Member with 21,345 posts.
Join Date: Sep 2003
Location: -71.45091, 42.27841
18-May-2008, 08:50 PM #9
Hi Book,

Not all AVs are signature based, i.e. NOD32 is an example of a heuristic AV based on patterns.

-- Tom
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
21-May-2008, 06:28 AM #10
Is there a way I can keep NOD32 with my current AV?
Gizzy
Library Manager with 3,671 posts.
Join Date: Aug 2005
Location: NJ, USA
Experience: Comp Security Enthusiast
21-May-2008, 06:50 AM #11
No, you shouldn't run more than 1 AV.

A better idea would be to use a behavior blocker like ThreatFire; it looks for viruses by their behavior, not their signature.
lotuseclat79
Distinguished Member with 21,345 posts.
Join Date: Sep 2003
Location: -71.45091, 42.27841
21-May-2008, 10:49 AM #12
Quote: Originally Posted by Book
    Is there a way I can keep NOD32 with my current AV?
Hi Book,

Contrarily, it is possible to have more than one AV. The point is to use one only in Safe mode to do a thorough scan of your disks, and then use the other for real-time detection when your computer is fully booted up and connected to the Internet - i.e. never run them both at the same time.

I'd recommend using NOD32 when connected to the Internet, and the other (installed AV) in Safe mode, i.e. this does not include any remote web site scanning your disks, processes, etc. over the Internet.

-- Tom
Blackmirror
Distinguished Member with 32,577 posts.
Join Date: Dec 2006
Location: uk
Experience: Away with the fairies :)
21-May-2008, 11:41 AM #13
It is always a good idea to scan any files you download from the internet
Whether you trust the source or not

There are some real nasty baddies out there waiting to be unleashed

I have noticed AVG 8 is fantastic at spotting these
My son sent me an infected mp3
AVG nabbed it as i was trying to play it
Book
Member with 169 posts.
Join Date: Jun 2007
Experience: Advanced
22-May-2008, 08:15 AM #14
Thanks for the link Gizzy, the program looks pretty good.

In my opinion, more AVs should be joining with the trend, not to detect threats based on signature, but on behaviour.

You say you got an infected mp3? I thought only executable files could contain a virus (exe or bat or any other executable). How could an mp3 execute code?
lunarlander
Senior Member with 3,485 posts.
Join Date: Sep 2007
22-May-2008, 10:15 AM #15
A virus mp3 probably embeds an exploit for a particular mp3 player and also code. So the idea is that it uses a bug in the mp3 player to insert its own code, and the mp3 player executes that code as if it were its own.