Anti-Malware Software

A proper amount of protection
Using more than one solution

Using multiple anti-malware solutions may increase the likelihood that some malicious software is detected, but doing so may also introduce additional problems. The following two are the most likely:

  • The worst symptom is when one anti-malware product interferes with another. For example, one product may conclude that it has detected a likely threat when it scans a file that is actually a signature file, meant to give a different scanner the details it needs to detect that same threat. When the first scanner attempts to clean up the detected “trouble”, it interferes with the operation of the other detector. The other product may notice that interference and (rather correctly) determine that it looks like an attack, and respond by trying to stop the attacking software. With one or both products trying to attack each other, anti-malware detection may no longer be effective. Furthermore, the consequences can go beyond the anti-malware simply not working. For example, a real-time scanner may alter the way that files are accessed so that every accessed file is scanned first. If that process is broken, files can no longer be verified by the scanner, and as a result may not be accessible at all. Such scenarios can leave the computer unable to function in anything resembling a normal, working manner. (An example screenshot showed Microsoft Security Essentials (MSE) interfering with ClamAV because of a “generic” detection, reported under the MSE signature Trojan:Win32/Bumat!rts “after advanced automated analysis.”)
  • Multiple anti-malware products may cause at least twice as much slowdown as a single product. Additionally, if the two products end up detecting much of the same malware, running both may increase protection by only a relatively small amount.

These factors have led many people familiar with such problems to recommend using only one anti-malware solution. Generally there is little trouble caused by anti-malware software that only detects and alerts upon threats, without removing them, during a requested or scheduled scan at a time when no other anti-malware solution is actively protecting the system. Real-time scanners are far more likely to cause such problems. However, real-time protection is considered essential in potentially dangerous situations, such as when a computer is connected to any sort of network (especially the Internet).

Living on the edge

Some people may decide not to bother with anti-virus software at all. The main reason is probably cost, followed by inconvenience. Another reason people might not be properly running anti-virus software is not knowing how to set it up correctly, sometimes combined with misplaced confidence that the protection software is working well. Yet another reason some people may not bother is not realizing just how treacherous the Internet really is.

Some companies have advertised their platform's decreased likelihood of malware. For example: A Google Blog entry about Chromebooks states, “Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain. Even more importantly, you won't spend hours fighting your computer to set it up and keep it up to date.” Such statements likely help to encourage people to just not worry about malware.

Restricting native executable binaries to signed/authorized code is likely to help control malware. However, as macros processed by Microsoft Word have shown, there may be multiple attack vectors to consider.

Some general Anti-Malware solutions (often also known as Anti-Virus)

There are multiple anti-virus solutions available to choose from. The licensing terms vary.

Having at least one real-time scanner is considered essential.

Having at least one solution which uses ClamAV's definitions is probably a good idea, even if that solution is not a real-time scanner. This is stated because the ClamAV definitions are often updated fairly quickly. One reason for this is that these definitions are used by multiple software solutions, some of which are free, so the definitions have a fairly large support base. A web page, WatchGuard training: Configuring Gateway AntiVirus for E-mail, says, “Due to its open licensing, ClamAV releases new definitions much more quickly than most commercial AV offerings, within hours of a new virus hitting the Internet.” Of course, that advantage in speed may be offset if the solution that uses ClamAV definitions isn't a real-time scanner, but that (admittedly biased) quote from the company named WatchGuard does go to show that there is some serious effort behind the quality of these definitions.

Software meant to run on end user computers
Specialized solutions for specific hardware
WatchGuard's Gateway AntiVirus

WatchGuard's “Best Practices for Using Gateway AntiVirus for E-Mail” article says, “There are usually 2-4 updates per day on the ClamAV server from which we pull our updates. Signature updates are incremental and thus relatively small, ranging in size from 10 KB to 200KB.” WatchGuard training: Configuring Gateway AntiVirus for E-mail says, “The signature database used for Gateway AntiVirus is built on an open source application called Clam Anti-Virus. WatchGuard evaluates the signatures added to the open source database and then publishes them to our customers. Due to its open licensing, ClamAV releases new definitions much more quickly than most commercial AV offerings, within hours of a new virus hitting the Internet.”

[#webmltav]: Multi-engine web scanners

Some web pages may report the results of searches performed by multiple different pieces of anti-malware software. These may include:

Configuring anti-malware software

The first thing is to make sure that the anti-malware software is being properly updated, so that threats already covered by newer definitions do not continue to go undetected.

Make sure there is some way to be informed of malware. This could involve writing information to an operating system log, as Microsoft Security Essentials does, or E-Mailing an end user, as ClamWin can.

In general, it will be safest to quarantine any threats. This should stop the malware's malicious acts as effectively as deleting the files, while making it much easier to restore a file later. The exception may be if the system uses some other method of restoring the operating system.

There may be some cases where it is desirable not to quarantine certain software. For instance, a virtual machine's hard disk image should probably not be quarantined by the computer that is running the virtual machine software. If anti-virus software on that host computer tried to quarantine a detected threat by moving the hard drive image of a running virtual machine, the impact on the virtual machine could be substantial. If the virtual machine's “hard drive” image file contained a small amount of malicious code, a large amount of safe data would be affected by the process. This may be a preventable disaster, especially if the detected “malware” is just a signature file used by anti-malware software that is installed/running inside the virtual machine. Instead of quarantining the entire hard drive image on the host computer, consider using clean-up software on the virtual machine to remove just the offending file stored on the virtual machine's drive. If the virtual machine is still trustworthy (despite malicious data being stored on its hard drive), cleaning the malicious software from within the virtual machine is a much more narrowed-down, focused approach.

Handling malware alerts

Determine what file is infected.

If possible, determine how that file got onto the system. Logs may be helpful.

Possible threats of unknown nature

Determine if the file is really malicious. It could be that it is a false positive. If uncertain, then getting another opinion could be helpful. Before submitting the file for further analysis, try to at least determine whether the file may have information that needs to be kept confidential. If that does not appear to be an issue, then a fast way to get some additional opinions may be to use one or more of the multi-AV web scanners.

Determine the classification

Malware scanners tend to have a broad categorization assigned to every threat. For example, the software might:

  • believe that the infected file is a “polymorphic virus”
  • detect a recognized signature of a program known to use a “trojan horse”-style attack
  • report that the file is spyware
  • report that the file is adware
  • say that the reported “threat” is a known example

Additionally, each threat is typically also given a name/code that describes the specific threat, or a fairly specific category for the threat. This name can be used to help look up additional information about the threat. (Note that the name of the threat is often fairly unique to the anti-malware database that is used, so other anti-virus software may use a similar or very different-looking name for the same threat.)

Specific threat details

The maintainers of the anti-virus definitions may provide a public web page to help learn more about the specific threat. (If this text has any further details about software-specific information that is publicly available, then that information will be in the section about the vendor of that public database, and/or a section about software by the same vendor.)

Such research may provide a lot of valuable details, like a description of what the malware does and precisely what kinds of threats the malware poses. If the Anti-Virus software cannot automatically fix or at least contain a threat, then published instructions may provide specific steps that can be taken to handle the threat.

Just because some anti-virus software has detected a threat does not mean that detailed results of extensive research have already been published. This sort of detailed information can take some time to create. As noted elsewhere, a company named WatchGuard has provided training that states that ClamAV databases may get updated more quickly than some other databases. While that sounds positive, people often respond to alerts by trying to locate published research about the specific threat. If the anti-virus software can detect a problem and alert people about it before other experts have published their detailed results, then those people may not be able to find detailed published results until a later time.

If information from the anti-malware vendor doesn't seem to sufficiently explain the threat (due to being too sparse, or perhaps due to not being found), another option may be to open up a search engine to look for the name of the threat. If the threat is a recent false positive, then chances are that others are experiencing the same thing. Many times, such affected people will post a question on an online forum, and then the forum may have an answer by someone else who has knowledge, or even by the same person after the person obtained some further information. (Note, however, that such forums may also have false information, so carefully consider any information that is read.)

False positives

If the file is a false positive, there are two things to do. One is to restore the file, so that the file may be properly functional again, and its purpose may be served.

The other item that can be worth doing is to determine whether the incident should be reported. Determine if the file has any information that needs to be kept confidential (e.g. information that should only be viewed by whomever owns the computer). If not, submit the file. At the very least, submit the file to the maintainer of the anti-malware definitions that were in use when the false detection occurred. (For instance, if using ClamWin, submit to the people running the anti-virus database known as ClamDB.) Details may be included in the guides for software released by the same organizations who maintain the databases.

To really help the world out, see if any other anti-malware software is also misdetecting the file. An easy way to do this may be to use a multi-AV web scanner. If other databases are also not detecting things correctly, submit information to the maintainers of those databases as well.

Correct detections

If the file has been detected, and the threat has been sufficiently quarantined, then protection technology has successfully worked. If it is known how the malware got onto the system, and if such activity is rather risky, inform the end user so that the end user may be less likely to repeat such actions. If the end user does not know how the malware got onto the system (or if it isn't known whether or not the end user knows that), see if the logs provide answers. For instance, some anti-virus software that integrates with a web browser may know that the malware came from a specific URL that downloads the malicious code, and may know what web page included the reference to that URL.

If such nice and easy logs are not presented, and if this matter really seems worth pursuing further, then comparing to other logs (like logs of outgoing web-based communications, E-Mail checks, or logs showing when the system rebooted) might help to establish some more details about the activity that occurred. (For instance, if the system rebooted seven minutes earlier, that sort of detail might help the end user remember what the end user was doing on the computer at the time.)
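As an added illustration of the log comparison described above (example code, not from the original page or any product named on it): a small Python correlator that takes an anti-malware detection line and lists the web-log and system-log events that fall within a few minutes of it, so the end user can be shown what happened just before the alert. The log lines are constructed samples, and their format (timestamp prefix, key=value fields) is an assumption; real products log differently.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page or any real product): one
# anti-malware detection event, a browser download log and a system log.
AV_LOG = [
    "2024-03-05 14:32:10 DETECTION name=Trojan:Win32/Example!rts "
    "path=C:\\Users\\alice\\Downloads\\invoice.exe action=quarantined",
]
WEB_LOG = [
    "2024-03-05 09:02:11 GET https://example.invalid/ referer=-",
    "2024-03-05 14:31:55 GET https://example.invalid/dl/invoice.exe "
    "referer=https://example.invalid/mail/message/123",
]
SYSTEM_LOG = [
    "2024-03-04 08:00:00 BOOT system started",
    "2024-03-05 14:25:10 BOOT system started",
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed shared timestamp prefix

def parse_line(line):
    """Split a log line into (timestamp, message)."""
    return datetime.strptime(line[:19], TS_FORMAT), line[20:]

def detection_details(line):
    """Pull the threat name and file path out of a detection line."""
    _, msg = parse_line(line)
    fields = dict(re.findall(r"(\w+)=(\S+)", msg))
    return fields.get("name"), fields.get("path")

def correlate(detection_line, other_logs, window_minutes=10):
    """Return (offset_minutes, source, message) for each event within
    +/- window_minutes of the detection, oldest first (negative = before)."""
    det_ts, _ = parse_line(detection_line)
    window = timedelta(minutes=window_minutes)
    hits = []
    for source, lines in other_logs.items():
        for line in lines:
            ts, msg = parse_line(line)
            if abs(ts - det_ts) <= window:
                offset = (ts - det_ts).total_seconds() / 60
                hits.append((offset, source, msg))
    return sorted(hits)

def timeline(detection_line, other_logs, window_minutes=10):
    """Human-readable timeline around the detection, for showing to the user."""
    name, path = detection_details(detection_line)
    out = [f"Detection: {name} in {path}"]
    for offset, source, msg in correlate(detection_line, other_logs, window_minutes):
        out.append(f"  {offset:+.1f} min  [{source}] {msg}")
    return "\n".join(out)
```

Calling `timeline(AV_LOG[0], {"web": WEB_LOG, "system": SYSTEM_LOG})` on the sample data lists the reboot seven minutes before the detection and the download of the flagged file fifteen seconds before it, with the referring page alongside.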

In case the software does not perform clean-up, then manual clean-up may be a possibility. For instance, some details for the Microsoft Windows platform are covered in the section about Anti-Virus solutions meant for the Microsoft Windows platform.

Anti-Spyware
[#spatispy]: SUPERAntiSpyware

SUPERAntiSpyware has been known to be a strong detector, meaning that it can do a pretty good job of detecting some threats that other software may ignore. Note that its removal process has, at times, been so aggressive that it may cause some problems. So, plan how the system may be recovered before just proceeding with any removal process within this software. However, even if this software's removal functionality isn't used, having it point to potential problems may help with whatever manual removal efforts may be taken. Also, if the scan comes up clean then that may be a fairly good indication that the software is working.

There seem to be at least three different licenses. The SUPERAntiSpyware.com download page states, “SUPERAntiSpyware Free Edition is 100% Free”. The SUPERAntiSpyware Portable Scanner page says, “The SUPERAntiSpyware Portable Scan is free for personal use. If you are a computer technician, IT person or would like to run the SUPERAntiSpyware Portable Scanner in your corporate environment,” then a license is sought. Finally, there is the paid release.

[#fixmalwr]: Additional clean-up software

This section is designed to point people to some various software. For directions about how to approach cleaning a system, possibly without even needing to use any added software, check out the guide to cleaning software (which does, at some point, reference this section).

If software was detected by anti-malware software, then often that anti-malware software will have an ability to remove the software. This may not always be the case, but one step that may be worth checking into is seeing what capabilities are built into anti-malware software that a computer typically uses.

If anti-malware software detects a problem but does not have a fix for the problem, then check if there is a solution provided by the software vendor who makes the anti-malware software. Sometimes, vendors create a custom piece of cleaning software that is designed to handle a specific, known threat. For whatever reason, such software-based cleaning might not be part of the software that is used for detecting malware (and fixing some types of malware). In other cases, the vendor may be seeking additional information to create or improve a solution for cleaning the software. Check the vendor's website to see what information is available, especially if the vendor was paid for that anti-malware software.

Following are some additional specific software tools. In addition, consider checking SecTools.org: software tagged as Anti-Malware.

SuperAntiSpyware

Since this software is primarily marketed as Anti-Spyware, the software is described further in that section. See: SUPERAntiSpyware info.

Malwarebytes Anti-Malware (“MBAM”)

Malwarebytes Anti-Malware Free (“MBAM” Free), Free Version download provides an executable file. Further information about the software product, including a version that can be purchased, is available from the Malwarebytes home page. Purchasing a license for the Malwarebytes Anti-Malware (“MBAM”) Premium version, at least at the time of this writing, comes with a 1-year license and permission to use the software on 3 computers.

ComboFix

The following review is based on an individual report by a heavy user of the software. This software may be slightly intrusive, by installing Microsoft's Recovery Mode onto the computer (whether that is really desired, or not). This may start introducing an option, to the end user, about how to boot. If that isn't desired, then the change may need to be reversed (after ComboFix is done making whatever changes it may make). This software may also not be the fastest thing. (Perhaps it also involves downloading other updates?)

However, this software often gets broken computers back into working order, even when other clean-up software is less successful. Because of certain drawbacks (like speed and boot altering), some people may decide to use this software only as a fallback when other options fail. Even if it is used only in those circumstances, it can be quite useful in such cases.

CCleaner

For actually removing problems, this has been recommended by a reliable source.