Disconcerting Avira "bug"

Scouzer
Lifer, Jun 3, 2001
My dad's computer managed to contract itself a nasty case of a virus. Fortunately, he had Avira installed, which caught the virus and prevented it from doing any damage. Unfortunately, that's all Avira could do, as it rendered the system unusable in doing so.

What would happen is, as soon as the computer booted up, Avira would instantly pop up 16 VIRUS DETECTED windows, all for the same file/virus. I would select Quarantine and close the window, and a new window would instantly reappear, same virus. Avira couldn't remove it.

The worst part? This "bug" was documented and communicated to Avira by PC Mag in April 2009: http://www.pcmag.com/article2/0,2817,2344685,00.asp

Virus-testing labs note each product's ability to recognize thousands of static malware samples. I supplement this testing by checking whether the product can actually clean up systems infested with all kinds of malware. As soon as I got Avira installed on my test systems, I started hearing a chorus of beeps like a flock of manic spring peepers, each indicating that a piece of malware had been detected.

Avira offers an unusually large menu of choices in the pop-up window that appears when its real-time Guard module detects active malware. The default action is simply to deny access, which prevents the malware from running. But you can also move to quarantine, delete, overwrite and delete, rename, ignore, or (if it's a virus) repair the infected file. I always chose quarantining, but it didn't always work. One test system quickly stacked up 16 detection warnings (the maximum) about the same file. As soon as I clicked one away, another appeared. Clearly, the program wasn't successful at moving the file to quarantine. In order to proceed, I had to check a box titled "Note action selected for this file (dangerous)."

Let's stop a minute and consider what's going on. When this product detects malicious software, its default action is just to sit on it, preventing execution or other access. I'd feel a lot safer if it removed a serious threat. It doesn't even have to ask me first! Certainly, when I tell it to get rid of the threat, it should actually do the job. And what kind of a choice is it when the only way to stop interminable pop-ups is to select an option labeled "(dangerous)"? Before I ever launched a scan, things weren't looking great for Avira's suite.

So be aware: Avira has fantastic detection rates but is very unreliable at actually removing viruses. In my case, selecting "Note action selected for this file" only succeeded in stopping the nuisance warnings; it did NOT remove the virus. It's very misleading as well, as it appeared to have removed the virus because there were no more warnings. I ultimately used Malwarebytes to remove the trojan.
 

mechBgon
Super Moderator, Elite Member, Oct 31, 1999
Note that the real-time scanner of the Premium (pay-for) version of Antivir can be configured to act autonomously instead of having to ask the user what to do.
 

Scouzer
Lifer, Jun 3, 2001
Originally posted by: mechBgon
Note that the real-time scanner of the Premium (pay-for) version of Antivir can be configured to act autonomously instead of having to ask the user what to do.

Fair enough, but it still wouldn't have actually removed the virus; it'd just never notify the user! That's even worse!
 

mechBgon
Super Moderator, Elite Member, Oct 31, 1999
Originally posted by: Scouzer
Originally posted by: mechBgon
Note that the real-time scanner of the Premium (pay-for) version of Antivir can be configured to act autonomously instead of having to ask the user what to do.

Fair enough, but it still wouldn't have actually removed the virus; it'd just never notify the user! That's even worse!

I think your dad's AntiVir was detecting a secondary aspect of the infection, not getting to the root cause of it. That's not surprising, because antivirus software isn't infallible. Some interesting stats to ponder: http://mtc.sri.com/live_data/av_rankings/ Given a 24-hour lead time, signature-based and heuristic-based detection rates top out around 85% in their ongoing tests. For your dad, I'd suggest he try out a non-Admin user account if he hasn't already done so. An ounce of prevention is worth a pound of cure...
 

Scouzer
Lifer, Jun 3, 2001
Originally posted by: mechBgon
Originally posted by: Scouzer
Originally posted by: mechBgon
Note that the real-time scanner of the Premium (pay-for) version of Antivir can be configured to act autonomously instead of having to ask the user what to do.

Fair enough, but it still wouldn't have actually removed the virus; it'd just never notify the user! That's even worse!

I think your dad's AntiVir was detecting a secondary aspect of the infection, not getting to the root cause of it. That's not surprising, because antivirus software isn't infallible. Some interesting stats to ponder: http://mtc.sri.com/live_data/av_rankings/ Given a 24-hour lead time, signature-based and heuristic-based detection rates top out around 85% in their ongoing tests. For your dad, I'd suggest he try out a non-Admin user account if he hasn't already done so. An ounce of prevention is worth a pound of cure...

Interesting chart. I'm surprised Norton is so far down the list. They seem to be in the Top 3 of nearly any test these days.

I was going to upgrade my dad from Avira Free to NIS 2010 when it releases... but maybe that's not so helpful. What do you think, worthwhile upgrade or no?

A limited account won't work... he won't understand how to bypass it when necessary and I'm not around to help him often enough.
 

mechBgon
Super Moderator, Elite Member, Oct 31, 1999
Originally posted by: Scouzer
Originally posted by: mechBgon
Originally posted by: Scouzer
Originally posted by: mechBgon
Note that the real-time scanner of the Premium (pay-for) version of Antivir can be configured to act autonomously instead of having to ask the user what to do.

Fair enough, but it still wouldn't have actually removed the virus; it'd just never notify the user! That's even worse!

I think your dad's AntiVir was detecting a secondary aspect of the infection, not getting to the root cause of it. That's not surprising, because antivirus software isn't infallible. Some interesting stats to ponder: http://mtc.sri.com/live_data/av_rankings/ Given a 24-hour lead time, signature-based and heuristic-based detection rates top out around 85% in their ongoing tests. For your dad, I'd suggest he try out a non-Admin user account if he hasn't already done so. An ounce of prevention is worth a pound of cure...

Interesting chart. I'm surprised Norton is so far down the list. They seem to be in the Top 3 of nearly any test these days.

I was going to upgrade my dad from Avira Free to NIS 2010 when it releases... but maybe that's not so helpful. What do you think, worthwhile upgrade or no?

I haven't done any research on NIS 2010's capabilities, but I wouldn't expect any security software to singlehandedly keep the system secure.

A limited account won't work... he won't understand how to bypass it when necessary and I'm not around to help him often enough.

If he can't understand how to use a Limited account and then log on as an Admin when necessary, then I doubt he'd know what to do when confronted by a prompt from NIS 2010 regarding network traffic, suspicious behavioral detections, etc. either. Is it really that hard to understand the loaded gun / unloaded gun idea? My elderly parents are on a WinXP system with non-Admin accounts, and they're doing fine. So are the other people I've set up that way.

The other thought I had was to upgrade him to Vista. Then he can log on as a Standard User (Vista's equivalent of a Limited account) and the UAC prompts will pave the way when Admin rights are actually needed for something. That's just one of Vista's security enhancements.

 

Scouzer
Lifer, Jun 3, 2001
Well see, my dad is not computer illiterate. He has literally hundreds of computer games and installs new ones every day. He loves his PC games. But he has many games for which he no longer has the discs, so I have to avoid formatting at all costs.

But I think I could teach him to understand NIS's prompts... he did what he was supposed to do with Avira, but Avira failed him.
 

tzdk
Member, May 30, 2009
I'm not so sure his problem is due to the bug mentioned in the review, since it was fixed long ago. Not really surprised it can go wrong anyway.

Maybe install WOT http://www.mywot.com/ for him, and spend some time setting it up so warnings/blocks are understood. Focus on RED alerts more than yellow or green. He might not be up for evaluating the internet! Basically, use it as a huge hosts file. It can easily be better protection than Avira, since they use sources digging out bad domains/downloads 24/7. You will be surprised how easy it is to provoke an infection - all depending on OS setup of course, but still. Especially the part of evilness concerning apparently legit programs is not covered well. Scams like that are of course targeted at people like your dad. If he needs AV because infection is likely to happen, he also needs WOT.

WOT is a lot more updated and effective compared to SiteAdvisor, Norton and what else there is. But it's more or less the same thing. They just work more and have built up way better sources. WOT is not worth much if sources are slow or missing. The difference could be that WOT has the same relationship to the old fantastic companies as Malwarebytes and others ;) They see where they fail - or where there is a market...

As you have found out, Malwarebytes is useful. Keep it installed. Make a batch file which runs a quick scan after an update. Put it in Task Scheduler; once per day will do. It will only pop up when something is found, with few FPs to be confused about. The sooner an infection is discovered the better. It scans fast, unlike certain other tools, so it won't bother him.

I would "suffer" with Avira or Avast until MSE is released. Or get it right now. It will not be perfect either, but not worse than the others - and it is paid for, so to speak. Keeping it simple is essential, and MSE is definitely simple.

The secret to Norton's success has much to do with being friendly to grandmas (the opposite of Avira, which can be weird by design), which is probably also why some don't like it! Not much geekiness over Norton. Today it even looks ok in the few reliable tests, and runs smoothly too. I like it a lot, but have fun testing output from malware domains :)
 

Scouzer
Lifer, Jun 3, 2001
Maybe I'll get him NIS2010 + WOT Plugin Firefox + Adblock Plus.

That'd probably be a pretty safe setup for a layman.

I don't really want to try MSE on him as it's new and unproven, even though initial previews seem positive.
 

tzdk
Member, May 30, 2009
One problem with NIS and other payware is they often disable Windows Defender. Some Vista users have already done that on their own for various reasons - XP people can just ignore the offer. So what is "best", or least bad: NIS, or Avira/Avast/AVG free plus WD? Is WD overlapped by NIS?

Some infections almost require a reinstall, like those attaching themselves to exe files. It can be hopeless to restore if not discovered soon after the attack. But most are not that destructive. Malwarebytes probably did an ok job, but you should know the details of the infection so you can find documentation on AV/security sites (Google). Confirm the log from Malwarebytes fits what you dig up. I would also scan with other tools; even more important if you're not sure what went wrong. There could be more. Try SuperAntiSpyware. Slow and kind of annoying, but if you disable a few items in preferences it can run alongside Malwarebytes and whatever else without being visible. Also note the Repairs tab - it happens that Windows functions are damaged by an infection and need to be restored. That can make people reformat, because it is not that easy to find out if the infection is unknown. If safe boot is disabled, you know why.

Also try another AV, maybe an online scanner like ESET's http://www.eset.com/onlinescan/ - set it up so it does not throw out FPs or non-critical errors, and definitely does not remove anything. Settings: the new version is very good http://www.eset.com/onlinescan...p.php?page=newfeatures and safe with that new quarantine, but all you want is confirmation, to start with at least. Kaspersky's online thing can't remove anything, so it's safe to run.

Avira's Linux-based rescue CD would probably have done a better job at removal than the one you had running. Sometimes rescue/live CDs are better - or needed, when an infection disables/messes up the normal AV. It can be tough to do much in Windows. Linux scanning is also an option.

Or post on a malware removal forum and ask them to check.

Remember to delete old system restore points - there might be something in there. A full scan with Avira will detect it? Can't do much about it though - http://support.microsoft.com/kb/263455/en-us
 

Scouzer
Lifer, Jun 3, 2001
I got him NIS 2009 + Superantispyware + Malwarebytes + Firefox 3.5.2 + Mywot + Adblockplus

I think that's about all I can do for a layman.
 

tzdk
Member, May 30, 2009
Except for having to pay up, that seems like good protection - it can avoid too much explaining of defense layers and forced change of user behavior. He doesn't have to care :)

Maybe you have to explain WOT a bit though; dig into settings, check support pages - not sure how many, if any, features of Norton's "web protection" you should disable because of WOT. You can make it so WOT is blocking red sites, warning fully on yellow and more or less ignoring others. To each his own with WOT - the plugin is flexible. I've seen some not liking it, saying there are too many false positives. I know there are attempts at spamming and all that, but they are aware and fight back by putting different weight on user ratings - some users have more say than others; you can't sign up and change the way the world looks at a bad domain. Anyway, if the focus is on blocking the obvious, I think it has much value.

If interested in running a daily/weekly or whenever scan with Malwarebytes, paste a few lines into a batch file, place it in the program folder and make a new entry in Task Scheduler. I think it still works. It only pops up if something is detected or the program itself is updated - a press-the-OK-button type of request. Tell him to contact you if he sees anything alarming - and let's hope Malwarebytes cools it with false positives. You can probably find better batch files at their forum or on Google.

@echo off
rem Run from the Malwarebytes program folder so mbam.exe resolves without a path
cd /d "%~dp0"
rem Update definitions first and wait for the update to finish
start "" /WAIT mbam.exe /runupdate
rem Then run a minimized quick scan that exits on its own when done
start "" mbam.exe /minimized /quickscanterminate
exit

Forgot about OpenDNS - also an invisible and easily manageable "layer". Don't know how much it adds to the phishing filters in Firefox/IE8; about zero to what WOT handles, that is for sure. OpenDNS still talks about blocking malware, but not much is actually done. Some other benefits perhaps.
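A fuller version of the scheduled-scan idea from tzdk's post, as an added example that is neither tzdk's script nor anything shipped by Malwarebytes. It keeps the two mbam.exe switches quoted above (/runupdate and /quickscanterminate), adds a check that the executable is actually where expected, writes a small log next to the script so you can see from afar whether the daily run happened, and registers itself in Task Scheduler with schtasks when called once with the word "install". The install folder, task name, 12:00 start time and log file name are assumptions; adjust them for the machine.

```batch
@echo off
rem mbam-daily.bat (added example, not tzdk's script or Malwarebytes' own)
rem One-time setup, from an Administrator command prompt:  mbam-daily.bat install
rem Afterwards Task Scheduler calls this file with no argument every day.
setlocal

rem Assumed install folder of Malwarebytes' Anti-Malware 1.x; change if different.
set "MBAM_DIR=C:\Program Files\Malwarebytes' Anti-Malware"
rem Log lives beside the script so you can check it when you visit.
set "LOGFILE=%~dp0mbam-daily.log"

if /i "%~1"=="install" goto :install

rem Refuse to run (and say so in the log) if the scanner is not where we expect.
if not exist "%MBAM_DIR%\mbam.exe" (
    echo %date% %time% ERROR mbam.exe not found in "%MBAM_DIR%" >> "%LOGFILE%"
    exit /b 1
)

cd /d "%MBAM_DIR%"

rem Update definitions first and wait for it to finish; a scan with stale
rem signatures is the failure mode the thread is complaining about.
echo %date% %time% starting definition update >> "%LOGFILE%"
start "" /WAIT mbam.exe /runupdate
echo %date% %time% update finished, exit code %errorlevel% >> "%LOGFILE%"

rem Quick scan, minimized; /quickscanterminate makes it close by itself unless
rem something is found, so the only pop-up the user sees is a real detection.
echo %date% %time% starting quick scan >> "%LOGFILE%"
start "" /WAIT mbam.exe /minimized /quickscanterminate
echo %date% %time% quick scan finished, exit code %errorlevel% >> "%LOGFILE%"
exit /b 0

:install
rem Daily at 12:00; /RL HIGHEST so the scan runs with admin rights and can reach
rem every file; /F replaces an existing task of the same name. Escaped quotes in
rem /TR keep the script path intact if it contains spaces.
schtasks /Create /F /SC DAILY /ST 12:00 /RL HIGHEST ^
    /TN "Malwarebytes daily quick scan" /TR "\"%~f0\""
if errorlevel 1 (
    echo Task registration failed; run this from an Administrator prompt.
    exit /b 1
)
echo Task registered. Test it with: schtasks /Run /TN "Malwarebytes daily quick scan"
exit /b 0
```

When the user is on a Limited or Standard account, as mechBgon suggests earlier in the thread, the scheduled task still runs elevated because Task Scheduler, not the logged-on user, launches it; the user only sees the scanner window if a detection stops it from terminating on its own.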