Result = "undetected" - what does this mean?

No. Undetected means it did not trigger enough alerts on all monitored items; this does not mean it's not malware, it means CIMA does not have enough triggers to determine whether it's really clean or not. This file needs manual inspection to determine whether it's really "clean" or whether CIMA needs to be tuned to automatically detect it.

Suspicious is highly likely malware, and if it is malware it will also rate it as Suspicious. Even if you upload a known virus to the database, it won't report that it found virus X, because as far as I know it doesn't use an AV scan before analysis.

I think you are wrong. Here is what Umesh said -

Well, I think I was trying to say the same, except that it's an automated system, so if some sort of malware uses anti-virtual techniques and/or uses timed triggers long enough to "fool" the system, it will still say "undetected".

Automated systems can always be fooled, and there is only a limited set of parameters it monitors; feed it something fancy, something new, and it could be marked as undetected, but is it really clean?

No, it means CIMA was unable to detect anything "suspicious" about it :wink: but then again maybe I'm too paranoid 88)

There are guys out there doing all-day testing against those "online scanners" to see if they get detected and how they can hide... for them it's a big money game...

Ah... I get it, and to think that I was depending on CIMA for on-demand scanning. I never knew that online scanners were "limited" in what and how they scan.

Every scanner is, no matter if it's made by x/y/z; they all "can be bypassed" somehow. They will catch the majority of the baddies, but nothing is 100% perfect... if someone tries hard enough, you can circumvent them.

If you run an online scan with, let's say, HouseCall and you have a good rootkit active, it will also not report the rootkit. To be safer against those you need to do "offline" scanning with another boot device like Ultimate Boot CD for Windows etc...

I also use threatexpert and anubis for second and tertiary opinions on baddies.
http://www.threatexpert.com/
http://anubis.iseclab.org/index.php

That makes slipping through the mazes a lot more complex, because all 3 are different.

I thought that "sandbox"-based scanning was more effective than the signature-based or heuristics-based scanning of resident, offline scanners. I had the conception that it is easier to recognize malicious activity by observing what an executable file does (as is the case with sandbox-type scanning) than if the file itself was simply scanned (signature-based/heuristics-based scanning).

But I didn’t know about the limitations of “online” sandboxes which are limited by a set of defined parameters.

I don't have a real-time scanner running on my system because that extra RAM usage and the constant updates will amount to nothing the day I am hit by malware that my scanner will not be able to detect.

I'd rather use imaging software to restore my system, as I find backup software to be more reliable than anti-viruses.

I use online scanners purely to check whether I should let the file run or not. But since you are saying that online scanners are very limited and easily circumventable, I'll have to turn towards the option of having an on-demand scanner on my system.

Well, there is no need to fear; I didn't mean to say they are less effective, it's just different.
For AV it's simple: it either detects it or not, based on a signature; next to that there is the "heuristic" this-looks-suspicious alert.

These scanners do work fine for most malware; I'm just trying to say that it's not impossible to circumvent these as well. Some malware is known for its sandbox-detection skills, and it will show completely different behavior once it detects a sandbox: it could terminate, or it could use a time trigger to jump to an encrypted part of the code that will only get loaded after, let's say, 15 or 30 minutes. Then it would fool these online CIMA/ThreatExpert etc. sandboxes, because they are not going to wait for 15 or 30 minutes...

As with encryption, they will always try to break it; same with AV and the like, they will always be looking for holes in those new detection features. Most of the malware is "too stupid" for this, but it will never be 100% secure; you need multiple layers of security to detect and prevent.
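To make the time-trigger point in the post above concrete (and the earlier question of why watching behaviour is not automatically stronger than scanning bytes), here is an added toy model. It is not code from the forum thread, nor from CIMA, ThreatExpert or Anubis: a sandbox with a fixed observation budget, three constructed samples, and a sleep-skipping switch of the kind real sandboxes use to defeat long waits. The verdict names "suspicious"/"undetected", the action names, the sample behaviour and the five-minute budget are all assumptions made for illustration.

```python
"""
Toy model of an automated sandbox that only observes a sample for a fixed time
budget, and of a sample that waits past that budget before doing anything bad.
Added example for illustration; nothing here is taken from CIMA or any real sandbox.
"""
from dataclasses import dataclass, field

# Behaviours the (hypothetical) monitor scores as suspicious. A real sandbox rates
# hundreds of API-level signals; this set is a constructed stand-in.
SUSPICIOUS_ACTIONS = {"write_autorun_key", "inject_remote_thread", "connect_c2"}


class BudgetExceeded(Exception):
    """Raised when the sample's waiting has used up the sandbox's observation window."""


@dataclass
class SandboxEnv:
    budget_s: float                 # how long the sandbox is willing to observe
    skip_sleeps: bool = False       # emulate patching Sleep() so long waits return at once
    clock_s: float = 0.0            # wall clock as the sample sees it
    observed_s: float = 0.0         # time actually consumed from the budget
    events: list = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        # The sample always sees time advance; otherwise it could notice the patch.
        self.clock_s += seconds
        if not self.skip_sleeps:
            self.observed_s += seconds
        if self.observed_s > self.budget_s:
            raise BudgetExceeded()

    def do(self, action: str) -> None:
        self.events.append(action)


def analyse(sample, budget_s: float, skip_sleeps: bool = False) -> str:
    """Run sample(env) under the monitor and map the result onto the two verdicts
    discussed in the thread (the mapping itself is an assumption)."""
    env = SandboxEnv(budget_s=budget_s, skip_sleeps=skip_sleeps)
    try:
        sample(env)
    except BudgetExceeded:
        pass  # window closed; anything the sample does afterwards is invisible
    hits = [e for e in env.events if e in SUSPICIOUS_ACTIONS]
    return "suspicious" if hits else "undetected"


# --- constructed samples -------------------------------------------------------

def benign_sample(env: SandboxEnv) -> None:
    env.do("read_config")
    env.do("show_window")


def eager_dropper(env: SandboxEnv) -> None:
    """Misbehaves immediately, so any behavioural monitor catches it."""
    env.do("write_autorun_key")
    env.do("connect_c2")


def patient_dropper(env: SandboxEnv) -> None:
    """Looks harmless for 30 minutes, then runs its real payload (the time trigger)."""
    env.do("show_window")
    env.sleep(30 * 60)
    env.do("write_autorun_key")
    env.do("connect_c2")


def verdicts(budget_s: float = 5 * 60) -> dict:
    """Return {name: (verdict without sleep-skipping, verdict with sleep-skipping)}."""
    out = {}
    for name, sample in [("benign", benign_sample),
                         ("eager", eager_dropper),
                         ("patient", patient_dropper)]:
        out[name] = (analyse(sample, budget_s),
                     analyse(sample, budget_s, skip_sleeps=True))
    return out


if __name__ == "__main__":
    for name, (plain, skipping) in verdicts().items():
        print(f"{name:8s} plain={plain:11s} sleep-skipping={skipping}")
```

Under the five-minute budget the patient sample comes back "undetected" while the eager one is "suspicious", which is exactly the gap the post describes; switching on sleep-skipping flips the patient sample to "suspicious" without the sandbox spending the 30 minutes. The caveat is that sleep-skipping is itself detectable: a sample that compares the patched clock against an independent time source (a remote server's timestamp, a CPU cycle counter) can notice the acceleration and stay quiet, so the verdict "undetected" still only means "nothing was seen in the window", not "clean".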

But I didn't know about the limitations of "online" sandboxes which are limited by a set of defined parameters.
It's a computer program; it's always only as good as it's coded (no judgment on anybody, just in general).
I don't have a real-time scanner running on my system because that extra RAM usage and the constant updates will amount to nothing the day I am hit by malware that my scanner will not be able to detect.

I'd rather use imaging software to restore my system, as I find backup software to be more reliable than anti-viruses.


Well, if you know how to use CIS with FW and D+ then you're safe to go. I'm only running the AV because I like to see how it behaves and evolves, not to stay clean; that's what I have D+ for :wink:

I use online scanners purely to check whether I should let the file run or not. But since you are saying that online scanners are very limited and easily circumventable, I'll have to turn towards the option of having an on-demand scanner on my system.
I'm not saying that they are very limited; they will probably detect roughly 95% of all baddies out there, but there will always be the possibility that something slips... again, multiple layers of security provide better chances of staying clean.

I did an inspection of an infected laptop yesterday at my job and only very few scanners detected these baddies; it also used anti-forensics to make the traceback more difficult...

I too depend on the firewall and Defense+ for protection, but I am not yet fully knowledgeable on how HIPS software works. But that is beside the point, which is that no default-deny approach will save you when you have decided to run a file which might be malicious.

And that is where traditional scanning comes in.

Well, anyway, I have added CIMA back to my bookmarks since you say that it is not that weak.