Virus missed during scan

Contradiction in your own statements
Yes! A real-time scan cannot catch all… etc.
And the real-time scan we are talking about - that is the unneeded option.
That is what we are disabling.
Exactly! It cannot add any additional security. It does the same as post-checking, but it can cause locking / access denied / other conflicts… if enabled.
“We need e-mail scanning”. Yes! That’s what we are not disabling, and that’s what we all have with onAccess / onExecute (if script) and so on. That’s what several users have already said here.
After we have received emails, which are sitting silently in the inbox and not causing any harm,
we click on “this” email, which is scanned immediately when the AV Guard is active, and all its HTML is checked. We open the attachment - that is scanned.
What else do we need? We click inside, and if something malicious is going to be executed, Defense+ and other behavioral guards catch it if they can (currently).
What else?
Even in a corporate server environment there are special procedures with time-outs and other settings in order to “let it go” without interruptions… then, when a portion of e-mails has been delivered, they are placed in temporary locations, scanned and then distributed to client inboxes.

I hope it’s clear enough now what we are calling real-time (scan during download)… unless you know a way to execute “HTML, MHTML, JavaScript etc.” or whatever terms you place here during download.

Thanks

Please, NO insulting and potential flaming, people.
Keep the tone at a social and reasonable level.
Thank you.

Hi everyone,

I think this thread was started with the intention to improve, not to argue.
I do agree with Mr John Buchanan that we should keep the tone at a social and reasonable level - you know, discussion is fun, and it helps the moderators be aware of the things at hand, which in turn helps to improve the service level.

As an end-user, I do agree with the point made by Creasy about having an email scanner; after all, it gives ordinary people (like me) peace of mind.
However, other experienced people here do have their points too; if the email scanner causes more problems in the end, it should be excluded.

Although NOD32 and the majority of others do have it, that may or may not indicate they are right.
Take the QWERTY keyboard for example. For hundreds of years, people thought the QWERTY keyboard was designed with speed in mind. Guess what? It’s not, but people still use it. IBM, Dell and other major PC producers still include it as the standard package.

No no, Creasy, I am not saying that we are wrong to ask for an email scanner. In fact, it would be kind of interesting if some other seniors out there popped in and discussed this along our direction too.

By the way, Outlook Express (.dbx) is no longer available from Vista onwards. They are using Windows Mail, which does not use the .dbx extension. What about Thunderbird? Will the email scanner corrupt Thunderbird and other email programs too?

Greetings all,

Hi bestfreeav,

I think this thread was started with the intention to improve, not to argue
You are absolutely right – the intention is to improve. As for arguing, that may occur, and there is nothing wrong with that in itself. But the tone of the discussion has to be civilized. I was never rude here in this forum and never will be. At the same time I have to apologize to you, as the original poster, if you think that the discussion went off-topic. In my recent PM to one of the members of this community I actually wrote that I personally don’t like it when that happens. So I hope that you will excuse me.

As for your last question, since you asked about it anyway :wink:

By the way, Outlook Express (.dbx) is no longer available from Vista onwards. They are using Windows Mail, which does not use the .dbx extension. What about Thunderbird? Will the email scanner corrupt Thunderbird and other email programs too?
The answer is - yes, you have the same chance of corruption with any e-mail client and any AV where real-time mail scanning during receipt is implemented, because of the nature of when that’s happening. As quoted above, one of the experts stated: “…the newer Windows Live Mail is more resistant to corruption from aggressive antivirus programs…”… just “more resistant”, probably… ??? - that’s all.

I will not go off-topic again, but just remind you of another discussion in the forum, where most participants mainly agreed that real-time scanning of archives is just a waste of time. Malware sitting inside an archive is harmful. Archives must be scanned, but after being downloaded. They will be scanned as soon as you open the archive or scan it on demand. Use your main AV and, in addition, as many other scanners as you want and have.
With emails the situation is a complete analogy.
The thing to remember: we do have, and we are not losing, e-mail scanning, since we have the “onAccess” of our AV.
Finally, well… if real-time scanning is implemented in any given AV, and if Comodo developers make a decision to do so, it is just a matter of personal choice. Those who understand what can happen, and that the said feature itself does not bring extra security, will disable it; others can use it at their own risk.
Easy and no fighting.

The point was: the more users are aware of the situation, the more they will just dig, read, learn and make their own decision.

Cheers!

If it’s not opened, it doesn’t matter. 1s and 0s on a disk aren’t malicious. 1s and 0s, as executable code, loaded into memory can be.

Ewen :slight_smile:

Ahh yes yes… somehow it went off topic.

Never mind, it brings more insight into things too. I will use it as a suggestion to my manager then.
In the meantime, let us come back to my very first post.

If you go back and read again, you will see that Comodo missed a virus (that was my thread title too).
It was not that Comodo cannot scan that area; it did, and it caught all but one. And this one was somehow missed. A pity, I cannot submit this virus as NOD32 cleaned it for me…
(I was using NOD32 to test as suggested by Creasy)

In any case, I will try it one more time.
(By the way, I wonder, does it catch and clean the Antivirus 2009 virus?)

Ewen.

I’m talking about the code in the mail, which is based on HTML stuff, not binary files.

Let me tell you something.
Two days ago, there was a hacking incident on the government network here.
The hacker took data from their PC via OUTLOOK EXPRESS.
The hacker sent an e-mail including malicious code inside the HTML+JavaScript.
One of the staff opened it. Nothing happened on the screen.
He saw only some sentences on the screen.
Yes, it was just like a normal e-mail, NO file attached.
(Not a binary file, please don’t confuse it.)
Sure, there were antivirus tools.
Sure, there was a server-side scanning tool.
But it happened.

funny right?

bestfreeav.
Nice to see you again.
Some people who think CAV is the best don’t trust what we were talking about.

(By the way, I wonder, does it catch and clean the Antivirus 2009 virus?)

Which one?
CAV or NOD32?

This is probably an Outlook Express flaw, because it is allowing scripts to run outside their intended scope by having access to the computer.

So my question: is this a job for an anti-virus/anti-malware, or is it a security flaw of the program?

First, the program.
(We can’t say it’s a security flaw of the program; humans always pursue convenience, that’s the problem.)

  • to prevent it, use plain text (there is the option)

Second, the user problem.

  • better education needed for the staff.

Third, anti-virus/anti-malware.

  • be more powerful

etc.

thank you.
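The "use plain text" mitigation above and the earlier point that an HTML+JavaScript mail body does nothing until a client renders it can be shown concretely. The following is an added example, not code from the thread, from Comodo, or from any product discussed here. It builds a constructed MIME message (a benign text part, an HTML alternative carrying inline script and an onload handler, and one attachment), then shows the two things a plain-text reader relies on: rendering only the text/plain part, and a triage pass that reports where the active content sits. Only the Python standard library is used; the function names and the sample message are this example's own.

```python
"""Added example (not from the original thread): what reading mail as plain
text removes from an HTML+JavaScript message, and where active content sits.
Names (build_sample_message, plain_text_view, find_active_content) and the
sample message are constructed for this example."""
from email import message_from_bytes, policy
from email.message import EmailMessage
import re

# Inline <script> elements.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
# Event-handler attributes (onload=, onerror=, ...) also run script without
# a <script> element, so a triage pass has to look for them too.
ON_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed sample: multipart/alternative (text + HTML with script)
    wrapped in multipart/mixed with one attachment. Nothing here is real
    malware; the attachment body is a placeholder byte string."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Monthly report"
    msg.set_content("Please see the attached report.\n")
    msg.add_alternative(
        '<html><body onload="alert(1)">'
        "<p>Please see the attached report.</p>"
        "<script>document.location='http://example.invalid/x'</script>"
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(
        b"MZ\x90\x00 constructed placeholder, not real code",
        maintype="application",
        subtype="octet-stream",
        filename="report.exe",
    )
    return msg.as_bytes()


def plain_text_view(raw: bytes) -> str:
    """What a client set to 'read as plain text' shows: only the text/plain
    alternative is selected; the HTML part is never handed to a renderer."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def find_active_content(raw: bytes) -> list:
    """Triage pass: list the parts that need a renderer or an execution
    before they can do anything. Everything else is just stored bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            if SCRIPT_RE.search(html) or ON_ATTR_RE.search(html):
                findings.append(("html-script", ctype))
        elif part.get_content_disposition() == "attachment":
            findings.append(("attachment", part.get_filename()))
    return findings


if __name__ == "__main__":
    raw = build_sample_message()
    print("plain-text view:", plain_text_view(raw).strip())
    for kind, what in find_active_content(raw):
        print(f"{kind}: {what}")
```

The plain-text view contains no markup at all, which is why the "use plain text" option closes the HTML+JavaScript vector regardless of what the client's renderer would have done with it. The triage list is what an on-access scanner has to work with: the attachment is inert on disk and only matters when it is opened or executed, which is the stage the rest of the thread argues is the right place to scan.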

[at] Panic

You win as usual; your message is correct as always and the shortest, shorter than my paragraph about “text files” and “executable” code inside. Needless to say about the verbosity of other stuff. Thanks :slight_smile:

[at] bestfreeav

First, sure, I did reread the initial post. Honestly, it is very hard to recreate what happened, just because you are talking about some detections picked up by different scanners. No names, no locations, no submissions to the vendor. You can call it malware only if you are absolutely sure yourself. If not, only confirmation by the developers of the particular security product can tell. Could be FPs.
If Avira picked up something but CAV did not, that does not mean Avira was right and CAV missed it.
You should submit the files to Avira as FPs (for investigation) and to CAV as “new” malware, meaning – you think that CAV missed it.
In this case you will get an answer from both vendors.
And sure, the submission should be done by the rules (I see the edited post): a password-protected archive has to be attached to the e-mail.
What CAV picked up was in the Restore Point. And it happened at the moment another scanner was checking the same file. The “onAccess” of CAV woke up.
Well, unless you are conducting such an experiment deliberately, usually you disable the other active Guard. Why is a different story, but that is not a big mistake.

The mistake was not submitting the A0047918.exe file too. Interestingly enough, sometimes when you have a real or FP detection in Restore, you may not have had the initial file present in your system for a long time already.

Then, I don’t know how you removed the file with NOD32. Did you have auto-healing enabled?
If so, that is another big mistake. First, now you don’t know the truth.
Secondly, having auto-quarantine and auto-healing enabled is highly unrecommended – that is dangerous. You should leave notification only.
You may render your OS inoperable if the FP flagging was for some vital system files. And actually, it really could be the case. Since something was flagged in Restore, it means that the original file was one of those the system is monitoring. And that can be, say, Explorer, svchost, tcpip.sys, and so on. How many times those were falsely flagged and what happened after auto-healing – just don’t ask. Sometimes users do that themselves – anything detected by AV goes into quarantine – and the result is Blue/Black & other colored screens – no system.

Unfortunately, we cannot tell a lot about the specifics of what was detected, because there is not enough information as I see it.
One more thing to say

…you should change the folder access authority. After that you and the antivirus software can access that folder. Then remove the infected file yourself or let the antivirus delete it.
Well, as I said above about submitting a file from the System Restore area: you have to temporarily uncheck “Protect system files”, copy the file somewhere for further archiving with a password, and then set the protection back. But if “antivirus software can access that folder” only after the user “changes folder access authority” himself, as suggested, you'd rather throw away such an antivirus :) Sure, you should not do that. Actually, your image shows how two security scanners are accessing files in there without your help.

[at] Creasy

The hacker sent an e-mail including malicious code inside the HTML+JavaScript. One of the staff opened it. Nothing happened on the screen. He saw only some sentences on the screen. Yes, it was just like a normal e-mail, NO file attached. (Not a binary file, please don't confuse it.) Sure, there were antivirus tools. Sure, there was a server-side scanning tool. But it happened.
And? Sure, nothing happened.

First, panic is not confusing anything.
Text / HTML / whatever files are binary files too, as a matter of fact - “zeros and ones”.
And where is the execution? Who is the host? You can read that file, as I said in one of the previous posts already.
The malicious host has to be picked up. Yes, sometimes some sequence inside HTML, etc. can be interpreted as malicious (in most cases those are FPs), but the main point of the discussion you returned to is that a real-time scan will not add anything to that detection.
If you are expecting your antivirus to raise an alarm in the situation you described, that probably should have happened when the user opened the e-mail, and that AV did not catch it, as you said. But that is a different topic.

Usually scripts are not flagged. Batch files are not flagged. Those can be malicious too. You cannot disable/flag batches “because they can”. There are a lot of batches working in the background.
Therefore the behavioral layer is needed to interpret and catch a malicious execution sequence.

My regards

What’s your problem?

I understood what bestfreeav was talking about.
bestfreeav understood what I was talking about.

But you didn’t understand what we were talking about.
You did reread? Then what?
You are still swimming in your own pool.

Guess what bestfreeav and I want to tell?
You will say something from MARS.
I think there will be useless talking again between us.

thank you.

I see.
You mean auto-executing code in memory, not on disk.
The bits that would be picked up by the HIPS or AV if they tried to do stuff.

All Comodo have done is make a design decision to not scan attachments in emails. If an HTML-formatted message contains auto-executing code, the real-time components of CIS and D+ would monitor the code’s actions upon execution.

Same with attachments. They would be monitored upon execution, as this is when they can affect/alter/damage the system.

Ewen :slight_smile:

Hi Creasy ,

That is not the way to talk.

I don’t have a problem(s).

you didn't understand what we were talking about
You are not explaining, and I am not expecting that... That part of my post was for bestfreeav, but he hasn’t replied yet.

May I ask you not to quote the whole post.
I answered panic, bestfreeav and you.
If you have some points to make and comment on each answer, please do that.
Otherwise users are just compelled to scroll.

If you think that the user needs to set permissions on the Restore Point manually in order to allow the antivirus to access it, which I think was incorrect and noted when answering bestfreeav - please say so. You did not comment on anything else from there either.

Even answering you, I was trying to elaborate on what Ewen said.
Your answer was about… MARS.

Mainly nothing was commented on in your reply. I really don’t see why the whole quote of my “saying from MARS” was placed there.

Thank you

All Comodo have done is make a design decision to not scan attachments in emails.
Hi Ewen,

I didn’t know that about CAV & attachments. Thank you for pointing that out.
Other things are understandable.

As a matter of fact, some anti-malware like a-squared has “onExecution” checking only when the guard is active. Sure, there is a scanner as well, with two engines.
Some like to have “onAccess” guarding too and disagree, but EMSI has a point in implementing it that way.

My regards

Thank you SiberLynx for your comments.

Yes, it is my first time using NOD32 and I did not toggle any options. When it finished scanning, the infections had been healed. That is what happened.

Thank you for reply, bestfreeav.

It’s a bit sad, since you wanted to find out what the alleged infection was and what was missed. But we all learn this way, by making mistakes. Those “auto-healing” or “auto-quarantine” options are the first to be switched off and have to be reset to Notification as soon as a new AV is installed.
The thing is that in many AVs I’ve tested, those are spread all over the option settings:
a few in scans (e.g. “whole PC”; Shell Extension; “specific files and folders”…) / resident Guard / etc.
It would be nice to have a global one. Probably that can go into CAV’s wish list, if not implemented already. I cannot tell, since I’m not using it yet.

But the next question is: how is your PC? Is it working fine? That’s the most important thing.
Nobody needs malware suspects (except testers :slight_smile:), but I am sure you will have a chance to conduct some successful experiment(s) if you have the opportunity.

Cheers

Again though, the attachment is scanned when it is accessed. So it is scanning the attachments, just not on receipt or when sent.

Again though, the attachment is scanned when it is accessed. So it is scanning the attachments, just not on receipt or when sent.
Hi HeffeD,

Thank you for the reply. I know that, and I am fine with that.

Actually, I was expecting it to work like that. I just wanted confirmation.
The discussion at that stage was not about scanning during receipt from the server. That is disabled.
Now we are opening the e-mail locally in our client. Some AVs will scan the attachment (locally) at this stage, and that is not problematic at all compared to real-time.
I am OK when checking and alerting, if necessary, occurs upon opening the attachment / decompressing it / etc. That’s how AVG works, for example. That is sufficient.

I thanked panic for letting me know that CAV behaves the same way before my conversion to CAV :slight_smile:

Cheers!

Thank you all.

I have learned quite a lot from all of your inputs. ;D