11-29-2011 07:17 AM
Running virus detection locally, from the cloud, booting a standalone solution... there are several choices available. I'd like to get some feedback on what you think the best way might be, understanding there are different types of viruses that behave differently, etc.
11-29-2011 07:38 AM
I would suggest that the customer start with an updated full system scan of their onboard antivirus software. I would follow that with a shutdown/restart and then scan with a second scan, which could be either or both an online or cloud scan.
In the event of a serious infection, a boot scan is advisable, however, a system with a rootkit or backdoor trojan is best off with a clean install. In such situations, there is no guarantee that the system can be trusted.
11-29-2011 10:27 AM - edited 11-29-2011 10:34 AM
I'd like to comment on the current state of cloud based antivirus solutions. I think they are a very bad idea, or at least one that is ill conceived at the moment. Why, you ask? Particularly since that form of antivirus can rapidly respond to new threats? My response is simple. What do you do if the malware destroys your ability to connect to the Internet? Or, if it is a DNS redirector which prevents you from reaching the IP of the cloud? Basically, you are out of luck and will have to seek another solution for removing the malware. That may not be very easy in either of those two situations.
Or, another example, the malware redirects you to a cloned, malware provided, duplicate of the cloud that detects everything but cannot detect their specific malware and responds with a false negative? Do you go away happy because you think your, to that point, dependable cloud antivirus solution has protected you and that your system is clean?
No, at this point in time a cloud solution that sounds like "gee wiz Star Trek" technology wonderful, without having an onboard scanner and current definition set, is not a good idea. That's not to say that the future doesn't hold a solution to these situations; but, today, no, it isn't recommended in my book. It's flashy, it's appealing, it uses the current magic word "cloud", but there are too many holes in the logic for my tastes.
Now, as to your original question, seek competent help. Today's generations of malware are not easy to deal with. If your security can't deal with it, you need help to find and remove the malware. Don't try to do it yourself; you will likely fail and simply make the job tougher for one of us who spends full time volunteering at a recognized site removing malware and training new volunteers.
11-29-2011 11:23 AM
Cloud based scanning is not just a fad, it has become a practical necessity. With the explosive growth of definitions, and the use of file reputation and whitelisting instead of classic blacklisting, it is unfeasible and impractical to have all the definitions required to detect malware on the local machine; it takes too much disk space, uses too much memory, and consumes too much bandwidth.
That said, you are right, an internet connection is required, and there is the risk of a broken internet connection, or a man-in-the-middle type attack against the network traffic. The tools you use for cloud scanning must be able to restore network connectivity, be resilient to network connectivity problems, and network traffic interception attacks.
In certain infection cases, specifically with rootkit infections, it is not possible to run the scanning tool on the host OS, and you need to boot from a clean OS such as WinPE. WinPE may give you a clean OS, but it also has drawbacks as it does not support WiFi, and you may have to add the drivers required for your hardware.
11-29-2011 01:18 PM - edited 11-29-2011 01:19 PM
If your customer's antivirus program is not detecting anything but the symptoms of a malware infection are still present on his computer, you can use an online scanner (given that his computer can still access the Internet without problems) to get a "second opinion".
There's an available online scanner that is called Housecall. You can try to use that one first.
Regarding the conversation about what security protection to use (cloud-based, pattern-based, etc.), my suggestion is to install local security software that can do the following (but not limited to):
Traditional antivirus programs are not enough to protect your computers nowadays. You need to have a complete package since threats are becoming more intelligent as well.
Hope these help.
11-29-2011 05:22 PM
Just to add to PieterV's excellent reply, these days pretty much all anti-malware programs resort to using some sort of technology hosted in the cloud, whether it's looking up sites to see if they are malicious before allowing a connection, checking the "reputation" of downloaded software by its age and prevalence, and so forth.
Symantec had a great presentation at VB2009 called "Using the wisdom of crowds to address the malware long tail" which explains how a reputation system works, with a follow-up on its effectiveness presented at VB2010. This year at VB2011, there was a very interesting presentation from Trend Micro called "File-fraction reputation based on digest of high granularity" that showed how a cloud-based system could be used to detect recurring segments of malicious code to detect newer malware.
That said, I think it's important to use a mixture of techniques for detection of malicious code, both online and offline. As PCBruiser noted, if your Internet connection is unavailable or, even worse, compromised, then you cannot rely on a service based solely on having a "known good clean and working" Internet connection.
11-29-2011 08:16 PM
Just to reiterate my concerns, virtually all malware we see these days includes some type of DNS redirector, and/or blocks access to the most common security solutions and tools; and, from time to time, HIPS-like whitelisting and blacklisting of specific processes. Until such time as cloud security solutions are immune, or at least resistant, to that kind of interference, my concerns for that solution stand. Is it a bad solution? No, not by any means. Is it a vulnerable one? Yes, and that's the issue. As I said earlier in another topic - it is up to the user to become educated to the plusses and minuses of various security solutions, and make their choices whether any particular solution meets their needs or not.
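An added example (not code from any poster in this thread) of the kind of check the reply above argues for: before trusting a cloud-based scan, look at the local hosts file for entries that sinkhole or redirect the security-vendor domains the scanner depends on. The watched domain names and the hosts-file text below are constructed placeholders, not real vendor hostnames.

```python
import ipaddress

# Constructed placeholders for the domains your cloud scanner / updater relies on.
# Replace with the hostnames of the tools you actually use.
WATCHED_DOMAINS = {"housecall.example", "av-updates.example"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_watched(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Flag hosts-file entries that pin a watched domain to any fixed address.

    Mapping the domain to loopback/0.0.0.0 blocks the lookup outright; mapping it
    to some other address can send the scanner to a look-alike service instead.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, ip, "sinkholed to local host"))
        else:
            findings.append((name, ip, "redirected to fixed address"))
    return findings


# Constructed sample hosts file (not a real capture); 203.0.113.x / 192.0.2.x are documentation ranges.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
0.0.0.0         housecall.example
203.0.113.7     cdn.av-updates.example   # redirected
192.0.2.10      intranet.example
"""

if __name__ == "__main__":
    for name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

An empty result does not prove the resolver is clean; a DNS redirector that never touches the hosts file needs the same comparison done against the answers the configured resolver actually returns.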
11-30-2011 04:23 AM
As I said earlier in another topic - it is up to the user to become educated to the plusses and minuses of various security solutions, and make their choices whether any particular solution meets their needs or not.
Agreed. There is no one-size-fits-all.
In helping folks understand, I often compare computers to people, and remind them that a medical treatment that may work for one person, will not necessarily work in the same way for another. There are many variables to consider and no two systems are the same. Beginning with a comprehensive diagnosis, just as a doctor does, we can then work from there.
Microsoft MVP - Consumer Security
Member of Alliance of Security Analysis Professionals