I’ve got a new review of an interesting tool called MultiAV Scanning Tool (this tool was recommended to me by polonius). It is a command-line on-demand virus scanner tool which incorporates a few of the best AV scanning engines on the market. They are:
- Sophos
- McAfee
- Kaspersky
- Trend Micro
I’ve tested only Sophos & McAfee, because I’m already using Kaspersky’s Online Scanner & Trend Micro’s HouseCall and I was not going to double my files.
To the point:
Sophos:
The scan of my hard disks lasted two hours (20GB of 80GB free). No unusual false positives except for these:
Virus fragment ‘W95/MrKlunky-A’ found in file d:\Programs_AntiVirus\PandaAntiVirusTitanium2006\PandaAntiVirusTitanium2006.exe\SfxArchiveData\data1.cab\ICAB:00250187
Virus fragment ‘W95/Whog-878b’ found in file d:\Programs_AntiVirus\PandaAntiVirusTitanium2006\PandaAntiVirusTitanium2006.exe\SfxArchiveData\Files/SAFEDISK.IMG
Removal successful
Virus fragment ‘W95/MrKlunky-A’ found in file d:\Programs_AntiVirus\PandaAntiVirusTitanium2006\PandaAntiVirusTitanium2006Unregistered.exe\SfxArchiveData\data1.cab\ICAB:00250187
Removal successful
Virus fragment ‘W95/CIH-10xx’ found in file d:\Programs_AntiVirus\PandaTruPreventPersonal2005\PandaTruPreventPersonal2005.rar\PandaTruPreventPersonal2005.exe\SfxArchiveData\data1.cab\ICAB:000d3ab3
Removal successful
As you can see, Panda, Panda, Panda!!! Now I have lost all three installation files, which, I might add, took ages to download over dial-up. Well, if this is how they work I don’t need them anyway. So, besides those false positives and the long scan time, Sophos AV Scan is a plus for protection you must have.
McAfee:
The scan lasted 45 minutes. Results:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE … Found potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\Program Files\Ewido\Security Suite\guard.sys … Found trojan or variant New Malware.z !!!
Please send a copy of the file to McAfee
The file or process has been deleted.
C:\Program Files\ICQToolbar\toolbaru.inf … Found potentially unwanted program Adware-Softomate.
The file or process has been deleted.
These are not malware! False positives all around! Beware of McAfee Scan, because who knows what software it will recognize as dangerous and delete some modules of.
Thanks for the review, but I would not recommend a scanner that goes on deleting false positives. I would like online scanning only if I had an option as to what to do with the results. If I use DrWebCureIt, it gives me results, I can decide not to do anything with them, upload the suspect to Jotti or VirusTotal and see if it is real, then decide what to do finally.

False positives can be a pain in the neck, when they are really false positives for important data on a computer. That is why a computer with important data on it should not be connected.

If the software came with the option to do with the results as one pleases, my opinion of it would be milder, and one could use it, say, once a month for a so-called garage stop.
Yes, unfortunately this program does that, but nonetheless the idea of multiple scanner engines is good and the program is quite simple to use. The only thing you need is some recovery program after running it, to restore all the false positives that have been deleted. Anyway, you saw the list yourself…
I think polonus is right about this, so this scanner remains pending until the author adds the option to decide what to do with the files after the scan!
In fact I’ll mail him to see what his plans are and get back to you when he answers.
I found this info on the net:
Service (registry key): ewido security suite driver
Display name: ewido security suite driver
Image path: ??\C:\Program Files\ewido\security suite\guard.sys
Image size: 3072
Does anyone have Ewido? Did you experience something similar? Is there any option other than reinstalling?
I think guard.sys relates to the resident part of ewido, so if you are using the free version (which disables the resident part after the trial period) it shouldn’t have any adverse effect.
I don’t know to what depth the removal process goes, e.g. does it also delete any registry entry related to guard.sys?
If not, then it would be possible to just replace the guard.sys file (IM me your email address and I will send it to you) in the C:\Program Files\ewido\security suite folder.
However, if it also deleted registry entries you may need to reinstall.
Edit: Just renamed guard.sys and did an update and a small scan, no issues.
I have the paid version, and it has proved itself very reliable in preventing many trojan attacks! Yes, it is a driver for Ewido guard (the resident part). This file was cleaned:
C:\Program Files\Ewido\Security Suite\guard.sys
Could the AV remove some registry entries and not report it? I can reinstall, but I was just curious whether this was fixable ( :)) in some other way.
Some AVs may go to the effort to remove registry entries, but I can’t say that for sure.
You could check by using regedit to search for guard.sys; if the entry still exists then replacing the file may work. You should be able to tell if the resident element is working after replacement and a reboot.
This actually means that scanning can be a risky business, and that prior to scanning one should back up the registry or, even better, set a restore point with a restore program in case of loss through false positives. So before doing something with a suspicious file, one should always seek a founded opinion to know whether the infection at hand is real, especially when heuristic scanning is involved.
The above is also true for spyware scanning with online scanners, where full removal is not possible or fails: before scanning, set a restore point and back up the registry. I know good online scanners provide these possibilities and ask Windows to do this.
> This actually means that scanning could be a risky business.
Yes, and even more so when using multiple online scanners when you don’t know what they are going to do upon detection. Since the AV program isn’t installed on your system, I would guess reversal/restoration of files and registry entries of FPs would be even more difficult.
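The two posts above recommend backing up before an on-demand scan and note that restoring what an uninstalled scanner deleted is hard. The following is an added example, not code from this thread, from MultiAV or from any of the scanners discussed: it hashes every file under a directory before the scan, keeps a copy of the tree aside, diffs a second snapshot afterwards to list what was deleted or "disinfected" (hash changed), and copies those paths back from the backup once you have decided they were false positives. All directory names and file contents in the demo are constructed; the real Panda installers and ewido guard.sys from the thread are only mirrored by name.

```python
"""Pre-scan manifest and backup so files lost to false positives can be restored.

Added example, not code from the original thread, from MultiAV or from any of
the scanners it discusses. All paths and file contents in demo() are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def save_manifest(manifest, dest):
    """Persist a snapshot as JSON; keep it outside the tree that will be scanned."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def diff_manifests(before, after):
    """Classify paths as deleted, modified (hash changed) or added between two snapshots."""
    return {
        "deleted": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
    }


def restore(backup_dir, root, paths):
    """Copy the given relative paths from backup_dir back into root; return what was restored."""
    restored = []
    for rel in paths:
        src = Path(backup_dir) / rel
        if src.is_file():
            dst = Path(root) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return restored


def demo():
    """Constructed scenario mirroring the thread: the scan deletes an installer
    and rewrites a driver file; both are then brought back from the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        backup = Path(tmp) / "backup"
        (root / "Programs_AntiVirus").mkdir(parents=True)
        (root / "Programs_AntiVirus" / "installer.exe").write_bytes(b"MZ fake installer")
        (root / "Ewido").mkdir()
        (root / "Ewido" / "guard.sys").write_bytes(b"MZ fake driver")
        (root / "notes.txt").write_bytes(b"untouched")

        before = snapshot(root)                      # 1. inventory before scanning
        save_manifest(before, Path(tmp) / "before.json")
        shutil.copytree(root, backup)                # 2. keep a full copy aside

        # 3. simulate an on-the-fly "disinfect, else delete" scanner
        (root / "Programs_AntiVirus" / "installer.exe").unlink()
        (root / "Ewido" / "guard.sys").write_bytes(b"MZ fake driver, cleaned")

        changes = diff_manifests(load_manifest(Path(tmp) / "before.json"), snapshot(root))

        # 4. after deciding the detections were false positives, put the files back
        restored = restore(backup, root, changes["deleted"] + changes["modified"])
        return changes, restored, snapshot(root) == before


if __name__ == "__main__":
    changes, restored, intact = demo()
    print(json.dumps(changes, indent=2))
    print("restored:", restored, "tree matches pre-scan snapshot:", intact)
```

Run snapshot() and the backup copy before the scan and diff afterwards; only paths the scanner actually touched show up, so the restore step never overwrites files the scan left alone. The manifest does not cover registry entries, which is the part the posters were unsure about; a restore point or registry export before scanning is still needed for those.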
I received a mail from the author of the Multi_AV tool after mailing him about my false positives:
On 22 Jan 2006, at 04:40, Zagor wrote:
> Since the tool does not have the option to deal with the infected files after the scan has found them,
The tool will attempt disinfection and delete the infected object if disinfection is not possible. This process happens on the fly during the scan. This applies to the Sophos, McAfee and Kaspersky engines. Currently we do not have an option to leave the files if disinfection is not possible.
> I’m interested whether you plan on integrating this feature! And if you do, when?
We don’t believe there is any reason to change this at the moment. The tool is set up to deal with virus infiltrations.
Same for me here too, thumbs down for a program like this; a sign for the folks here to stay away from that MultiAV tool.
Better to have BitDefender 9 on occasion, or download DrWebCureIt, or run a full ClamWin once in a while, where you still have all options open after something is found.
And Zagor thanks again for the bold testing. We owe you.