McAfee and Microsoft Malicious RemovalTool scans

I regularly scan my PC using the above scans, the McAfee one being their
online scanner.
How effective are these scanners in detecting viruses lurking on PCs,
particularly with regard to Trojans?

FB

Re: McAfee and Microsoft Malicious RemovalTool scans

On Tue, 26 Oct 2010 05:10:59 +0100, Frank Booth Snr


The Microsoft Malicious Removal Tool doesn't claim to find all malware,
only a select small number of them.  I assume they are the ones that
are spreading the fastest, or the ones that have more than average
power to damage other computers than the one hosting them.  That is, I
don't think they are trying to protect you so much as the whole set of
people with computers and internet.

What do you mean you run it regularly?  It's sent out once a week,
maybe earlier if they think it necessary. It installs and runs by
itself next time you boot.   There is little point in running it
again, afaik, unless you think something happened before the 7 days
have gone by.

It seems to get bigger every week, from which I've deduced they add
new definitions to it, but normally don't throw any away.

McAfee confuses me. Once I spelled it wrong and ended up in Pittsburgh
instead of Richmond.  I'm not going through that again.



Re: McAfee and Microsoft Malicious RemovalTool scans

mm wrote:

You can download it independently from Microsoft. You can then do a
'quick scan', 'full scan', or a 'customised' one. You can then see it
running. It also shows a list of all malicious software that it tries to
detect. I have never received it automatically afaik.

Re: McAfee and Microsoft Malicious RemovalTool scans

On Tue, 26 Oct 2010 06:34:30 +0100, Frank Booth Snr


Thanks for replying.  I'm glad you didn't let me mislead others.

The list is a lot shorter than other lists, isn't it.  I think one AV
program gave the number of threats it scanned for, and it was to me an
incredibly high number.

Do they offer it to you with the regular Tuesday? updates?

Re: McAfee and Microsoft Malicious RemovalTool scans


Not as effective as a resident scanner.



Re: McAfee and Microsoft Malicious RemovalTool scans

Frank Booth Snr wrote:


http://support.microsoft.com/kb/890830

It is an on-demand scanner.  Thus it cannot detect heuristics (behavior)
of a process to detect if it is malicious.  It just scans for signatures
of known pests (and only a limited set of them).

This tool gets its database updated monthly on the 2nd Tuesday (see
http://www.microsoft.com/security/malwareremove/default.aspx).
Obviously new pests show up at much shorter intervals.  Do you really
want to trust the health of your OS based on monthly snapshots for a
limited set of known pests that happen to qualify as "specific prevalent
malicious software" according to Microsoft's criteria?  

Once per month you use a leaf blower to clean off your driveway.  Well,
do you consider that clean enough for you to eat off your driveway,
especially on the other days of the month?

Re: McAfee and Microsoft Malicious RemovalTool scans

VanguardLH wrote:

No. But perhaps you didn't read my OP, which was as much about the McAfee
scan as about the MS software removal tool. Also what about
Symantec's free online scan, while I'm about it?

Re: McAfee and Microsoft Malicious RemovalTool scans


| VanguardLH wrote:


| No. But perhaps you didn't read my OP, which was as much about the McAfee
| scan as about the MS software removal tool. Also what about
| Symantec's free online scan, while I'm about it?


Here's something better.  Use my Multi-AV Scanning Tool.

It will provide you with the scanners from;  Sophos, Emsisoft, Trend Micro and
Avira.

Avira far exceeds McAfee and Symantec detection rates alone.
The URL is in my signature.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: McAfee and Microsoft Malicious RemovalTool scans

David H. Lipman wrote:
Thanks. I'll have a look at this.

Re: McAfee and Microsoft Malicious RemovalTool scans

Frank Booth Snr wrote:


I answered what I felt like answering.  Don't expect to get multiple
questions answered in a single thread.  Don't expect to command anyone
to do anything when responding to your post.  You get what they choose
to give.

On-demand scanners only work with signatures of pests.  It doesn't matter
whether you download the on-demand scanner, install it, and then run it
or you download and install an ActiveX control for your web browser to
run the on-demand scanner that way.  They won't and cannot monitor the
heuristics of a process to detect if it is malware.  Signatures are what
they use.

To address McAfee, yes, it's a good anti-virus product and usually rated
in the top 10 of AV products (with them all being pretty close in their
coverage of malware, like within a few percentage points).  However,
I've used McAfee before and discontinued using it when it overly
impacted the responsiveness of several of my hosts.  Not all of them but
enough of a nuisance to make me find something else.  I'm talking about the
*real* McAfee Anti-virus product suite, not their online scanner which
seems to be what you refer to.  Again, online scanners require something
to be downloaded and run as a client on your host.  Those are on-demand
scanners ONLY.

If you want some statistics regarding the coverage of anti-virus
products then head over to av-comparatives.org to see their latest
test results.  Go to the Comparatives & Reviews section and look at the
Main Tests.  Look at the on-demand comparatives (the pro-active tests
check, using an old version, how well it finds malware that wasn't
known at the time that the old version was released).  These tests do
not cover all methods used by AV products to detect malware but only
real usage and actual infection can test that.  They do give an
indication regarding the protection offered by each AV product.  If an
AV product is not in their results, it tested too low (no point in
wasting table space on poor performers) or the AV vendor requested that
their product not be tested (or that the results not be published).
They test actual AV products that you install on your host, not the
on-demand only ActiveX scanners offered from web sites.

If you have an on-access scanner running on your host, and if it wasn't
already infected before installing the AV program, then all you really
need is the on-access scanner.  The on-demand scanner is to catch
quiescent malware that somehow managed to get deposited on your host
(like you copied it there) while the AV product was disabled.  The
on-demand scan checks for these quiescent malware files (because if they
run then they would get caught by the on-access scanner - assuming the
AV product detects that particular malware).  

Note that being the best coverage in av-comparatives.org doesn't mean
you actually want to use that beast.  Symantec's offering has very good
coverage but its typical installation results in slowing your host plus
most users haven't a clue how to configure or use the software.  McAfee,
Avast, and Avira are almost identical in coverage but McAfee is more
likely to impact the responsiveness of your host.  I don't use Avira
because of an almost 4-year-old defect that they have yet to address
which happens to exhibit itself on my particular host (rare few users
get hit by it but is also Avira's fault for not discerning the
difference between interrogating a device's type or its interface versus
accessing its media).

If you are only looking at using the on-demand scanners afforded by MSRT
or with the on-demand scanners at web sites then you have poor coverage.
One, you won't be checking every second of every day for every file
access if you have malware.  You'll only be checking occasionally.
Second, while MSRT uninstalls itself after running (if part of a Windows
Update), the ActiveX controls remain installed on your host even if you
decide never to use them again, and rare few (I haven't seen any) will
provide an uninstall entry in Add/Remove Programs (so your host gets
polluted with them over time unless you use an install monitor, like
Zsoft Uninstaller).  They may even go with a new AX control as their AV
client installed on your host without uninstalling their old AX control.

Re: McAfee and Microsoft Malicious RemovalTool scans



While it's true an on-demand scanner can't keep an eye on resident
processes, it can use heuristics to examine the registry and other
areas of interest for things that just don't "look right" during the
user-specified scan. Signatures are an option; they're not the only one.


--
Some people are like a Slinky. Not much good for anything, but you
can't help but smile when one tumbles down the stairs.
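As an added example of the rules-over-the-registry idea in the post above (this is not code from Malwarebytes or any other product mentioned in this thread): a small Python on-demand check that runs fixed rules over a snapshot of registry values. The key paths, value names, the rule list and the ignore-list are constructed for illustration. What it shows is that a static rule flags a state, so a setting the user chose (DisableTaskMgr set by an admin) trips it exactly as a malware-set one would, and only an ignore-list tells them apart.

```python
"""Static rules ("heuristics") run over a registry snapshot by an on-demand scan.

Added example; not code from Malwarebytes or any product named in the thread.
The snapshot, the rule list and the ignore-list are constructed for illustration.
"""
from dataclasses import dataclass

POLICIES_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot: (key path, value name) -> data, as an on-demand
# scanner might collect it without watching any process.
SNAPSHOT = {
    (POLICIES_SYSTEM, "DisableTaskMgr"): 1,        # set by an admin, or by malware
    (POLICIES_SYSTEM, "DisableRegistryTools"): 1,  # likewise
    (RUN_HKCU, "Updater"): r"C:\Users\fb\AppData\Local\Temp\svch0st.exe",
    (RUN_HKLM, "Tray"): r"C:\Program Files\Vendor\tray.exe",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    value: str
    user_settable: bool  # True: a legitimate preference can trip the rule too


def rule_policy_lockout(snapshot):
    """Policies that lock the user out of Task Manager / regedit. Malware sets
    these, but so do admins, so the rule cannot infer intent from the data."""
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if snapshot.get((POLICIES_SYSTEM, name)) == 1:
            yield Finding("Hijack.PolicyLockout", POLICIES_SYSTEM, name, True)


def rule_autorun_from_temp(snapshot):
    """Autostart entries whose command lives under a Temp directory."""
    for (key, name), data in snapshot.items():
        if key in (RUN_HKCU, RUN_HKLM) and "\\temp\\" in str(data).lower():
            yield Finding("Autorun.TempPath", key, name, False)


RULES = [rule_policy_lockout, rule_autorun_from_temp]


def scan(snapshot, rules=RULES, ignore=frozenset()):
    """Run every static rule; drop findings the user has put on the ignore-list.
    The rules are fixed at scan time: they detect states, never behaviour."""
    findings = [f for rule in rules for f in rule(snapshot)]
    return [f for f in findings if (f.key, f.value) not in ignore]


if __name__ == "__main__":
    for f in scan(SNAPSHOT):
        tag = " (could be the user's own setting)" if f.user_settable else ""
        print(f"{f.rule}: {f.key}\\{f.value}{tag}")
    # Once the user confirms the two policy values, they go on the ignore-list.
    confirmed = {(POLICIES_SYSTEM, "DisableTaskMgr"),
                 (POLICIES_SYSTEM, "DisableRegistryTools")}
    print(len(scan(SNAPSHOT, ignore=frozenset(confirmed))), "finding(s) after ignore-list")
```

Run as a script it reports three findings, two of them tagged as possibly the user's own setting; passing those two on the ignore-list leaves only the Temp-directory autorun. The rules never look at a running process, which is the limitation the thread keeps circling back to.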

Re: McAfee and Microsoft Malicious RemovalTool scans

Dustin wrote:


I consider "heuristics" to be algorithms that monitor behavior.  Rules
just look at a set of registry entries to see if they might not be
kosher.  For example, MalwareBytes will use some rules to see that some
settings in the registry might be those set by malware but they also
happen to be settings the user might've set.  I remember having to redo
several user settings after using MalwareBytes because the registry
settings it thought might be altered by malware were instead altered by
me (and were just config settings, nothing to do with registry tweaks).

Re: McAfee and Microsoft Malicious RemovalTool scans

VanguardLH wrote:

If you mean the three keys that set the way security console alerts,
you can have MBAM just ignore them.

Re: McAfee and Microsoft Malicious RemovalTool scans



Oh.. I see, I'm dealing with another Jenn here. It helps to know the
definitions you go by. :) If you remember having to redo settings, you
must have forgotten to tell malwarebytes to ignore those settings in
future scans, eh? :)





--
Some people are like a Slinky. Not much good for anything, but you
can't help but smile when one tumbles down the stairs.

Re: McAfee and Microsoft Malicious RemovalTool scans

Dustin wrote:


You really expect everyone to define every possible concept within a
discussion before discussing it?  Those must be some mighty long
conversations you have.  Conversations ALWAYS have assumptions, just
like you don't test the concrete sidewalk will not collapse underfoot
before you take your next step.

Yep, I was wrong.  Heuristics is a trial-and-error approach (as per
definition, like at http://dictionary.reference.com/browse/heuristics ).
Heuristics require NON-algorithmic analysis.  That typically means using
rules hard-coded in a program.  Behavioral analysis requires algorithms
to monitor the behavior.  So heuristics is just a fancy name for rules.
I had the definition wrong.  Perhaps I got led astray by the many
security products that try to confuse heuristics with algorithmic
behavior analysis because it sounds good when marketing their product
than just saying they have a set of static and hard-coded rules that
have to get updated regularly.  But I'll leave the blame on myself for
this one.  I had confused heuristics with being something more active
than rules defining trial-and-error analysis.  Thanks for prodding me to
go look up the definition rather than rely on what the security vendors
have been spewing to promote their products.  Now I know that heuristics
is just a fancy term enamored to marketers because rules just sounds too
boring and they don't want users to know those are static rules
requiring updating (because the rules could've been wrong or conditions
have changed that require different rules).

Um, how do I tell MalwareBytes not to undo my user config settings
stored in the registry until I *might* find out later when I happen to
do something with a program where I notice a change in preferential
behavior?  You think all users have memorized the registry keys and data
item names used to store their user-modifiable configuration settings to
recognize when (and if) MalwareBytes tells them it will make a change to
some registry setting?

As I recall, MalwareBytes had reset the registry key that shows the
Logoff entry in the Start menu.  That's a user config setting.  Well,
malware can change ALL of your user config settings but MalwareBytes
decided some could be "bad".  Yes, you can add those changes to an
ignore-list but only after you've been hit and later noticed the effect.
At that time, no info was provided on just what was the "pest" being
reported by MalwareBytes and I had to go do the research on this policy
setting stored in the registry.  By the way, the policy setting to show
the Logoff item in the Start menu is *not* currently in my ignore-list
in MalwareBytes and scans no longer report it as a "bad" registry
setting offering to change it back to the default, so the author decided
it was no longer a "bad" policy setting.  What was considered a
potentially bad policy before isn't bad later, so what you have in your
ignore-list may no longer apply.

It seems MalwareBytes should have a means of taking a snapshot (when the
host is considered free of malware) of the policy settings (that it
thinks are potentially "bad") so I can restore that snapshot.  There
certainly isn't any restore feature in MalwareBytes to revert the host
back to the prior state in case the situation got worse by letting
MalwareBytes make its changes.  There is no "before" snapshot so I can
restore to it afterward if needed.  I found no option to enable/disable
a System Restore snapshot before letting MalwareBytes commit its
registry changes.  Yes, I could manually save a restore point before
running MalwareBytes but then it might not discover anything "bad" so I
just created a useless restore point and had to remember to do it
beforehand and waste the time to do it.  This isn't a failing of
just MalwareBytes but of many security products.  They move forward but
won't let you go back.  Besides changing policy settings that you really
want to keep, all have shown over time to have false positives which can
lead users astray in quarantining or deleting what they really wanted to
keep or really need to have.  Hence why I schedule daily image backups
so I can undo at that granularity any changes made by security
products.

My original point to the OP was that the on-demand scanners aren't going
to monitor the behavior of processes to detect if they may be performing
malicious behaviors.  They are only a partial (i.e., incomplete) test
regarding the health of their host.  Behavioral analysis might catch
what signatures alone (with or without the rules, er, heuristics that
might also be employed to look at current settings) don't catch.
Signatures and rules are static and why they have to keep getting
updated to catch what wasn't caught since the last revision of those
signatures and rules.

I only use the freeware version of MalwareBytes.  It gets used as an
on-demand scanner.  If I didn't have something else to provide on-access
and/or real-time detection and to monitor behavior then this
user-initiated on-demand scanner would not be sufficient to protect my
host (and protect others from the effects of operating an infected
host).  None of the on-demand scanners would be sufficient for
protection.  Users are obviously not going to continually re-scan their
hosts every time a file gets created or modified or the registry gets
modified.  For real-time protection, you need the payware version of
MalwareBytes or some other pay/freeware security product that affords
that real-time protection.  

According to OP's 2:29PM @ 10/27/2010 reply, he seems content with the
gross granularity of running user-initiated on-demand scans using
monthly-updated MSRT or the ActiveX controls from security web sites;
however, those AX or downloadable clients only detect the pests, not
remove them, and only at the time the user runs that scan, not when the
pest could be abusing his host and which can certainly afflict the rest
of us with spam, DDOS attacks, etc.  The Internet is rife with
irresponsible users who don't give a gnat's fart about others.  Works
for them, screw all others.  I've seen users that don't ever employ any
security on their hosts.  When it gets too bad for their own use, they
flatten and rebuild.  In the meantime, and since these aren't stand-
alone hosts, the rest of us suffer from their lack of performance to be
responsible netizens.  The OP only wants to do on-demand scans once per
week or once per month. How much you want to bet that he connects to the
Internet far more often than that?  He uses Symantec's online scan
(which is probably http://security.symantec.com/sscv6/home.asp ).  It's a
*scan*.  It doesn't remove any malware.  He's posting here so obviously
it isn't a stand-alone host where any malware he catches between his
weekly or monthly *scans* could only afflict him alone.

Re: McAfee and Microsoft Malicious RemovalTool scans



Hehehe. Really, it's alright man. I just took a cheap shot. You had the
right idea, just using the wrong terminology.


See :) While I might come across as an asshole, I do have good
intentions behind it. <G> Never rely on the vendor to be totally honest
with you about the abilities of the product. The vendor at the end of
the day is still trying to sell you something.
 

Sadly, malwarebytes has no way of knowing if you intentionally set one
of those keys or something nefarious did. So it alerts you whenever
they aren't default settings. You can either uncheck them if you know
the detected changes are ok, or tell malwarebytes to ignore them and it
won't bother you again.
 

Either the author made the decision or the research dept did. Malware
research is an evolving process. I don't think they messed up by
detecting the key prior, but they probably did cause more confusion for
some users than was necessary; and that may be why it no longer alerts
on some user configuration settings.
 

You might want to suggest that to them. Sounds like a reasonable idea.


Well, there is. However, it doesn't keep track of user configuration
keys. Malwarebytes can be told to restore infections; if it should mess
up with a false positive and disable some legitimate application. The
file would be restored to its physical location as well as whatever
registry keys you selected to be restored. It's not a system snapshot
per se, but it's an undo option.


Somewhat true. However, not all signatures are what you call static;
Some are capable of detecting entire families with one signature. I'm
not going to get into specifics or anything, but the idea of one
signature per malware sample just isn't accurate. When the sample is
sufficiently different enough from its counterparts, that signature
may fail; so it's always going to be only as good as its latest update
due to the sheer amount of malware found in the wild.
 

Well, they have to be able to pay the individuals responsible for
research, analysis and engineering. :). The on demand scanner can be
used to clean you up should something bad happen, but yes, they can't
give you the whole cow for free. In a utopia like world, free would be
reasonable, everyone just helping each other because it's the right
thing to do. Unfortunately, our world doesn't work like the net yet.
People still gotta eat and pay rent/mortgages.
 

I completely agree with you here. Speaking of DDoS attacks, have you
seen the latest gem? Low Orbit Ion Cannon (I have no idea where the
names come from). I've used it several times on the LAN to stress test
her against ddos attacks on specific servers... Useful diagnostic tool,
and no, my LAN didn't like it. :) I found the tool the other week when
I was reading up on riaa articles. 4chan initiated an attack on them
and suggested it.

If you're into networking tools/utils, check it out.


 



--
Some people are like a Slinky. Not much good for anything, but you
can't help but smile when one tumbles down the stairs.
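An added example (not code from any product in the thread) of the point about family signatures in the post above, and of the earlier point that on-demand and online scanners work on file content only: a Python content scanner with an exact SHA-256 signature next to a wildcard byte-pattern "family" signature. The four sample files are constructed byte strings, not malware; the marker string LOADER: and the pattern built from it are made up for the example.

```python
"""Exact-hash signature vs. one family signature with wildcard bytes.

Added example; not code from any product in the thread. The "samples" are
short constructed byte strings, not real malware; the family pattern is made up.
"""
import hashlib

# Constructed samples. v1 and v2 are "variants" of one family: same loader
# marker and config layout, different 4-byte build ID and C2 path.
# v3 is a reworked build whose marker string changed; benign is an unrelated file.
SAMPLES = {
    "dropper_v1": b"MZ" + b"\x00" * 6 + b"LOADER:\x01\x02\x03\x04:cfg=http://c2.example/a",
    "dropper_v2": b"MZ" + b"\x00" * 6 + b"LOADER:\x09\x08\x07\x06:cfg=http://c2.example/b",
    "dropper_v3": b"MZ" + b"\x00" * 6 + b"L0ADER:\x01\x02\x03\x04:cfg=http://c2.example/c",
    "benign":     b"MZ" + b"\x00" * 6 + b"Hello, world",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pattern(text: str):
    """'4C 4F ?? 3A' -> [0x4C, 0x4F, None, 0x3A]; '??' matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def pattern_in(data: bytes, pattern) -> bool:
    """Naive byte-pattern search with wildcards (what a family signature boils down to)."""
    n = len(pattern)
    return any(
        all(p is None or data[i + j] == p for j, p in enumerate(pattern))
        for i in range(len(data) - n + 1)
    )


# Exact signature: analysts had v1 in hand, so its hash goes in the database.
EXACT_SIGNATURES = {sha256_hex(SAMPLES["dropper_v1"]): "Trojan.Dropper.v1"}

# Family signature: "LOADER:" + 4 wildcard bytes + ":cfg=" (hex of those ASCII bytes).
FAMILY_SIGNATURES = {
    "Trojan.Dropper.gen": parse_pattern("4C 4F 41 44 45 52 3A ?? ?? ?? ?? 3A 63 66 67 3D"),
}


def scan(data: bytes):
    """Content-only scan: returns detection names, says nothing about behaviour."""
    hits = []
    name = EXACT_SIGNATURES.get(sha256_hex(data))
    if name:
        hits.append(name)
    hits.extend(n for n, pat in FAMILY_SIGNATURES.items() if pattern_in(data, pat))
    return hits


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:11s} -> {scan(data) or 'clean'}")
```

The exact hash catches only the sample the analysts had. The family pattern, with four wildcard bytes, also catches v2, which differs only in its build ID and C2 path, but misses v3 once the marker string itself changed, so it is only as good as its last update, as the post says. Nothing here observes behaviour; a packed or encrypted copy of v1 would slip past both signatures.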

Re: McAfee and Microsoft Malicious RemovalTool scans

[...]


:oD


I think that your definition of "on-demand" may be different too,
especially if you think an on-demand scan will *only* do file content
scanning. There's no reason a local on-demand scanner can't look at data
structures and other things not in "files" - where the "online" AV
scanners are basically just automated file submission scanners and can
only do content scanning, something like MSRT or an on-demand local
scanner might not be that limited.

From my days playing Chess, my conception of heuristics is they are a
somewhat less accurate, but much more expedient way of arriving at an
answer. A file scanner can still employ heuristics to arrive at a
detection and an alert, but must rely on a signature for any hope of
identification (where said identification allows removal, a detection
*only* might not be able to). A *local* "on-demand" scanner can make use
of context.

As I mentioned in another post, the dichotomy you're trying to express
between those types of scanners is probably just along the lines of
content vs. context scanning, *not* on-demand vs. active scanning.

[...]


Right, content scanners are usually more for preventative measures
(don't execute this program file). Behavior based detection *requires*
that you execute the malware; it can't behave at all if it's not running
(it is more for identification and removal than it is for prevention).

[...]





Re: McAfee and Microsoft Malicious RemovalTool scans

FromTheRafters wrote:


As I explained in correcting my understanding of what were heuristics,
there is nothing to obviate the use of static rules (heuristics) that
need updating within the on-demand scanners to, say, look for certain
registry settings to have values that might indicate the presence of
malware.  It appears your "content" scanner is what I say is an
on-demand scanner (with or without rules/heuristics checking).  Your
"context" checker is probably what I call behavioral monitoring which
requires real-time checking.

Re: McAfee and Microsoft Malicious RemovalTool scans


Yes, that's it in a nutshell. Nothing exists in a vacuum they say, and
"content" scanning basically ignores that fact and attempts to find
reasons to suspect a program file is malicious based only upon its
content (heuristics based or not) - which can include emulation of an
environment in which to run the files program to observe its behavior in
the manner which you consider to be not "on-demand" capable. A content
scanner isn't going to care about the registry or whether or not the
machine is rootkitted - its only concern is the file's content and it
doesn't need *your* environment's particulars to do its work (think
prevention rather than identification/removal).



Re: McAfee and Microsoft Malicious RemovalTool scans

On Tue, 26 Oct 2010 19:57:18 +0100, Frank Booth Snr


I guess I didn't read it carefully enough.


Because I thought you meant all of McAfee.

With all the free products available, why would you limit yourself to
on-demand scanning?  Are you going to do a McAfee free online scan
after every email you get, after every webpage you visit?  Surely it's
more effective, easier, and even quicker, takes fewer CPU cycles, to
only scan new things, as they arrive.  New files, new email, new files
attached to email.  That's what real-time protection is for, that's why
people want it, that's why they use it, that's why a smaller group of
people wrote it.  You can always do on-demand scans too.
