Sequence Of Actions

What is the sequence of actions by Bitdefender if we select “Taking Proper Actions” in Normal Mode and Rescue Mode?

Comments

  • rootkit
    rootkit ✭✭✭

    Hello :)


    Depending on the class of malware, the actions are:


    1. Disinfect


    2. Move to quarantine


    3. Delete


    4. Rename


    5. Block


    If none of these can be applied, the user is prompted to scan the PC in Rescue Mode.


    Take care.

  • What if the file is deleted by Bitdefender when I select Take proper Actions and the detection is False Positive?

  • rootkit
    rootkit ✭✭✭

    Hello :)


    The file will be deleted if everything else fails.


    Trust me, the ones detected heuristically won't get deleted.


    Take care.

  • What everything? But what if the False +ve is signature based?

  • rootkit
    rootkit ✭✭✭

    Hello :)


    There is no such thing.


    All files are checked multiple times before a definition is released. All False Positives are detected generically or heuristically.


    Take care.

  • Why is the option "Take Proper Action" time consuming if it takes action according to the malware type?

  • rootkit
    rootkit ✭✭✭

    Hello :)


    Welcome back!


    The engine is analyzing the malware so it can take the best decision from that list.


    Take care.

  • > Hello :)
    >
    > Welcome back!
    >
    > The engine is analyzing the malware so it can take the best decision from that list.
    >
    > Take care.


    What do you mean by that? I think the engine has already analyzed/detected the malware during scanning and decided the cleaning routine for it, e.g. if Bitdefender detected an infection "Application.ActualSpy.S" during the scan, the action for it, say quarantine, should already be selected by default, and Bitdefender should not consider any other such as delete, disinfect, rename etc.


    What I mean is that, just as the signatures define the malware type, so the specific cleaning routine for that type should already be decided.

  • rootkit
    rootkit ✭✭✭

    Hi :)


    Bitdefender detects the malware instantly, but the routine runs only at the end of the scan. Sending to quarantine is not always the best action for malware. This is only useful for a False Positive. No one wants malware on their PC, even if it is inactive and encrypted in our quarantine.


    Also, as I mentioned here, I have escalated this to our developers to see what can be done:


    http://forum.bitdefender.com/index.php?showtopic=35463


    Thank you!

  • > Hi :)
    >
    > Bitdefender is detecting the malware instantly, but the routine runs only at the end of the scan. Not always send to quarantine is the best action for a malware. This is only useful for a False Positive. No one wants malware in their PC, even if it is inactive in and encrypted in our quarantine.
    >
    > Also, as I mentioned here, I have escalated this to our developers to see what can be made:
    >
    > http://forum.bitdefender.com/index.php?showtopic=35463
    >
    > Thank you!


    A question about "Take Proper Action": how does Bitdefender decide the best action from the list?


    Also, I rephrase the statement in my previous post: based on the malware's malicious action, the antivirus adds its detection as signatures for it, i.e. naming the malware. I want to say that in a similar way Bitdefender should assign the action routine for it. So two things would be assigned to the malware: its name and its respective cleaning routine (disinfect, quarantine, delete, rename or block etc.). So when the option "Take Proper Action" is selected, the best decision is already defined for the malware and already present in the Virus Definitions, and Bitdefender DOES NOT have to analyze later. Otherwise the option "Take Proper Action" becomes Improper most of the time and is always time consuming, as it has to choose one of five cleaning actions.


    A detailed reply is requested.

  • rootkit
    rootkit ✭✭✭
    edited July 2012

    Hello ONT :)


    For trojans, backdoors, rootkits and all the other classes that cannot be disinfected, the action will always be delete / send to quarantine, because there is nothing to block/rename or disinfect and a normal user doesn't want malware on his PC.


    For file infectors, the action is disinfect and, if this cannot be performed, the product will delete or quarantine the file (depending on the settings).


    Since Auto Pilot was created to take care of everything without prompts, the product has to take decisions based on the malware.


    We are doing our best to avoid False Positives and, as I previously mentioned here, http://forum.bitdefender.com/index.php?showtopic=35463, we will find a formula to minimize the impact of the automatic actions taken by the product.


    I will get back to you when I have fresh information about this and I will post it here:


    http://forum.bitdefender.com/index.php?showtopic=35463


    Take care.
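As an added illustration (written for this page, not Bitdefender's own code), a toy model of the fallback order rootkit describes: the five-step list from the first answer, the removal-only rule for classes that cannot be disinfected, the quarantine-versus-delete setting, and the Rescue Mode prompt when every action fails. The class labels, the "Gen:"/".Heur." naming check and the try_action hook are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Ordered action list from the first answer in the thread.
ACTION_ORDER = ["disinfect", "quarantine", "delete", "rename", "block"]
# Classes the later answer says cannot be disinfected (nothing to repair).
NON_DISINFECTABLE = {"trojan", "backdoor", "rootkit"}


@dataclass
class Detection:
    path: str
    name: str           # detection name, e.g. "Gen:Trojan.Heur.Hype.fm3@au0FVfei"
    malware_class: str  # assumed labels: "file_infector", "trojan", "backdoor", ...

    def is_heuristic(self) -> bool:
        # Assumption: generic/heuristic verdicts carry "Gen:" or ".Heur." in the name.
        return self.name.startswith("Gen:") or ".Heur." in self.name


@dataclass
class Outcome:
    action: Optional[str]  # action that succeeded, None if every one failed
    attempted: List[str]   # actions tried, in order
    rescue_mode: bool      # True when the user must be sent to Rescue Mode


def plan_actions(det: Detection, prefer_quarantine: bool = True) -> List[str]:
    """Build the fallback order for one detection from the thread's rules."""
    if det.malware_class in NON_DISINFECTABLE:
        order = ["quarantine", "delete"]  # nothing to disinfect, rename or block
    else:
        order = list(ACTION_ORDER)
    if not prefer_quarantine:  # product setting: delete rather than quarantine
        q, d = order.index("quarantine"), order.index("delete")
        order[q], order[d] = order[d], order[q]
    return order


def take_proper_action(det: Detection, try_action: Callable[[str, Detection], bool],
                       prefer_quarantine: bool = True) -> Outcome:
    """Walk the chain until one action succeeds. try_action is a hook standing
    in for the engine's real per-file operation; it returns True on success."""
    attempted: List[str] = []
    for action in plan_actions(det, prefer_quarantine):
        attempted.append(action)
        if try_action(action, det):
            return Outcome(action, attempted, rescue_mode=False)
    # "If none of these can be applied, the user is prompted ... Rescue Mode."
    return Outcome(None, attempted, rescue_mode=True)
```

Passing a try_action that always returns False (a locked or unreadable file, for instance) reproduces the Rescue Mode prompt; one that fails only on "disinfect" shows the file infector falling through to quarantine or delete according to the setting.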

  • What about Hybrid infections?

  • What happens if, after a 3 hour scan, Bitdefender shows an error and exits from scanning without taking any action on the detected threats? Why should I waste another 3 hours on the same task? It is better to take the decided action (disinfect, quarantine) at the time of scanning. Sincere request: being No. 1 in detection is not enough; the product should be stable and user friendly.


  • > What happen if after 3 hours scan bitdefender showing error and exit from scanning without taking any action to detected threats. Why should I waste another 3 hours for the same task.. It is better take action which is decided = disinfect , quarantine. at the time of scanning. sincere request No.1 in detection is not enough product should be stable and user friendly.


    What you said has been discussed in this post: "Dealing With Infection"

  • rootkit
    rootkit ✭✭✭

    Hello everyone :)


    For polymorphic malware or those that have more than one component you can always use the Rescue CD or Rescue Mode.


    @bms


    Please reboot and rerun the scan. It should run properly and it will clean those infections.


    Take care.

  • > Hello :)
    >
    > The file will be deleted if everything else falls.
    >
    > Trust me, the ones detected as heuristically won't get deleted.
    >
    > Take care.


    Kindly see the attachment. I did a contextual scan of the folder and selected "Take Proper Actions" at the end of the scan, and both files were deleted, including the one which was detected heuristically, "Gen:Trojan.Heur.Hype.fm3@au0FVfei".


    Also, "Take Proper Actions" takes about 4-5 minutes to perform the action selected by the cleaning routine, which was "delete". That is why I was asking in posts 9 and 11 in this topic.

    Attachment: 1345218484_1_02.xml

  • rootkit
    rootkit ✭✭✭
    edited August 2012

    Hello :)


    Could you please send me the samples via PM so I can take a look?


    Thank you!

  • PM sent.

  • rootkit
    rootkit ✭✭✭

    Hello :)


    I will use the samples for the situations described in those topics.


    Thank you very much.


    Take care.

  • KSkairo
    KSkairo ✭✭✭

    Dude, all antivirus software produces false detections in some way. So don't be lazy: select "ask user always" and turn off Auto Pilot, if you are good enough to handle viruses.

  • rootkit
    rootkit ✭✭✭

    Hello :)


    In this case, that sample is correctly detected by the product, the file is infected.


    Thank you!

  • > Hello :)
    >
    > In this case, that sample is correctly detected by the product, the file is infected.
    >
    > Thank you!


    That's true, but I talked about neither a False +ve nor an incorrect detection; rather, my concern was that you said in one of your posts "Trust me, the ones detected as heuristically won't get deleted.", but one of the samples was detected heuristically, as shown in the detection name (bold text) "Gen:Trojan.Heur.Hype.fm3@au0FVfei", and was deleted when I selected "Take Proper Action". Is this normal behavior?

  • rootkit
    rootkit ✭✭✭

    Hello :)


    I will be able to answer this after I finish all the tests with the provided samples. It is going to take some time; I will let you know when I finish and am able to provide you some answers.


    Take care.

  • > Hello :)
    >
    > I will be able to answer this after I finish all the test with the provided samples. I going to take some time, I will let you know when I will finish and I will be able to provide you some answers.
    >
    > Take care.


    Did you finish your tests? Kindly update.

  • Hello :)


    I will update all your topics soon.


    Have a great week!

  • coolcool1227
    coolcool1227 ✭✭✭
    edited September 2012

    > Hello :)
    >
    > I will be able to answer this after I finish all the test with the provided samples. I going to take some time, I will let you know when I will finish and I will be able to provide you some answers.
    >
    > Take care.


    What are your findings now? I am keen to know what is going wrong with the "Take Proper Action" option for heuristic detections. Kindly note that I checked the said issue with the Bitdefender 2013 version.

  • rootkit
    rootkit ✭✭✭

    Hello :)


    We have introduced this in Bitdefender 2013:


    http://forum.bitdefender.com/index.php?showtopic=38212


    In this way you can avoid all the False Positives and you can recover all the files.


    The system works in both Auto Pilot and User Mode.


    Take care.

  • coolcool1227
    coolcool1227 ✭✭✭
    edited October 2012

    I want to know what happened with the previous false detection (discussed earlier); by the way, I am not talking about possible infection or false positive recovery here.

  • rootkit
    rootkit ✭✭✭
    edited November 2012

    Hello :)


    For now, no changes will be made for Bitdefender 2012 or earlier versions.


    We are working to improve the Automatic actions and also User mode will be redesigned in the future.


    Windows 8 is out now and some major changes will be made to all our products.


    Please open a new topic about this subject here:


    http://forum.bitdefender.com/index.php?showforum=324


    Thank you!

This discussion has been closed.