Context Analysis Without Deep And Rootkit Search

Hello. A few months ago I made a warning to the French and English technical services after a virus attack. At this time I'm currently using the contextual analysis. After this mess I searched whether I had made a configuration fault; in fact I discovered that the context analysis does not cover deep virus search.


I'm tired of having to OPEN the PARAMETERS of BD and go to "new task" all the time to be sure that no virus comes in,

to be sure to have a full and deep search inside a RAR file or not-opened files, for example.

This operation saved me a few times; if not, I would have been infected.


WHY ISS DOES NOT CHANGE THE SPECS OF THIS ANALYSIS IN BD I TRULY DO NOT UNDERSTAND


I MAKE THIS SUGGESTION: DO NOT USE RIGHT-CLICK ANALYSIS UNTIL ISS CHANGES THE SPECS OF INTERNET SECURITY

Comments

  • alexcrist
    edited August 2008

    The only differences between Contextual scan and Deep Scan are that Deep Scan scans for rootkits, and scans boot sectors, memory, registry and cookies. There is nothing to be changed in the Contextual scan, because when you scan a new file, none of the features implemented in Deep Scan help.


    For instance:


    • Rootkit files are files which are hidden (usually using a malware driver). Rootkits are present in a system only after an infection (so after the malware driver, which hides the files, is installed). BitDefender scans for these hidden files.


      But when, let's say, you download an archive, or a file, it cannot be a hidden file (rootkit), because that file hasn't been run yet, so even if it contains a rootkit, it will be detected using normal detection methods. There's no need to use advanced rootkit detection since no driver could have been installed.


      Also, the rootkit scan scans the whole HDD, not just one file (for the same reason as above).

    • It's useless to scan boot sectors, when you only want to scan a file. Boot sectors are that part of the HDD partitions which contain the booting information for that partition. Boot sectors are not modified by just downloading files.
    • Memory scan (actually, a scan of running processes) is also useless, since you want to scan a file that you just downloaded and which is not yet running.
    • Registry scan is also useless, since the file/archive hasn't yet been opened. There are no "registries" in an archive, so I have no idea why you want to scan all Windows Registry when you want to scan a simple file/archive.
    • Cookies are a part of internet browsing. They are placed in a special folder in Windows. Again, it's completely useless to scan cookies when you use contextual scan to scan a single file/folder/archive/whatever.


    Deep Scan is a scan task to scan the system. Individual files are scanned in the exact same way, whatever scanning task you use, and all functions that are missing from one task are simply useless for that task, and for what it was designed to do.


    Cris.

  • bkf93800@yahoo.fr
    edited August 2008

    I disagree totally with the fact that rootkits have to be executed to be dangerous. They are dangerous (and other viruses too)

    at the decompression of the archive. It's clear that if the contextual scan does not make a deep scan of the ARCHIVE FILES

    we should be in danger.

    I have a simple example: recently I received an archive. I'm making a double analysis, like for all my received files:

    by right click, nothing; by deep scan, the file was found to be a trojan.

    ISS should find a solution to deep-scan all archives, analyzed manually or automatically.

  • alexcrist
    edited August 2008

    I repeat: There is NO "deep scan archives"! Deep scan is a system scan, not a file scan. Files are scanned in the same identical way, whatever task you run (contextual, deep, or otherwise).


    Please attach the archive you are talking about, in a password-protected ZIP (password: infected). We'll review the case of that file.


    Also, I stand by the fact that no files can be hidden (rootkits) before any malware driver is installed. The infection process involves installing and loading the driver, and only after that the files become "hidden". Downloaded archives can contain rootkits, but they will not contain hidden files (and the "Rootkit scan" only scans for hidden files...the rest of the rootkit components are detected regardless if you enabled that option or not).


    Cris.

  • Please understand that in order to be infected by a rootkit, some file must be executed to install the malware. If BitDefender can detect the rootkit, it should be detected at some time before the actual hiding of data has taken place. Rootkit detection techniques are used to detect malware that was installed before BitDefender or that came in contact with the computer at a time detection for it was not available.


    If, for whatever reason, you see BitDefender is unable to scan inside an archive on scan, you should scan the content after you unpack the files yourself (using 7-Zip or some other unpacker).


    Please note that by default the contextual scanner has detection set to maximum and should be able to unpack just as much as any other task, including Deep Scan.
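As an added illustration of what "scanning inside an archive" means in the replies above (my own example, not BitDefender's scanner or the forum's code): the same per-file check is applied to every archive member, nested archives are expanded recursively, and a depth and size limit guards against hostile nesting. The signature bytes and the sample archive are constructed for the demo.

```python
import io
import zipfile

# Constructed marker standing in for a real detection signature: any member
# whose bytes contain it is reported. It is not a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER-DO-NOT-USE"

MAX_DEPTH = 4                        # nested-archive recursion limit
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # refuse to expand oversized members


def scan_bytes(data: bytes) -> bool:
    """Per-file check. Identical for a loose file and an archive member."""
    return SIGNATURE in data


def scan_archive(data: bytes, path: str = "<archive>", depth: int = 0) -> list:
    """Walk a ZIP recursively, applying scan_bytes() to every member.
    Returns 'outer.zip/inner.zip/member' style paths for hits and guard events."""
    hits = []
    if depth > MAX_DEPTH:
        return [f"{path}: nesting deeper than {MAX_DEPTH}, not expanded"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            # Declared uncompressed size; a hostile header can lie, so the
            # limit is a first guard, not a guarantee.
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(f"{member}: too large, not expanded")
                continue
            blob = zf.read(info)
            if scan_bytes(blob):
                hits.append(member)
            if zipfile.is_zipfile(io.BytesIO(blob)):
                hits.extend(scan_archive(blob, member, depth + 1))
    return hits


def build_sample() -> bytes:
    """Constructed input: clean.txt plus inner.zip holding a flagged file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"hello " + SIGNATURE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("clean.txt", b"nothing to see")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample(), "sample.zip"))
```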

  • After my bad experiences I stay on the same statement: BDIS stays (for me) the best combo antivirus-firewall,

    but stays incomplete for the contextual analysis.

    ISS Labs should reinforce the scan.