Saturday, February 21, 2015

First (or Second) Pass AV/AM Scanner Tools

This past week at the church house, one of the secretaries reported some slowness on her system.

We did some troubleshooting and fixed a number of obvious issues, however the slowness persisted.

It was running Symantec AV and it had quarantined a few things. Those were deleted and removed, but time did not allow a second pass with a different AV/AM tool.

A few days later (and a few new SAV update packages) Symantec reported some more items were detected and quarantined.

I wasn’t able to get back to the system but another IT administrator at the church house did. This time Symantec reported finding a possible threat called “Kaeria Dust Remover”.

The core file name was “mvsbtej.exe” and here is some limited information I was able to uncover:

To be sure things were cleaned, he installed (alongside Symantec) the 30-day trial of Kaspersky AV and kicked off a scan.

The user did report that once that malware was pulled off, the system performance returned to normal and things were so much better again.

While I don’t usually recommend installing more than one AV/AM product on a system at the same time (Malwarebytes excepted), if you aren’t planning on “nuking” a system (zeroing out the drive and reinstalling the OS from source disks), it is always good to run a second or third AV scan on the system with a product from a different AV/AM vendor.

There are some “standalone\light-install” and “cloud” based AV/AM scanners that can be used independently of the primary AV/AM software installed on a Windows system. I find these the perfect solution for getting a second or third opinion on a system’s post-infection status. Download one directly, or copy it over to the system from a USB drive. Most do a temporary unpacking of the core scan engine files, may download the latest DAT files, and then scan away. They typically quarantine anything they find, and then you can delete the files once everything is done.

Some other products pack the DAT files together with the scan engine. This can be handy if you don’t have a network connection either due to the attack or because you don’t want to place the system back on your network until you are sure it is remediated.

Then there are the cloud-based solutions that you can run locally; they upload the scan results to the vendor’s cloud server and match the files there, looking for issues. These may have the benefit of using the newest signature detection patterns available.

And by being “standalone\light-install” tools, the impact/conflict with an already-installed AV/AM product might be minimized.
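Before dropping a second scanner onto a box, it helps to see what Windows Security Center already has registered and whether more than one real-time engine is running. The PowerShell below is an added example, not from the original post; it assumes a Windows client edition (the root/SecurityCenter2 namespace is not present on server SKUs) and the commonly documented productState bit layout.

```powershell
# Added example (not from the original post): list the AV/AM products registered with
# Windows Security Center and decode productState so you can confirm which engine(s)
# have real-time protection on before running a second-opinion scan.
# Assumes a Windows client edition; root/SecurityCenter2 does not exist on server SKUs.

function Get-RegisteredAvProducts {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a packed integer. Viewed as six hex digits (assumed,
            # commonly documented layout): the middle byte carries the enabled flag
            # (10/11 = on, 00/01 = off) and the low byte the signature freshness
            # (00 = up to date, 10 = out of date).
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Product           = $_.displayName
                RealTimeEnabled   = ($hex.Substring(2, 2) -in '10', '11')
                SignaturesCurrent = ($hex.Substring(4, 2) -eq '00')
                ExePath           = $_.pathToSignedProductExe
                LastUpdated       = $_.timestamp
            }
        }
}

$products = Get-RegisteredAvProducts
$products | Format-Table -AutoSize

# More than one active real-time engine is the conflict the post warns about.
$active = @($products | Where-Object RealTimeEnabled)
if ($active.Count -gt 1) {
    Write-Warning "More than one real-time engine is active ($($active.Product -join ', ')); expect conflicts and slowdowns."
}
elseif ($active.Count -eq 0) {
    Write-Warning 'No real-time AV engine is currently enabled.'
}
```

Run it before and after installing a trial or standalone scanner; a product that shows RealTimeEnabled = True alongside the primary AV is the situation the paragraph above cautions against.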

And here are some “cloud-based” AV/AM scanners. They typically still download some components to the local system before doing the threat-analysis work in the cloud.

For a deeper look

Cheers,

--Claus Valca

1 comment:

Chump2010 said...

I like Hitman Pro - Kaspersky and Bitdefender built in.

http://www.surfright.nl/en/hitmanpro

The scan is free, and the first clean-up is free too. Great tool just to check all is good.