Anti-virus software unable to keep up?

[miccolli]

Hi,

First of all, this is not a request for help so there is no need to suggest me to post a topic in the correct forum... This is just a bunch of general questions...

So I have some sort of virus. The Malware IP blocker keeps blocking outgoing access to a potentially dangerous site. Thats great. But why can't any anti virus software remove the actual virus? I've tried plenty, and plenty of them have found threats of some sort and claimed to remove them, but this blocked outgoing access continues. By searching the web I see many people with this sort of problem, and many of the posts are filled with fantastic suggestions, the infected have produced logs, but I don't see anybody saying that any of the suggestions actually work... they just get asked for more logs...

Why should we have to produce logs? This kind of virus seems to be around a lot, shouldn't major players in the anti-virus world be able to track these problems and implement support for immidiate and effective removal within the anti-virus software without having to supply endless lines of logs?

And why is Malware bytes unanable to present me with information on which process is trying to access the potentially dangerous site?

It seems to me that all of the latest anti-virus software is basically useless, and the only way to deal with this is to re-install the PC from scratch, download fresh drivers and install all purchased programs, keep all data (bookmarks, photos, documents etc) on a seperate drive, create a ghost image of the C drive and store it on a usb disk safely away from the PC and restore the image when infected. I don't see any point in using anti-virus software anymore, as it did not protect me from getting infected and it can't remove the virus... And I've had this virus for sometime, it's not a new virus... I've kept this PC alive because it's getting replaced for other reasons. Is the anti-virus battle just a loosing one, only being kept alive by anti-virus advertising?

Sorry for the rant, but I don't think I'm the only one that's a bit tired of this... I wouldn't mind hearing the views of anti-virus software developers and others who suggest their usage...

[exile360]

Greetings

Unfortunately the anti-malware (and anti-virus) industry is essentially a cat and mouse game. The bad guys are constantly creating new threats to attempt to bypass detection and they use techniques to make their infections increasingly difficult to remove once the infection makes its way onto a user's system.

The reason for all of the logs is for the sake of system analysis and manual removal of the threat, which often leads to capturing samples of the infections, which for us means that we get the samples and add detection for the threat to prevent users from getting infected by it in the future when possible.

And why is Malware bytes unanable to present me with information on which process is trying to access the potentially dangerous site?

It can, but only on Windows Vista and Windows 7. Windows XP unfortunately does not provide the same capabilities, so on this OS we can only show the blocked address, not the process which is attempting to make the connection to the malicious address.

[David H. Lipman]

First off you call this a "virus" thus reinforcing the concept that you don't understand malware, malicious Internet activity, etc.

You asked... "But why can't any anti virus software remove the actual virus?"

Because new malware is created by the thousands daily and it is VERY hard to catch up to the latest malware threats. You have two ways to detect malware...

1. Through direct signature based detection

2. Through heuristics.

If a given malicious file is not detected by signatures or through heuristics the "malware" gets to live on the computer. As you noted in the subject, anti malware has a difficult time catching up. as soon as it does, something new comes along. We call this process "Whack a Mole".

You have to produce log files because the examining forum technician is NOT at your house or workplace and can't peer over your shoulder. Thus investigative utilities must be used to help identify the malicious agent that was not detected through signature and heuristic detection.

You ask...

"And why is Malware bytes unanable to present me with information on which process is trying to access the potentially dangerous site?"

That's a question that is EASILY asked but much harder to answer. The possibilities are too numerous to enumerate. Thus the need for logs to narrow down the possibilities.

I "hear" your frustration. Unfortunately all the software in the world can't protect you if you don't take steps to protect yourself. several years ago we coined the phrase practicing Safe Hex. These are a series of actions and non-actions an Internet computer user has to take to keep them safe on tghe Internet. WWW does not stand for World Web Web it stands for Wild Wild West. That's how dangerous the Internet can be. So the Internet user MUST take steps to protect themselves. This includes recognizing Phishing, not clicking on every URL that they are given, not accepting email attachments from strangers, not clicking on spammed URLs, etc...

[BornSlippy]

From your desription you almost certainly have a rootkit infection. Almost all such infections derive from the actions of the user and sre very difficult to detect as they infect system files and use stealth techniques to hide from detection by AntiVirus/Antimalware security. Usually the only time they betray their prescence is by hijacking the activities of the computer eg search redirects. They are even more difficult (some argue impossible) to remove safely. If you have such an infection you were almost certainly instrumental in helping it get there. As others have commented the user bears responsility, if you drive like a nutter all the safety equipment in the world ain't going to stop you having a crash......at least for now.

[miccolli]

Thanks for your comments. They are probably more sensible than mine...

The bad guys are constantly creating new threats to attempt to bypass detection and they use techniques to make their infections increasingly difficult to remove once the infection makes its way onto a user's system.

I've had this for some time now, but still none of the software I've tried has managed to remove the source. It's not new... I remember a virus/malware I had a few years back. Explorer.exe was infected. The anti virus/malware software could all flag alarms when the registry entries from the infected explorer.exe made, but could never actually detect that explorer.exe itself was infected. A manual replacement of explorer.exe took care of it. I was a bit surprised that none of the anti-virus/software systems at the time could detect that explorer.exe was the source.

It can, but only on Windows Vista and Windows 7.

Happy to hear that. The new PC I am waiting for will have Windows 7.

First off you call this a "virus" thus reinforcing the concept that you don't understand malware, malicious Internet activity, etc.

I beg your pardon. Virus or malware, the common usage amongst normal PC users has been virus and probably always will be. But do I actually have to understand exactly what it is or anti-virus/malware software will not be able to deal with it?

As you noted in the subject, anti malware has a difficult time catching up. as soon as it does, something new comes along. We call this process "Whack a Mole".

How long does it usually take?

You have to produce log files because the examining forum technician is NOT at your house or workplace and can't peer over your shoulder.

No, but a threat that has been around for quite some time should be able to be detected as I was running up to date software at the time. If not, what's the point? Restoring an image is much easier and sending endless lines of logs that in the end do not seem to help anyway.

I do not deny the fact this my PC was "infected" by virus/malware do to my own actions. Of coarse it was something I did. But it happened while having anti-virus/malware software active. I dare I guarantee that on any PC with a Microsoft operating system there is some sort of software somewhere that has not been written by the PC's user. Drivers, browsers or other software is at some point downloaded and installed. Only from trusted sites? What sites can be trusted? If anti-malware software did not detect the instant my PC was "infected", what says that it can't have "infected" the software on these trusted sites?