A case from life, or the question of choosing an antivirus for home use

    Is this something to keep in mind when choosing an antivirus for an ordinary user?


    I do not want this post to turn into yet another flame war.
    Just information, without pushing the author's point of view.
    I think this information may be of interest both to ordinary users and to those whom they turn to for advice. It is a chronology of detecting, cleaning up and searching for a cure against yet another VBScript trojan. I am very interested in your own experience in such situations.


    Background

    Good friends of mine run a small business: photo post-processing and printing. The specifics are that customers constantly bring them source material, mostly photos, on removable media. The number of viruses and trojans on these media paints a sad picture of the computer literacy of most customers.
    For this reason, material is accepted on two dedicated computers that are not connected to the network, under a user account with the most limited rights, and with an antivirus that is updated manually before each shift.
    On Friday afternoon the receptionist noticed that the photos on a USB stick had a strange extension, .lnk, but unfortunately this did not alert her, and she mechanically opened them to view (as she thought); in fact this ran a VBS hidden in a subdirectory of that medium. For the first half hour nothing happened, then the "oddities" began: subdirectories started appearing on the clean USB sticks of the next customers, photos were moved into them, the hard drive was constantly busy, and so on. An hour later the alarm was raised and the owner made a "call to a friend". I arrived two hours after the events began, right after the end of my working day at my main job.

    Exploratory survey

    Using HijackThis, I found that a script was being launched from the user's autostart by calling wscript.exe with a file from a subdirectory of %USERPROFILE%\AppData.
    A quick file search turned up a 300-kilobyte VBScript that had been run through an obfuscator, i.e. the code was unreadable.
    Killing the process, deleting this file and clearing the contents of the temporary directories left a machine that behaved as if it were uninfected. A quick search for tools that would block the infection led to a utility on SourceForge. Earlier I had stopped using it because of an undesirable side effect: it creates an Autorun.inf subdirectory at the root of every inserted medium and nags with write-error messages if the medium is write-protected. In a situation where the antivirus in use did not react at all, I had to accept that sacrifice and start using this utility. By the way, it proved very useful later, when the situation was resolved.
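The autostart check described above, as an added example that is not part of the original post and not the author's tooling: it enumerates the usual Run/RunOnce registry keys and the Startup folders and flags entries that launch wscript.exe or cscript.exe with a script stored under %USERPROFILE%\AppData, the pattern found here. The registry paths and the WScript.Shell shortcut resolver are standard Windows; the function name is my own.

```powershell
# Added example (not from the original post): flag autostart entries that run a
# script host (wscript.exe/cscript.exe) with a script under the user's AppData tree.

function Get-SuspiciousScriptAutostart {
    [CmdletBinding()]
    param()

    $appDataRoot = Join-Path $env:USERPROFILE 'AppData'   # %USERPROFILE%\AppData
    $hostPattern = '(?i)\b[wc]script(\.exe)?\b'            # wscript.exe / cscript.exe

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Registry Run/RunOnce: each value name is an entry, its data is the command line.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }    # skip PSPath, PSProvider, ...
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            if ($cmd -match $hostPattern -and $cmd -like "*$appDataRoot*") {
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $cmd }
            }
        }
    }

    # Startup folders: plain script files, or .lnk shortcuts whose target is a script host.
    $shell = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            $cmd = $file.FullName
            if ($file.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($file.FullName)   # resolve shortcut target
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
            # A bare .vbs/.js/.wsf in Startup is run by the script host implicitly.
            if ($cmd -match $hostPattern -or $file.Extension -match '(?i)^\.(vbs|vbe|js|jse|wsf)$') {
                [pscustomobject]@{ Source = $folder; Name = $file.Name; Command = $cmd }
            }
        }
    }
}

Get-SuspiciousScriptAutostart | Format-Table -AutoSize
```

The script only reports; removing a flagged value or file is left to the operator so that the sample can be kept for submission to the vendors, as the post goes on to do. Run it under the same account that the infected session used, since HKCU and the per-user Startup folder belong to that account.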

    Houston, we have a problem!

    On arriving home I decided it was worth taking a closer look at the detected trojan and bringing the antivirus vendors' feedback channels into play.
    Submitting the file to VirusTotal all day cheerfully reported that a cure and protection existed, but that did not cheer me up much.
    From home I repeated the request; the result was the same. Urgently buying and installing an antivirus that had not been used before was not the most correct and, more importantly, not an effective solution. So we ask the audience for help, or rather the experts.
    A quick sketch of the list of common antiviruses we have, then a search for feedback forms on Google with the phrase "how to send a virus to XXX", where XXX is the name of the antivirus.
    What happened:
    1) DrWeb
    2) Microsoft
    3) Kaspersky
    4) ESET
    5) Comodo
    6) McAfee
    7) Malwarebytes: a quick search came up empty, but by accident it led me to Emsisoft
    8) Symantec

    The submission itself is a separate story; the vendors would do well to agree on a standard. Some require the infected file to be packed with OS tools, some with ZIP, some just attached to a form, some sent by e-mail. Symantec's form, which would not accept a submission without a contract number, was a dead end for me (I never got past it). For the archive password the options were: 1) any password, stated in the letter, 2) infected, 3) INFECTED, 4) virus, 5) VIRUS.
    A simple submission took almost half an hour. A lot. And that is only a truncated list of recipients.
    * By the way, is there perhaps an aggregator that, in addition to analysis (like VirusTotal), also delivers a sample to all vendors? I would be grateful for a tip about such a service in the comments.

    First results

    After 40 minutes (!) a message arrived from McAfee with an Extra.dat file attached and a link to instructions on using this add-on to the main virus database. The option of not losing Saturday's photo intake from customers became real.
    By morning, apart from confirmations of receipt from DrWeb ([drweb.com # 4467210] Created by: SUBMITTED VIRUS), Kaspersky Lab ([VirLabSRF] [Malicious file analysis] [M: 1] [LN: RU] [L: 0] [KLAN-1284347345]), ESET (your request is registered under number 863467) and Microsoft (a letter with a link), no further replies had come in.
    In the morning, before going to buy McAfee, I checked my mail again and found confirmation from Microsoft that the problem was solved and the cure (and hence real-time protection) was included in the antivirus databases for their family of antivirus products. The letter stressed that the new database was so far only in Prerelease state and gave a link to download it.
    Half an hour before opening I called my friend, told him that his most profitable day of the week was not cancelled, and went to see how the update would work. Updating the databases through the regular mechanism did not help; updating from the repository of prerelease antivirus databases closed the problem. The virus on a machine infected specially for this test was destroyed, and USB media previously affected by the virus were cleaned on access. The staff were shown how to convert files and folders on the media from "hidden and system" back to ordinary, but it turned out easier to teach them to press one button in USB-Guard than to get them to reliably right-click and pick the right items in the file and folder properties menu. :-)
    Work began, and satisfied customers started handing in photos for printing.
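The media cleanup that the staff were shown, as an added example that is not part of the original post and not USB-Guard's code: it walks a removable drive, lists .lnk files whose target is a script host (the fake "photos" the operator double-clicked), and clears the Hidden and System attributes that this kind of trojan sets on the real files and folders. The drive letter is a placeholder, and the function name is my own; nothing is deleted, so the shortcuts remain available as samples.

```powershell
# Added example (not from the original post): triage a removable drive after a
# .lnk/VBS infection. Reports script-host shortcuts and unhides the real content.

function Repair-RemovableMedia {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root      # e.g. 'E:\' (placeholder drive letter)
    )

    $hostPattern = '(?i)\b[wc]script(\.exe)?\b'   # wscript.exe / cscript.exe
    $shell = New-Object -ComObject WScript.Shell
    $hideMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

    $report = [ordered]@{ SuspiciousLinks = @(); Unhidden = 0 }
    $items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.FullName -notmatch 'System Volume Information' }

    foreach ($item in $items) {
        # 1. Shortcuts that launch a script host: the "photo" that was really a loader.
        if (-not $item.PSIsContainer -and $item.Extension -ieq '.lnk') {
            $lnk = $shell.CreateShortcut($item.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match $hostPattern) {
                $report.SuspiciousLinks += [pscustomobject]@{ Link = $item.FullName; Command = $cmd }
                continue
            }
        }
        # 2. Files/folders marked Hidden or System: make them ordinary again.
        $attrs = [int]$item.Attributes
        if (($attrs -band $hideMask) -ne 0) {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden/System attributes')) {
                try {
                    $item.Attributes = [IO.FileAttributes]($attrs -band (-bnot $hideMask))
                    $report.Unhidden++
                } catch {
                    Write-Warning "Could not change attributes on $($item.FullName): $_"
                }
            }
        }
    }
    [pscustomobject]$report
}

# Dry run first (prints what would change), then apply:
# Repair-RemovableMedia -Root 'E:\' -WhatIf
# Repair-RemovableMedia -Root 'E:\'
```

Because the function supports ShouldProcess, -WhatIf shows every attribute change before it is made. It deliberately leaves the suspicious shortcuts in place and only reports them; once the real folders are visible again, deleting the .lnk files is a separate, conscious step.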

    Afterword

    An hour after intake started, I once again updated the antivirus built into Windows 8.1 on my laptop through the regular channel, checked the current database version on it and on the working machine, made sure the version number was higher than the one support had sent, checked the remaining sample, and left without a sample. (Joke. The sample in the encrypted archive has not gone anywhere.) The cure worked correctly with the public databases as well. The alarming part is that on Monday I will get to see a bunch of infected machines at work.
    To complete the picture, I repeated the VirusTotal request in the evening. The result puzzled me. On the one hand, McAfee was the first to provide a cure (I did not install Sophos in a virtual machine to check: the purchase option was no longer needed, and their one-off cleaning utility asked for 6 hours for a single system scan, which I did not wait for; that is overkill). On the other hand, the record-holders for reaction speed had no cure publicly available. The remaining working protection options: Trend Micro HouseCall is a one-off utility; it does not protect against reinfection, so it is not a solution in my case. Emsisoft I did not check, because of the difficulty of buying it: our computer "store across the road" could not sell it.

    Bottom line: a day after the sample was provided, only those using the built-in (or free-to-install) antivirus protection from the OS vendor were protected without any additional effort on the user's part.

    Questions to the community:


    I was very surprised by the speed of reaction to my request and by the order in which I saw the threat appear in the vendors' antivirus databases.
    • Is this typical, or did I observe a rare exception in this case due to the exotic nature of the trojan?
    • Would anything fundamentally change if the request had been submitted 1) not on a Saturday night, 2) from a registered user?
    • If so, is it normal, knowing about a potential threat, not to provide a cure for it for such a long time to everyone, including buyers of the product?

    PS Please refrain from comments like "use Linux/Mac/etc.": the cost of training staff and/or of equipment, the cost of ownership, is a topic for another discussion. Financially, choosing Windows has shown satisfactory business results.
    PS2 For purity of the experiment, I did not mention when contacting them that I am a registered corporate user of any of the products. 1) I still had a day left, so that channel could be used if something went wrong; 2) I was interested in the antivirus vendors' reaction to a request for a cure "by"
    PS3 The aggregator virusscan.jotti.org/ru/scanresult/079f5a1684e57a806447af9109b00b1d19311f15, as it turned out, issues its verdict with very outdated antivirus databases.
    Beautiful, but rather useless.
    But "one screen breaks in" :-)

    PS4 The Trojan was not so simple. List of side effects and activities
