Various information on antivirus related products
I just learned of a new antivirus/malware cleanup CD/iso, with support for NTFS and more.
Trinity Rescue Kit can be obtained from here;
http://trinityhome.org/Home/index.php?wpid=1&front_id=12 or http://trinityhome.org/
It sounds like a cool CD with numerous cleanup utilities, definitely worth a visit. I for one is going to download a copy and check it out.
I have just had a few servers that somehow has failed to update their Forefront Client Security client software 🙁 The problem seem to be that Forefront cannot seem to stop the FCSAM service while updating, the service is stuck on “Stopping” and neither taskkill og any other utility seem to be able to kill it.
The errors in the eventlog go something along these lines;
Microsoft Forefront Client Security Antimalware Service Error 1921. Service 'Microsoft Forefront Client Security Antimalware Service' (FCSAM) could not be stopped.
I have tried uninstalling, rebooting and reinstalling but this did not help.
The workaround suggested is to set the service FCSAM to manual, reboot, upgrade and then setting the service back to automatically – however this only works for now and thus only postpones the problem.
I have found this article on a similar problem which I will try tomorrow, this includes some additional cleanup steps;
Eg. issuing the command; sc delete fcsam
I will also try to slipstream the installation of Forefront Client Security before I retry the re-installation, description on how to do here (mind you use the latest update and not the one the article refer to);
AV comparison, www.av-comparatives.org has made a rather interesting comparison of how much different AV products slow down your machine, besides the technical comparison they also offer some general advices on how to optimize your experience with AV products in general.. Interesting reading, get their PDF here
A summery of their findings (higher is better);
The popular Avast antivirus went amok yesterday after a bug in a definition file, it started detecting hundreds of files as infected with Win32:Delf-MZG.
For cleanup instructions and explanation go here;
http://forum.avast.com/index.php?topic=51647
When trying to get rid of a virus it often a good idea to scan using a boot CD, some viruses / rootkits bury themselves so deep that even the best antivirus cant detect them. Sadly very few CD’s are commercially available, and most often requires regular updates to always have the latest definitions.
A friend of mine Mr. Grøn, Torben pointed out that he had just stumbled across;
http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/
Now this is interesting, F-Secure is an old player on the AV marked and usually makes good stuff, and it would appear this is no exception. It is a Linux boot CD that can scan NTFS partitions, and the clever part is that it actually downloads the latest definition files before it begin scanning – clever.. One minor “issue” though, it will rename file extensions to .virus if a file is infected, and this is also true for system files – thus you can ‘damage’ your windows installation and make it non bootable which can be a problem for novice users.
Other than that it offer some extra recovery utilities for pictures etc. Absolutely worth a look.
Update;
You may also want to give this a spin, I just learned about this;
http://trinityhome.org/Home/index.php?wpid=1&front_id=12
From Panda’s Cloud Antivirus blog
First of many thanks to the millions of beta testers and specifically to those who have given us feedback and helped improve the product. We think we have fixed all the issues you have reported.
If you have any of the previous versions installed (Beta1, Beta2 or Beta3) do the following:
1- Uninstall your current version.
2- Reboot your computer.
3- Download version 1.0 from http://www.cloudantivirus.com and install.
4- If you already have an account from Beta3, you can use the same one. Otherwise the installer will prompt you to create a Cloud Antivirus account.
As a reminder, don’t forget to use the Panda Cloud Antivirus Technical Support Forum for posting any issues you might experience.
Thanks again for helping us create this great free antivirus !!!
Just a quick update on my previous posting regarding “Microsoft Security Essentials”. It has been brought to my attention, that there is a minor issue during the installation process. – During the “Microsoft Security Essentials” installation the LMHost file is replaced with a new one, now most users will never notice this – but if you made additions to your LMHost file (for security or anti commercial wise) you might find this annoying and might have spend some time debugging before you found this (your original lmhost.ini is renamed to lmhost.bak btw).
Nothing major, just something to think about.
The long awaited “Microsoft Security Essentials” is released 🙂 and as the beta looked promising and the company I work for has been using “Forefront Client Security” (the corporate version) for a year now, I was looking forward to trying this out…
I fired up my browser and went to “http://www.microsoft.com/security_essentials/“, however as I live in Denmark I was met by this message;
Not available in your country or region
You appear to be in a country or region where
Microsoft Security Essentials is not available.
Thank you for your interest in Microsoft Security Essentials.
Shown in 9 languages (of cause not in Danish), well bummer… However as I have access to a US proxy I just changed the proxy settings and things brightened up 🙂 So I am now the happy ‘owner’ of “Microsoft Security Essentials”, the thing about this is it’s free 😀
Should you want to check this product out, just direct your browser to; http://www.microsoft.com/security_essentials/
And should you get the same annoying message stating that it is ‘Not available in your country’, then you might want to take a look at; www.torproject.org TorProject is mostly an anonymity solution that allows you to browse without being tracked by IP etc, however they also offer the possibility to select which breakout/proxy you wish to use, and here you can select a US breakout and you can fool the MS server into letting you download all the same – you may also need to modify your IE settings to show a US regional code etc. but it should all be possible..
Want more details and maybe a review?
Visit here; http://www.winsupersite.com/win7/mse.asp
Enjoy.
Update!
You may be able to download MSE from here even if you are not in the US 🙂
If you are using Forefronturing Client Security you know that it is not big in the corporate configuration department, much can however be done using GPO’s and general AD management.. Yes I also prefer having these options in a management console, but atlas it is still possible..
Read this article to get the low down.
Every Anti-Virus has a mechanism called tamper protection that helps administrator keep users from mishandling there antivirus settings and services. Forefront Client Security only offers basic control over what the user can or cannot do with the FCS Client Console on his client machine. What the FCS System doesn’t provide is a built-in mechanism to protect FCS services from being stopped or prevent FCS from being removed by the user.
It’s true that some of these are possible to prevent by not giving administrative privileges on the client workstation, but some of us don’t have that luxury.
Windows Group Policy has built-in settings that allow you both protect your services and disable removal by unauthorized users. This is how it’s done.
If you experience problems with Forefront Client Security (or Windows Defender) and likely also the new free Microsoft antivirus, here are some tips for debugging it;
Look for the file called;
MpCmdRun.exe
On Forefront Client Security this is found in;
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware
If you go to a command prompt and run this command with a -? you will get a bunch of debugging commands, there are among others restore commands that will reset the configuration of the client etc etc..
One likely useful command to debug performance issues is;
MpCmdRun.exe -trace
However I have been unable to determine how to decode the .bin file created!? So if you have any suggestions please let me know!? However if you look in the .log file in the same directory you will get some historic information which may prove useful. Also, there is still the good old utils from Sysinternals (eg filemon) to assist you.
All very useful..
Here are the switches for Forefront Client Security;
-Scan [-ScanType]
0 Default, according to your configuration 1 Quick scan 2 Full system scan
-Trace [-Grouping] [-Level]
Begins tracing Microsoft Forefront Client Security's actions. You can specify the components for which tracing is enabled and
how much information is recorded. If no component is specified, all the components will be logged. If no level is specified, the Error, Warning and Informational levels will be logged. The data will be stored in the support directory as a file having the current timestamp in its name and bearing the extension BIN.
[-Grouping] 0x1 Service 0x2 Malware Protection Engine 0x4 User Interface 0x8 Real-Time Protection 0x10 Scheduled actions
[-Level] 0x1 Errors 0x2 Warnings 0x4 Informational messages 0x8 Function calls 0x10 Assertions
-GetFiles Gathers the following log files and packages them together in a compressed file in the support directory - Any trace files from Microsoft Forefront Client Security - The Windows Update history log - All FCSAM or FCSAMRtp events from the System and Application event log - All relevant Microsoft Forefront Client Security registry locations - All software information from Software Explorer
-RemoveDefinitions Restores the last set of signature definitions
-RemoveDefinitions -All Rolls the signature definitions back to the default signature set and removes any installed signature and engine files.Use this option if you have difficulties trying to update signatures.
-RestoreDefaults Resets all configuration options to their default values; this is the equivalent of running Microsoft Forefront Client Security setup unattended.
-GetSWE Exports the contents of Software Explorer into a file named MPSWE.txt in the support directory