Various information on antivirus related products

If you experience problems with Forefront Client Security (or Windows Defender) and likely also the new free Microsoft antivirus, here are some tips for debugging it;

Look for the file called;

MpCmdRun.exe

On Forefront Client Security this is found in;

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware

If you go to a command prompt and run this command with -? you will get a list of debugging switches; among others there are restore commands that will reset the configuration of the client, etc.

One likely useful command to debug performance issues is;

MpCmdRun.exe -trace

However I have been unable to determine how to decode the .bin file created, so if you have any suggestions please let me know. If you look in the .log file in the same directory, though, you will get some historical information which may prove useful. Also, there are still the good old utilities from Sysinternals (e.g. Filemon) to assist you.

All very useful..

Here are the switches for Forefront Client Security;

   -Scan [-ScanType]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
   -Trace [-Grouping] [-Level]
        Begins tracing Microsoft Forefront Client Security's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.
        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Assertions
   -GetFiles
        Gathers the following log files and packages them together in a
        compressed file in the support directory
        - Any trace files from Microsoft Forefront Client Security
        - The Windows Update history log
        - All FCSAM or FCSAMRtp events from the
          System and Application event log
        - All relevant Microsoft Forefront Client Security registry locations
        - All software information from Software Explorer
   -RemoveDefinitions
        Restores the last set of signature definitions
   -RemoveDefinitions -All
        Rolls the signature definitions back to the default signature set
        and removes any installed signature and engine files. Use this
        option if you have difficulties trying to update signatures.
   -RestoreDefaults
        Resets all configuration options to their default values; this is the
        equivalent of running Microsoft Forefront Client Security setup
        unattended.
   -GetSWE
        Exports the contents of Software Explorer into a file named MPSWE.txt
        in the support directory

I just stumbled across a blog post from Claus Valca referring to VistaPE; as far as I can judge this is more or less a replacement for BartPE, which has been dead in the water since 2006.

VistaPE should allow you to create a bootable CD/DVD with the Vista kernel (much as BartPE did with the XP kernel); this is useful as a recovery tool/image tool/repair tool/virus cleanup tool etc.  I have previously created antivirus cleanup CDs using BartPE, but maybe VistaPE could offer better compatibility with the later hardware models.

I will add this to my “I have to look into this list” (which sadly has become quite long)..

You may recall me mentioning VirusTotal; this is a priceless service that allows you to upload a file and have it checked by many different antivirus engines within seconds. Excellent if you are suspicious about a file, or just if you want to be sure that the file you just downloaded is clean.

Well, I did not mention another neat feature from VirusTotal: a “Send to” addition to the Windows right-click menu. Once this is installed you can right-click on ANY file and have it uploaded to VirusTotal for analysis, easy and painless.

VirusTotal Uploader

So you would like to run MSRT manually (the Microsoft Malicious Software Removal Tool, the one that comes once a month from Microsoft via Windows Update and cleans different infections from your PC)? Well, as written in an earlier post https://readmydamnblog.com/?p=463 you can download a version straight from Microsoft; however it turns out there is an even easier method: simply go to your “Start menu”, select “Run”, enter “MRT” and hit Enter..

There is even the option to launch it with parameters so you could schedule it to run at regular intervals if you would like.


As you may have noticed, Microsoft ships you a new version of something called MSRT (Microsoft Malicious Software Removal Tool) every month; this comes via Windows Update.

What does it do?  Well, it is a very basic cleanup utility for certain malware/spyware: once Microsoft deems that a piece of malware/spyware is widespread enough it is added to MSRT and is thus cleaned from all machines that run Windows Update.  It is NOT a malware/spyware scanner as such, as it only cleans known and targeted malware/spyware and offers no realtime protection; it runs, cleans and exits.

As mentioned, all this happens behind the scenes about once a month. Should you however want to do the scan again (you may be infected with malware/spyware 2 minutes after MSRT has run, and then it will be an entire month before the scan is performed again), you can download and run the MSRT scanner yourself (or rather a GUI version of it; the original runs 100% behind the scenes).

Download it from here;
http://www.microsoft.com/security/malwareremove/default.mspx
or here (I am not 100% sure the latter is updated regularly)
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356

UPDATE January 26th 2009;
It’s even easier than this, see;
https://readmydamnblog.com/?p=574

So a friend of mine got infected by this Antivirus 2009 (that is irony for you, infected by an Antivirus), anyway I will be visiting him shortly to try and disinfect that darn thing.

From what I can figure out I will get the best results by using the tools from;
http://www.malwarebytes.org/

Should be safe to use according to;
http://www.siteadvisor.com/sites/malwarebytes.org

I will update this post with the results of my effort; should you however have better tips, let me know..

UPDATE JAN 7th
Malwarebytes malware scanner worked like a charm, big thumbs up.

AVG Antivirus has joined the not-so-popular club of antivirus vendors that have released faulty definitions for their virus scanner.  In this case it caused AVG to wrongly detect a virus in a vital Windows OS file, which in the worst case (if you followed AVG’s advice) could lead to a crashed Windows installation.

From the AVG forum, here is a possible solution that does not require re-installation;

PC crash after AVG update 9 Nov 2008

Posted by: pa3bar (IP Logged)
Date: November 9, 2008 04:45PM

Many PCs crashed after today’s update of AVG. The update destines user32.dll as a virus: PSW. banker4.APSA.
Valid for Win XP SP2 and SP3 with AVG7.5 and AVG 8.
This is not a virus, but an essential part of your windows programme.

prevention:
before you start up your PC, unplug the internet cable. Boot your PC and disable in your firewall the access to internet for the AVG update manager. Reconnect the internet cable. In this way your PC stays safe from the malicious AVG update.

solution:
if you happen to believe the AVG programme (like I did) when it shows you the virus alert, and have chosen “heal” or “quarantine”, your PC will no longer restart. It shows a blue screen at start up and tells you it cannot find winsvr, error c0000135. System recovery has no effect. Don’t panic (like I did) but:

-restart your PC in safe mode (press F8 during windows start up)
-open the AVG control centre by clicking the logo or via start-programs-AVG
-go to the virus vault, select user32.dll and click restore.
-empty the virus vault
-close AVG
-now uninstall the whole AVG program: start-programs-AVG-uninstall
-reboot the PC and it is fine.

If you are at all interested in IT security then YOU NEED to get a load of this: Paul Craig’s omnibus experience (a podcast from Kiwicon), brought to you by Patrick Gray http://www.it-radio.com.au/; it’s awesome and extremely funny.

Paul Craig is a security consultant who, in his omnibus experience, explains how he 1) created a kiosk attack tool, 2) hacked a botnet (and got a lot of interesting and funny information), and 3) wrote his own WMI trojan (yes, he actually utilized WMI for this one, scary, PLUS it will verbally insult you; you really MUST hear the podcast, it’s so funny).

Makes you think: hmm, WMI is very useful but maybe a bit overlooked in regard to security.

Links;
http://itradio.com.au/security/?p=98
http://ha.cked.net/projects.html

http://www.mls.id.au/

Have you ever had Windows Update or Forefront Antivirus fail to update, and then mock you with one of those very informative error codes like 0x80244015?  Well guess what, you are not totally lost; there is actually a “cheat-sheet” http://inetexplorer.mvps.org/answers/63.html for decoding these 😀

Now why these translated error codes are not displayed instead of those interesting 0x80244015 number codes... well, your guess is as good as mine..
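As an added example (not from the post or the cheat-sheet it links to), here is a small Python decoder that splits an HRESULT such as the 0x80244015 above into its severity, facility and code fields, which is what the cheat-sheet does by hand; the symbolic-name table is a constructed sample containing the post's own code plus a couple of well-known neighbours, and the parser also accepts the signed decimal form that the event log shows.

```python
# Added example: decode Windows Update / Forefront HRESULT error codes.
# HRESULT layout: bit 31 = severity (1 = failure), bits 16-26 = facility,
# bits 0-15 = the facility-specific code.
FACILITY_NAMES = {
    7: "WIN32",           # FACILITY_WIN32: low 16 bits are a plain Win32 error
    36: "WINDOWSUPDATE",  # FACILITY_WINDOWSUPDATE: the 0x8024xxxx family
}

# Constructed sample table; extend from winerror.h / wuerror.h as needed.
KNOWN_CODES = {
    0x80244015: "WU_E_PT_REFRESH_CACHE_REQUIRED",  # the code quoted in the post
    0x80240022: "WU_E_ALL_UPDATES_FAILED",
    0x80072EE2: "WININET_E_TIMEOUT",  # Win32 12002, ERROR_INTERNET_TIMEOUT
}


def parse_code(text):
    """Accept '0x80244015', the mistyped '0×80244015', or signed decimal
    '-2145107947' (as logged by the Event Log) and return an unsigned int."""
    text = text.strip().replace("×", "x")
    if text.lower().startswith("0x"):
        value = int(text, 16)
    else:
        value = int(text, 10)
    return value & 0xFFFFFFFF  # fold negative two's-complement into 32 bits


def decode_hresult(value):
    """Split an HRESULT into its fields and look up a symbolic name."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    return {
        "hex": "0x%08X" % value,
        "failure": bool(value >> 31),
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "UNKNOWN"),
        "code": value & 0xFFFF,
        "name": KNOWN_CODES.get(value, "not in local table"),
    }


def describe(text):
    """One-line summary suitable for pasting next to a failed-update log line."""
    r = decode_hresult(parse_code(text))
    return "%s: facility %s (%d), code %d, %s" % (
        r["hex"], r["facility_name"], r["facility"], r["code"], r["name"])
```

A WIN32-facility result means the low 16 bits are an ordinary Win32 error number (12002 here is an Internet timeout), so the cheat-sheet's Windows Update table will not list it; look it up in the Win32 error table instead.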

McAfee has released a new version of their enterprise antivirus.  I would advocate that it is indeed a good idea to make sure to upgrade your antivirus regularly, and not only the definition files mind you: newer versions or patches for existing versions as well.  More than once I have seen that upgrading an existing installation revealed malware or other infections.

McAfee’s Enterprise VirusScan is in my opinion one of the better products on the market: it’s fast, only informs you when there is something to inform about, and is highly tweakable.  That said, most antivirus products are quite similar today, so I guess it’s largely down to personal preference.

Hmm, from what I can see it looks more like a beta, but I may be wrong..