When Can You (Afford Not to) Trust Your Anti-Virus Program?

***layna61524*** · 02-20-2019, 07:10 AM

WHEN CAN YOU AFFORD (NOT) TO TRUST
YOUR ANTI-VIRUS PROGRAM?

What would YOU do if you finally found a download link for that special software or program you've been searching everywhere for ...?

And you quickly transferred it to your computer and did the cursory virus check ... only to be scared out of your socks by a screeching alarm from your A-V program?!!!

Do you delete the offending program to save your computer?

Or do you take your chances?

Well, despite popular advice don't delete that program --- at least, not yet.

You need to understand, firstly, how anti-virus programs work. You don't need to be a nerd or whiz either (I know I'm not).

Anti-virus programs make 'informed decisions' using a database of known viruses and potential threats as comparisons. They routinely get new info on the latest threats to add to its arsenal.

Which is why you should always keep your A-V program updated.

As exploits become more dangerous and hackers become more sophisticated to thwart the best protection efforts, you need to keep up with changing technology.

You also need to understand more about high-risk files. And black-hat files especially.

And why your anti-virus program might not play nicely with some of the files they contain.

Black hat files can often contain a patch or crack file designed to make a software operate as it should without the need to "call home" for authentication or updates.

Or it could contain a keygen or key generator (a type of license code creator) that provides license keys that mimic actual ones.

Patches and cracks and keygens --- oh, my! They can sound scary but should we really be worried?

C'MON --- HOW BAD CAN THIS BE?

It all depends. Not all exploits are created equally. You can click on a download link and be re-directed to a site that appears to hijack your browser until you call a number and send money for 'the virus' to be removed. By the way, if that ever happens to YOU, despite the voice's stern warnings NOT to restart your computer' -- just click the Ctrl + Alt + Del buttons and click your Task Manager. Find the open internet connection (the browser icon) and END the session by right-clicking and choosing CLOSE or END. Your computer window will then close and you can then click your browser to resume your work. It helps to run a virus scan though, before you restart your system).

A suspicious file lurking in a download could install one of any number of things that behave differently.

You can get adware, which is software that displays unwanted ad messages when you're browsing online.

Then there's malware, which is software designed to damage, disrupt or allow unauthorized access to your computer system.

These files contain code or scripts (some malicious), designed to upset the normal operation of your system and breach security; some sneaky enough to bypass 'conventional' antivirus programs alone.

A malicious program file can wreak havoc with your computer. Some file types can alter your computer's registry settings (and affect the way it operates). Others can install a key-logger (a type of spyware that logs --- or records and reports --- your keystrokes).

A keylogger is especially dangerous because this program documents everything you do online. So when you log into your bank (or other financial) accounts or purchase online, it has your numbers (so to speak).

Everything from the addresses to the sites you visit to your account numbers to the alpha-numeric passwords you use to email addresses and the messages you type in them are all detectable and available to someone, somewhere, to exploit. It could be someone halfway around the world or two houses down the street --- but by the time you find out, it's too late. The damage is done and you're left to face a nightmare of trying to right this wrong and restore what's left of your life.

I've read just about every horror story you can think of --- from people's bank accounts being wiped out and bills they THOUGHT they'd paid becoming overdue, to others incurring tens of thousands in unauthorized credit card charges, to blatant identity theft.

On a news program not long ago, one person told of being bombarded with Amazon emails confirming purchases she knew she hadn't made. It was the beginning of a battle that began when her young son downloaded and installed a program that had compromised her computer.

These are real threats that can be a nightmare.

But just because your download is suspicious, doesn't mean you should panic.

HIGH-STRUNG A-V PROGRAMS CAN
RETURN FALSE POSITIVES

In most cases, your A-V program could be over sensitive and while it deems a file suspicious, there just isn't enough real data for it to make a judgment call and it errs on the side of caution.

So, when can you afford NOT to trust your anti-virus program?

There are times when you definitely should --- otherwise, there would not be a feature built in to EXCLUDE a file. But do it after you've looked into it further.

HERE'S AN EXAMPLE --- TO ILLUSTRATE
WHEN YOU SHOULD EXCLUDE A FILE

Here's my story. I finally found Prezi Pro on FilePursuit. I Googled the program name and version number to read more about it.

I was very happy to learn about all the exciting features of this version of the software so I decided to download it. I knew downloading from bitdownload.ir (a Persian site) came with some need for caution. It's a site where you can get pirated software, thus the crack and patch and keygen files I just mentioned.

By the way, here is a screen-shot of the download link on FilePursuit, just in case you want grab Prezi Pro yourself ...

NOTE: If you download the file from bitdownload.ir, you will need to use that site name as the password (and you will be asked for a password).

Next, I ran a cursory virus scan and my Avast program went berserk --- on both the Prezi Pro install as well as the patch file (both executables)!

Avast said it detected a Win32 Malware.Gen. So I went to Google and typed that in.

One of the first articles I read was from Techwalla.com. It explained why an anti-virus might react to a Generic Threat (files that appear suspicious but do not match any known threat). I learned that's what the Gen in my Win32 Malware.Gen meant.

That article also told me files that can contain malware include executable (program) files and files that contain scripts, such as screen savers, Word or Excel files, PDFs or web pages.

(I've said it before but, again --- while not common, yes, PDFs can contain malware!)

This includes files from high-risk sites (ex: adult, pirating, torrents, etc.).

You can read the full Techwalla article here...

WHAT IS WIN32 MALWARE.GEN?

Magic Button :

After Avast ran its diagnostics on the files here is what I got...

So, is my Avast contradicting itself? Can I even trust it?

Do I keep and install my Prezi Pro ... or delete the file and let it go?

Since no two downloads are alike (my Avast might react to a file whereas your A-V program may not) I suggest you do your own due diligence.

Here's how ...

1. Go to Google and type in the name of the suspicious file along with any additional information your anti-virus program provides. When you get the first page of results, look at the source before you click. You want to read articles and blog posts from sites related to ANTI-VIRUS PROGRAMS and COMPUTER TECH resources. Otherwise, you can waste a lot of precious time reading forum posts where one person asks for help but the only responses are from people adding on about their own computer virus issues or mere opinion postings.

2. Next. if your research says the threat is real, you should delete the download from your computer ASAP. Be sure to delete it from your Control Panel and check the box that deletes all traces, if that applies. Run a virus scan and then restart the computer.

Alternately, if your research suggests the threat is a false positive, you should exclude the program in your anti-virus software's user interface. In most cases, this is as easy as clicking a tiny box that tells your anti-virus program to ignore the it and you will not get further feedback on it. Do this only AFTER you've allowed the A-V program to run its diagnostics and the file comes up OK (as in my Avast image above).

I know Malwarebytes makes it easy to EXCLUDE a file. Look in the SETTINGS area of your A-V program or do a search online for your particular program for instructions on excluding a file or registering it as an exception.

Knowledge is power. Arm yourself with information from your A-V program and get more details so you can make an informed decision.

For the most part, you can rely on a good (and updated) anti-virus program to do its job in protecting your computer and your security.

But there are a few cases (ex: generic threats) where you could ... and should be the deciding authority.

The two absolute smartest things you can do as a black-hatter is to keep your anti-virus program updated and running at all times and use it regularly to scan your downloaded files.

Layna61524

***Lumos*** · 02-20-2019, 05:12 PM

Great write up from our Wonderful Layna !!!

I would add a single bit of info here:
AV things are also made intentionally to flag certain w*rez and especially keygens and patchers.
(This is simply because they participate in the profit protection racket behind software sales.)

***layna61524*** · 02-21-2019, 02:33 AM

Hi, smithnowt! Thanks

Thanks for your insightful post. I couldn't help but notice that you, too, had trouble getting the word 'w*rez' to show up in your post. It took me nearly 5 minutes of tweaking because it kept showing up in my post as the word: DOWNLOAD ... go figure!

I should have used an asterisk as a 'wildcard' (like you did) but I gave up in utter frustration and gave in to the next appropriate synonym (torrents) instead.

As good as this forum is, it can use some tweaks.

Layna61524

***Lumos*** · 02-21-2019, 01:49 PM

Always a pleasure Miss Layna !!

Just FYI, most forums (even before they are customized) have banned word lists - so I actually always assume that in THAT word the asterisk is mandatory and put it there to start with.
(Some forums even have bans on mentions of keygens and patchers !!)

A great example of draconian rules and measures can be seen at the portableapps.com forum, which is run by a man with a truly iron fist.

We've got it really good here, for sure !!!