News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

I need antivirus protection!

Started by NoCforMe, September 19, 2024, 03:44:52 PM

Previous topic - Next topic

sinsi

How droll  :biggrin:

It's funny how "they" want us to use IPv6 which would give each device a unique (trackable, permanent) address when we spend so much time obscuring our MAC/IPv4 addresses.
🍺🍺🍺

NoCforMe

True dat.
However, what about the danger of running out of unique addresses? Is that a real thing or just a scare tactic?
Assembly language programming should be fun. That's why I do it.

sinsi

My ISP must be doing some sort of voodoo since I have a static IPv4 address.
🍺🍺🍺

fearless

Use a boot time scanner. I think Avast has one. That should help eliminate any stuff you have picked up. Also you probably have to delete your shadow volumes, in case any system backups have backed up any infected stuff. Otherwise you will just end up restoring infected files.

Run a few av and malware tools, Malwarebytes, Emisoft, Avast etc to help with cleaning stuff up. Emisoft has an emergency kit that I think might also do a boot time scan, so no harm running all those to ensure most of the stuff is cleared.

NoCforMe

I'm happy to report that today my computer told me
QuoteI'm completely operational, and all my circuits are functioning perfectly.

Well, not really, but it's fine now. Whatever bad was causing that problem is gone.

One side effect of disabling IPv6, as noted in that Micro$oft doc, is a few extra seconds delay at startup, not a huge deal.

Total AV nags me every time I start up (I boot up daily), but I can live with that. Hey, it's free software! How much we take that for granted nowadays (of course, they say that if something is free, then you are the product).
Assembly language programming should be fun. That's why I do it.

bugthis

Quote from: NoCforMe on September 19, 2024, 03:44:52 PMI should mention that I'm running Windows 7, which of course is no longer supported, so I can't update the Defender virus definitions, so if I get infected by anything newer than what's already known to Defender I'm screwed.
You can be sure that Windows 7 has a number of unfixed security holes that will not be fixed by removing the malware from the system if you find it.
Updating to a version of Windows that is still supported by security patches would be very useful.

Windows 7 should no longer be connected to the network.
As an OS for a local computer that is never allowed to access the Internet, it may still be okay.

An alternative option would be to switch to Linux and banish Windows 7 to a VM without network access.
Then you would have a modern OS and at the same time still have access to Windows 7 via the VM.
The host system would therefore be Linux and the guest system Windows 7.


QuoteDoes anyone know of any other FREE antivirus software I can use? I guess if I can't find anything free I might be willing to pay a little dough. Probably worth it to prevent all this crap from happening. But of course it would be nicer to get a free package.


First of all, install Process Explorer from Microsoft's sysinternals suite.
Then start the Process Explorer and activate the database query at virus total in the Process Explorer.
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Process Explorer will show you all the running processes and Virus Total's information will show you which process is infected with a known malware. Virus Total uses a dozen antivirus software, not just one. This improves the chances of finding something that other antivirus software doesn't know about. However, unknown malware cannot be detected this way; antivirus software is not suitable for that.

If none of this helps, the next rule applies. If in doubt, run process monitor.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon


If you want to know how to use these two tools, watch this video from Mark Russinovich.
License to Kill: Malware Hunting with the Sysinternals Tools

Switching to a new version of Windows or another operating system, such as Linux, is probably the safest way.
Remember that connecting backup hard drives to compromised systems can lead to the data on the backup hard drives also becoming infected. The better way is therefore to use a NAS, because it has its own OS and you then move the data to it. You then make backups from the NAS to backup hard drives. Because a NAS cannot replace a backup.

If you have installed a new system, I would create SHA256 checksums of alle none-private files on the backup disks before opening them and then verify these checksums on the Virus Total website.
https://www.virustotal.com/gui/home/search

NoCforMe

Thanks. Stuff on Process Explorer appreciated; I think I might already have that somewhere. Will look into it.

Other than that: I absolutely, resolutely, definitely will not be upgrading to a newer version of Windows. I absolutely hate anything beyond 7. I think I can live with whatever few, obscure security holes there are in 7.
Assembly language programming should be fun. That's why I do it.

zedd151

Quote from: NoCforMe on September 29, 2024, 06:32:35 AMI absolutely hate anything beyond 7.
I don't consider myself religious in any sense of the word, but...
Amen! To that.  :biggrin:
I do fire up Windows 10 very very occasionally to help others in a debug session. But revert to 7 immediately afterward.
Ventanas diez es el mejor.  :azn:

NoCforMe

Couple things:

Quote from: bugthis on September 29, 2024, 02:36:52 AMThen start the Process Explorer and activate the database query at virus total in the Process Explorer.

How do I do that? Not seeing any menu options that look like what you described.

2. A problem: when I click VirusTotal.com under the Options menu, a web page opens that has a "Start Free" button. When I click that I'm directed to a Google Cloud sign-up page. This I will not do; I assiduously avoid all that Google bullshit. Don't know if this is a show-stopper for using VirusTotal or not.

The Process Explorer user interface is quite complex, therefore quite confusing. I'll have to poke around in it a bit more, I guess.
Assembly language programming should be fun. That's why I do it.

NoCforMe

Another question: PE has identified several processes that apparently contain viruses. When I click on the link ("1/77") it takes me to VirusTotal's web site, where it shows a description of the infection.

Fine: now what do I do? I can kill these processes, but that'll leave my system partially crippled. Is there some way to fix these from PE? or do I need to do a (Control Panel) system restore?

Time to do an AV scan (with Total AV) ...
Assembly language programming should be fun. That's why I do it.

bugthis

Quote from: NoCforMe on September 29, 2024, 06:32:35 AMOther than that: I absolutely, resolutely, definitely will not be upgrading to a newer version of Windows. I absolutely hate anything beyond 7. I think I can live with whatever few, obscure security holes there are in 7.
No problem. But in this case i highly recommend to put Windows 7 inside a VM without network access and use Linux as a host system or use Windows 7 only on a machine, that is never connected to the Internet.

You might also put the Windows 7 machine inside a private VLAN and protect that VLAN with a linux router and its firewall.


Quote from: NoCforMe on September 29, 2024, 06:45:14 AMCouple things:

Quote from: bugthis on September 29, 2024, 02:36:52 AMThen start the Process Explorer and activate the database query at virus total in the Process Explorer.

How do I do that? Not seeing any menu options that look like what you described.
In the Options menu. There click on VirusTotal.COM and then select Check VirusTotal.Com
This will activate a new column in your process explorer view. It will take a little bit to check the hashes. Just wait.
You have to set this option only once.

Quote2. A problem: when I click VirusTotal.com under the Options menu, a web page opens that has a "Start Free" button. When I click that I'm directed to a Google Cloud sign-up page. This I will not do; I assiduously avoid all that Google bullshit. Don't know if this is a show-stopper for using VirusTotal or not.
It's been a while since I last did this. But i think you have to only click on the empty field left to the VirusTital.Com menu entry. You don't have to register to use that service.


QuoteThe Process Explorer user interface is quite complex, therefore quite confusing. I'll have to poke around in it a bit more, I guess.
No, you better watch the video with Mark Russinovich mentioned above. It is highly recommended. If you ever want to get the most out of these two tools, you should definitely watch the video.


Quote from: NoCforMe on September 29, 2024, 07:09:39 AMAnother question: PE has identified several processes that apparently contain viruses. When I click on the link ("1/77") it takes me to VirusTotal's web site, where it shows a description of the infection.

Fine: now what do I do? I can kill these processes, but that'll leave my system partially crippled. Is there some way to fix these from PE? or do I need to do a (Control Panel) system restore?
If only one of the 77 virus scanners complains, it may mean that it is just a false positive.
In this case, I would repeat the check later or rely on the information from the virus scanners that have the best reputation.
If a handful of virus scanners react, especially those with a good reputation, all alarm clocks should go off.

If a process actually has a virus, then you must either try to remove the virus from the affected file or replace it with a clean file.

NoCforMe

Quote from: bugthis on September 29, 2024, 07:58:45 AMIf only one of the 77 virus scanners complains, it may mean that it is just a false positive.

OK, it helps to know that 1/77 means one scanner out of 77; that wasn't clear. So it could well be a false positive. (I'm running a TotalAV full scan which so far hasn't found anything.)

False positives, just like we get for our own MASM32-created programs ...
Assembly language programming should be fun. That's why I do it.

NoCforMe

Heh; the complete scan I did yesterday found several "threats". Guess what? all of them were in GoAsm components (GoAsm.exe, GoLink.exe, GoRC.exe). I let it "fix" these things that I have never used and probably never will use.
Assembly language programming should be fun. That's why I do it.