
Re: recommend a good, preferably free "second opinion" scanner?

Then I would like to recommend SARDU

You can download all the antivirus ISOs from the various antivirus vendors -> http://www.sarducd.it/antivirus.html and put them on USB, or in an ISO to burn to DVD, using SARDU -> http://www.sarducd.it/downloads.html

SARDU has an update feature and multiple antivirus vendors that release free downloadable ISOs. When you boot into these antivirus tools, some of them have an update feature as well. The drawback is you can only choose one at a time.

Antivirus Download page

- AOSS: Alt. Oper. System Scanner
- AVG: AVG Rescue CD
- Avira: Avira Antivir Rescue System
- Bit Defender: Bit Defender Rescue CD
- Dr. Web: Min Dr Web Live CD
- F-Secure: f-secure rescue cd
- GData: GData 2011
- Kaspersky: Kav Rescue 2010
- Panda Security: Panda Safe CD
- VirusBlokAda: VBA Rescue

You can tweak it and incorporate the secure2k boot CD in it as well: https://community.mcafee.com/thread/6923

Message was edited by: obelicks on 10/14/10 10:02:47 AM MYT
jmcleish
Level 13
Message 12 of 18

Re: recommend a good, preferably free "second opinion" scanner?

Scanning the C drive remotely won't pick up threats in memory and may well reduce performance considerably.

If you set up a memory scan to scan periodically during the day, then have a query on your dashboard to show all detections via memory scan for the last day.

That will give you good information.

You can use various tools to clean machines: such as starting off with rkill, tdsskiller, rootkit revealer/gmer/backlight, malwarebytes, superantispyware etc etc - run from safe mode.

Let's face it - if machines get infected, users are going to get interrupted. Or you back up the data and reimage the machine, depending on which takes less time and resources.

on 14/10/10 03:35:13 CDT
Regis
Level 12
Message 13 of 18

Re: recommend a good, preferably free "second opinion" scanner?

All:   decided to license a few workstations worth of Trend's workstation antivirus and do the remote file scanning for this second opinion use.  Thanks for all the feedback!

@obelicks - thanks for the link to Sardu--that does look like an excellent resource for standalone machines to run and map a drive remotely for scanning or when you can reboot to a CD image.  I'll definitely check that out.

jmcleish, thanks for the response as well.  Totally agreed that such scanning misses memory, which can definitely be the only harbinger of infection for threats that don't touch the disk for any persistence.  In my use case here, we'd already have run McAfee including a memory scan on the machine, and it'd have been rebooted since prior detections.  Just having something remote to check out the disk's contents therefore is the thought.

But I'd never thought of scheduling on-demand scans of "memory for rootkits" and "running processes" only during the day... that actually sounds like a hell of a good idea.  What schedule do you use in your environment and how many nodes?  Is there a noticeable performance impact to users or is it pretty transparent?


Re: recommend a good, preferably free "second opinion" scanner?

Hello,

Maybe you could approach this from a different angle and build a process on how to deal with suspicious behaviour on a target system. In my opinion, scanning using tools from different AV vendors, especially for new threats, will always return either nothing or falses using generic/behaviour drivers.

The process to deal with suspicious activity on a particular system is different depending on what's been reported. Here is a list of tools to help you dig for malicious code in most cases:

- Process Explorer

- Process Monitor

- TCPView

- HiJackThis

- McAfee CommandLine Scanner v6

- WireShark

...the list goes on.

Each tool serves a different purpose. In most cases they should be combined to help you get that malicious EXE, DLL, etc. You can either submit the file(s) to virustotal.com then AVERT Lab for further analysis. In the intervening time, make use of Access Protection rules to contain the threat.

With regards to systems never being the same after infection and cleaning, it's a result of damage done by the malware. If a virus or trojan corrupts a certain part of the system, most cleaning logics include restoring deleted registry keys, modified files, etc., but some don't. In some cases, the damage is too great for an AV to recover and becomes part of data recovery - where a good backup can be used.

In cases where infection has persisted for a long time with threats such as FakeAlert or a bot, my advice is to re-image the system because you will never know what's been left behind, or it may not be worth your time to investigate. Luckily, it's not that bad most of the time.

HTH,

Redouane

Regis
Level 12
Message 15 of 18

Re: recommend a good, preferably free "second opinion" scanner?

All good advice, and part of what we'll do on certain hosts, I'm happy to report.  The variable is time, of course.  🙂  So, I wouldn't look at that as a different angle so much as a complementary one.

In many cases, you get one detection or two that looks like it got handled, a followup VSE scan comes back clean, but you still have some suspicions.  Being able to remotely scan a machine out of band with another scanner would be another due diligence feather in the cap that both doesn't require much technician time, and is a highly repeatable automated process.

The more I think about this, the more I want to stand up a dedicated virtual machine that does nothing but get used to remotely mount drives of suspect systems and scan them with a competitor's product.

mjmurra
Level 12
Message 16 of 18

Re: recommend a good, preferably free "second opinion" scanner?

Also have a look at GetSusp https://community.mcafee.com/groups/getsusp30-beta-feedback

It's still in Beta, but is very promising. I have been able to find some active threats using the tool.

Re: recommend a good, preferably free "second opinion" scanner?

@Regis: You might want to check Multi-AV which can be obtained here -> http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html (Scroll down, the link is at the very end of the page)

Cheers,

Markus

Message was edited by: mikesierra on 10/13/10 9:06:54 AM CDT
Regis
Level 12
Message 18 of 18

Re: recommend a good, preferably free "second opinion" scanner?

Hi Mike, thanks for the response.  David Lippman's multi_av.exe is something I've used in the past on personal boxes, and is actually somewhat the motivation for the question (what a great concept -- 4 command line scanners built into one!).  On the downside though, its trustworthiness is an issue (the source code's never been published as far as I know), and its legality with respect to copyright and licensing is unfortunately specious at best.  There has never been a terribly stable home for that tool over the many years I've been following it, and I suspect that may be mostly due to copyright infringement and cease and desist activity.  It's now hosted in  Switzerland.   But, boy do  I wish there was a tool like that that was legit, vetted and useful in a corp environment.

But I may need to revisit the most current version on a test box and attach an http proxy to it and see what it's grabbing and from where, since as I recall, it's just pulling down the latest versions of several free command line scanners.   Potentially grabbing one of those 4 scanners and using that as my 2nd opinion command line scanner might do the trick.
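
The proxy review proposed in the post above, as an added example that is not part of the original thread and not code from any tool mentioned in it. It assumes the test box's traffic goes through a proxy that writes Squid's native access.log layout; the log lines, host names, trusted-host list and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout; all hosts are placeholders.
SAMPLE_LOG = """\
1287000001.100    512 192.0.2.10 TCP_MISS/200 4718592 GET http://downloads.vendor-a.example/cls/scanner.zip - DIRECT/198.51.100.5 application/zip
1287000003.250    230 192.0.2.10 TCP_MISS/200 20480 GET http://downloads.vendor-a.example/cls/defs.dat - DIRECT/198.51.100.5 application/octet-stream
1287000007.900    890 192.0.2.10 TCP_MISS/200 1048576 GET http://mirror.unknown.example/tools/engine.exe - DIRECT/203.0.113.9 application/x-msdownload
1287000009.010     45 192.0.2.10 TCP_TUNNEL/200 3900 CONNECT update.vendor-b.example:443 - DIRECT/198.51.100.77 -
1287000011.400     12 192.0.2.10 TCP_MISS/404 310 GET http://mirror.unknown.example/tools/old.exe - DIRECT/203.0.113.9 text/html
"""

# File types that end up being executed or unpacked on the test box.
EXECUTABLE = re.compile(r"\.(exe|dll|zip|msi|cab)$", re.I)

def summarize(log_text, test_host, trusted_hosts):
    """Per-host summary of everything test_host fetched through the proxy."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "flags": set()})
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or f[2] != test_host:
            continue  # malformed line, or traffic from another client
        status = int(f[3].split("/")[1])
        method, url = f[5], f[6]
        if method == "CONNECT":  # HTTPS tunnel: only host:port is visible
            host, path, tls = url.rsplit(":", 1)[0], "", True
        else:
            parts = urlsplit(url)
            host, path, tls = parts.hostname, parts.path, parts.scheme == "https"
        entry = report[host]
        entry["requests"] += 1
        entry["bytes"] += int(f[4])
        if host not in trusted_hosts:
            entry["flags"].add("untrusted-host")
        # Code fetched without TLS has no transport integrity at all.
        if status == 200 and not tls and EXECUTABLE.search(path):
            entry["flags"].add("code-over-plain-http")
    return dict(report)

if __name__ == "__main__":
    trusted = {"downloads.vendor-a.example", "update.vendor-b.example"}
    for host, info in summarize(SAMPLE_LOG, "192.0.2.10", trusted).items():
        print(host, info["requests"], info["bytes"], sorted(info["flags"]))
```

Hosts flagged `untrusted-host` are the ones to resolve before the tool goes anywhere near a corporate machine; `code-over-plain-http` marks downloads that should be hash-checked against the vendor's published values.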
