The Anti-virus Times

Friday, March 30, 2018

People ask our support service to help them solve all kinds of problems. For example:

Let's try to guess what’s happening here. We'll try to factor in all the possibilities.

Explanation №1. The user hasn't updated their anti-virus or their license has expired. Can this happen? Definitely! Sometimes users ignore changes in the anti-virus icon's appearance and Dr.Web's notifications. If the virus databases are outdated, naturally brand new malware won't be detected.

Explanation №2. The user's computer is infected, and a malicious process is preventing the anti-virus from downloading updates and/or is using evasion techniques to disguise itself. Is that possible? Probably not: most rogue mining applications don't try too hard to conceal their presence. But over time, mining applications evolve. They are learning to keep a low profile—some people are already calling them stealth miners—and are trying to keep anti-viruses from doing their job (by terminating running processes and blocking access to various sites and servers).

Explanation №3. What anti-virus are we talking about? The user referred to it as "DRWEB". But that’s not the name of a product, and we have no way of knowing what protection components it includes (and whether they are running or not). The user is clearly experiencing problems involving downloading content from a certain site, which at a minimum should be scanned by the HTTP monitor SpIDer Gate. But we don't know whether this component is available in the product in question.

Explanation №4. Let's assume that the user purchased and installed Dr.Web Security Space and is regularly updating it. Is that enough to keep the system secure? Well, that depends… During installation, users may choose not to install some of the components. If SpIDer Gate hasn't been installed, the files being loaded by browsers aren't scanned. They aren't saved on the disk, and that means they don't get examined by the Dr.Web SpIDer Guard file monitor (unless for some reason the browser does save files onto a disk).

We’ll discard the notion that a certain module has permanently been disabled. Modules stay disabled only until the next system restart. However, if the system hasn't been shut down or rebooted, a module can remain disabled for quite some time.

Explanation №5. Exceptions. We’ve warned users so many time about this, you would think they’d have gotten the message, but alas:

An anti-virus is installed, and all the programs are running smoothly…

Explanation №6. The computer was compromised, and the anti-virus settings were altered.

Because only a user with local administrator permissions could do that, only two options remain: a system vulnerability was exploited remotely to acquire administrator credentials, or the administrator account login and password ended up in the hands of a third party. An attacker gained access to the server and deployed the file on the disk (manually) and made sure that it would be launched automatically.

Explanation №7. Different users use different settings. As the program's name indicates, Tool.BtcMine.1051 belongs to a category of potentially dangerous programs. Anti-viruses may not handle programs of this kind the same way they handle infected objects. It’s entirely possible that the anti-virus on the user's end is set to ignore programs from this category because the user ran another potentially dangerous utility, such as a VPN client application, in the system sometime in the past.

These are just possible scenarios that quickly come to mind—sooner or later all these incidents find their way into our technical support service’s “in box”. With regards to the incident we've been examining here, the problem emerged because the HTTP monitor SpIDer Gate was not installed in the user’s system.