Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

The symptoms and the diagnosis

Read: 8877 Comments: 2 Rating: 10

Friday, March 30, 2018

People ask our support service to help them solve all kinds of problems. For example:

When I access a site on my computer, the CPU load spikes to 100%. I am the site’s owner, and I use the computer to manage its content. If I go to the site from a different computer that has DRWEB running on it, the anti-virus blocks my access to the site and displays a message saying that it detected Trojan Tool.BtcMine.1051. However, on my computer, the site doesn't get blocked, and no threats are detected during scanning.

Let's try to guess what’s happening here. We'll try to factor in all the possibilities.

Explanation №1. The user hasn't updated their anti-virus or their license has expired. Can this happen? Definitely! Sometimes users ignore changes in the anti-virus icon's appearance and Dr.Web's notifications. If the virus databases are outdated, naturally brand new malware won't be detected.

Explanation №2. The user's computer is infected, and a malicious process is preventing the anti-virus from downloading updates and/or is using evasion techniques to disguise itself. Is that possible? Probably not: most rogue mining applications don't try too hard to conceal their presence. But over time, mining applications evolve. They are learning to keep a low profile—some people are already calling them stealth miners—and are trying to keep anti-viruses from doing their job (by terminating running processes and blocking access to various sites and servers).

Explanation №3. What anti-virus are we talking about? The user referred to it as "DRWEB". But that’s not the name of a product, and we have no way of knowing what protection components it includes (and whether they are running or not). The user is clearly experiencing problems involving downloading content from a certain site, which at a minimum should be scanned by the HTTP monitor SpIDer Gate. But we don't know whether this component is available in the product in question.

Explanation №4. Let's assume that the user purchased and installed Dr.Web Security Space and is regularly updating it. Is that enough to keep the system secure? Well, that depends… During installation, users may choose not to install some of the components. If SpIDer Gate hasn't been installed, the files being loaded by browsers aren't scanned. They aren't saved on the disk, and that means they don't get examined by the Dr.Web SpIDer Guard file monitor (unless for some reason the browser does save files onto a disk).

We’ll discard the notion that a certain module has permanently been disabled. Modules stay disabled only until the next system restart. However, if the system hasn't been shut down or rebooted, a module can remain disabled for quite some time.

Explanation №5. Exceptions. We’ve warned users so many time about this, you would think they’d have gotten the message, but alas:

The anti-virus log indicates that drives C:, D: and E: were added onto the exceptions list in their entirety as were the pathnames C:\Windows\Temp and C:\Windows\System32, i.e., anti-virus disk monitoring with SpIDer Guard was disabled completely.

An anti-virus is installed, and all the programs are running smoothly…

Explanation №6. The computer was compromised, and the anti-virus settings were altered.

Because only a user with local administrator permissions could do that, only two options remain: a system vulnerability was exploited remotely to acquire administrator credentials, or the administrator account login and password ended up in the hands of a third party. An attacker gained access to the server and deployed the file on the disk (manually) and made sure that it would be launched automatically.

Explanation №7. Different users use different settings. As the program's name indicates, Tool.BtcMine.1051 belongs to a category of potentially dangerous programs. Anti-viruses may not handle programs of this kind the same way they handle infected objects. It’s entirely possible that the anti-virus on the user's end is set to ignore programs from this category because the user ran another potentially dangerous utility, such as a VPN client application, in the system sometime in the past.

These are just possible scenarios that quickly come to mind—sooner or later all these incidents find their way into our technical support service’s “in box”. With regards to the incident we've been examining here, the problem emerged because the HTTP monitor SpIDer Gate was not installed in the user’s system.

#Dr.Web_settings #support

The Anti-virus Times recommends

If, when you were installing the anti-virus, you chose not to install some of its components, you can always install them later. Go to Control Panel → Programs and Features; find Dr.Web on the list of installed applications, and select Modify. Then follow the Installation Wizard’s instructions to install the components.

If you’re using a Dr.Web Anti-virus that doesn't include certain security features, you can always upgrade it to the comprehensive security solution Dr.Web Security Space.

And if you contact our technical support service, we urge you to specify the exact name of the product you’re using, and don’t forget to attach the anti-virus's log file to your request. This will save us a lot of time and energy.


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.