Your browser is obsolete!

The page may not load correctly.

Configure it!


Other issues in this category (40)
  • add to favourites
    Add to Bookmarks

Similar but not the same

Read: 17750 Comments: 2 Rating: 7

Tuesday, April 23, 2019

When I scanned my laptop, the anti-virus found the 2a3a63.msi
file in the windows/installer folder and claimed that it was
malicious. Because I am not an experienced user, I decided to
check it with the CureIt! utility. As a result, it found nothing,
and I didn't know what to do. Just now I decided to scan the
folder again and that very same file appears to be infected.

A request received by Doctor Web's
technical support service.

Dr.Web CureIt! enjoys worldwide popularity for a reason. There even exists a myth about its superiority over the conventional Dr.Web anti-virus. Is that true? Let's do a little research.

Appearance and updating routines aside, Dr.Web CureIt! is just an ordinary Dr.Web anti-virus scanner. There are some subtleties associated with how the executables are built, but they aren't relevant for our research.

Let's open the Dr.Web scanner settings in Dr.Web Security Space and scroll to the bottom where the list of additional features (scan installers, archives, emails) is located.


Now let's take a look at the Dr.Web CureIt! settings and go to the Exclusions tab.


See the difference? Dr.Web CureIt! is not supposed to scan archives and email files.

Here is the scan log of the installed Dr.Web anti-virus:

>>C:\Windows\Installer\2a3a63.msi\stream000 is CAB archive
C:\Windows\Installer\2a3a63.msi\stream000\Id0d337b6f_1f9b_4431_9d3b_acc73359f50a - Ok
C:\Windows\Installer\2a3a63.msi\stream000\Id1a536904_a703_4bfa_9bb2_bee736b15982 - infected with Trojan.Siggen8.6888
C:\Windows\Installer\2a3a63.msi\stream000\Id1a536904_a703_4bfa_9bb2_bee736b15982 - infected
C:\Windows\Installer\2a3a63.msi\stream000 - infected archive
C:\Windows\Installer\2a3a63.msi - infected container
C:\Windows\Installer\2a3a63.msi - infected container - 1258ms, 3436544 bytes

The log shows that the option to scan archives is enabled and that the msi package has been examined. A CAB archive file was discovered inside, and its contents was extracted. The contents included the malicious payload.

And here is Dr.Web CureIt! The option to scan installers (.msi is an OLE container) is enabled, while the option to scan archives hasn't been toggled on:

>>C:\Windows\Installer\2a3a63.msi\stream000 is CAB archive
C:\Windows\Installer\2a3a63.msi\stream000 - Ok
C:\Windows\Installer\2a3a63.msi - Ok
C:\Windows\Installer\2a3a63.msi - container
>C:\Windows\Installer\2a3cb.msi is OLE container

That is to say the utility extracted the contents of the .msi package but didn't do the same thing with the .CAB file found inside the package.

And here is the reply from our technical support service

That's because Dr.Web Security Space is designed to conduct thorough, in-depth system scans. And although performance is also important, scanning quality has higher priority. Meanwhile, Dr.Web CureIt! is used when users suspect that their system may be infected. The utility must quickly discover an active infection or malicious files that can be launched instantly.

#Dr.Web_CureIt! #anti-virus_scan #Dr.Web_settings #myth

The Anti-virus Times recommends

Installing a good anti-virus is not enough to keep a system secure. It must also be configured properly to deal with the latest threats. You can take advantage of our Configure Dr.Web project. If you haven't joined yet, visit the project page to learn more about scanning exceptions and set up your Dr.Web to keep your system safe from encryption ransomware and rogue miners.


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.