Other issues in this category (40)
Similar but not the same
Tuesday, April 23, 2019
When I scanned my laptop, the anti-virus found the 2a3a63.msi
file in the windows/installer folder and claimed that it was
malicious. Because I am not an experienced user, I decided to
check it with the CureIt! utility. As a result, it found nothing,
and I didn't know what to do. Just now I decided to scan the
folder again and that very same file appears to be infected.
A request received by Doctor Web's
technical support service.
Dr.Web CureIt! enjoys worldwide popularity for a reason. There even exists a myth about its superiority over the conventional Dr.Web anti-virus. Is that true? Let's do a little research.
Appearance and updating routines aside, Dr.Web CureIt! is just an ordinary Dr.Web anti-virus scanner. There are some subtleties associated with how the executables are built, but they aren't relevant for our research.
Let's open the Dr.Web scanner settings in Dr.Web Security Space and scroll to the bottom where the list of additional features (scan installers, archives, emails) is located.
Now let's take a look at the Dr.Web CureIt! settings and go to the Exclusions tab.
See the difference? Dr.Web CureIt! is not supposed to scan archives and email files.
Here is the scan log of the installed Dr.Web anti-virus:
>>C:\Windows\Installer\2a3a63.msi\stream000 is CAB archive C:\Windows\Installer\2a3a63.msi\stream000\Id0d337b6f_1f9b_4431_9d3b_acc73359f50a - Ok C:\Windows\Installer\2a3a63.msi\stream000\Id1a536904_a703_4bfa_9bb2_bee736b15982 - infected with Trojan.Siggen8.6888 C:\Windows\Installer\2a3a63.msi\stream000\Id1a536904_a703_4bfa_9bb2_bee736b15982 - infected C:\Windows\Installer\2a3a63.msi\stream000 - infected archive C:\Windows\Installer\2a3a63.msi - infected container C:\Windows\Installer\2a3a63.msi - infected container - 1258ms, 3436544 bytes
The log shows that the option to scan archives is enabled and that the msi package has been examined. A CAB archive file was discovered inside, and its contents was extracted. The contents included the malicious payload.
And here is Dr.Web CureIt! The option to scan installers (.msi is an OLE container) is enabled, while the option to scan archives hasn't been toggled on:
>>C:\Windows\Installer\2a3a63.msi\stream000 is CAB archive C:\Windows\Installer\2a3a63.msi\stream000 - Ok C:\Windows\Installer\2a3a63.msi - Ok C:\Windows\Installer\2a3a63.msi - container >C:\Windows\Installer\2a3cb.msi is OLE container
That is to say the utility extracted the contents of the .msi package but didn't do the same thing with the .CAB file found inside the package.
And here is the reply from our technical support service
That's because Dr.Web Security Space is designed to conduct thorough, in-depth system scans. And although performance is also important, scanning quality has higher priority. Meanwhile, Dr.Web CureIt! is used when users suspect that their system may be infected. The utility must quickly discover an active infection or malicious files that can be launched instantly.
The Anti-virus Times recommends
Installing a good anti-virus is not enough to keep a system secure. It must also be configured properly to deal with the latest threats. You can take advantage of our Configure Dr.Web project. If you haven't joined yet, visit the project page to learn more about scanning exceptions and set up your Dr.Web to keep your system safe from encryption ransomware and rogue miners.