Thursday, August 25, 2016
Sometimes, even after a user chooses to delete a malicious program, the anti-virus keeps detecting it, often quite regularly at first. On various Internet sites, as well as in queries sent to Doctor Web's technical support service, users ask why this happens. There can be many reasons. Let's start with the most common ones.
- A malicious file can reside on removable media, in folders or on hard drives that have been excluded from anti-virus scanning. To solve this problem, check all disks and removable media with an anti-virus scanner or with the Dr.Web CureIt! utility, or use Dr.Web LiveDisk.
- The malicious file could reside on another computer on the local network and penetrate the system via a shared directory for which it has write permissions. If a malicious program persists on one computer, all the computers in the network neighbourhood should be scanned.
- A backup is used to automatically restore the malicious file. Windows makes use of automatic system restore; however, backups aren't checked for viruses. If a deleted malicious program has managed to infect an important system component, the operating system may try to restore that component, and the malware will be detected by the anti-virus while the restore is in progress. In this case, a full anti-virus system scan can solve the problem.
- Mistakes made when configuring the anti-virus. A typical example is a system protected only by an on-demand anti-virus scanner: files that have been cured can get infected again while the scan is still in progress.
Computers are often re-infected by bootkits, malicious programs that can modify boot sectors. For example, Trojan.GBPBoot.1 consists of several modules. The first module modifies the master boot record (MBR) on the hard disk and then writes the malicious installer code, the Trojan's automatic restore module, an archive containing the explorer.exe file, and the configuration data to the end of the appropriate partition (outside the file system). Then it copies the installer into a system folder, runs it, and deletes its own original file.
If for any reason the malicious service file is deleted (for example, by anti-virus software), the self-restore routine springs into action. The malicious MBR code written by the Trojan checks whether the malicious service file is present on the hard drive. If the file is not found, Trojan.GBPBoot.1 replaces explorer.exe with its own file, which incorporates the self-restore mechanism. That file is run at Windows startup. When launched, the malicious explorer.exe initiates the infection again, and then restores and launches the original explorer.exe.
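As an added illustration (not code from the article or from Doctor Web), this is the kind of integrity check a defender can run against the mechanism just described: compare the MBR boot code with a hash recorded while the machine was known to be clean, and report any sectors beyond the last partition, which is where this Trojan stores its restore payload. Reading the real MBR needs administrator rights (for example from \\.\PhysicalDrive0 on Windows); the MBR bytes and disk sizes below are constructed for the demo.

```python
import hashlib
import struct

def parse_mbr(mbr: bytes):
    """Split a 512-byte MBR into boot code, in-use partition entries and boot signature."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    boot_code, table, signature = mbr[:446], mbr[446:510], mbr[510:]
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", table, 16 * i)
        if ptype != 0:  # type 0x00 means the slot is unused
            parts.append({"type": ptype, "start": lba, "sectors": count})
    return boot_code, parts, signature

def check_mbr(mbr: bytes, baseline_sha256: str, disk_sectors: int) -> list:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    boot_code, parts, sig = parse_mbr(mbr)
    findings = []
    if sig != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(boot_code).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    if parts:
        last_end = max(p["start"] + p["sectors"] for p in parts)
        if last_end < disk_sectors:
            # Slack here is not proof of infection (alignment, vendor areas), but it is
            # where GBPBoot-style bootkits keep their restore payload, so flag it for review.
            findings.append(f"{disk_sectors - last_end} unallocated sectors after last partition")
    return findings

def make_sample_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Constructed single-partition MBR used only for this demo (not a real disk image)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", lba_start, sectors)
    return boot_code.ljust(446, b"\0") + entry + b"\0" * 48 + b"\x55\xaa"

CLEAN_CODE = b"constructed clean boot code"  # stands in for the real 446-byte boot code
CLEAN_MBR = make_sample_mbr(CLEAN_CODE, 2048, 100000)
BASELINE = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()  # record this while the disk is clean

def demo() -> list:
    """Constructed tampering: one patched boot-code byte plus space beyond the last partition."""
    tampered = bytearray(CLEAN_MBR)
    tampered[0] ^= 0xFF
    return check_mbr(bytes(tampered), BASELINE, disk_sectors=110000)
```

On the clean baseline with a disk of exactly 102048 sectors, check_mbr returns an empty list; demo() returns two findings.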
- An anti-virus detects a malicious file but can't remove it, either because it doesn't have sufficient permissions (to learn why this happens, please refer to the issue "A fish rots from the head down, and a smartphone from the root") or because an error occurred while curing and the user ignored the corresponding notification.
Situations of this kind aren't limited to PCs. They occur on handhelds too. For example, Android.Loki programs place some of their code in Android system areas that are not fully accessible to an anti-virus. If any of these programs is detected on a device, the best neutralisation strategy is to reflash the device with a genuine OS image.
The Anti-virus Times recommends
- Unfortunately, no anti-virus can detect 100% of the newest malicious programs. To reduce the risk of infection, restrict the permissions of the user accounts used on the system. If a user doesn't have administrative privileges, they will not be able to simply run any program without thinking, so vulnerability exploits will be the only means through which Trojans can infect the system. By restricting user permissions, you also reduce the risk of an infection caused by a phishing attack.
- Conduct full anti-virus system scans regularly, and install critical updates for all the programs you use (not only the anti-virus).