[davikokar]

Hallo,

I have an executable that is identified by the symantec endprotection as a Trojan Horse. I know that the probability of a false positive is quite high (it is identified as Trojan, but it might not be a Trojan). So I decide to run it anyway. After I run it, just to be sure that I was right in my assumption, I run a full scan of the machine. The result of the scan is that there is no malware on the machine.

At this point, can I be sure that I was right in my assumption ? I mean, if an antivirus identify a malware before it is installed, does it always identify it after it is installed ? Or there is a chance that a malware is visible only before it is installed ?

Thanks for explanations

[ElfBane]

Yes, there are false positives. In order to find out if the .exe you want to use is known by Symantec to cause false positives with their software,,, then you will have to ask around at the Symantec website. Or you could Google the .exe in question to see if it is known to cause false positives.

[mjd420nova]

Davikokar: Welcome to PC World forums. All virus scans should be run from the SAFE mode. One of the big indicators of an infection is that it will prevent any virus checkers from running or completing a scan. False positives may be just a missed permission or scan when incoming files are looked at by the program.

[LiveBrianD]

Try uploading the file to virustotal.com - that scans it with 40 or so different AV engines to give a second opinion.

Note: if your AV thinks the file is malicious, you'll probably have to disable it to prevent it from getting in the way.

This post has been edited by LiveBrianD: 15 November 2012 - 09:33 AM

[davikokar]

Hi all, thanks for your answers. They were usefull, but did really answer the question, that is more theoretical than practical. My question is: if an antivirus software identifies an executable as being infected by a malware, does this means that will also identify the malware also after it is installed? Or, in other words: can it be that an antivirus can detect a malware in an executable, but then it cannot remove the threats after the executable is run because it does not fin any ?

Thanks

[ElfBane]

davikokar, on 15 November 2012 - 11:11 PM, said:

Hi all, thanks for your answers. They were usefull, but did really answer the question, that is more theoretical than practical. My question is: if an antivirus software identifies an executable as being infected by a malware, does this means that will also identify the malware also after it is installed? Or, in other words: can it be that an antivirus can detect a malware in an executable, but then it cannot remove the threats after the executable is run because it does not fin any ?

Thanks

Question 1: maybe
Question 2: yes

Some AVs won't let you run a threat unless you snooze or disable the AV. Then again, some AVs might let you override the threat alert without having to disable the AV. Depends on what you have.

If the .exe you are trying to run comes from a RELIABLE company that you DL'd LEGITIMATELY from a non-warez site, then the chances are very good that the software is harmless... and that Symantec is calling a false positive.

Since you seem to be reluctant to tell us what you are trying to run, then I'll assume you are living on-the-edge, so to speak... so there is definite risk.

Hope this helps.

[davikokar]

OK,

I see. Well, the fact is that I was requested to "clean" a PC without any AV software on it. So, first thing, I installed one. When performing a full scan, some infected executable were found and successfully removed. But I don't know if these executables were once executed (to be on the safe side I assume they were). So this is the origin of the question. So, basically, in this situation the only way to be sure is the strategy "format and reinstall everything" ?

[ElfBane]

Yes, the only way to be sure is to use the nuclear option. But the nuclear option doesn't save their settings or data.

However, you can be reasonably certain a PC is clean by;

1. removing the suspect HDD and putting it in as a slave in another PC. Then run scans on it there. If that is not an option, then...

2. run an AV and clean up what it says to.

3. run MalwareBytes AntiMalware (free version), and clean up what it says to. I would also suggest MalwareBytes Super Anti-Spyware (free version) to be run also.

4. run a rootkit detector, there are several free ones on the web...try at least two.

5. run a registry cleaner. CCleaner is free and has worked well for me, BUT BACK UP THE HDD! A REGISTRY CLEANER CAN BRICK YOUR PC!!! RUN AT YOUR OWN RISK! Delete the entries CCleaner says to.

6. now, if the PC boots up normally, doesn't hijack your homepage when you launch your web browser, doesn't have random pop-ups to fishy websites,,, then I would say you can be reasonably certain the PC is clean.

Hope this helps.

[davikokar]

Thanks for the suggestions

[Flashorn]

Hey davikokar !

Welcome to PCWorld Community.

Your situation is not unique. I have cleaned PCs that did not have AVs installed and did not
have to resort to nuking the OS BUT, you should know that a PC without adequate protection
will get infected within three to four hours of internet surfing and sometimes faster depending on
the sites visited.

With this in mind and with the help you have received from ElfBane, you should be able to decide
if you really want to continue using this PC and feel safe doing so.

IF you decide to continue using this PC the way it is, I can help with cleaning with specialized
tools.

Up to you.



FLASHORN.