Kaseya Community

Resident Shield (Real-time) not detecting virus

  • We have a hefty number of machines on which Resident Shield is not detecting known viruses. All machines are running AVG 9.0 with the latest updates. In our profile we have Resident Shield enabled with "Scan all files" selected. Also, we have Scan for Tracking Cookies, Scan Potentially Unwanted Programs and Spyware threats, and Use Heuristics enabled. Is AVG Resident Shield detecting viruses for anyone else?

    Legacy Forum Name: Resident Shield (Real-time) not detecting virus,
    Legacy Posted By Username: jmbball87
  • This seems to be a continuation of this thread and one other that I started but didn't gain the same momentum...

    I use the following snippet to test real-time scanning:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    Save as a .txt or .com file.

    Legacy Forum Name: KES,
    Legacy Posted By Username: thirteentwenty
  • I have been using the same snippet to test real-time scanning and AVG does not detect it at all. Other A/V solutions do detect the file and quarantine it immediately. I saw the other thread, but it started to go away from the main subject, AVG real-time scanning.

    Legacy Forum Name: KES,
    Legacy Posted By Username: jmbball87
  • thirteentwenty
    This seems to be a continuation of this thread and one other that I started but didn't gain the same momentum...

    I use the following snippet to test real-time scanning:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    Save as a .txt or .com file.




    FYI... I copied & pasted these characters into Notepad and saved them as a .txt file on my desktop. I could open, save and close the file with no warnings or AV interaction.

    Then I renamed that file from text.txt to test.com. Immediately, the file icon disappeared from the desktop, and a popup message from AVG in the system tray showed "Resident Shield, Threat Detected".

    Legacy Forum Name: KES,
    Legacy Posted By Username: lwolf
  • We have had machines hit with this Fake AV program virus and KES does not detect it at all - not even if you run a full scan. Really worrying.

    Legacy Forum Name: KES,
    Legacy Posted By Username: mmartin
  • mmartin
    We have had machines hit with this Fake AV program virus and KES does not detect it at all - not even if you run a full scan. Really worrying.

    We've been seeing the same thing. However, we also see it on our sites that use Symantec, so it seems no major AV solution is catching it.

    Legacy Forum Name: KES,
    Legacy Posted By Username: jasonp
  • Let me know if you find an antivirus software that can stop the Fake Antivirus 2009. We have been looking at web security software for our clients.



    Here is a good discussion: http://community.kaseya.com/xsp/f/132/t/6813.aspx

    Legacy Forum Name: KES,
    Legacy Posted By Username: GDRBrian
  • We had a computer get infected with Vundo that had AVG 9.0 with up-to-date defs.

    Legacy Forum Name: KES,
    Legacy Posted By Username: cnwicsurrett
  • We have also had a number of systems infected recently that were running either KES/AVG 8.5 or 9.x with up-to-date signatures and still got infected. We even have WebShield enabled, but some stuff that seems obvious is still getting through more often than we'd expect.

    Legacy Forum Name: KES,
    Legacy Posted By Username: kentschu
  • Depending on AV to provide full protection is a losing proposition these days.

    Think about a multi-faceted defence strategy:

    • AV
    • Web URL filtering

      • Firewall
      • DNS - OpenDNS or other

    • Malware Removal tools run on a schedule (Additional $$$ for licenses)

      • Malwarebytes
      • SuperAntiSpyware
      • ComboFix
      • others

    • Take away local admin if feasible
    • Try to get budget for moving to Windows 7 and again run as standard users
    • Ongoing education of users on using the web and email to avoid malware

    I'm sure others can add to this.

    But thinking that your AV is going to keep things safe is going to result in continuing infections.

    Legacy Forum Name: KES,
    Legacy Posted By Username: smbtechnology
  • I've seen a lot of machines with the fake AV programs; they do a good job of interfering with existing AV programs. Used to make lots of break-fix money at a local repair shop from these.

    The best way to remove them is to format and reload the OS.

    The next best way is to disinfect the drive from another OS. Specifically, remove the drive, connect it to another computer (hold Shift when it's mounting!!! better yet, disable autorun/autoplay), and clean it using that machine's AV software. Alternatively (and somewhat preferred), use a live CD (or USB equivalent, I've used HBCD on USB in the past) to boot the machine and clean from there.
    At that point, it's just a matter of cleaning out all the startup errors and restoring the desktop. SFF/MBAM is a good combo that sometimes works from safe mode, but the best results usually come from external mounting.

    Legacy Forum Name: KES,
    Legacy Posted By Username: dwujcik
  • The original post was back in 2010 and I can say, being 2012 now, we have the same problem.

    We have had a client get infected with a virus, even though they had KAM and KES installed on their machine. They want to know how this could have happened. So we got a copy of the executable and copied it to my desktop.

    When I extracted the zip file, the trojan virus was sitting on my desktop as a .exe file, yet AVG didn't find it. I checked and AVG Resident Shield is enabled - both in KES as well as AVG on my computer (screenshot attached).


    The thing is, if I right mouse click the file and choose "Scan with AVG", it does get detected as a Trojan.

    So it tells me definitions are working properly and it knows it's a Trojan. However, my concern is, why is REAL TIME SCAN NOT detecting it in the zip file or as a single .exe sitting on my desktop and removing it automatically before the user tries to execute it?

    [edited by: binh.tang at 4:46 PM (GMT -7) on 2 Aug 2012] Added attachments
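    The checks described earlier in this thread (the EICAR string saved as a .txt and as a .com file, where only the rename to .com triggered Resident Shield) and the question in the post above (an archived sample that on-demand "Scan with AVG" flags but the real-time shield ignores) can be reproduced with one small script. This is an added example, not code from any of the posters or from Kaseya or AVG: it writes the standard EICAR test string to a temporary directory as eicar.txt, eicar.com and inside eicar.zip, waits for the on-access scanner to react, and reports which files were removed, quarantined, blocked or altered. The file names, the wait time and the use of a temporary directory are assumptions; the EICAR string itself is the published test string and is harmless.

```python
"""Probe an on-access (real-time) scanner with the EICAR test file.

Writes the EICAR string under three names (.txt, .com, and inside a .zip),
waits, then reports for each file whether the scanner intervened.
Example code; the names, wait time and temp directory are assumptions.
"""
import os
import tempfile
import time
import zipfile

# Built from two halves so the script file itself does not contain the
# contiguous EICAR signature and get quarantined before it can run.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR.encode("ascii")


def write_test_files(directory):
    """Write eicar.txt, eicar.com and eicar.zip into directory; return {name: path}."""
    paths = {}
    for name in ("eicar.txt", "eicar.com"):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:          # bytes: EICAR must be the first 68 bytes
            fh.write(EICAR_BYTES)
        paths[name] = path
    zip_path = os.path.join(directory, "eicar.zip")
    with zipfile.ZipFile(zip_path, "w") as archive:
        archive.writestr("eicar.com", EICAR)  # the "sample inside an archive" case
    paths["eicar.zip"] = zip_path
    return paths


def file_was_blocked(path):
    """True if the scanner removed, quarantined, blocked or altered the file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return True                           # deleted, quarantined or access denied
    if path.endswith(".zip"):
        try:
            with zipfile.ZipFile(path) as archive:
                return archive.read("eicar.com") != EICAR_BYTES
        except zipfile.BadZipFile:
            return True                       # archive was altered
    return data != EICAR_BYTES                # content "cleaned" or truncated


def run_eicar_check(wait_seconds=5.0, directory=None):
    """Write the samples, give the on-access scanner time to react, and report.

    Returns {file name: blocked?}. A False for eicar.com is the result worth
    escalating: the scanner let an executable-extension test file stay on disk.
    """
    directory = directory or tempfile.mkdtemp(prefix="eicar-check-")
    paths = write_test_files(directory)
    time.sleep(wait_seconds)
    return {name: file_was_blocked(path) for name, path in paths.items()}


if __name__ == "__main__":
    for name, blocked in run_eicar_check().items():
        print(f"{name}: {'blocked' if blocked else 'NOT blocked'}")
```

    Run it on the endpoint under test as the ordinary user, with the temp directory left in place so you can see what the product did to each file. Read the three results together rather than in isolation: on-access scanners commonly act only on open, execute or close of files whose extension is on their "infectable" list, and many examine archives only when the contents are extracted, so a .txt or .zip surviving while .com is caught is usually a scope setting (such as "scan all files" versus "scan infectable files only" in the profile), not a dead shield. A file that is caught by a manual right-click scan but survives this check is the on-demand versus on-access gap the post above describes, and that is the case to raise with the vendor together with the profile settings in effect.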
  • We too have been having way too many virus infections even with kes and kam installed.