Beyond X wrote:
> Recently Norton Internet Security turned up several malware, mostly
> Trojan Horses. When I searched the files exposed by Norton using
> Explorer\Search, it failed to find any of them. Are those malware files
> invisible to Explorer? How can Norton find them and identify their
> names and locations?
Well, did you configure Norton to automatically delete or quarantine the
files? Or did you configure Norton to prompt you for what action to
take? If configured to prompt, what did you select?
Did Norton find the malware in memory or when it scanned a file?
Programs can unroll other files out of their own files and load those.
That's how some game protection crap works. The file containing the
load gets run but it unrolls another file out of itself, loads that, and
runs it and it is the temporary file that is detected. The signature
for the bad file doesn't exist until it gets unrolled to get exposed.
Once the carrier is identified with a signature then it will be
detected, too, but only if Norton actually scans that file. So did you
make sure to update Norton? Afterward did you do a FULL scan of your
host's drives - all of them - and include all files and have it drill
into EVERY archive filetype, not just executables or what might be in
some "common" filetypes?
Does Norton let you do a boot-time scan? If a rootkit got delivered as
a file I/O handler then it can mask files out of the file system. They
are there but you won't see them using normal end-user tools that query
the file system through standard system calls. A boot-time scan can
catch these pests, although it can still fail to detect them; running a
bootable CD or flash drive from which you run the anti-virus program
(and not from within the OS itself that is infected, or even inside a
partial load of it with a boot-time scan) is the only way to detect the
pest *if* a signature is known for it (since heuristics cannot be used
when scanning a quiescent OS). Booting a different OS from CD, flash
drive, or a loader that usurps the MBR bootstrap code to let you run the
AV program before the OS can load can make sure that no rootkit is
active when you are trying to detect it. Avast has a boot-time scan
(loads early in Windows startup but after kernel loads). Microsoft
Security Essentials and many other AV products don't have a boot-time
scan.
Did this just happen right before you posted here? Zero-day attacks can
happen, and that is why signature-based scanners won't catch them. Could be
Norton detected the pest based on heuristics but we do not (and you seem
to not) know how Norton is configured as to what action it takes and
what action you committed when prompted.
I haven't used anything Norton in about a decade. Symantec has its own
contact web form and (back when I used Norton) it only took 1 to 3 days
for them to respond. Of course, I had a paid license and not an expired
or pirated copy of their work. I took a very short peek at their site
and they certainly don't make it easy to find a web form to submit tech
support questions or even list a contact page for tech support where
you'll pay them to answer if you haven't already consumed whatever
support ticket count, if any, is included in a retail version of
whatever Norton product you have (no support is included if it is an OEM
version you bought or some bloatware pre-installed on a branded host,
since that is an OEM version). I used their Contact Link (light grey at
bottom of their web pages), Top Tech Issues, selected a product (might
not be what you have), clicked on a topic, and then answered No. They
want you wasting time in their online FAQs before they give you contact
info. By saying "No, it didn't help" then they give you a web page with
a Chat button and others to list e-mail and phone support options.
You could ask in their forums but you'll have to give a lot more details
than you gave here, like how Norton was configured for what actions it
takes, what action you selected when prompted, what version of what
Norton product (Norton is a brand name, NOT a product name), if you
updated it, if you ran a manual and full scan, your OS and version and
service pack level, just WHAT malware was reported, and any other
details you can remember.
(http://community.norton.com/norton/?category.id=nis)
Did you even configure Windows Explorer to show hidden and system files?
The file search in Windows XP got screwed up. In Windows 2000, the file
search looked for all files by the name you specified. In Windows XP,
its search will omit files for which no handler is defined (that can
load and use/view that file). So you can see a file listed in a DOS
shell using 'dir' commands but it won't show up in a file search even if
you explicitly specify that filename (i.e., don't use wildcards). To
overcome that **** up, you need a 3rd party file search program, like
Agent Ransack (free version of File Locator) which isn't crippled by
Microsoft's bad choices. If you installed Windows Search, Google
Desktop, Copernic, or some other file indexing program and are using it
for searching files, not all files may be listed by them, either. Use
Agent Ransack or a better search tool. But, at least, make sure you
configured Windows Explorer to show all files. Yet that may still not
work. Windows Explorer is configured to ignore many "system" folders,
like IE's TIF folder. Even if you enter the path to it in Windows
Explorer's address bar, it still hides subfolders. Same for subfolders
under the Recycle Bin (and where a file search might not look but where
a deleted copy of the infected file might reside). That's why I use
Agent Ransack because it isn't crippled by some bad decisions by
Microsoft; however, those decisions were an attempt to keep users from
shooting themselves in their own foot and screwing up their OS or its
expected and wanted behaviors.
Also remember that it is possible that the infected file got deleted by
Norton (or you, depending on what action you elected) but still resides in
the restore points for System Restore. You need to shut off that
service so it deletes its restore points and starts anew (after you are
sure the pest isn't there anymore). Backups can similarly contain
infected files, so restoring from them could re-infect you.
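Added example (not part of the post above, and not Norton's or anyone's product code): the "listing from inside the OS versus listing from boot media" comparison the reply describes, done as a cross-view diff. It assumes each listing is a text file in a size<TAB>digest<TAB>path format that you produce yourself with whatever enumeration tool you trust; the two listings embedded here are constructed sample data, as are the file names and digests in them. Entries that the offline view has but the live view lacks are either genuinely masked (a rootkit filtering directory enumeration) or sitting somewhere the live listing could not reach, such as System Volume Information restore points or the Recycle Bin, which the tagging below separates out.

```python
"""Cross-view listing diff: live-OS enumeration versus offline enumeration.

Both listings below are CONSTRUCTED sample data in an assumed
"size<TAB>digest<TAB>path" format, one entry per line, '#' for comments.
The digests are illustrative strings, not real SHA-256 values.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a listing tool run inside the running OS returned.
LIVE_LISTING = """
# size\tdigest\tpath
12288\t3f2a9c1e7b5d4a60\tC:\\Windows\\System32\\drivers\\null.sys
87040\t9d0e1b2c3a4f5e6d\tC:\\Windows\\System32\\example.dll
4096\t7777777777777777\tC:\\Windows\\Temp\\tmp0001.tmp
"""

# Constructed sample: the same volume enumerated after booting rescue media.
OFFLINE_LISTING = """
# size\tdigest\tpath
12288\t3f2a9c1e7b5d4a60\tC:\\Windows\\System32\\drivers\\null.sys
90112\t0c1d2e3f4a5b6c7d\tC:\\Windows\\System32\\example.dll
20480\tdeadbeefcafef00d\tC:\\Windows\\System32\\drivers\\masked-example.sys
20480\tdeadbeefcafef00d\tC:\\System Volume Information\\_restore{0000}\\RP1\\A0000001.sys
1536\t1111111111111111\tC:\\RECYCLER\\S-1-5-21-0\\Dc1.exe
"""

Entry = Tuple[int, str]          # (size in bytes, digest string)
Listing = Dict[str, Entry]       # normalised path -> entry


def normalise(path: str) -> str:
    """Windows paths are case-insensitive; treat both separators alike."""
    return path.strip().replace("/", "\\").lower()


def parse_listing(text: str) -> Listing:
    """Parse the assumed size<TAB>digest<TAB>path format into a dict."""
    entries: Listing = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        size, digest, path = line.split("\t", 2)
        entries[normalise(path)] = (int(size), digest.strip().lower())
    return entries


def special_location(path: str) -> Optional[str]:
    """Tag copies that live where Explorer and file search tend not to look."""
    p = normalise(path)
    if "\\system volume information\\" in p:
        return "restore-point copy"
    if "\\recycler\\" in p or "\\$recycle.bin\\" in p:
        return "recycle-bin copy"
    return None


def cross_view_diff(live: Listing, offline: Listing) -> Dict[str, List[str]]:
    """Compare the two views.

    masked_from_live : present offline, absent live (rootkit filtering, or an
                       area the live listing could not read)
    only_in_live     : present live, absent offline (files created since)
    content_mismatch : same path, but size or digest differs between views
    """
    live_keys, off_keys = set(live), set(offline)
    return {
        "masked_from_live": sorted(off_keys - live_keys),
        "only_in_live": sorted(live_keys - off_keys),
        "content_mismatch": sorted(
            p for p in live_keys & off_keys if live[p] != offline[p]
        ),
    }


def find_by_name(listing: Listing, filename: str) -> List[str]:
    """Every path whose basename matches, e.g. the name an AV alert reported."""
    want = filename.lower()
    return sorted(p for p in listing if ntpath.basename(p) == want)


def find_by_digest(listing: Listing, digest: str) -> List[str]:
    """Every path with the same content digest: catches renamed or restore-point copies."""
    want = digest.lower()
    return sorted(p for p, (_, d) in listing.items() if d == want)


def run_report() -> dict:
    """Run the whole comparison over the constructed sample listings."""
    live, offline = parse_listing(LIVE_LISTING), parse_listing(OFFLINE_LISTING)
    report: dict = cross_view_diff(live, offline)
    # Separate "could not be read from inside the OS" from "really masked".
    report["masked_tags"] = {
        p: special_location(p) or "masked in live view"
        for p in report["masked_from_live"]
    }
    report["name_hits"] = find_by_name(offline, "masked-example.sys")
    report["digest_hits"] = find_by_digest(offline, "deadbeefcafef00d")
    return report


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Replace the two embedded strings with the contents of your own listing files to use this for real; the digest search is what finds the deleted file's twin inside a restore point even after the original path is gone.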