Apr 23 2010, 08:46 AM, Post #1
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
1) How does Bitdefender protect infected items detected during a scan from spreading, since it takes action at the end of the scan?
2) Sometimes Bitdefender displays a pop-up window upon detection of a threat, something like "Bitdefender has detected a threat and has blocked access to it" or "access to it is denied". What action (Clean, Quarantine or Delete) does Bitdefender perform on such infected files?
3) What is the purpose of "Quarantine" for infected files, and why can't they be deleted directly, since one can also manually delete these infected files from "Quarantine"?
4) How does Bitdefender protect its installation if the system is already badly infected?
May 19 2010, 08:36 AM, Post #2
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
Any reply to the above queries?
May 19 2010, 08:43 AM, Post #3
BitDefender Evangelist (Group: Regular Bitdefender Poster, Posts: 3,360, Joined: 27-March 07, From: Galați/Iași, România, Member No.: 60)
> 1) How does Bitdefender protect infected items detected during a scan from spreading, since it takes action at the end of the scan?

None. On-demand scans are targeted at detecting and removing inactive threats. If a certain infected file is active, or it is accessed by another (clean or malware) process, then BitDefender Realtime Protection will react, in which case an active prevention method will be started in order to block that request.

> 2) Sometimes Bitdefender displays a pop-up window upon detection of a threat, something like "Bitdefender has detected a threat and has blocked access to it" or "access to it is denied". What action (Clean, Quarantine or Delete) does Bitdefender perform on such infected files?

It depends on the Realtime Protection settings, which can be changed from BitDefender Security Center. By default, BitDefender will try to disinfect infected files and move suspected files to quarantine. Also, when BitDefender notifies you about a detected threat, the popup also contains information about the actions taken.

> 3) What is the purpose of "Quarantine" for infected files, and why can't they be deleted directly, since one can also manually delete these infected files from "Quarantine"?

Because automatic deletion is a very bad idea. In case of any false positive (which WILL happen, since no heuristic detection engine can be made 100% accurate), suspected files will be removed on sight. Which, of course, is not desired. It is recommended to leave the action set to:

> 4) How does Bitdefender protect its installation if the system is already badly infected?

If the BitDefender installer detects that the installation cannot be performed correctly, the installation is aborted and you are offered the choice of scanning online with BitDefender Online Scanner. This scanner is not as powerful as a complete version of BitDefender installed locally, but it is the best you can do from within an already compromised system. Alternatively, you can use the BitDefender Rescue Disc to scan the system from outside Windows, or contact BitDefender Support for advice. Every infection is different, so there is no unique and ultimate solution/answer to this question. Specific action should be taken for specific infections.

Cris.
May 26 2010, 04:14 AM, Post #4
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
Hello Cris

Why does Bitdefender sometimes quarantine "autorun.inf" files, as they have very little chance of being a false positive and being declared clean in future? Also, how can I protect my PC from autorun.inf if Bitdefender doesn't have its signature?
May 26 2010, 06:16 PM, Post #5
BitDefender Evangelist (Group: Regular Bitdefender Poster, Posts: 3,360, Joined: 27-March 07, From: Galați/Iași, România, Member No.: 60)
That is the generic case. As a user, you are absolutely free to set the product as you like and as you see fit for your purpose. What I said above are my recommendations.

Those files are probably moved to quarantine, either because the disinfection routine for that infection states that infected files should be quarantined, or because the primary action fails and you have set the secondary action to "move to quarantine". As long as the system remains clean, the purpose of the antivirus has been met.

Cris.
Jun 4 2010, 04:40 AM, Post #6
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
Hello Cris

How can I protect my PC from autorun.inf if Bitdefender doesn't have its signature, as Bitdefender has no option to block removable media from autorunning? I have some autorun.inf files not detected by Bitdefender. How may I send you these?
Jun 4 2010, 07:27 AM, Post #7
Newbie (Group: Members, Posts: 15, Joined: 5-April 10, From: Damoh(M.P), India, Member No.: 33,180)
@ONT and all people...

Actually "autorun.inf" files are not the virus. The main virus executable file is always hidden. The function of the "autorun.inf" file is to initiate the startup of the main virus executable file when you plug the device into your system or double-click on it (the device may be a CD-ROM, removable drive or hard drive partition). "autorun.inf" files are used to initiate the startup automatically on insertion of the media. The structure of the code in any autorun.inf file is:

---------------------------------------------
[autorun]
start=path\any program.exe
---------------------------------------------

You can even make it using Notepad and saving it as "autorun.inf". You can start any program you want by using "autorun.inf" files when you insert your removable media. If the antivirus is deleting the "main virus executable file" and not the autorun.inf file, then don't worry: it is doing its job fully and you are totally safe.

You can configure your removable media so that no autorun.inf file can be written on your media. Simply make a FOLDER named "autorun.inf" in your removable media, and you will be safe from autorun.inf files.
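An added example (not code from the post or from any Bitdefender product): a small Python inspector that reads the [autorun] section described above and reports which program the file would launch, so a defender can triage an autorun.inf found in a drive root. The sample file content is constructed; the "start" key name from the post is checked alongside the "open" and "shellexecute" keys that Windows actually honours, and the parser tolerates junk lines and odd casing, which a strict INI parser would reject.

```python
# Added example: inspect an autorun.inf and report the program it would launch.
# The sample below is constructed for this demonstration.
SAMPLE_AUTORUN_INF = """\
; constructed sample in the layout the post describes
[AutoRun]
OPEN=RECYCLER\\S-1-5-21-99\\setup.exe
shellexecute=RECYCLER\\S-1-5-21-99\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Photos
"""

# "open" and "shellexecute" are the keys Windows honours; "start" is the key
# name used in the post above, so it is checked as well.
LAUNCH_KEYS = ("open", "shellexecute", "start")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(inf_text: str) -> dict[str, str]:
    """Return key/value pairs from the [autorun] section, tolerating the junk
    lines and mixed casing often seen in such files."""
    section = None
    found: dict[str, str] = {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # keyless garbage lines are ignored
        key, _, value = line.partition("=")
        found[key.strip().lower()] = value.strip()
    return found


def launch_targets(inf_text: str) -> dict[str, str]:
    """Only the keys that cause a program to run; icon/label are cosmetic."""
    return {k: v for k, v in parse_autorun(inf_text).items() if k in LAUNCH_KEYS}


def verdict(inf_text: str) -> str:
    """One-line triage summary: does the file try to run something, and what?"""
    targets = launch_targets(inf_text)
    if not targets:
        return "no launch key: cosmetic autorun.inf (icon/label only)"
    exe = [v for v in targets.values() if any(s in v.lower() for s in EXECUTABLE_SUFFIXES)]
    if exe:
        return "launches executable: " + ", ".join(sorted(set(exe)))
    return "launch key present: " + ", ".join(f"{k}={v}" for k, v in sorted(targets.items()))


if __name__ == "__main__":
    print(verdict(SAMPLE_AUTORUN_INF))
```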
Jun 4 2010, 09:52 AM, Post #8
BitDefender Evangelist (Group: Regular Bitdefender Poster, Posts: 3,360, Joined: 27-March 07, From: Galați/Iași, România, Member No.: 60)
You can also simply completely disable the autorun functionality of your system. This way, even if you connect an already infected removable device, the system will simply ignore the autorun script. Details about how this is done depend on the operating system. Google it. There are plenty of sites which present this procedure.

Cris.
Jun 4 2010, 10:33 AM, Post #9
Regular Poster (Group: Regular Bitdefender Poster, Posts: 282, Joined: 28-February 09, Member No.: 22,184)
> You can configure your removable media so that no autorun.inf file can be written on your media. Simply make a FOLDER named "autorun.inf" in your removable media, and you will be safe from autorun.inf files.

That's an interesting approach, haven't heard of it before. How exactly does that protect you from getting autorun.inf files written on the removable media? If you can explain.
Jun 4 2010, 12:36 PM, Post #10
BitDefender Evangelist (Group: Regular Bitdefender Poster, Posts: 3,360, Joined: 27-March 07, From: Galați/Iași, România, Member No.: 60)
Because everything in the file system is a file (thus the name "file system"). Folders are also files, with a special FOLDER attribute.

Therefore, since you already have a file named autorun.inf in the root of your removable device, another file with the same name cannot be created. And since that file is marked as a folder, it cannot be overwritten without the folder attribute (so it cannot be changed from a "folder" into a "file"). A similar approach would be to create a normal autorun.inf file and mark it as Read-Only.

However, both these methods can be very easily bypassed, because a malware can just remove the pre-existing file (or folder) and recreate it from scratch.

More advanced methods to counter these actions were implemented in so-called "removable device immunization" software, which somehow "plays" with the internal structure of the file system, making a folder containing a special structure inside, then specifically changing the file table so that the folder shows up as a file in the file system. The result is a file that cannot be touched by basic WinAPI calls (because they were not designed to handle such specially crafted files), so almost no malware will be able to remove it. However, even though this type of immunization is marketed as "foolproof", which cannot be undone, it can be reverted by someone who knows how to use a hex editor to edit the raw information within the file table. And since this can be done manually, it only means that it can also be done automatically.

Also, I personally recommend great care when/if using such immunization software. If you use it on devices that were designed to browse their own memory (such as portable media players, camera memory cards, phone memory cards, and so on), those devices might not be able to "understand" and handle correctly such file system modifications, which might result in operation problems or even data loss.

Cris.
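An added example (not from the post or from any Bitdefender product) that reproduces the name-collision argument above in a throw-away directory standing in for a drive root: a folder named autorun.inf blocks the ordinary create-new-file call, a single remove call defeats it, and so a defender should periodically verify that the placeholder is still a directory rather than trust it. The payload and function names are mine; the script runs on any OS, since the collision is a file-system rule rather than a Windows one.

```python
import os
import tempfile
from pathlib import Path

# Added example: the "folder named autorun.inf" placeholder from the posts above.
PAYLOAD = "[autorun]\nopen=setup.exe\n"  # constructed stand-in for a dropped autorun.inf


def place_folder_guard(root: Path) -> Path:
    """Occupy the name autorun.inf with an (empty) directory."""
    guard = root / "autorun.inf"
    guard.mkdir()
    return guard


def try_write_autorun(root: Path, payload: str) -> bool:
    """Model a program creating autorun.inf with the plain create-new call.
    Returns True only if a fresh file was actually written."""
    try:
        with open(root / "autorun.inf", "x", encoding="ascii") as fh:  # "x": fail if name is taken
            fh.write(payload)
        return True
    except (FileExistsError, IsADirectoryError, PermissionError):
        return False


def try_write_after_removing(root: Path, payload: str) -> bool:
    """The weakness the post describes: whatever holds the name can be removed first."""
    target = root / "autorun.inf"
    if target.is_dir():
        os.rmdir(target)  # an empty placeholder folder goes away with one call
    elif target.exists():
        target.unlink()  # a plain placeholder file likewise (Read-Only would be cleared first on Windows)
    return try_write_autorun(root, payload)


def guard_status(root: Path) -> str:
    """What a periodic integrity check of the drive root should report."""
    target = root / "autorun.inf"
    if target.is_dir():
        return "guard present"
    if target.is_file():
        return "replaced by file"
    return "missing"


def demo() -> dict[str, object]:
    """Run the whole sequence in a temporary directory and return the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        place_folder_guard(root)
        blocked = not try_write_autorun(root, PAYLOAD)  # guard holds against a plain create
        before = guard_status(root)
        bypassed = try_write_after_removing(root, PAYLOAD)  # remove-then-recreate succeeds
        after = guard_status(root)  # the check is what reveals the swap
    return {"blocked": blocked, "before": before, "bypassed": bypassed, "after": after}
```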
Jun 4 2010, 12:48 PM, Post #11
Regular Poster (Group: Regular Bitdefender Poster, Posts: 282, Joined: 28-February 09, Member No.: 22,184)
Understood. Thanks for the detailed explanation, Cris.
Jun 12 2010, 04:07 AM, Post #12
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
Hello Cris

I have some autorun.inf files undetected by Bitdefender. How may I send them to you?
Jun 17 2010, 04:28 AM, Post #13
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
> That is the generic case. As a user, you are absolutely free to set the product as you like and as you see fit for your purpose. What I said above are my recommendations. Those files are probably moved to quarantine, either because the disinfection routine for that infection states that infected files should be quarantined, or because the primary action fails and you have set the secondary action to "move to quarantine". As long as the system remains clean, the purpose of the antivirus has been met. Cris.

Hello Cris

Kindly see the attachment. As you can see, the settings are the same for both autorun.inf files detected, but one is deleted while the other one is moved to quarantine. Why? Is there a difference in the type of infection, or anything else?

Attached File(s)
Aug 19 2010, 05:47 AM, Post #14
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
> That is the generic case. As a user, you are absolutely free to set the product as you like and as you see fit for your purpose. What I said above are my recommendations. Those files are probably moved to quarantine, either because the disinfection routine for that infection states that infected files should be quarantined, or because the primary action fails and you have set the secondary action to "move to quarantine". As long as the system remains clean, the purpose of the antivirus has been met. Cris.

Hi Cris

I have autorun files which have exactly the same code except for the executables, but one of them is deleted while the other one is moved to quarantine. Why is this so?
Jan 2 2012, 03:20 PM, Post #15
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
> Because everything in the file system is a file (thus the name "file system"). Folders are also files, with a special FOLDER attribute. Therefore, since you already have a file named autorun.inf in the root of your removable device, another file with the same name cannot be created. And since that file is marked as a folder, it cannot be overwritten without the folder attribute (so it cannot be changed from a "folder" into a "file"). A similar approach would be to create a normal autorun.inf file and mark it as Read-Only. However, both these methods can be very easily bypassed, because a malware can just remove the pre-existing file (or folder) and recreate it from scratch.
>
> More advanced methods to counter these actions were implemented in so-called "removable device immunization" software, which somehow "plays" with the internal structure of the file system, making a folder containing a special structure inside, then specifically changing the file table so that the folder shows up as a file in the file system. The result is a file that cannot be touched by basic WinAPI calls (because they were not designed to handle such specially crafted files), so almost no malware will be able to remove it. However, even though this type of immunization is marketed as "foolproof", which cannot be undone, it can be reverted by someone who knows how to use a hex editor to edit the raw information within the file table. And since this can be done manually, it only means that it can also be done automatically.
>
> Also, I personally recommend great care when/if using such immunization software. If you use it on devices that were designed to browse their own memory (such as portable media players, camera memory cards, phone memory cards, and so on), those devices might not be able to "understand" and handle correctly such file system modifications, which might result in operation problems or even data loss. Cris.

Has the same technique been implemented in Bitdefender USB Immunizer?
Jan 4 2012, 01:23 PM, Post #16
Bitdefender Support (Group: Root Admin, Posts: 13,563, Joined: 27-January 08, From: BitDefender HQ, Member No.: 9,374)
Hi ONT

Bitdefender USB Immunizer has a different approach to the autorun.inf file. Basically, it will modify a registry key in Windows and, if the user wants, it can also create those files on each external device. The most important thing is to turn off the functionality in Windows. In this way, if the USB stick is infected, the autorun.inf file will be ignored and the malware cannot run automatically. Thank you.
Apr 12 2012, 07:19 PM, Post #17
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
1) Does quarantining the virus also clean its traces from the system?
2) What exactly is meant by denying access to the suspected files? Is it not better to quarantine that file rather than deny access?
3) During the heuristic analysis, the suspected samples are executed in some virtual environment, so how many times are they executed? I mean, is it possible that a virus can deceive the heuristic environment, e.g. if the suspected samples are executed in the virtual environment only once but the virus is programmed to be active when it is executed, let's say, the third time?
Apr 13 2012, 04:41 PM, Post #18
Bitdefender Support (Group: Root Admin, Posts: 13,563, Joined: 27-January 08, From: BitDefender HQ, Member No.: 9,374)
Hello Omer

Welcome back.
1. Yes, all detected traces left by the malware will be sent to quarantine or deleted.
2. By denying access, Bitdefender stops all the system resources from accessing that particular file.
3. Some types of malware can't be executed in a virtual environment. The malware code has an embedded function and, if a virtual environment is detected (like a virtual machine), the malware won't be executed. If the same file is executed in a real environment, it will infect that machine. Depending on the routine or the file type, the sample will be executed once or more than once in the virtual environment (using B-HAVE - Behavioral Heuristic Analyzer in Virtual Environments).
Take care.
Apr 18 2012, 02:36 PM, Post #19
Guru Poster (Group: Regular Bitdefender Poster, Posts: 2,126, Joined: 11-February 10, Member No.: 31,288)
During a scan, does the B-HAVE mechanism remain active after detecting a threat, or does it re-open when another threat is found?

This post has been edited by ONT: Apr 18 2012, 02:37 PM
Apr 18 2012, 02:42 PM, Post #20
Bitdefender Support (Group: Root Admin, Posts: 13,563, Joined: 27-January 08, From: BitDefender HQ, Member No.: 9,374)
Hello

As long as Active Virus Control is active, B-HAVE is always active. Take care.