coolcool1227

Bitdefender Protection During Scan

22 posts in this topic

1) How does Bitdefender protect infected items detected during a scan from spreading, since it only takes action at the end of the scan?

2) Sometimes Bitdefender displays a pop-up window upon detection of a threat, something like "Bitdefender has detected a threat and has blocked access to it" or "access to it is denied". What action (Clean, Quarantine or Delete) does Bitdefender perform on such infected files?

3) What is the purpose of "Quarantine" for infected files, and why can't they be deleted directly, given that one can also manually delete these infected files from "Quarantine"?

4) How does Bitdefender protect its installation if the system is already badly infected?


Any reply to the above queries?

> 1) How does Bitdefender protect infected items detected during a scan from spreading, since it only takes action at the end of the scan?

None. On-demand scans are targeted at detecting and removing inactive threats. If a certain infected file is active, or it's accessed by another (clean or malware) process, then BitDefender Realtime Protection will react, in which case an active prevention method will be started in order to block that request.

> 2) Sometimes Bitdefender displays a pop-up window upon detection of a threat, something like "Bitdefender has detected a threat and has blocked access to it" or "access to it is denied". What action (Clean, Quarantine or Delete) does Bitdefender perform on such infected files?

It depends on the Realtime Protection settings, which can be changed from BitDefender Security Center. By default, BitDefender will try to disinfect infected files and move suspected files to quarantine.

Also, when BitDefender notifies you about a detected threat, the popup also contains information about the actions taken.

> 3) What is the purpose of "Quarantine" for infected files, and why can't they be deleted directly, given that one can also manually delete these infected files from "Quarantine"?

Because automatic deletion is a very bad idea. In case of any false positive (which WILL happen, since no heuristic detection engine can be made 100% accurate), suspected files will be removed on sight. Which, of course, is not desired.

It is recommended to leave the action set to:

  • novice users, or users who don't want to get too involved: "Disinfect" (the disinfection procedure depends on the type of malware detected, and might be anything from automatic deletion, moving to quarantine, file disinfection, or simply blocking access to the file)
  • medium users, or users who want a little bit more control over the actions taken: "Move to quarantine" (the file will be removed from its location, but can be recovered very easily, either manually or automatically, because BitDefender is set to re-scan quarantined items. In case a detection for a certain file is removed (because it was a false positive), clean quarantined files are automatically restored to their original locations)
  • advanced users: "Deny access and continue" (the file will be blocked on the spot, no other actions taken. All access to that file will be blocked, so the infection can't spread. Then the user can take manual action, by scanning that particular file, searching the web for a solution, or asking BitDefender support for advice)
  • totally NOT recommended: "Delete" (this action should be set only in extreme cases and should NOT, under any circumstances, be left permanently)

> 4) How does Bitdefender protect its installation if the system is already badly infected?

If the BitDefender installer detects that the installation cannot be performed correctly, the installation is aborted and you are offered the choice of scanning online with BitDefender Online Scanner. This scanner is not as powerful as a complete version of BitDefender installed locally, but it's the best you can do from within an already compromised system. Alternatively, you can use the BitDefender Rescue Disc to scan the system from outside Windows, or contact BitDefender Support for advice. Every infection is different, so there is no unique and ultimate solution/answer to this question. Specific action should be taken for specific infections.

Cris.

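To make the "Move to quarantine" behaviour described in the reply above concrete, here is an added Python example (not Bitdefender's code) of a minimal quarantine store: a detected file is moved out of its location under an opaque id, its original path, SHA-256 and detection name are recorded in a sidecar, and a re-scan callback decides whether an item goes back where it came from. The `is_clean` callback, the constructed sample file and the detection name are assumptions of the example, not anything Bitdefender exposes.

```python
"""Minimal quarantine store modelled on the thread's description of
"Move to quarantine" (added example, not Bitdefender code)."""
import hashlib
import json
import shutil
import tempfile
import uuid
from pathlib import Path
from typing import Callable


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Quarantine:
    """A directory holding quarantined files plus one JSON sidecar per item."""

    def __init__(self, store_dir: Path):
        self.store_dir = Path(store_dir)
        self.store_dir.mkdir(parents=True, exist_ok=True)

    def quarantine(self, target: Path, detection: str) -> str:
        """Move `target` into the store under an opaque id (so nothing can
        run it by its original name) and record where it came from."""
        target = Path(target)
        item_id = uuid.uuid4().hex
        meta = {
            "original_path": str(target.resolve()),
            "sha256": sha256_of(target),
            "detection": detection,
        }
        shutil.move(str(target), str(self.store_dir / item_id))
        (self.store_dir / f"{item_id}.json").write_text(json.dumps(meta))
        return item_id

    def items(self) -> dict:
        """{item_id: metadata} for everything currently quarantined."""
        return {m.stem: json.loads(m.read_text()) for m in self.store_dir.glob("*.json")}

    def restore(self, item_id: str) -> Path:
        """Manual restore: put the file back at its original path."""
        meta = json.loads((self.store_dir / f"{item_id}.json").read_text())
        dest = Path(meta["original_path"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(self.store_dir / item_id), str(dest))
        (self.store_dir / f"{item_id}.json").unlink()
        return dest

    def rescan_and_restore(self, is_clean: Callable[[Path], bool]) -> list:
        """Automatic restore: re-scan every item with the caller's scanner and
        restore those no longer detected (the false-positive case)."""
        return [self.restore(i) for i in list(self.items()) if is_clean(self.store_dir / i)]

    def delete(self, item_id: str) -> None:
        """Manual, irreversible removal of one quarantined item."""
        (self.store_dir / item_id).unlink()
        (self.store_dir / f"{item_id}.json").unlink()


def demo() -> dict:
    """Run one quarantine / re-scan / restore cycle on a constructed file."""
    root = Path(tempfile.mkdtemp())
    try:
        sample = root / "docs" / "suspect.exe"
        sample.parent.mkdir()
        payload = b"constructed sample, not malware"
        sample.write_bytes(payload)
        q = Quarantine(root / "quarantine")
        item_id = q.quarantine(sample, "Gen:Constructed.Example")
        result = {"removed_after_quarantine": not sample.exists()}
        # Scanner still flags it: nothing is restored and the item stays.
        result["kept_while_still_detected"] = (
            q.rescan_and_restore(lambda p: False) == [] and item_id in q.items())
        # Detection withdrawn (false positive): it goes back where it was.
        restored = q.rescan_and_restore(lambda p: True)
        result["restored_when_clean"] = restored == [sample.resolve()] and sample.exists()
        result["content_intact"] = sample.read_bytes() == payload
        result["store_empty_after_restore"] = q.items() == {}
    finally:
        shutil.rmtree(root)
    return result
```

The sidecar keeps the hash so an operator can confirm the restored file is byte-for-byte what was quarantined, and `rescan_and_restore` is the only path that restores without a human decision, exactly the distinction the reply draws between "Move to quarantine" and "Delete".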

Hello Cris

Why does Bitdefender sometimes quarantine "autorun.inf" files, since they have very little chance of being false positives and being declared clean in the future? Also, how can I protect my PC from autorun.inf if Bitdefender doesn't have its signature?


That is the generic case. As a user, you are absolutely free to set the product as you like and as you see fit for your purpose. What I said above are my recommendations.

Those files are probably moved to quarantine, either because the disinfection routine for that infection states that infected files should be quarantined, or because the primary action fails and you have set the secondary action to "move to quarantine". As long as the system remains clean, the purpose of the antivirus has been met.

Cris.


Hello Cris

How can I protect my PC from autorun.inf if Bitdefender doesn't have its signature, given that Bitdefender has no option to block removable media from autorunning? I have some autorun.inf files not detected by Bitdefender. How may I send you these?


@ONT and all people...

Actually, "autorun.inf" files are not the virus. The main virus executable file is always hidden. The function of the "autorun.inf" file is to initiate the startup of the main virus executable file when you plug the device into your system or double-click on it (the device may be a CD-ROM, a removable drive or a hard drive partition).

"autorun.inf" files are used to initiate the startup automatically on insertion of the media. The structure of the code in any autorun.inf file is:

---------------------------------------------

[autorun]
open=path\any program.exe

---------------------------------------------

You can even make one using Notepad and saving it as "autorun.inf". You can start any program you want by using "autorun.inf" files when you insert your removable media.

If the antivirus is deleting the main virus executable file and not the autorun.inf file, then don't worry: it is doing its job fully and you are totally safe.

You can configure your removable media so that no autorun.inf file can be written on your media. Simply make a FOLDER named "autorun.inf" in your removable media and you will be safe from autorun.inf files.

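Since the post above describes the autorun.inf format and its role as a launcher, here is an added Python example (not Bitdefender code and not from the poster) of a parser and triage routine for such files, the kind of thing a defender runs over a suspect stick before trusting it. autorun.inf is INI-style text; the documented launch keys are `open`, `shellexecute` and `shell\<verb>\command`, and `start` is accepted as well so hand-written variants are not silently ignored. The triage rules are illustrative heuristics, not a detection signature, and both sample files are constructed for this example.

```python
"""Parse and triage an autorun.inf file (added example, not Bitdefender code)."""
import configparser
import re

LAUNCH_KEYS = ("open", "shellexecute", "start")   # 'start' is not documented; tolerated
SUSPICIOUS_EXT = {".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
DOUBLE_EXT = re.compile(r"\.(jpg|jpeg|gif|doc|pdf|txt|mp3)\.(exe|scr|com|pif)$")

BENIGN_SAMPLE = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

# Constructed to resemble worm-dropped files: every verb points at one hidden
# executable under the recycle-bin folder and the menu text mimics Windows.
SUSPICIOUS_SAMPLE = r"""[AutoRun]
; constructed sample for this example
open=RECYCLER\S-1-5-21-0-0-0-1000\ise32.exe
shell\open\Command=RECYCLER\S-1-5-21-0-0-0-1000\ise32.exe
shell\explore\Command=RECYCLER\S-1-5-21-0-0-0-1000\ise32.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""


def _new_parser() -> configparser.ConfigParser:
    # interpolation=None: '%' is common in these files; strict=False: tolerate
    # duplicate keys; allow_no_value: tolerate bare junk lines; '=' only.
    return configparser.ConfigParser(interpolation=None, strict=False,
                                     allow_no_value=True, delimiters=("=",))


def parse_autorun(text: str) -> dict:
    """Return {section: {key: value}} with lowercase section and key names."""
    text = text.lstrip("\ufeff")
    cp = _new_parser()
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        # Tolerate a missing header by assuming [autorun].
        cp = _new_parser()
        cp.read_string("[autorun]\n" + text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}


def launch_targets(parsed: dict) -> list:
    """Every command autorun could hand to the shell, from any section."""
    targets = []
    for section in parsed.values():
        for key, value in section.items():
            if not value:
                continue
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, value.strip()))
    return targets


def triage(text: str) -> dict:
    """Parse the file and list the reasons, if any, to inspect it further."""
    parsed = parse_autorun(text)
    targets = launch_targets(parsed)
    reasons = []
    for key, cmd in targets:
        exe = cmd.split()[0].strip('"').lower()
        if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
            reasons.append(f"{key}: launches from a recycle-bin/system folder ({cmd})")
        if any(exe.endswith(ext) for ext in SUSPICIOUS_EXT):
            reasons.append(f"{key}: script or screen-saver style program ({cmd})")
        if DOUBLE_EXT.search(exe):
            reasons.append(f"{key}: double extension ({cmd})")
    if len(targets) > 1 and len({cmd.lower() for _, cmd in targets}) == 1:
        reasons.append("every shell verb is redirected to the same program")
    for section in parsed.values():
        action = section.get("action") or ""
        if "open folder" in action.lower():
            reasons.append(f"action text imitates the Windows 'Open folder to view files' entry ({action!r})")
    return {"targets": targets, "reasons": reasons, "suspicious": bool(reasons)}
```

`triage(SUSPICIOUS_SAMPLE)` reports three launch targets and five reasons, while the benign installer file yields one target and no reasons; the point is that the file itself is inert text, and what matters is what it points at.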

You can also simply disable the autorun functionality of your system completely. This way, even if you connect an already infected removable device, the system will simply ignore the autorun script. The details of how this is done depend on the operating system. Google it; there are plenty of sites which present this procedure.

Cris.

> You can configure your removable media so that no autorun.inf file can be written on your media. Simply make a FOLDER named "autorun.inf" in your removable media and you will be safe from autorun.inf files.

That's an interesting approach, haven't heard of it before. How exactly does that protect you from getting autorun.inf files written on the removable media? If you can explain.


Because everything in the file system is a file (thus the name "file system"). Folders are also files, with a special FOLDER attribute.

Therefore, since you already have a file named autorun.inf in the root of your removable device, another file with the same name cannot be created. And since that file is marked as a folder, it cannot be overwritten without the folder attribute (so it cannot be changed from a "folder" into a "file").

A similar approach would be to create a normal autorun.inf file and mark it as Read-Only.

However, both these methods can be very easily bypassed, because a malware can just remove the pre-existing file (or folder) and recreate it from scratch. More advanced methods to counter these actions were implemented in so-called "removable device immunization" software, which somehow "plays" with the internal structure of the file system, making a folder containing a special structure inside, then specifically changing the file table so that the folder shows up as a file in the file system. The result is a file that cannot be touched by basic WinAPI calls (because they were not designed to handle such specially crafted files), so almost no malware will be able to remove it.

However, even though this type of immunization is marketed as "foolproof", i.e. something that cannot be undone, it can be reverted by someone who knows how to use a hex editor to edit the raw information within the file table. And since this can be done manually, it only means that it can also be done automatically. Also, I personally recommend great care when/if using such immunization software. If you use it on devices that were designed to browse their own memory (such as portable media players, camera memory cards, phone memory cards, and so on), those devices might not be able to "understand" and handle such file system modifications correctly, which might result in operation problems or even data loss.

Cris.

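The reply above explains why a folder named autorun.inf blocks a plain "create file" and why that is only a name collision. The following added Python example (not Bitdefender code) applies the trick to any directory, so it can be tried on a temporary folder rather than a real stick, and includes an `audit` check that tells a defender whether the protection is still in place or an autorun.inf file has appeared in its stead. The function names and the constructed file content are assumptions of the example.

```python
"""The "folder named autorun.inf" immunization and what it does and does not
stop (added example, not Bitdefender code)."""
import shutil
import tempfile
from pathlib import Path

AUTORUN = "autorun.inf"


def immunize(root) -> Path:
    """Occupy the name autorun.inf in the root of `root` with a directory.
    Refuses to replace an existing autorun.inf file: that file should be
    scanned rather than silently discarded."""
    p = Path(root) / AUTORUN
    if p.is_file():
        raise FileExistsError(f"{p} is an existing file; scan it before immunizing")
    p.mkdir(exist_ok=True)
    return p


def can_write_autorun_file(root) -> bool:
    """Try to create autorun.inf as a regular file with a plain create-new
    call (no deletion of anything) and report whether that succeeded."""
    p = Path(root) / AUTORUN
    try:
        with open(p, "x", encoding="ascii") as f:   # 'x': fail if the name exists
            f.write("[autorun]\nopen=constructed_example.exe\n")
    except (FileExistsError, IsADirectoryError, PermissionError):
        return False
    return True


def audit(root) -> str:
    """What a defender should conclude from the root of the media."""
    p = Path(root) / AUTORUN
    if p.is_dir():
        return "immunized"
    if p.is_file():
        return "autorun.inf file present: scan it before trusting this media"
    return "unprotected"


def demo() -> dict:
    """Walk through the protection and the weakness the reply describes."""
    root = Path(tempfile.mkdtemp())
    try:
        immunize(root)
        result = {
            "immunized": audit(root) == "immunized",
            "naive_write_blocked": not can_write_autorun_file(root),
        }
        # A name collision is all the folder provides: once something removes
        # the folder (the reply's point), the root is back to a blank slate.
        shutil.rmtree(root / AUTORUN)
        result["write_after_removal"] = can_write_autorun_file(root)
        result["audit_after_removal"] = audit(root)
    finally:
        shutil.rmtree(root)
    return result
```

`audit` is the part worth keeping: the folder trick is only as good as the last check that the folder is still a folder, which is why the reply steers towards disabling autorun on the host instead.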

Understood. Thanks for the detailed explanation, Cris. :)


Hello Cris

I have some autorun.inf files undetected by Bitdefender. How may I send them to you?

> That is the generic case. As a user, you are absolutely free to set the product as you like and as you see fit for your purpose. What I said above are my recommendations.
>
> Those files are probably moved to quarantine, either because the disinfection routine for that infection states that infected files should be quarantined, or because the primary action fails and you have set the secondary action to "move to quarantine". As long as the system remains clean, the purpose of the antivirus has been met.
>
> Cris.

Hello Cris

Kindly see the attachment. As you can see, the settings are the same for both autorun.inf files detected, but one was deleted while the other was moved to quarantine.

Why? Is there a difference in the type of infection, or anything else?

1276670642_1_02.xml

> That is the generic case. As a user, you are absolutely free to set the product as you like and as you see fit for your purpose. What I said above are my recommendations.
>
> Those files are probably moved to quarantine, either because the disinfection routine for that infection states that infected files should be quarantined, or because the primary action fails and you have set the secondary action to "move to quarantine". As long as the system remains clean, the purpose of the antivirus has been met.
>
> Cris.

Hi Cris

I have autorun files which have exactly the same code except for the executables, but one of them was deleted while the other was moved to quarantine. Why is this so?

> Because everything in the file system is a file (thus the name "file system"). Folders are also files, with a special FOLDER attribute.
>
> Therefore, since you already have a file named autorun.inf in the root of your removable device, another file with the same name cannot be created. And since that file is marked as a folder, it cannot be overwritten without the folder attribute (so it cannot be changed from a "folder" into a "file").
>
> A similar approach would be to create a normal autorun.inf file and mark it as Read-Only.
>
> However, both these methods can be very easily bypassed, because a malware can just remove the pre-existing file (or folder) and recreate it from scratch. More advanced methods to counter these actions were implemented in so-called "removable device immunization" software, which somehow "plays" with the internal structure of the file system, making a folder containing a special structure inside, then specifically changing the file table so that the folder shows up as a file in the file system. The result is a file that cannot be touched by basic WinAPI calls (because they were not designed to handle such specially crafted files), so almost no malware will be able to remove it.
>
> However, even though this type of immunization is marketed as "foolproof", i.e. something that cannot be undone, it can be reverted by someone who knows how to use a hex editor to edit the raw information within the file table. And since this can be done manually, it only means that it can also be done automatically. Also, I personally recommend great care when/if using such immunization software. If you use it on devices that were designed to browse their own memory (such as portable media players, camera memory cards, phone memory cards, and so on), those devices might not be able to "understand" and handle such file system modifications correctly, which might result in operation problems or even data loss.
>
> Cris.

Has the same technique been implemented in Bitdefender USB Immunizer?


Hi ONT

Bitdefender USB Immunizer takes a different approach to the autorun.inf file.

Basically, it modifies a registry key in Windows and, if the user wants, it can also create those files on each external device.

The most important thing is to turn off the functionality in Windows. This way, even if the USB stick is infected, the autorun.inf file will be ignored and the malware will not be able to run automatically.

Thank you.

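The reply above says the important part is turning autorun off in Windows via a registry setting, without naming it. As an added Python example (not Bitdefender USB Immunizer code), here is a reader and decoder for the standard Explorer policy value that controls this, `NoDriveTypeAutoRun`: each bit is `1 << drive type` as returned by `GetDriveType()`, a set bit disables AutoRun for that drive type, and `0xFF` disables it for all of them. The registry read only runs on Windows; the decoding and precedence logic work anywhere. The function names and the example policy dicts are assumptions of the example.

```python
"""Decode and, on Windows, read the NoDriveTypeAutoRun policy value
(added example, not Bitdefender code)."""
import sys
from typing import Optional

# bit = 1 << GetDriveType() value; a set bit disables AutoRun for that type
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "remote",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
ALL_DISABLED = 0xFF
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def decode(value: int) -> dict:
    """Map each drive type to True when AutoRun is disabled for it."""
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def removable_autorun_disabled(value: int) -> bool:
    """The bit that matters for USB sticks."""
    return bool(value & 0x04)


def effective_value(policy: dict) -> Optional[int]:
    """The machine-wide (HKLM) policy wins over the per-user (HKCU) one;
    None means neither is set and Windows falls back to its built-in default."""
    if policy.get("HKLM") is not None:
        return policy["HKLM"]
    if policy.get("HKCU") is not None:
        return policy["HKCU"]
    return None


def read_policy() -> dict:
    """Read the value from both hives. Returns {} on non-Windows hosts and
    None for a hive where the value is absent."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                       ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                out[name], _ = winreg.QueryValueEx(key, POLICY_VALUE)
        except OSError:
            out[name] = None
    return out


def report(policy: Optional[dict] = None) -> str:
    """One-line verdict suitable for a hardening checklist."""
    policy = read_policy() if policy is None else policy
    value = effective_value(policy)
    if value is None:
        return ("NoDriveTypeAutoRun not set: Windows default applies; "
                "set it to 0xFF to disable AutoRun everywhere")
    disabled = [name for name, off in decode(value).items() if off]
    return f"NoDriveTypeAutoRun=0x{value:02X}: AutoRun disabled for {', '.join(disabled) or 'nothing'}"
```

Run `print(report())` on a Windows host to get the verdict for that machine. Note that Windows 7 and later (and XP/Vista after a 2011 update) no longer honour autorun.inf on USB mass storage at all, so on current systems this value mainly governs optical media; on the 2009/2010-era products this thread discusses, it was the setting that mattered.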

1) Does quarantining the virus also clean its traces from the system?

2) What exactly is meant by denying access to suspected files? Is it not better to quarantine the file rather than deny access?

3) During heuristic analysis, suspected samples are executed in some virtual environment, so how many times are they executed? I mean, is it possible for a virus to deceive the heuristic environment, e.g. if the suspected sample is executed in the virtual environment only once, but the virus is programmed to become active only when it is executed, let's say, the third time?


Hello Omer :)

Welcome back.

1. Yes, all detected traces left by the malware will be sent to quarantine or deleted.

2. By denying access, Bitdefender stops all system resources from accessing that particular file.

3. Some types of malware can't be executed in a virtual environment. The malware code has an embedded function and, if a virtual environment (like a virtual machine) is detected, the malware won't execute. If the same file is executed in a real environment, it will infect that machine. Depending on the routine or the file type, the sample will be executed once or more than once in the virtual environment (using B-HAVE, the Behavioral Heuristic Analyzer in Virtual Environments).

Take care.


During a scan, does the B-HAVE mechanism remain active after detecting a threat, or is it re-opened when another threat is found?

Edited by ONT


Hello :)

As long as the Active Virus Control is active, B-HAVE is always active.

Take care.


Actually I was talking about the B-HAVE status during scan tasks not in RTP.


Hello :)

The module is always active, even during scan.

AVC works independently of RTP; it is a different component.

It is included in the Antivirus module, but is not "connected" to the engine.

Take care.

