Anti Virus tips

kevinspoon
(@kevinspoon)
New Member

Need some advice on the best Spyware and Antivirus software that most are using. Thinking about going with Norton (not sure which one) but not sure. Also, thinking about getting WebRoot Spy Sweeper. Any suggestions?
This is for my forensics machine of course.

Posted : 23/05/2009 9:11 am
douglasbrush
(@douglasbrush)
Senior Member

I am a cheap date so I like the many free utilities that are out there. Avast is my AV of choice. It also does much of the spyware/malware prevention you could want. You will certainly want to set the policies and exclusions in the software to avoid false positives. (On one of my administrative computers I downloaded Helix to it last night before leaving the office and came in this AM to warnings about Windows Defender scan results for pwdump2.)

Posted : 23/05/2009 5:48 pm
medilein
(@medilein)
New Member

At the moment we are using Kaspersky Internet Security but I would strictly recommend NOT to use that one. We will for sure switch to another solution.
When acquiring an image with Kaspersky switched on it takes nearly 2 minutes until the acquisition starts. With older versions it was possible to exclude USB devices from "scanning" but this is not possible anymore. I sent them an email and received a default answer more than a month after I contacted them.
Another thing is my NAS box. When Kaspersky is switched on it is not found on the network, only when Kaspersky is disabled.
Another thing is when downloading archives from the internet. By default they are scanned, which can take a couple of minutes.
Please share your experiences with other AV solutions. Since we are most definitely going to switch to another antivirus software this could be very useful information (not only for me ;) ).

Cheers.

Posted : 23/05/2009 7:09 pm
BitHead
(@bithead)
Community Legend

Switched to ESET NOD32 from Norton. I have also had good luck with avast! and if you are a governmental agency (or healthcare) there is a 30% discount.

Posted : 23/05/2009 8:07 pm
kevinspoon
(@kevinspoon)
New Member

Thanks guys. Think I'm gonna look into the Avast. I'm sure we qualify for the discount. On my home PC, I'm using Norton Internet Security and it works great with the Pulse updates etc. However, I find myself having to boot twice before being able to use my PC.

Posted : 23/05/2009 8:38 pm
douglasbrush
(@douglasbrush)
Senior Member

Thanks guys. Think I'm gonna look into the Avast. I'm sure we qualify for the discount. On my home PC, I'm using Norton Internet Security and it works great with the Pulse updates etc. However, I find myself having to boot twice before being able to use my PC.

I use the free edition.
http://www.avast.com/eng/download-avast-home.html
Works great and I deploy it on most of my SOHO clients' computers. You just have to enter a registration key you get via e-mail that will keep the auto updates going for about a year before you have to register again.

It will not work on a MS Server build however.

I did just poke around on download.com and came across "Rising Antivirus" as an AV for Server 2k3. Might try it on one of my file servers to see if it works as advertised.

Posted : 23/05/2009 8:51 pm
Anonymous

I was looking into this a few weeks ago. Avira Antivirus is another one which did well in detection benchmarks. I tried it; however, I kept getting pop-ups regarding the paid version so it's not recommended. One of my computers had every .exe file infected with malware whilst using AVG.

I'm using Avast now and I'd recommend it.

Posted : 23/05/2009 9:08 pm
yunus
(@yunus)
Active Member

No antivirus is perfect. So, it does not make a big difference if you choose Norton or Nod32. Norton puts too much workload on the computer and will make it work much slower. So, I prefer Nod32, which is as effective as Norton, though not so overwhelming.

Posted : 24/05/2009 3:44 am
ctendell
(@ctendell)
Member

Avast, it's lite and priced right.

Posted : 25/05/2009 8:34 am
unknown
(@unknown)
New Member

McAfee Virus/Spyware Protection has proven effective. Some of the products mentioned above have performed badly under real world conditions.

Posted : 26/05/2009 7:17 am
ronanmagee
(@ronanmagee)
Active Member

Hi guys,

I have some other concerns regarding antivirus, namely the following and I was wondering if anyone else has considered them …

1. Scanning overhead for realtime detection - monitoring each of your processing machines to identify any impact AV scanning has on performance
2. AV scanning modifying timestamps on evidence
3. Deletion of files as opposed to quarantine
4. Ensuring monitoring of Terminal Services
5. Plug in evidence drive and AV kicks in to scan drive
6. Installing AV on a data server

IMO end stations should have AV installed and the server has no AV whatsoever. My thinking is twofold:

1. Large quantities of evidence may take long periods to scan with AV, even when kicked off over the weekend
2. Potential deletion/modification of evidence and/or timestamp modification

If installing AV on end user/processing machines, how do you ensure that you do not modify evidence on the external HDD that is plugged in after returning to the lab from imaging on-site?

Ronan

Posted : 26/05/2009 6:41 pm
mitch
(@mitch)
Active Member

Simple answer to this is Sophos; in the UK most Government organisations use it. Is it good? YES.

I purchased it myself; it's expensive but you get what you pay for.

regards

Posted : 26/05/2009 6:44 pm
jhup
(@jhup)
Community Legend

I always wondered why AV? Why scan for the bad things? Why not just make sure the good things are good?

TripWire is the closest to what I think is the best. "Change auditing software".

* There is a limited set of files to scan (number of total valid executable files versus number of malware and their variants).
* The database does not change unless new applications are installed, versus almost daily updates with an ever-increasing database.
* Real-time validation is faster as it no longer needs to check against the malware DB and heuristic logic, simply against the valid DB.

We already use it in forensics. We have huge software fingerprint databases out there.

Just a thought….

I wish there was a Tripwire for Wintel desktops.

Posted : 26/05/2009 8:16 pm
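A minimal Tripwire-style baseline/verify script, added here as an illustration and not something anyone posted in the thread: it covers jhup's "make sure the good things are good" idea (a known-good hash set instead of a malware signature DB) and Ronan's worry that an AV pass may delete, rewrite or re-stamp evidence files. The file names, the three-file scenario and the known-good set are all constructed; it assumes nothing beyond Python 3 and a writable temp directory.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """sha256 and mtime of one file; mtime catches a scanner that re-stamps a file."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()  # chunk this for large evidence files
    return {"sha256": digest, "mtime_ns": os.stat(path).st_mtime_ns}

def baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def verify(root, db, known_good=frozenset()):
    """Diff root against a baseline; 'touched' = same bytes but new mtime, 'unknown' = hash not whitelisted."""
    now = baseline(root)
    report = {k: [] for k in ("added", "removed", "modified", "touched", "unknown")}
    for rel in sorted(set(db) | set(now)):
        old, new = db.get(rel), now.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(rel)
        elif old["mtime_ns"] != new["mtime_ns"]:
            report["touched"].append(rel)
        if new is not None and known_good and new["sha256"] not in known_good:
            report["unknown"].append(rel)
    return report

def demo():
    """Constructed scenario: baseline three files, then do what an AV 'clean' pass might."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"good.exe": b"MZ-ok", "bad.exe": b"MZ-x", "notes.txt": b"hi"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        db = baseline(root)
        known = frozenset(db[p]["sha256"] for p in ("good.exe", "notes.txt"))  # stand-in for a known-good fingerprint set
        os.remove(os.path.join(root, "bad.exe"))                # deleted outright, not quarantined
        with open(os.path.join(root, "notes.txt"), "ab") as f:  # "disinfected" in place
            f.write(b"!")
        t = db["good.exe"]["mtime_ns"] + 10**9                  # bytes intact, timestamp moved
        os.utime(os.path.join(root, "good.exe"), ns=(t, t))
        return verify(root, db, known)
```

Run `baseline()` on an evidence copy before it is plugged into a workstation with AV and `verify()` afterwards; anything in "removed", "modified" or "touched" is exactly the kind of change Ronan is asking about.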
ronanmagee
(@ronanmagee)
Active Member

I agree with jhup, this would be great but I'm not aware of any Tripwire equivalent for Windows. Anyone have any suggestions or recommendations?

Posted : 26/05/2009 9:07 pm
ronanmagee
(@ronanmagee)
Active Member

What methodology do you guys use when deploying AV on your lab network?

1. Do you deploy it on the Server(s) and/or end user workstations?
2. How do you deal with a virus once it is detected, bearing in mind deleting/fixing it results in file modification (if one virus is found then documenting this process is fine - but what if thousands of viruses are found?)
3. Are you concerned that virus scanners may modify timestamps?

Ronan

Posted : 31/05/2009 4:21 pm