Sunday 20 June 2010

Case Study: Auntie's Virus

When Free AV Goes Wrong

When there's PC trouble chez Aunt M, I usually have up to a week to sort it out, before it becomes critical - before, that is, her next weekly Sainsbury's Online order. Such was the case this week, when I battled bravely against Pakes.AV, a Trojan she'd managed to acquire from an XSS attack at some Canadian newspaper's site.

For her Internet connectivity requirements, Aunt M has always been with Virgin Media. They've offered free antivirus software for several years, and we've both found it quite reliable in the past. But then it began to get into a bit of trouble. Resource usage began climbing, and even the expedient of replacing both our PCs with brand new ones couldn't shake off the barnacles.

Eventually, about a year ago, her PC could run little else except a background scan: she was effectively locked out of her PC for hours on end. But still it got worse: the free AV software updates began failing. At this point, the PC's behaviour on power up became utterly monotonous and predictable; thrashing and churning, crashing and burning. Big red button. Repeat.

At one stage I had installed 8GB of RAM into her new machine. Yes, apparently in 2010, Windows needs more than eight million kilobytes of memory, if you want to browse to an occasional more or less static website, or to send or receive one or two emails a day, without having your bank account emptied by Russians.

Free As In Beer

After researching the various free antivirus alternatives available on the web (okay, after searching for "best free antivirus", then selecting the top result from the top comparison site), I had installed AVG Free, whose website trumpets Trusted by Over 110 Million Users!

Also as an experiment, and because the purchase of a new Dell had resulted in my 12-month free McAfee evaluation becoming lost or truncated to 3 months (leaving Sky Broadband's and McAfee's licensing support departments pointing ineffectually at each other), I had also installed AVG Free on my own computer.

Today, my Windows 7 installation continues to work flawlessly, but as I said, Auntie acquired this little nasty bit of code last week. Over the telephone I got her to run a manual scan, which appeared to clean up the problem. As I half expected, the infection reappeared next day.

Another manual scan, and another successful outcome. Left instructions not to visit any websites except Sainsbury's and BBC News. As I three-quarters expected, the infection reappeared next day. She is now unable to start another scan, or do anything else really, including making a Remote Assistance request.

Isn't It Ironic

Remote Assistance can be a great help at times. But on this occasion, the frequent and insistent popup behaviour of the AVG threat notifier itself made the "cure" at least as intrusive and debilitating as the malware. This is also hindered by the relatively loud UI design, the strong colours of which make it difficult for her even to identify the windows on the screen; selecting one of these windows, such as the XP Remote Assistance dialog; bring it to the front (impossible as it happens, since the notification window has the Topmost property); and then use it to allow me remote control of her PC.

I'm not saying that all free software is worth what you pay for it. Regular readers know I'm a huge Linux fan! But the usability requirements of an elderly user seem to dovetail with those of the support engineer attempting to extend help without the benefit of remote assistance and control. It's become clear to me that certain free AV offerings are still designed using a 1990s approach, agnostic to accessibility constraints, and in fact with cursory regard to usability.

Anyway, I'll have to go over there to take a look...

Site Visit #1

Pakes.AV is essentially a search redirection infection. So my first problem, as I began surfing for advice or support from the AVG Free forums, was trying to deflect the incessant torrent of popup ads.

My second problem was discovering that, after battling a path clear through these, I'd been rerouted in flight to a collection of pages offering loans, mortgages, pharmaceuticals and pornography. Quickly scribbling down all of these useful URLs, I proceeded to the AVG site...

My third problem was finding that the AVG Free forums were an unhealthy mess of diagnostic dumps, cross-posted bad advice usually related to quite unrelated issues, poorly written and/or indecipherable instructions, and a proliferation of people with a polymorphic variety of official-sounding titles, making it hard to identify any authority.

I did manage to start a full scan with some additional options switched on. Then I left to continue my researches at an uninfected workstation.

Reflections

What little I could decipher online about the problem seemed to mention the Trojan hiding in Windows System Restore, which should therefore be disabled. Hmm, suspicious, I thought: an antivirus forum, recommending that I disable a feature designed to recover from trouble?

But as I was assuming the worst anyway, i.e., that a complete reinstall of Windows would be at the end of this trail, so I first tried restoring the system to a date in May, when I figured there had to be no infection. Sure enough, as I'd seven-eighths expected, that Trojan horse came right back. So then I bit the .22 slug, disabled System Restore, and scanned again. Did that work? Neigh.



Let's Go To Work

After some consideration that night, I'd decided that a 30 day evaluation of Kaspersky would be the way forward, so I downloaded that on to a USB key drive, ready to take on site and install next day.

Installation on the uncleaned system proved to be a bit of a challenge, as the machine was now in a fit of spawning, flinging up hundreds of command windows on startup. But I persevered, reasoning that Pakes.AV was so long in the tooth that Messrs Kaspersky would by now have a comprehensive treatment for it. And if not, then I could consider the more clinical cleansing and/or full Windows reinstallation options later.

My confidence proved well placed, as a preliminary scan resulted in two, reset-requiring, "special disinfection" procedures becoming invoked. One full scan later, it emerged that some 30+ assorted viruses and Trojans had been jostling and writhing on Auntie's PC, for who knows how long; all unseen by AVG Free.

Conclusions

Most of which were already known, and obvious in hindsight:
  1. As with baked goods and beer, so with antivirus software: you get what you pay for.
  2. Sometimes Remote Assistance alone just isn't up to a disinfection.
  3. Never assume that the visible threat is the only one present.
  4. Have a security strategy - and review it regularly.
I'd also like to add my personal opinion, that Kaspersky is a class act. I've had experience with, and eventually reasons to drop, antivirus software companies such as Trend Micro and McAfee. Admittedly these were reasons related to licensing and support, rather than the technical performance and update issues that have forced me to abandon the several free offerings that I've also tried. But then again: support's the bit you pay for!

Everything about Kaspersky's software, from its UI design to the company's web presence and security lab blog, inspires confidence. I wouldn't be surprised if I never have to contact them for support; but if I do, I'm also confident that experience will be exemplary. Thirty days hence, they'll have two new paying customers.

1 comment:

  1. In downloading the free trial for Kaspersky Anti-Virus 2011, my PC contracted a virus almost immediately that has so far prevented me from using it for most things, including to install Kaspersky...

    *sigh*

    I love computers :-).

    ReplyDelete