
Posted
Another general question may be: Does the installation of KernelEx make Win98 vulnerable to WinXP malware, which a regular Win98SE installation would just ignore? In other words, does the installation of KernelEx eliminate the raison d'être of Win98?

That is completely unexplored territory. The answer will largely depend on what type of malware it is. For kernel rootkits that target NT systems, KernelEX won't make 98 any more vulnerable to them. For more conventional "user mode" adware, nuisance-ware, etc, KernelEX might make a system more vulnerable. KernelEx might also make 98 more vulnerable to malware that targets applications, just by enabling 98 to run these applications. The only way to know for certain would be to collect samples and try them on test units. I wouldn't expect any major increase in the amount of malware that would affect 98 due to KernelEX, but I would expect a fairly small percentage of some types to work. It's just something that we will have to watch and remain aware of the possibility.


Posted (edited)

Just found a new candidate : http://www.bitdefender.com.au/PRODUCT-14-au--BitDefender-10-Free-Edition.html

A long-standing and respectable anti-virus house, and this package lists W98.

Edit : Bummer, this free BitDefender version is an on-demand scanner, no real-time protection. However, Avast 4.8 Professional is still available (for the moment).

Joe.

PS. Some updated info on Avast 4.8 ... :

Edited by jds
  • 5 months later...
Posted

Well, I was wrong. As you've also since found, SAV 9 (mine's 9.0.0.1400, yours 9.0.3.1000) doesn't know to scan RAR archives. How disappointing!

Well, I was kinda wrong about being wrong ;) ... the following page shows that at least versions 9.0.6.* supported RAR decompression (the page relates to a security fix for the decompression engine) :

http://www.symantec.com/business/support/index?page=content&id=TECH102208

Unfortunately, there don't seem to be any publicly available upgrade paths from a version 9.0.X.* to a version 9.0.Y.* (which might even fix the broken real-time/on-access/auto-protection with current virus definitions) :(

Joe.

  • 3 months later...
Posted

Kaspersky Anti-Virus 6.0 still updates Ok under Win98, my last manual signature update was about a week ago.

Russian Kaspersky helping the U.S. military?

Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE. www.drudgereport.com just had as its top headline a link to http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/ and it looks like even the U.S. military look for Russian help: the technicians at Creech Air Force Base in Nevada "followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says".

The comment there by David Banes may or may not be indicative of the quality of Symantec software: "I'm sorry but I've got 20+ years experience in the anti-virus industry (some of it running virus research for Symantec) so to see the comment “We keep wiping it off, and it keeps coming back,” in the text above just tells me that the person trying to remove this virus is not qualified for the job, which is very scary given where it is!"

It took the Iranians maybe a year to get the Stuxnet virus out of their nuclear and industrial sites. About 2 years ago I had a nasty infection on my laptop (i.e. a simple single-user environment) with the Tenga virus, which came back 2 times within 3 months of the initial infection.

Posted (edited)

In Germany a major political scandal is brewing about the German federal police apparently planting trojans, ignoring prohibitions by the highest German court. It's currently the top story (in German) of the Spiegel, "Programmed breach of the constitution" http://www.spiegel.de/netzwelt/netzpolitik/0,1518,790768,00.html

The description of the Backdoor:W32/R2D2.A is at http://www.f-secure.com/weblog/archives/00002249.html No idea whether this backdoor works under Win98

Here a posting by Noob at http://www.wilderssecurity.com/showthread.php?p=1952822 : "only F-Secure, Clam AV and Kaspersky detects it".

I was also a little surprised that Clam AV detected it. If Kaspersky should stop providing signature updates for v6.0 after October 2012, maybe Clam AV can continue to provide protection for Win98 against new malware. Kaspersky v6.0, with its big signature data base, could then still detect old malware.

A possible solution to the looming virus scanner issue under Win98 might be to use 2 scanners, Kaspersky for pre-October-2012 malware, and Clam AV for post-October-2012 malware.

Several other virus scanners can at this moment detect this Backdoor, perhaps after some decision-making. Here the constantly updated list by Virus Total: http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318148319

Edited by Multibooter
Posted (edited)

Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE.

Hmmm ... before being tempted to install this, read :

Perhaps KAV still useful as an "on demand" (manual) scanner only, but even SAV 9 (or the NAV equivalent) with its broken "real time" protection can do that (just download the SAV 10 virus definitions every once in a while and run it).

For the moment, Avast 4.8 is still the best complete solution, IMHO.

Joe.

Edited by jds
  • 3 months later...
Posted (edited)

... the following page shows that at least versions 9.0.6.* supported RAR decompression (the page relates to a security fix for the decompression engine) :

http://www.symantec.com/business/support/index?page=content&id=TECH102208

Unfortunately, there don't seem to be any publicly available upgrade paths from a version 9.0.X.* to a version 9.0.Y.* (which might even fix the broken real-time/on-access/auto-protection with current virus definitions) :(

Well, the plot thickens!

I re-read the above page from Symantec, this time paying attention to the irrelevant section about how to disable CAB and RAR scanning, and learnt that the DLL responsible for "decomposing" RAR files is called 'Dec2RAR.dll' and that the file 'Dec3.cfg' specifies which "decomposers" are enabled.

It was no surprise to find that the file 'Dec2RAR.dll' was missing from my SAV9 installation, and that of course, it wasn't listed in the 'Dec3.cfg' configuration file. What was surprising however, was that a version of 'Dec2RAR.dll' is actually included in the SAV9 installation package, at least as far back as version 9.0.0.338 (as file 'Dec2RAR.dll.007A9270_AFB4_4E86_AD37_A139D0C95AB2', within 'SAV\Data1.cab')!

So the capability to scan RAR files does seem to exist even in fairly old versions of SAV9, yet it never seems to get installed. The relevant DLL is never extracted during the installation, and the configuration file doesn't refer to it. Unfortunately, trying to remedy this situation manually, by extracting the DLL and editing the configuration file, wasn't successful. SAV still failed to scan a RAR file I had prepared for it with the EICAR signature file within. I guess there's some registry stuff that must also be required to enable this missing capability.

BTW, the 'Dec3Update9.exe' update that's given in the above web page refuses to run even with the help of KernelEx. After trying several options, I was finally able to extract its contents with the help of "Resource Hacker" (well recommended). By checking the extracted binaries via "Windows Explorer - Properties - Version - Original Filename", I now had 16 (correctly named) DLL files. However, they were not exactly the list given by Symantec, instead, there was a new version of 'rec2.dll' and no updated 'dec2rar.dll'. But that would be just "icing on the cake". No point worrying about an updated version of 'dec2rar.dll' if I can't convince SAV9 to use it, anyway! :}

Joe.

PS. Well, I've managed to find the missing 'Dec2RAR.dll' file (and the other associated v3.02.14.26 DLL's) that's supposed to be within 'Dec3Update9.exe', in a rather unexpected location : ftp://ftp.symantec.com/public/deutsch/produkten/symantec_antivirus/symantec_antivirus_corp/10.1/updates/SAVCE_10.1.5.5010_Win64_GE.zip

(Using 7-Zip, extract via the path 'SAVCE_10.1.5.5010_Win64_GE.msp' -> 'PCW_CAB_SAV' -> 'Dec2RAR.dll.007A9270_AFB4_4E86_AD37_A139D0C95AB2')

Edited by jds
  • 6 months later...
Posted (edited)

Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE.

For the moment, Avast 4.8 is still the best complete solution, IMHO.

Hi jds,

I beg to disagree. Avast, in contrast to KAV6, generates a lot of false positives, and quite a few of my downloads were erroneously flagged by Avast as infected. Kaspersky Anti-Virus 6 rarely generates false positives. I have used Avast in 2010, and rejected it because of the false positives. To me, a false positive is more annoying than an infected file not flagged.

I have not experienced a stability issue with KAV6 under Win98, but I use KAV6 only as an on-demand scanner. During the last 6 months, however, KAV6 does occasionally crash upon loading, but only under WinXP SP2 (not under Win98SE), and only on my 11-year-old Inspiron laptop (512MB RAM), not on my dual core desktop (2GB RAM). WinXP seems to work Ok after such a crash, but I do reboot then.

Decreased signature count

I have just updated the signatures of Kaspersky Anti-Virus 6, the signature count on 6-Sep-2012 was 7.772.298. The last time I ran the signature update from the Kaspersky server (under Win98, of course), was on 18-Jul-2012 with a signature count of 8.585.549 signatures. No idea why the signatures decreased by 800.000 over the last 6 weeks.

I hope this decreased signature count is not a sign of a possibly approaching end-of-updates for v6.0.2.621, perhaps on 1-Oct-2012.

Kaspersky Anti-Virus v6.0.2.621 after it reaches its end-of-updates

I am archiving the Kaspersky Update folder after each successful signature update. In this way Kaspersky Anti-Virus v6.0.2.621 can be re-installed with a reasonable signature count: After adding a license key with an expiration date after the last update, KAV6 can be updated from the Kaspersky Update folder. Without a signature update, KAV6 would be useless, only about 500.000 signatures, of Dec-2007, are installed after a fresh installation.

The size of the rared-up Kaspersky Update folder is currently about 250MB.

I am very eager to see whether the signatures of Kaspersky Anti-Virus v6.0.2.621 can be updated after 1-Oct-2012.

Edited by Multibooter
Posted

Hi jds,

I beg to disagree. Avast, in contrast to KAV6, generates a lot of false positives, and quite a few of my downloads were erroneously flagged by Avast as infected. Kaspersky Anti-Virus 6 rarely generates false positives. I have used Avast in 2010, and rejected it because of the false positives. To me, a false positive is more annoying than an infected file not flagged.

I have not experienced a stability issue with KAV6 under Win98, but I use KAV6 only as an on-demand scanner. During the last 6 months, however, KAV6 does occasionally crash upon loading, but only under WinXP SP2 (not under Win98SE), and only on my 11-year-old Inspiron laptop (512MB RAM), not on my dual core desktop (2GB RAM). WinXP seems to work Ok after such a crash, but I do reboot then.

Hi MB,

It's OK to disagree, however, my comment was "For the moment, Avast 4.8 is still the best complete solution, IMHO." Since you don't use KAV6 for real-time protection (my guess is you'll encounter the same stability issues as I did if you try), that doesn't qualify.

As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this. Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.

Joe.

Posted (edited)

As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this.

Hi jds,

I would speculate that the frequency of false positives depends on what one is scanning. Most of the stuff I am scanning comes from the mule and often contains patches etc. Some of these little files are apparently created by software with which also malware may be produced. Some antivirus programs tend to identify all files created by such software as malware, even if the files are good and clean.

False positives might lead one to delete files which are actually good. I have come across a rare false positive by Kaspersky Anti-Virus for one series of little files, which was incorrectly identified as a trojan "packed win32.black.a". About 5-20% of the downloads with the mule are infected, as identified by Kaspersky. Avast flags more - but it is practically impossible to know whether these files flagged by Avast, and not by Kaspersky, are really infected or just false positives.

About 2 years ago, after the terrible infection with the Tenga exe infector, I had installed Avast under WinXP and Kaspersky under Win98, for double-checking. After a while I stopped using Avast because of the (probably) false positives.

Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.

virustotal is impractical for checking large quantities of files. I make a pre-check of the stuff from the mule as follows:

1) I open archive files (e.g. .rar) with WinRAR. Maybe 5% don't open (corrupt archives or the file extension was changed from e.g. .avi to .rar). I then look at the modification dates of the files in the archive. If the file modification dates differ substantially, e.g. by several years, then some recent malware may have been injected and the archive is suspicious. If the archive contains just a few files, including a .dat and a .exe file, it is in most cases malware.

2) nfodiz is a most useful program for pre-checking downloads containing an .nfo file. After opening an archive in WinRAR I just double-click on the .nfo file in the WinRAR window. If nfodiz displays a nice-looking nfo, and the modification dates of the other files in the archive are close to the modification date of the .nfo file (and close to the date often displayed in the .nfo window), there is a good chance that the archive is Ok. If nfodiz displays gibberish, then the archive is infected and can be deleted. The description page of nfodiz is http://web.archive.org/web/20050205083144/http://www.softpile.com/Development/Distribution/Review_03050_index.html nfodiz can be downloaded from http://liveweb.archive.org/http://www.brigada.ro/downloads/nfodiz_setup.exe

3) downloaded .exe files I drag onto the desktop icon of MiTeC EXE Explorer. If the .exe file is supposed to be old software, but has a much more recent timestamp, the .exe is most likely infected.

These 3 steps identify about 60% of the infected files. About 50% of the files identified in these 3 steps are not flagged by Kaspersky, although eventually Kaspersky will identify many as infected, with subsequent signature updates. This is not a critique of Kaspersky, there are just too many new malware programs.

Edited by Multibooter
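The three pre-check heuristics described in the post above (archive members with widely differing modification dates, a tiny archive holding just a .dat plus an .exe, and an executable whose build timestamp is far newer than the software it claims to be) can be automated. The following is an added example written for this page, not a tool from the original post: it works on ZIP archives rather than RAR because Python's standard library has no RAR reader, reads the PE COFF TimeDateStamp to get the executable's link time, and uses constructed sample data built in memory. The thresholds (two years of date spread, three files) are assumptions chosen for illustration, not the author's numbers.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone

# Assumed thresholds (not from the original post): how many years of spread
# between member timestamps counts as suspicious, and how small an archive
# must be for the ".dat plus .exe" rule to apply.
MAX_DATE_SPREAD_YEARS = 2
SMALL_ARCHIVE_MAX_FILES = 3


def analyze_archive(data: bytes) -> dict:
    """Apply the archive heuristics to a ZIP given as bytes and return findings."""
    findings = {"corrupt": False, "files": [], "date_spread_years": 0.0,
                "wide_date_spread": False, "small_dat_exe": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        # Step 1 of the post: archives that do not open are set aside.
        findings["corrupt"] = True
        return findings

    names = [m.filename for m in members]
    findings["files"] = names

    # Step 1: compare member modification dates; a spread of years suggests
    # something was added to an old archive long after it was built.
    stamps = [datetime(*m.date_time) for m in members]
    if stamps:
        spread = (max(stamps) - min(stamps)).days / 365.25
        findings["date_spread_years"] = round(spread, 2)
        findings["wide_date_spread"] = spread > MAX_DATE_SPREAD_YEARS

    # Step 1, second rule: a few files including both a .dat and an .exe.
    exts = {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
    findings["small_dat_exe"] = (len(names) <= SMALL_ARCHIVE_MAX_FILES
                                 and {"dat", "exe"} <= exts)
    return findings


def pe_link_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None.

    Layout: 'MZ' header, e_lfanew (offset of 'PE\\0\\0') at 0x3C, then the
    COFF header whose TimeDateStamp sits 8 bytes after the 'PE\\0\\0' magic.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def exe_newer_than_claimed(data: bytes, claimed_year: int) -> bool:
    """Step 3 of the post: flag an executable built well after the software's era."""
    built = pe_link_timestamp(data)
    return built is not None and built.year > claimed_year + MAX_DATE_SPREAD_YEARS


# --- constructed sample inputs (not real files) --------------------------------

def make_sample_zip(nfo_date, other_date, extra_names) -> bytes:
    """Build an in-memory ZIP with a .nfo dated nfo_date and other members dated other_date."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("release.nfo", date_time=nfo_date), b"sample nfo text")
        for name in extra_names:
            zf.writestr(zipfile.ZipInfo(name, date_time=other_date), b"sample payload")
    return buf.getvalue()


def make_sample_pe(stamp: int) -> bytes:
    """Build a minimal MZ/PE header carrying the given COFF TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp) + b"\0" * 12
    return bytes(dos) + coff


if __name__ == "__main__":
    suspicious = make_sample_zip((2004, 6, 1, 12, 0, 0), (2011, 10, 9, 8, 0, 0),
                                 ["setup.exe", "keys.dat"])
    print(analyze_archive(suspicious))
    print(exe_newer_than_claimed(make_sample_pe(1318118400), 2004))
```

`analyze_archive` reports the evidence rather than a verdict, which is the right shape for a pre-check: a human (or a later full scan) decides what to do with an archive whose members are seven years apart or whose .exe was linked in 2011 but is supposedly a 2004 release.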
  • 4 months later...
Posted (edited)

I am very eager to see whether the signatures of Kaspersky Anti-Virus v6.0.2.621 can be updated after 1-Oct-2012.

It's now January 2013 and Kaspersky v6.0.2.621 still updates Ok. There may be some problems with the updater, maybe because I update irregularly, about once every other week. During updating I get quite often error messages like "error updating component KAS300" or "file black.lst is missing or corrupted. Please run Updater to fix this problem". After re-running the Updater, sometimes up to 3 or 4 times, everything is Ok and the message "Update completed successfully" is displayed. The message "Not all components were updated" signals that the Updater has to be run again.

But here is the downside: In November 2012 I used 2 activation codes of Kaspersky Anti-Virus 6.0 retail packages, but the Kaspersky License Key Server only generated license keys up to about 21-March-2013, instead of keys for another year, and the License Key Server did not generate any trial keys for v6.0.2.621. This means that Kaspersky v6.0.2.621 cannot be updated with new signatures after 21-March-2013, although it will continue to run after that date with the last signature update obtained. I keep backups of the Update Folder so that I can re-install v6.0.2.621 and update from the Update Folder, in case I should need an activated but expired version in the future. It makes little sense to buy a retail v6.0 now, since it's going to be dead in March 2013.

"Kaspersky Anti-Virus 6.0 for Windows Workstations" is the corporate version, it is v6.0.3.837 and still runs fine and updates fine under Win98 and WinXP. I doubt that the Moscow head office will sell activation codes for v6.0.3 to individuals. The Kaspersky License Key server still provides a trial key for v6.0.3.837, valid for 10 computers for 30 days. The activation code and the generated license key for the retail v6.0.2 do not work for the corporate v6.0.3.

After having used a trial key for 30 days the virus scanner does not scan for viruses anymore and cannot be updated anymore. It is not possible to start a new trial using the Kaspersky removal tool KAVremover v1.0.53 (of 28Nov2007, last version to work with Win98) http://support.kaspersky.com/downloads/kis7/kavremover.zip There are 3 keys hidden in the registry which prevent a restarting of the trial. One simple self-constructed .inf file can delete these 3 keys under Win98 and WinXP and does not require an uninstall/removal. Kaspersky v6.0.3.837 then turns into un-activated and can then get activated as a trial for another 30 days. Re-activation (reset + activate) is a matter of less than a minute, the hard part was to find the 3 lines for the section [DeleteFromRegistry] in the .inf file, and the testing.

In the future, when the Kaspersky License Key Server will not provide trial licenses for the corporate version 6.0.3 anymore, an un-activated Kaspersky v6.0.3 will still run fine with the last obtained virus signatures, except that there is a nag screen at start up "Setup Wizard: Kaspersky Anti-Virus. Welcome! Kaspersky Anti-Virus Setup Wizard will help you to configure protection for your computer", which requires to click on Cancel or Activate Later. The .inf file with 3 instructions has been tested extensively and works fine. I am attaching a screen shot of Kaspersky v6.0.3.837 updated yesterday under Win98.

This Plan B works until there are no more trial licenses for v6.0.3. After that there is a Plan C. I am quite confident that Kaspersky v6 will be updateable under Win98 and WinXP for the foreseeable future, perhaps for several more years.

[Attached screenshot: Kaspersky v6.0.3.837 updated under Win98]

Edited by Multibooter
Posted (edited)

The retail Kaspersky Anti-Virus 6.0 is currently still available new at amazon for USD 4.99 plus S+H, but again, it can be activated/updated probably only until mid-March 2013. The activation code on the CD sleeve in the box can be used to activate the downloaded last v6.0.2.621. The CD in the box usually contains an older build.

Edited by Multibooter