AV questions and alternative data streams


Lucent2
3rd August 2009, 03:20 PM
Hi,

Here is the requested information:

Windows XP home SP2
OA ++ version 3.5.0.32
Other security: Sandboxie 3.38 and Secunia PSI
Older security - uninstalled: Nod32 4.x

Some general questions about the av function are:

1. Is there a way to update av without updating OA Premium part?

2. Does extract mean: extract the virus infection from a file?

3. Does marking possible or suspicious files as "ask" or "blocked" function as an effective quarantine (awaiting further scanning to show conclusively one way or another)?

4. AV scanner shows that there are several hundred excluded files from the scan. What files are these?

5. Does the av scanner scan trusted programs?


A specific question is:

When scanning for alternative data streams, all my faxes were marked as suspicious, both in the inbox and sentbox, as were all folders in C:\install and a few other files. I used Bit9 FileAdvisor, Google, VirusTotal.com and OASIS to check the few others, and either they were OK or not verifiable by any of these sources. Regarding the faxes, am I right in assuming that they are fine? Among 150 or so faxes, not all can be bad? The 50 or so folders in C:\install seemed OK on inspection of a few. Doesn't it seem unlikely that they are all poisoned? But the bigger question for me is: what am I looking for to conclude whether a malicious alternative data stream is present?

Finally, I would like to see: a Scan Now button on the Antivirus pages, an updated AntiVirus help page, an AV report page where copy applied to specific line(s) of text would work, a log file for each scan, and directions on how to contact someone about specific questions on antivirus issues (such as false positives, removal of difficult infections, etc.)


Thank you in advance,
Lucent

catprincess
3rd August 2009, 03:46 PM
1. Is there a way to update av without updating OA Premium part?
You can use the OA icon's right click menu and choose 'Check for Updates -> Signatures and Rules' only.

2. Does extract mean: extract the virus infection from a file?
If you have an alternate data stream detected you can extract it using this option in order to scan it effectively.

3. Does marking possible or suspicious files as "ask" or "blocked" function as an effective quarantine (awaiting further scanning to show conclusively one way or another)?
Marking them as blocked would prevent them being accidentally run, so I guess in a way that's similar to quarantine.

4. AV scanner shows that there are several hundred excluded files from the scan. What files are these?
That would depend on your chosen settings. If you have 'Check only executable files' ticked, then all other file types would be excluded. Similarly, if you aren't scanning hidden files or ADS, these files would be excluded. There is also the option to exclude other file types.

5. Does the av scanner scan trusted programs?
No


A specific question is:

When scanning for alternative data streams, all my faxes were marked as suspicious, both in the inbox and sentbox, as were all folders in C:\install and a few other files. I used Bit9 FileAdvisor, Google, VirusTotal.com and OASIS to check the few others, and either they were OK or not verifiable by any of these sources. Regarding the faxes, am I right in assuming that they are fine? Among 150 or so faxes, not all can be bad? The 50 or so folders in C:\install seemed OK on inspection of a few. Doesn't it seem unlikely that they are all poisoned? But the bigger question for me is: what am I looking for to conclude whether a malicious alternative data stream is present?
You need to extract the alternate data streams to a temporary folder and then scan this folder with ++. OA can't scan the ADS, it can only detect them, but once you've extracted them it can scan them. If this scan comes up clean then they should be safe.


Finally, I would like to see: a Scan Now button on the Antivirus pages, an updated AntiVirus help page, an AV report page where copy applied to specific line(s) of text would work, a log file for each scan, and directions on how to contact someone about specific questions on antivirus issues (such as false positives, removal of difficult infections, etc.)


If you think you have false positives, they can be submitted by using the contact form here :) http://www.tallemu.com/contact_us.html The information Tall Emu will need is the filename, hash (any of MD5, SHA1, SHA256) and what the file is (i.e., it belongs to Nero Burning 6, for example).

If you don't know the hash of the file, right-clicking the file in OA's programs list and choosing Show file information -> More will take you to the OASIS page for the file, which contains the hash in the URL. You can then send this URL along with the other relevant information.

Lucent2
3rd August 2009, 05:21 PM
Thank you Cat Princess.

You said:
"You need to extract the alternate data streams to a temporary folder and then scan this folder with ++. OA can't scan the ADS, it can only detect them, but once you've extracted them it can scan them. If this scan comes up clean then they should be safe."

I did this for a few, and they scanned clean. I have 160 to do. You can only extract one at a time. Is there a way to extract the suspicious ADS en masse and then check them?

catprincess
3rd August 2009, 05:44 PM
I did this for a few, and they scanned clean. I have 160 to do. You can only extract one at a time. Is there a way to extract the suspicious ADS en masse and then check them?

You should be able to click and drag with your mouse downwards to highlight all entries. I'm not sure if with multiple entries highlighted it will allow you to extract them, though, as I haven't had multiple ADS to try it with.

Lucent2
3rd August 2009, 06:49 PM
You should be able to click and drag with your mouse downwards to highlight all entries. I'm not sure if with multiple entries highlighted it will allow you to extract them, though, as I haven't had multiple ADS to try it with.

It does not allow more than one extraction at a time. Multiple extraction would be a great addition.
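An added example, not code from this thread nor from Tall Emu's Online Armor, showing the bulk version of the extract-then-scan procedure catprincess described: a PowerShell script that enumerates every alternate data stream under a folder, writes each stream out as an ordinary file in a temporary folder, and lists what it found, so the whole folder can then be scanned with whatever AV you use. It assumes Windows PowerShell 3.0 to 5.1 (the -Stream parameter and Get-Content -Encoding Byte); C:\install is the poster's folder, while the output folder and the stream-name filter are placeholders.

```powershell
# Added example (not from the thread or from Online Armor): dump every
# alternate data stream under $Root into $OutDir as plain files for scanning.
param(
    [string]$Root    = 'C:\install',              # folder to inspect
    [string]$OutDir  = "$env:TEMP\ads_extract",   # placeholder output folder
    [string]$Include = '*'                        # e.g. 'Kavichs' to list only that stream name
)

$Root = $Root.TrimEnd('\')
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = New-Object System.Collections.Generic.List[object]

# -Force includes hidden items; directories can carry ADS too (the poster's
# C:\install folders did), so they are not filtered out here.
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $item = $_
    # Every file has one ':$DATA' stream (its normal contents); anything else
    # is an alternate data stream. Directories have no default stream.
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -like $Include } |
        ForEach-Object {
            $streamName = $_.Stream
            # Output name = relative path + stream name, with characters that
            # are illegal in file names replaced, so nothing collides or escapes $OutDir.
            $rel  = $item.FullName.Substring($Root.Length).TrimStart('\')
            $safe = ($rel + '__' + $streamName) -replace '[\\/:*?"<>|]', '_'
            $dest = Join-Path $OutDir $safe
            # Copy the raw bytes of the stream into a normal file (empty stream -> empty file).
            $bytes = Get-Content -LiteralPath $item.FullName -Stream $streamName -Encoding Byte -ReadCount 0
            if ($null -eq $bytes) { $bytes = [byte[]]@() }
            [System.IO.File]::WriteAllBytes($dest, [byte[]]$bytes)
            $report.Add([pscustomobject]@{
                File   = $item.FullName
                Stream = $streamName
                Bytes  = $_.Length
                Output = $dest
            })
        }
}

$report | Format-Table -AutoSize
Write-Host ("{0} stream(s) extracted to {1}; scan that folder with your AV." -f $report.Count, $OutDir)
```

Running it with -Include Kavichs shows at a glance which files and folders still carry the leftover Kaspersky streams discussed further down, without extracting anything else.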

catprincess
3rd August 2009, 07:47 PM
Yes I can see that would be useful :)

Lucent2
3rd August 2009, 07:58 PM
It seems that I have a number of Kavichs left from Kaspersky 5.x that I uninstalled some time ago. These are showing up in the ADS anti-virus scan. Does anyone know how to uninstall them?

Thank you for your help

catprincess
3rd August 2009, 08:06 PM
Kaspersky explain how to do this here http://support.kaspersky.com/faq/?qid=193238621 using a removal tool.

Lucent2
4th August 2009, 12:37 AM
Kavichs remover doesn't remove as far as I can tell. It counts how many streams. When I check if any have been removed it still shows them present.

It's been some time since I used DOS so I may be doing something wrong. I typed at the prompt: C:\klstreamremover.exe -r [where -r is the required parameter]. Then I hit enter. It runs through the files in C:\ counting the streams but doesn't appear to remove them.

I was thinking if I remove the Kaviches the av scanner might scan the suspicious files as clear since all are marked with the Kaviches.

I will start the manual clearing. Once I have finished and find they are all clear, how do I remove them from coming up in the scan again?

catprincess
4th August 2009, 02:14 PM
Sorry I can't help more since I don't have any of these Kavichs. The article says the utility removes them, so assuming you followed the instructions listed there, I don't know what else to suggest. I assume ++ is unable to delete them?


I will start the manual clearing. Once I have finished and find they are all clear, how do I remove them from coming up in the scan again?

Marking them as trusted will stop them from appearing in future scans.

judson
4th August 2009, 07:58 PM
This product may help - http://www.merijn.nu/programs.php#adsspy.