dalem29
4 Germanium

Re: Immunet: Safe as a 2nd AV?

Thanks for the update Joe. After the installations mentioned above I have not known they are there. This little program is very quiet in its work, which is the way it should be and I have left it enabled on both machines.

  

0 Kudos
Not applicable

Re: Immunet: Safe as a 2nd AV?

 

Hi Guys :)

 

Okay... I can't say I've spent a whole lot of hours researching Immunet and am in no way knocking it, but...

 

...my main concern here is, as it would be when attempting to run any 2 real-time AVs simultaneously, what happens when you stumble across an actual threat that both programs have a signature for? (Edit; See quote below)

That maybe is where the greatest possibility and danger of a conflict could arise.

Example #1 (post 2)

Example #2

 

As a harmless test, it might not be a bad idea to download some simulated threats (Eicar, Trojan Simulator), rather than wait for a real threat to pounce.


Edit; Wording.

Edit 2; Added text and quote.

 

From the Brian Krebs article in Joe's opening post.


BK: If I have Immunet on my system in addition to another anti-virus product, which one speaks up first about an infection? Or will they both?

AH: Typically, the other anti-virus product will reside in front of us, but in some cases they don’t. In both cases, they should both alert if they both have [detection for] it. If you are running Kaspersky anti-virus and our stuff, and you download a threat, if Kaspersky detects it, they’ll flag it even if we do as well.

Maybe I'm missing something, but to me this seems like a potential problem where both may try to quarantine the same file.

0 Kudos
7 Gold

Re: Immunet: Safe as a 2nd AV?

...my main concern here is, as it would be when attempting to run any 2 real-time AVs simultaneously, what happens when you stumble across an actual threat that both programs have a signature for?
I'm glad you mentioned that. I've been wondering about that myself. Maybe one of the Malware Removal Analysts can run a test.


Windows Insider MVP 2016 - Present

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

0 Kudos
joe53
5 Rhenium

Re: Immunet: Safe as a 2nd AV?

RD:

You ask the million dollar question. Thanks for the links.

Those avast examples you cite were from February, using an earlier Immunet beta version. The current list of security programs supported by Immunet now includes avast Free 5.0:
http://support.immunet.com/index.php/Immunet_Protect_Software_Requirements_(Beta)

Whether this support addresses the issue you raise is moot.

I forgot to say my NOD32 is not listed as a supported AV, which is another reason why I disabled Immunet.

The eicar testfile isn't much of a robust test, but it was detected by my AV. If I disabled my resident AV, it was detected by Windows Defender. When I disabled WD, it was detected by IE8. Never did get to Immunet detection. The point being there were no conflicts among these programs for this one simple test, in my particular environment.

It will take more than an eicar test to satisfy my reservations however, and I'll leave the real testing to the experts. Meanwhile, despite my (inadvertent) positive experiences to date, Immunet beta returns to disabled status on my system, for precisely the concern you express.

_________________________________________


Dell Forum Member since 2,000


 Use OpenDNS   MalwareBytes' Anti-Malware Free


Windows 7/sp1 (64- Bit): Malwarebytes 3.x Premium, Windows Firewall, WinPatrol PLUS, Emsisoft Emergency Kit Free and HitmanPro Free (on-demand scanners), OpenDNS, MVPS Hosts file, SpywareBlaster, Pale Moon web browser, Sandboxie, CCleaner Free.


Windows 10 Pro (64- Bit): Same protection plus Windows Defender AV.


"In the future, everyone will be anonymous for 15 minutes" - Banksy

0 Kudos
kevin27
4 Beryllium

Re: Immunet: Safe as a 2nd AV?

OK, I just had a try running Immunet and Avast. This is in no way a thorough test, as all I have done is try to open the infected files with both AVs running. No system crashes; I have not tested for slowness and incompatibility issues, just what would happen if both detected a file at the same time.

Results for Avast: (unless stated NO warning box, there was one)

TDL3  Quarantined
LOP  Quarantined
Koobface,  NO warning box but still in Quarantine
W32.Rootkit  Quarantined
W32.Downadup  Quarantined
W32.Fasec x15 different files  Quarantined (2 or 3 files, NO warning box but all in Quarantine)
W32.Monder x8 files Quarantined (1 or 2 as above)
W32.Zapchest x2 files  Quarantined
W32.Obfuscated x2 files Quarantined

Total = 32 malicious files run; 28 or so resulted in a warning popup box, ALL in Quarantine.


Results for Immunet:

Popped up the few times that Avast did not.

In Quarantine are 9 of the W32 files out of the 27 W32.Fasec/Monder/Zapchild/Obfuscated, so it missed 18 of those files in total.

W32.Downadup was detected (no popup warning) NOT Quarantined
W32Koobface was detected WITH warning box, NOT Quarantined
W32.Rootkit was detected (no popup warning) NOT Quarantined

The malicious .sys file from TDL and the LOP installer are listed in the results window as "A Known Legitimate Program was Installed on your System"

Total = Not very good, I won't be using it.

Hope that helps. I'm really busy this week but will run all those files with the AVs off, and then scan with each program and post the results back here, but that's something to go on for now.

Thanks
K27.


EDIT:

Forgot to add that when you first install Immunet, it prompts for a "Flash Scan". This lasted 50-odd seconds, scanned 2500 or so files, and did not flag any of the above files located in a folder in the root of the drive.

Malware Removal Staff at SpywareHammer

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil

0 Kudos
1972vet
5 Tungsten

Re: Immunet: Safe as a 2nd AV?

Quote:
...the company's free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.

Nothing at all new about that. I don't know of one a/v product that doesn't ask the user to upload statistical data to the vendor. Usually that is a default setting, already checked but the user would have the option to remove that during the installation. Long and short of it is, most vendors ask the community for input but none of them rely on it...except for these new "cloud" computing concept vendors. This "Immunet" program is news to me as I've never heard of it. I would also never use it certainly as a primary security scanner and NEVER as a secondary on board scanner. Why would anyone? You only need one, and if you should ever want another opinion, there are plenty of online scanners available.

The problem with "cloud computing" type a/v products is that one must have an internet connection in order to take advantage of the "cloud". You might have most of what is already in the database already included in the signature database on board, but whatever is newly circulating, one would need access to the cloud in order to download the latest protection. The problem with that as I see it, is that some infections will remove your internet access.

If you have one of those, how then are you to recover the system? Well, according to THAT vendor, you should then rely on your OTHER on board a/v product.

Does anyone else see the futility of this?

Bottom line is, you only need one. They want you to have two.

If you wanted to test two a/v products running on the same system for instability issues you should scan with one a/v product to see if it finds anything in the quarantine folder of the other a/v product. That can be where you should find the most devastating results if there are to be any.

As both a/v engines should be different, including real time scanning, one cannot be sure at what time either is performing a scan and at what pace...that is, while one could be scanning C:\Program Files the other may be scanning C:\Documents and Settings...you get the idea.

Under that type scenario, there could be a seemingly flawless run when one or either finds one file at a different time and place arresting the offending file and changing its file extension, then compressing it to a zipped file...but that's not the end of it.

It should be assumed that eventually the scan engine will catch up with the other but that is only an assumption. When it does, and if it's worth its salt, and of course, depending on the settings, it should complain of the file even though it's already in the lock-up.

At that point, what really creates the instability isn't so much the two scan engines wanting access to the offensive file, but rather the behavior of the antivirus product as observed by the other antivirus product.

It's that "observation" combined with the fact that one a/v product now wants not only the offending file but the other a/v product to relinquish all rights to the file, and if it's a good product, it should also want to arrest the other a/v product just based on its behavior. This creates, or should create an argument for which there is no solution. If this "argument" does not occur during your test, then one product or the other is not worth having.

That argument is of course, something that should continue for all eternity. THAT is usually what has happened when a user complains of the system freezing. On inspection, when you see there are two a/v products installed, you can bet the farm that is the reason for it.

But that is the test of a good a/v product...you would not want your a/v product to relinquish rights to ANYTHING...not even another a/v product. See?

Problem is, authors of a/v products don't write the programs giving consideration to any of the other a/v products, so one can or should expect this to be an issue anytime there are two a/v products on board running in real time.

As not all scan the same way, the rough ride isn't always noticed immediately...sometimes the argument issue can occur on the next reboot...or maybe the next time Windows creates an image of the system...or even on closing down the system...maybe even 3 or 4 months down the road.

One can't determine all possibilities since they are so vast. My a/v product for example, won't even allow me to mouse over the installer file of another a/v product without screaming about it.

Bottom line is, it's never a good idea to have more than one a/v product on board running real time protection. You only need one. If you want to install two of them then at least you know what to expect.

Disabled Veteran, U.S.C.G. 1972 - 1978
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

0 Kudos
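The concern raised earlier in the thread (both products trying to quarantine the same file) can be modelled in a few lines. This is an added illustration, not code from any poster or from either product; `scanner_a` and `scanner_b` are hypothetical names, the sample is a constructed harmless text file, and real products hook file access in the kernel rather than renaming files from user-mode threads.

```python
import os
import shutil
import tempfile
import threading

def quarantine(name, sample, vault, results, start):
    """Model one product's on-detection action: move the file into its vault."""
    start.wait()  # both products "detect" the file at the same moment
    try:
        os.replace(sample, os.path.join(vault, "sample.quar"))
        results[name] = "quarantined"
    except FileNotFoundError:
        # The other product already moved the file: handled, not an error.
        results[name] = "detected, file already gone"
    except PermissionError:
        # Typical on Windows when the other product holds the file open.
        results[name] = "detected, file locked"

def race_once():
    """One simultaneous detection: (results, vault_copies, still_on_disk)."""
    root = tempfile.mkdtemp(prefix="two_av_")
    try:
        sample = os.path.join(root, "sample.txt")
        with open(sample, "w") as fh:
            fh.write("constructed harmless placeholder, not malware\n")
        vaults = {}
        for name in ("scanner_a", "scanner_b"):  # hypothetical product names
            vaults[name] = os.path.join(root, name + "_vault")
            os.mkdir(vaults[name])
        results, start = {}, threading.Barrier(2)
        threads = [threading.Thread(target=quarantine,
                                    args=(n, sample, v, results, start))
                   for n, v in vaults.items()]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        copies = sum(len(os.listdir(v)) for v in vaults.values())
        return results, copies, os.path.exists(sample)
    finally:
        shutil.rmtree(root, ignore_errors=True)

def race_many(runs=25):
    """Per run, count how many products ended up holding the file."""
    return [sum(r == "quarantined" for r in race_once()[0].values())
            for _ in range(runs)]

if __name__ == "__main__":
    print(race_once())
    print(race_many())
```

In this model exactly one vault ends up with the file on every run; the other product still records a detection but has nothing left to move.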
joe53
5 Rhenium

Re: Immunet: Safe as a 2nd AV?

k27:

Thanks so much for your tests.

My only question (being a bit confused) is, did you compare
a) avast! (alone) vs. Immunet (alone), or did you compare
b) avast! (alone) vs. avast!+Immunet (both running resident)?

I guess what I'm asking is, did Immunet augment or degrade avast's protection in your testing? No need for any quick reply.

AFAIK, the Flash Scan looks for malware by scanning your system registry and running processes only. Obviously not a substitute for a full AV on-demand scan.
-----------------------------------

1972vet:

Thanks for your input also. Until I read Krebs' article, it was gospel for me also to only use one resident AV (and indeed I still follow and recommend this practice). It's my nature to explore new ideas, so I follow this one with interest.

But I really appreciate all the expert input from all here.


0 Kudos
kevin27
4 Beryllium

Re: Immunet: Safe as a 2nd AV?

joe53,

 

The only test I ran was opening the malicious files with BOTH Avast and Immunet running together; the reason for this is that Immunet is meant to be running hand in hand with another AV.

For point of interest, I have already tested the infections listed with Avast on its own and I can gladly say that Avast blocked and quarantined every one without problem. When I tried with Immunet running, Avast did not warn about some, but when I checked the Virus Vault, everything was in it.

Not quite the case with Immunet. The main thing that worried me was the fact that it listed TDL3 in its report as "legitimate program has been installed".

As 1972vet stated, we will not know of conflicts until I have time to disable both AVs and then run a scan with each one (which I plan on doing tonight). As soon as I have something to post, I will post it here.

Hope that helps,

Regards
K27.


0 Kudos
Not applicable

Re: Immunet: Safe as a 2nd AV?

I too would also like to extend my thanks, to K27, for taking the time to perform these tests, and to 1972vet, for a very informative and well explained post.

0 Kudos
1972vet
5 Tungsten

Re: Immunet: Safe as a 2nd AV?

You can read here what Symantec has had to say about the cloud security concept. Some other very good and valid points are made in that article.


0 Kudos