WacoJohn

Exclusions? Good Idea?


I am a little confused on how Immunet products work .. but if I understand correctly .. there is an issue with the concept of exclusions.

 

Let us say Immunet (or any other product) scans a file. It is a false positive. The file is then put into the Exclusion list. I take that to mean it will not scan that file again .. ever.

 

Later on, the computer gets some kind of infection .. which THEN infects that file. On the next scan .. won't that 'now infected' file NOT be scanned?

 

Somehow, I don't think it is a great idea to tell an Antivirus product to NOT scan ... anything. Files can become infected at any time. A full scan should scan EVERY 'infectible' file on the computer .. detect any infection .. and clean it.

 

Or am I confused (I often am)?


1. Let us say Immunet (or any other product) scans a file. It is a false positive. The file is then put into the Exclusion list. I take that to mean it will not scan that file again .. ever.

2. Later on, the computer gets some kind of infection .. which THEN infects that file. On the next scan .. won't that 'now infected' file NOT be scanned?

3. Somehow, I don't think it is a great idea to tell an Antivirus product to NOT scan ... anything. Files can become infected at any time. A full scan should scan EVERY 'infectible' file on the computer .. detect any infection .. and clean it.

Hi WacoJohn,

1. If an Anti-Malware product #1 scans & finds malware, the infected file will then be quarantined in the quarantine of that Anti-Malware #1 only as a "malware". The file remains there, because the Anti-Malware #1 still thinks that the file is infected. If an analysis by the laboratory of that Anti-Malware #1 is done by request, and the file is found to be a "false positive", the user should normally restore this file to its normal place in the computer, because the file is found to be "clean" and should be in use again. Next time this Anti-Malware #1 scans the computer, it shall not regard this file as infected any longer, so that particular file will not be quarantined again by Anti-Malware #1. (Provided that the database of Anti-Malware #1 is immediately updated after the result of the analysis.) So normally the Exclusion List of that Anti-Malware #1 should not be used for that purpose.

Now, there can be another unexpected problem! If you have another Anti-Malware #2 installed, it can quarantine the file in its own quarantine immediately, because this Anti-Malware #2 regards the file to be infected by a malware. (Note that Anti-Malware #2 quarantined the file in its own quarantine, not due to a scan done but due to the restoring from quarantine #1.) Another analysis by the laboratory of Anti-Malware #2 and so on.....

To have several Anti-Malwares installed (even if they accept each other) can strengthen the protection, but can cause more troubles than expected!

2. Placing files on any Exclusion List should be avoided, because files on any exclusion list will never be scanned or detected. (So go through all exclusion lists frequently and delete as many files from them as possible. Really treat Exclusion Lists literally as Exclusion only and keep their contents at a minimum!)

3. Completely correct, WacoJohn!

4. Exception: If some software products do not accept each other completely, some exclusion lists must then be filled with necessary exclusions. Note that Immunet has already at installation listed necessary exclusions for Avira, Kaspersky, & Avast. When new security products are issued in the future, maybe some of them must be added to the list!

Cheers,

sweidre
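As an added example (not Immunet's code and not from anyone in this thread): a small Python audit of an exclusion list that flags exactly the risks discussed above, an excluded file that has changed since it was excluded (and so needs its exclusion removed and a rescan), a duplicate entry, an entry whose path no longer exists, a directory exclusion that shields everything placed under it, and an exclusion that has outlived its grace period. File names, dates and the 14-day grace period are constructed assumptions.

```python
"""Exclusion-list hygiene audit (added example, not Immunet's code).

A file on an exclusion list is never rescanned, so if it is modified later
nobody notices. This audit keeps a baseline SHA-256 of each excluded file at
the time it was excluded and reports anything that needs attention.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Exclusion:
    path: str
    added: date                      # when the entry was put on the list
    baseline_sha256: Optional[str]   # None if no baseline was recorded


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_exclusions(exclusions: List[Exclusion], today: date,
                     grace_days: int = 14) -> Dict[str, List[str]]:
    """Classify each exclusion. A single entry may land in several buckets."""
    findings: Dict[str, List[str]] = {
        "CHANGED": [],    # file differs from baseline: drop exclusion, rescan
        "MISSING": [],    # path no longer exists: stale entry
        "DIRECTORY": [],  # whole folder excluded: anything dropped there is shielded
        "DUPLICATE": [],  # same path listed twice
        "EXPIRED": [],    # temporary FP workaround older than the grace period
    }
    seen = set()
    for ex in exclusions:
        key = os.path.normcase(os.path.normpath(ex.path))
        if key in seen:
            findings["DUPLICATE"].append(ex.path)
            continue
        seen.add(key)
        if (today - ex.added).days > grace_days:
            findings["EXPIRED"].append(ex.path)
        if os.path.isdir(ex.path):
            findings["DIRECTORY"].append(ex.path)
        elif not os.path.isfile(ex.path):
            findings["MISSING"].append(ex.path)
        elif ex.baseline_sha256 is not None and sha256_file(ex.path) != ex.baseline_sha256:
            findings["CHANGED"].append(ex.path)
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the audit over a constructed exclusion list; returns base names only."""
    today = date(2011, 5, 20)  # constructed "today"
    with tempfile.TemporaryDirectory() as root:
        player = os.path.join(root, "player.exe")   # constructed FP, excluded 3 days ago
        helper = os.path.join(root, "helper.dll")   # constructed, excluded 7 weeks ago
        catroot = os.path.join(root, "CatRoot2")    # constructed folder exclusion
        os.mkdir(catroot)
        with open(player, "wb") as f:
            f.write(b"MZ original player bytes (constructed)")
        with open(helper, "wb") as f:
            f.write(b"MZ helper bytes (constructed)")
        exclusions = [
            Exclusion(player, date(2011, 5, 17), sha256_file(player)),
            Exclusion(player, date(2011, 5, 17), sha256_file(player)),  # listed twice
            Exclusion(helper, date(2011, 4, 1), sha256_file(helper)),
            Exclusion(os.path.join(root, "gone.tmp"), date(2011, 5, 1), None),
            Exclusion(catroot, date(2011, 5, 19), None),
        ]
        # Simulate the excluded file being modified after it was excluded.
        with open(player, "ab") as f:
            f.write(b" + simulated tampering (constructed)")
        result = audit_exclusions(exclusions, today)
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:10s} {paths}")
```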


4. Exception: If some software products do not accept each other completely, some exclusion lists must then be filled with necessary exclusions. Note that Immunet has already at installation listed necessary exclusions for Avira, Kaspersky, & Avast. When new security products are issued in the future, maybe some of them must be added to the list!

Hi again,

I have my doubts about one of the default exclusions in Immunet: C:\Windows\System32\CatRoot2\, because I am studying "Zero Days Threats - Videos by srjaure" ,see thread:

http://forum.immunet...ro-day-threats/

On some of the videos there it is just mentioned, that many threats are hiding in C:\Windows\System32\ folder! Note, that he did not mention C:\Windows\System32\CatRoot2\, so maybe the threat files will hide directly under C:\Windows\System32\ root folder, not in the CatRoot2 sub-folder! I am not sure, anyhow!

Cheers,

sweidre


Thank you for the comprehensive reply. From what you describe, having an exclusion list is dangerous .. as I mentioned. A product will not scan anything on its exclusion list .. so if it ever gets infected ... one would not know it.

 

So .. I have an item on my I3.0 exclusion list. I did not put it there. It is a false positive I submitted to Immunet a few days ago. In fact, .. for some reason .. it is listed twice.

 

So .. it was an FP .. and should not be 'caught' as infected. It is on my Exclusion list. It needs to come off my exclusion list ... so it will continue to be scanned in case it ever DOES get infected.

 

I have not heard back from Immunet since I submitted it .. that it is OK and 'in their database'.

 

So .. what should I do? It sits there .. excluded.


Thank you for the comprehensive reply. From what you describe, having an exclusion list is dangerous .. as I mentioned. A product will not scan anything on its exclusion list .. so if it ever gets infected ... one would not know it.

So .. I have an item on my I3.0 exclusion list. I did not put it there. It is a false positive I submitted to Immunet a few days ago. In fact, .. for some reason .. it is listed twice.

So .. it was an FP .. and should not be 'caught' as infected. It is on my Exclusion list. It needs to come off my exclusion list ... so it will continue to be scanned in case it ever DOES get infected.

I have not heard back from Immunet since I submitted it .. that it is OK and 'in their database'.

So .. what should I do? It sits there .. excluded.

Hi WacoJohn,

The exclusion list of Immunet should only contain paths to folders or files that really must be excluded, for instance Avira, Avast, & Kaspersky, which are security software products that conflict with Immunet by experience.

If an analysis by Immunet reports a "false positive", Immunet should report this to the Immunet Cloud, so that all Immunet installations in all users' computers get the info that the particular file is clean and not a malware. (Now, I think it will take some time until the "false positive" will first be reported to the Cloud and from there to each individual computer. I can imagine that this report to the cloud will be only during Immunet work hours US Mountain Time Mon-Fri 9-5, so sometimes the time lag can be days, especially during long holidays (Xmas+New Year & Easter)! Therefore, I think that Immunet immediately after the restoration of a file from quarantine automatically adds this file (+path) on the exclusion list. Otherwise Immunet will right away quarantine it again! If you have added the file to the exclusion list and also Immunet had done so, you will of course see duplicates of the exclusion. Note, this parenthesis is only my speculation now; do not take this for certain!) Anyhow, after a few days when reporting to the cloud has been implemented, the exclusions for this particular file are redundant and can be removed by clicking on the (X) to the right of the particular exclusions.

Cheers,

sweidre


So .. if I understand you,

 

I3.0 scans a file. Detects infection or possible infection. It quarantines it. The 'cloud' examines everyone's quarantine folder .. and determines if the file is infected or a false positive.

 

If infected, .. not sure what happens (would love to know).

 

If false positive, I3.0 automatically removes it from quarantine??????? If yes .. then the file is subject to scan again .. but is in the database as OK .. as long as the heuristic matches. If the file has SINCE become infected, it will quarantine again??????

 

If all the above is true .. then I should leave the exclusion list alone .. it will 'manage itself' ... unless of course I intentionally PUT something on the list .. which I don't see ever doing .. in that anything on the list never gets scanned. That would be foolish.

 

I want to thank you for your time and input. I apologize to be 'so concerned' .. it is just that I am trying to understand how the product works.


1. I3.0 scans a file. Detects infection or possible infection. It quarantines it. The 'cloud' examines everyone's quarantine folder .. and determines if the file is infected or a false positive.

2. If infected, .. not sure what happens (would love to know).

3. If false positive, I3.0 automatically removes it from quarantine??????? If yes .. then the file is subject to scan again .. but is in the database as OK .. as long as the heuristic matches. If the file has SINCE become infected, it will quarantine again??????

4. If all the above is true .. then I should leave the exclusion list alone .. it will 'manage itself' ... unless of course I intentionally PUT something on the list .. which I don't see ever doing .. in that anything on the list never gets scanned. That would be foolish.

5. I want to thank you for your time and input. I apologize to be 'so concerned' .. it is just that I am trying to understand how the product works.

Hi WacoJohn,

As Immunet has no Manual, Tutorial, or FAQ, we can only speculate (guess)!

1. Emsisoft & ESET examine the quarantine after every update, but I have not seen any info that Immunet examines the quarantine. (I doubt it, but it should, in fact!) Immunet examines all files outside the quarantine for sure, except files on the Exclusion List.

2. You mean in quarantine? An infected file remains in the quarantine until you personally press the "restore" or "remove" buttons. When in quarantine the file cannot do any harm, but cannot be used either. Quarantine is like a prison, where you are the guard who opens the door to freedom or to the electric chair! (But the file can be kept in jail for life also.)

3. I think that you must personally restore (not remove) it from the quarantine by clicking on the button "restore", if the file is clean = false positive! An infected file in quarantine you can keep in the quarantine or personally remove by clicking on the button "remove". Note that a removed file is gone from your computer for good and cannot be restored. (Some AV products have the possibility to clean an infected file in certain cases, so it can be used normally again as cleaned. I have not seen that Immunet has this function.) A restored file is free in the computer until it gets infected. Immunet will then quarantine it again. New analysis and so on.....

4. All above is not true!

5. To really know how Immunet works, Immunet must issue a manual, tutorial, or FAQs. On the homepage of Immunet, there are no links to Manual, Tutorial, or FAQ! Immunet has a lot of homework to do!

6. I know that you want Immunet to do everything automatically for you, but that is not the case! Many users believe only in themselves and want to handle things by themselves and not leave all decisions to be made by a non-human software!

Cheers,

sweidre


Hi WacoJohn,

As Immunet has no Manual, Tutorial, or FAQ, we can only speculate (guess)!

1. Emsisoft & ESET examine the quarantine after every update, but I have not seen any info that Immunet examines the quarantine. (I doubt it, but it should, in fact!) Immunet examines all files outside the quarantine for sure, except files on the Exclusion List.

 

 

As long as SOMETHING is examining the file for 'bad code', ... fair enough. I really don't know anything about Emisoft or Eset. I expect 'the product' to do something with quarantined files .. which is to presumably determine infection or not.

 

 

2. You mean in quarantine? An infected file remains in the quarantine until you personally press the "restore" or "remove" buttons. When in quarantine the file cannot do any harm, but cannot be used either. Quarantine is like a prison, where you are the guard who opens the door to freedom or to the electric chair! (But the file can be kept in jail for life also.)

 

I understand 'quarantine'. What I don't get is how it is up to me to know whether to unquarantine or delete or leave the file IN quarantine? If I knew the file was safe .. I could unquarantine. If I knew it was infected, I could delete it. If I knew it was FP, I could delete it. I know none of these conditions. That's why I have an antivirus product... to tell me.

 

3. I think that you must personally restore (not remove) it from the quarantine by clicking on the button "restore", if the file is clean = false positive! An infected file in quarantine you can keep in the quarantine or personally remove by clicking on the button "remove". Note that a removed file is gone from your computer for good and cannot be restored. (Some AV products have the possibility to clean an infected file in certain cases, so it can be used normally again as cleaned. I have not seen that Immunet has this function.) A restored file is free in the computer until it gets infected. Immunet will then quarantine it again. New analysis and so on.....

 

There is the flaw in the logic. Unless 'the product' somehow confirms it is safe, infected, or FP, I have no idea what to do with it.

 

4. All above is not true!

 

I know .. we are speculating.

 

5. To really know how Immunet works, Immunet must issue a manual, tutorial, or FAQs. On the homepage of Immunet, there are no links to Manual, Tutorial, or FAQ! Immunet has a lot of homework to do!

 

Our speculation indicates that Immunet merely scans files .. compares them to some heuristics and if there is a failure to compare, it simply quarantines the file. That's about it .. no more, no less.

 

6. I know that you want Immunet to do everything automatically for you, but that is not the case! Many users believe only in themselves and want to handle things by themselves and not leave all decisions to be made by a non-human software!

 

That would be nice, but at a minimum, what I would like for it to do is tell me what to do with a quarantined file. I have submitted several suspected FPs. Depending on where I submit them (at least 3 options .. with one of them being recommended), I have received feedback on about two .. that they were indeed FPs. The others .. I am still left to wonder. It comes back to 'what to do with a quarantined file?' The Immunet product happily goes along quarantining this or that, .. but there is no comprehensive instruction for what to do when it does quarantine. If the file is infected .. I want to delete it or leave it in quarantine. If it is FP, I want to undelete it and I don't want it quarantined again UNLESS it BECOMES infected. It appears the Immunet product is not that comprehensive. It 'flags' files and puts them in quarantine. At that point, the user is left to figure out what to do next. I guess that is better than nothing. If that is the case, Immunet needs to say so and I would know that a quarantined file needs to be further 'certified' by SOME means. I have assumed that when Immunet quarantines a file, the file was 'somehow processed' and that Immunet dispatched the file properly .. somehow. Evidently it doesn't. All it does is flag a file as not matching some heuristic and toss it into quarantine. If I am wrong .. then I would love for Immunet to clarify all this.

 


I think that the discussion has become a bit messy now, so I want to start from another end with an example:

”The product” examines files in the computer all the time: when they start, move, and in other aspects. In addition to this “the product” scans files at manual and/or scheduled scanning.

When “the product” regards a file to behave in a way, that is not normal, “the product” decides to place it in quarantine to give the computer user the opportunity to decide, what should be done with it. The user has then 3 options: 1.) “Restore” it to its normal place again and let it continue its role in the computer 2.) “Remove” it for good. 3.) ”Keep it quarantined”. Option 3.) “Keep it quarantined” is often the best solution, if the user does not immediately know what to do with the file. The user might use a search engine (Google, Yahoo, etc) to get more info about that file, a second opinion by letting “another product” analyse the file. If the user has found, that the file has a low risk only and the user will not be without that file, because it is needed for a necessary purpose, let’s say a music player, maybe the user will decide to 1.) “Restore” the file. Then the user must place the file on an exclusion list first, otherwise the file will be quarantined again, until “the product” has received instructions, that the file is clean to use (= so called “false positive”).

If the file has a high risk, and the file is regarded malicious, the user should reconsider his earlier decision. (The user is in a dilemma now, he likes the music player but realizes that he must look for a similar music player. Temporarily he must keep the file on the exclusion list, while he is looking for another music player software with all files clean. When he has found a new music player that will fulfill his requirements, he can first uninstall the first music player, and check if the malicious file is gone. If it is gone, the user can delete the file from the exclusion list and then install the new music player. In this example, the malicious file was gone without using option 2.) "Remove".)

Is the option 2.) "Remove" redundant? No, if the file in the quarantine is a single malware file not as a part of an installed software, but placed unintentionally into the computer through an email or a careless visit to a bad website. In this case option 2.) "Remove" should be used. Preferably a complete scan of the computer is now recommended, because the "single" contaminated file maybe did not arrive alone, but arrived together with other malware files.

These lines show, that we cannot let “the product” automatically decide how to behave. The user can by his own testing solve the problem. We cannot let “the product” decide what music player that shall be used.

This was a single example only! We need to show more examples in order to explain the problem with quarantining! There are many solutions that the user can take himself, but he must be alert and consider many things at the same time!

Cheers,

sweidre


Hi WacoJohn,

I think that we cannot on one single thread (topic) discuss these issues, because they all originate from & lead to the core of the Immunet product: "The Detection Engines"

Exclusions -> maximize or minimize numbers

Quarantine -> restore from, remove from, keep in

Analysis Methods

Infections <> False Positives

Automatic <> Manual

Decision by User (subjective) <> Decision by Product (Objective)

If we compare with other products, I think the confusion will be total!

Cheers,

sweidre


Hi WacoJohn,

I think that we cannot on one single thread (topic) discuss these issues, because they all originate from & lead to the core of the Immunet product: "The Detection Engines"

Exclusions -> maximize or minimize numbers

Quarantine -> restore from, remove from, keep in

Analysis Methods

Infections <> False Positives

Automatic <> Manual

Decision by User (subjective) <> Decision by Product (Objective)

If we compare with other products, I think the confusion will be total!

Cheers,

sweidre

 

Messy discussion indeed. I apologize. On a positive note, you have actually cleared up a lot for me. Basically, the Immunet 'product' does not 'clean' anything. It does put files in quarantine, but it does not comprehensively 'manage' quarantines ... that is up to the user. It does analyze items in people's quarantines in service to the 'cloud'. What is quarantined on my machine SOMEHOW benefits the cloud .. I do believe. I CERTAINLY hope the product discerns FPs .. otherwise, it is protecting the 'cloud' from a False Positive.

 

What I have learned is .. anything quarantined by 'the product' has to be evaluated by ME .. and then managed as you described (quite well, I will say). Basically, 'the product' scans files, places suspicious and known malware in quarantine, and somehow 'serves a cloud base' .. and that is about it. Hence, it is .. a 'second line' of protection to an 'actual' antivirus product.

 

Here is where it gets a bit more confusing. My I3.0 includes CLAM AV detection Engine. There is an option to install 'the product' withOUT Clam AV. I assume Clam AV does not detect and clean EITHER ... it is just an added 'detection' scheme(?)

 

As you infer .. this thread is 'messy', complex, convoluted, and speculative. I agree with you. Complex questions, complex answers. On that note, no further comment is expected on your part. I think I have a clearer understanding of what 'the product' does and does not do ... thanks to your patience, time, and courtesy. Thank you again.


I CERTAINLY hope the product discerns FPs .. otherwise, it is protecting the 'cloud' from a False Positive.

Here is where it gets a bit more confusing. My I3.0 includes CLAM AV detection Engine. There is an option to install 'the product' withOUT Clam AV. I assume Clam AV does not detect and clean EITHER ... it is just an added 'detection' scheme(?)

Hi WacoJohn,

I agree, what you write in the latest post, except for a few lines kept from above, that need my comments:

I CERTAINLY hope the product discerns FPs .. otherwise, it is protecting the 'cloud' from a False Positive -> My Comment: The product looks only for infections (not FPs = clean files). If an analysis regards an infection to be an FP, the product will no longer consider that particular infection as an infection, because it has been reported as an FP to the cloud. So the results of our analysis reports really matter! (OK, with a time lag depending on Immunet's limited work scheme.) Due to this time lag, which during some long holidays can be up to a week or so, we are forced to temporarily add items to the exclusion list. (Remember to delete unnecessary exclusions frequently using the (x)-es to the right of the exclusions. Our target is to keep the list of exclusions to a minimum.)

Here is where it gets a bit more confusing. My I3.0 includes CLAM AV detection Engine. -> My comment: I have installed Immunet Free without ClamAV (alt.1)

There is an option to install 'the product' withOUT Clam AV. -> My comment: I have installed that option (alt.1), because I did not want to have ClamAV (only cloud-based).

I assume Clam AV does not detect and clean EITHER ... it is just an added 'detection' scheme(?) -> My comments: I have once asked Orlando, why I have a clamav folder anyway in my computer. Orlando replied, that the clamav folder is there just in case I want to use ClamAV in the future. Orlando told me, that he has done a short program, that will delete the clamav folder for good to save some space for me, if I am interested.

Cheers,

sweidre

PS. It is very strange that Immunet has not published any manual, tutorial, or FAQs about these important things! Does Immunet take certain considerations regarding ClamAV (Sourcefire's own product)? Originally Immunet was planning to have 2 products only: Immunet Free (only cloud-based) & Immunet PLUS (Immunet Free + certain functions: Tetra, email scanning & rootkit scanning). Has Sourcefire at New Year forced Immunet to include ClamAV, which in fact complicates the product assortment of Immunet? (ClamAV is in fact redundant, as Tetra does the same offline job as ClamAV, and maybe better!) DS.


I have once asked Orlando, why I have a clamav folder anyway in my computer. Orlando replied, that the clamav folder is there just in case I want to use ClamAV in the future. Orlando told me, that he has done a short program, that will delete the clamav folder for good to save some space for me.

 

Does Immunet take certain considerations regarding ClamAV (Sourcefire's own product)? Originally Immunet was planning to have 2 products only: Immunet Free (only cloud-based) & Immunet PLUS (Immunet Free + certain functions: Tetra, email scanning & rootkit scanning). Has Sourcefire at New Year forced Immunet to include ClamAV, which in fact complicates the product assortment of Immunet? (ClamAV is in fact redundant, because the Tetra module in the PLUS version does the same job as ClamAV and maybe better.) DS.

 

 

???????????? ClamAV is redundant in the PLUS version ... I am using FREE ver WITH Clam AV. Now I wonder if Clam AV is even functioning ... I guess since I am using Free .. it is.


???????????? ClamAV is redundant in the PLUS version ... I am using FREE ver WITH Clam AV. Now I wonder if Clam AV is even functioning ... I guess since I am using Free .. it is.

I do not use the PLUS version, but why should the PLUS version also include ClamAV, when it already has the TETRA module?

I use the FREE version (cloud-based only), but still there is a clamav folder in my Immunet directory.

I have not yet used Orlando's small program that will delete the ClamAV folder.

But I assume that Orlando's program can delete the ClamAV folder both in the FREE & in the PLUS versions, if the user prefers to get rid of ClamAV for good!

Maybe Orlando's program should be used to get rid of ClamAV for good, so we do not have to think about whether ClamAV still has an effect to some extent.

I do not think that Sourcefire is happy about Orlando's program that can delete ClamAV completely, but we do not care, do we?!

Cheers,

sweidre


Hi WacoJohn,

Prior to the takeover of Immunet by Sourcefire there were FPs reported in the forum, but after the takeover by Sourcefire the number of FPs reported in the forum has really increased. The takeover by Sourcefire, that was published in many media, caused a real fast increase of the number of people (users) protected from an increased number of threats stored in the cloud. As more people join the Immunet community, more users have been members in the forum. Many of these newbies in the forum have reported more FPs. Those FPs are reported to the Immunet cloud via reports to for example support@samples.immunet.com and get removed from the malware database in the Immunet cloud, if analyzed as FPs.

But the number of FPs reported in the forum is only the tip of a big iceberg. The majority of users (approx. 1,400,000) are not members in the forum and do not know how to report FPs to Immunet. (The address support@samples.immunet.com is unknown to them. Tutorial, Manual or FAQs about FP handling do not exist!) This means that even if some FPs announced in the forum are analyzed and reported to the cloud, the cloud will contain more and more malware every day, not enough decreased by reported FPs.

Cheers,

sweidre

PS. After the takeover by Sourcefire, the increased number of members in the forum has increased the number of FP reports (topics), but the number of admins/mods has decreased, so the current active admins/mods in the forum are busy with only FPs. Other topics (Ideas, Defects, Product development, FAQs etc.) are therefore left without any reply or decision. DS.


Your points are well made and well taken. Submitting FPs at this time is gruesome at best. I would agree .. very few even do submissions.

 

I am a networks security expert BY NO means, but it is my opinion that security threats are rising .. and the 'consumer' is losing the battle. Large corporations, govt. agencies including the military, and of course average users of the INTERNET are being hacked, attacked, infected, and damaged to a degree that is not publicized. The threat is rising and the defenses are poor.

 

This just announced today:

 

"Microsoft admits that one in fourteen downloads are Windows malware."

 

http://www.zdnet.com/blog/networking/one-in-fourteen-internet-downloads-is-windows-malware/1079?tag=nl.e550

 

The threats are 'seriously' expanding to MAC and Linux systems.

 

It is CLEAR that terrorist organizations utilize the INTERNET immensely ... and employ high level 'talent' in order to damage computer systems of their targets. I personally believe internet security is MORE threatened than 'open borders' threatens various societies. I think the problem is immense .. and getting worse.

 

Immunet/Sourcefire .. at this time holds the top position in cloud AV/AM but the industry is going to explode. If Immunet accelerates product development and provides effective protection .. they could be as big as Google or MS (almost). It is sad that so many improvements have been posted .. but new versions are slow to come forth. It is sad that the response to forum posts and FP submissions is poor.

 

Immunet needs to move forward FAST .. and maintain a position as a leader in 'security' ... the cloud approach is the best approach (in my opinion), and detection of infections as well as FPs, and the effective dispatch of both are a must in order to stay 'on top'. It will get even better for Immunet when they provide infection CLEANING as well .. as do most AV products.

 

The problem is huge and growing and thereby so is the market. Immunet or someone is going to be up there with the biggest if they can produce a wholesome product and wholesome service.


PS. After the takeover by Sourcefire, the increased number of members in the forum has increased the number of FP reports (topics), but the number of admins/mods has decreased, so the current active admins/mods in the forum are busy with only FPs. Other topics (Ideas, Defects, Product development, FAQs etc.) are therefore left without any reply or decision. DS.

Hi,

Regarding Immunet's product(s), members in the forum can only come up with ideas/proposals and discuss them back and forth. Decisions regarding Immunet can only be made by the admins & mods appointed by Immunet. Many threads (topics) about Immunet Protect have not been decided upon (not even commented upon) by any admin or by any mod. So in my mind, it is rather useless in this situation to come up with ideas regarding Immunet. The list of non-replied threads (topics) only becomes longer and longer! (Forget about topics of pure informative character, which do not need any reply at all!)

Cheers,

sweidre


It will get even better for Immunet when they provide infection CLEANING as well .. as do most AV products.

Hi WacoJohn,

Your latest post as a whole is very well written, and I read through the external link, and it was also very informative. But your post is so important that it should not be "hidden" in this thread! I think nobody is reading the posts in the thread "Exclusions? Good Idea?"! I suggest that you copy the whole post including the external link and publish it in a new thread of yours with a new heading that better describes your post.

Before you post it, I think you should alter my quotation above, because I doubt that most AV products do CLEANING. I know that ESET tries to do it, but often I get the info that CLEANING was not possible, so the whole file must be quarantined. Without being an expert at all, I understand that if the file is only superficially infected, the infection can be removed and leave the file cleaned and workable again. But if the file is so infected that the file structure is completely infected, the file cannot be cleaned without destroying the file at least partly!

Cheers,

sweidre


Thank you for the approval of my post. As for reposting it .. I will have to give it some thought. Somehow I feel it would appear I am over-imposing my view on the forum. I'm OK with posting it here .. but don't want to 'overdo' it.


You are right about cleaning infected files .. depends on the severity, I am sure. As for products that 'clean' .. probably not in the cloud approach, but most of the conventional AV products do .. or attempt to with large success. I speak of those like Avast, McAfee, Norton, PCTools, AVG and quite a few others. Actually, I assumed Immunet DID clean .. and was surprised to find (from your input) that it doesn't. It is just an assumption I made at first.


My thought was it probably 'could' be done with the cloud approach .. and if Immunet developed the ability, it would put them right up front.


I do not use the PLUS version, but why should the PLUS version also include ClamAV, when it already has the TETRA module?

I use the FREE version (cloud-based only), but still there is a clamav folder in my Immunet directory.

I have not yet used Orlando's small program that will delete the ClamAV folder.

But I assume that Orlando's program can delete the ClamAV folder both in the FREE & in the PLUS versions, if the user prefers to get rid of ClamAV for good!

Maybe Orlando's program should be used to get rid of ClamAV for good, so we do not have to wonder whether ClamAV still has an effect to some extent.

I do not think that Sourcefire is happy about Orlando's program, which can delete ClamAV completely, but we do not care, do we?!

Cheers,

sweidre


If I understand correctly, .. Paid has Tetra .. so does not need Clam. Paid subscribers could delete Clam with Orlando's utility .. and save some disk space. FREE doesn't have Tetra .. so would benefit from Clam. Free subscribers would therefore not wish to delete Clam. I use FREE with Clam .. hoping for all the protection I can get.


Incidentally, there is ANOTHER utility written by Orlando (I think) .. called Immunet Protect Fix Tool which automates the deletion of history.db file .. except when I ran it, it did not work. I posted this in the thread which introduces the utility .. but no replies thus far.


Actually, I assumed Immunet DID clean .. and was surprised to find (from your input) that it doesn't. It is just an assumption I made at first.

Hi WacoJohn,

We have no Immunet Manual, FAQ, or Tutorial, so in fact we do not know! For me Immunet Free has not quarantined many files, but in those cases I have never got any message from Immunet that it has tried to clean the file prior to quarantining! So therefore I assume that Immunet Free does not have any cleaning feature! Does the TETRA module in Immunet Plus have a cleaning feature? I have no idea! Somebody (I think it was dallas7) has said that the TETRA module works like BitDefender. Now the question is: "Does BitDefender have a cleaning feature?"

Cheers,

sweidre


FREE doesn't have Tetra .. so would benefit from Clam. Free subscribers would therefore not wish to delete Clam. I use FREE with Clam .. hoping for all the protection I can get.

Incidentally, there is ANOTHER utility written by Orlando (I think) .. called Immunet Protect Fix Tool which automates the deletion of history.db file

Hi WacoJohn again,

Immunet Free(with/without ClamAV)

Once I downloaded & installed Immunet Free with ClamAV (alt.2), but I was disappointed already at the startup of my computer. Startup was very slow. (I have heard that the reason is that ClamAV updates its malware database in the computer at computer startup.) As I already have enough programs starting at computer startup, I decided not to use ClamAV. I already have enough AVs/AMs with databases in the computer, so I want only a light-weight cloud-based version of Immunet Free. So I immediately uninstalled Immunet Free (with ClamAV) completely, and I installed Immunet Free without ClamAV (alt.1) instead, and this version I have kept ever since.


The programs done by Orlando

Regarding Orlando's programs I am a bit hesitant. Once I downloaded a file (executable file) done by Orlando (described in another long thread). The file was quarantined by my Emsisoft Anti-Malware. Orlando said that the file was clean, so I placed the file on the exclusion list of Emsisoft and restored the file from the quarantine of Emsisoft. What happened? Immediately Immunet quarantined the file. Orlando insisted that the file was clean. OK, I placed the file on the exclusion list of Immunet and restored the file, but then suddenly my computer crashed with a blue screen error. Fortunately, I had a fresh backup (Norton Ghost) of my system drive to go back to. Only then did Orlando report to several AVs/AMs (including Immunet) that his file is clean = false positive. In my mind, Orlando should have reported this much earlier! So, since then I am really hesitant to use Orlando's files. (I do not want to be a test rabbit again!)

Cheers,

sweidre


As for reposting it .. I will have to give it some thought. Somehow I feel it would appear I am overimposing my view to the forum. I'm OK with posting it here .. but don't want to 'over do' it.

Hi WacoJohn,

Only you and me have posted on this thread "Replying to Exclusions? Good Idea?" Nobody else is interested in this topic. Your post with the very informative external link must in my mind be read by others as well! It was about the vulnerability of Windows, Mac & Linux. Many people still have the impression that Mac & Linux will never receive malware. OK, maybe until now, but according to the external article Mac & Linux will soon be attacked as well!

Cheers,

sweidre


I run I3.0 with ClamAV (Free version). Whether it extends boot time or not, I cannot say for certain .. I have a number of things running at startup. If I HAD to say .. the answer would be "It could be .. but the extension is minimal." What does happen is that sometimes, for no apparent reason, my system has to wait for a HUGE disk access of some kind and I think it has to do with Immunet. One example is that I do computer support via remote access. I use a product called TEAMVIEWER. It is simple .. when I need to access another's computer, I simply run TEAMVIEWER. It has an option to run or install. Run is for occasional access and INSTALL is for 'frequent' access .. not sure I am explaining this right. RUN does not 'install' TEAMVIEWER to the system. When closing TV, there are no folders, hooks, etc. If INSTALL, there are folders etc.


Anyway .. if I have I3.0 'on' .. and RUN Teamviewer, it can take up to 5 minutes or more before TV presents its first window. If I (remember to) turn off I3.0 .. TV loads normally .. in a few seconds. I don't know what I3.0 is doing with TV .. I guess scanning it. It never does get flagged though. I would think that TV is a KNOWN POSITIVE, and would not be scanned over and over .. but then I have to say .. I WANT my AV product to scan .. anything infectible. Point being ... if TV is not infected today .. it could be infected tomorrow. Regardless of what is happening .. I3.0 seems to often cause LONG disk 'thrashing' ... for whatever reason, and to the degree that it is 'objectionable'.


I think it was very noble of Orlando to write his programs. The problem there is .. they are not supported. I think they are ad hoc programs, may be outdated, not officially Immunet utilities, and it is not surprising they fall short. They are simply ad hoc utilities to accomplish features lacking in the I3.0 product .. such as 'clear history' and managing intelligent installs ... Tetra not used in FREE ver ... then don't install it. ClamAV not functional in Paid version .. don't install it. The Orlando 'utilities' are noble ... unfortunately, they are not supported, nor should they be needed if the 'product' were updated.


In conclusion .. I3.0 ... great concept .. but needs a lot of work. I3.0 support needs a lot of work. I3.0 documentation needs a lot of work. Most of the time, I don't know what it is doing. Not sure how it works. Not sure what to do with the results it produces. It hasn't done anything FOR me except produce a lot of false positives ... but that may mean it is doing a GREAT JOB .. I have just not been infected. However, I have it on 3 machines and glad of it. I say this because I assume it is protecting me better than if I don't have it. At this point, it is in Sourcefire's hands to improve it ... or I may end up uninstalling it for one reason or another. From the standpoint of a business model, that would not be a good thing for Sourcefire ... I would think.

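The worry in the post above (a file that is clean today may be infected tomorrow, yet an exclusion keeps it unscanned forever) is exactly the gap a hash-pinned exclusion closes. The following is an added example written for this page, not code from the thread, from Immunet or from any of the products named here: the exclusion is stored together with the file's SHA-256 and stops applying the moment the file content changes. The file name `tool.exe` and its contents are constructed for the demonstration.

```python
"""Hash-pinned exclusions: skip a vetted false positive only while the file is
byte-for-byte unchanged, so a later modification makes it scannable again."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pin_exclusion(exclusions: dict, path: str) -> None:
    """Record the current hash of a file the user has vetted as a false positive."""
    exclusions[os.path.abspath(path)] = sha256_of(path)


def should_scan(exclusions: dict, path: str) -> bool:
    """Return True unless the file is excluded AND still matches its pinned hash.
    A path-only exclusion would return False here forever; a hash-pinned one
    lapses as soon as the content changes, e.g. because the file got infected."""
    pinned = exclusions.get(os.path.abspath(path))
    if pinned is None:
        return True
    return sha256_of(path) != pinned


def demo() -> dict:
    """Constructed scenario: vet a file, then modify it, and compare the decision
    of a hash-pinned exclusion with what a path-only list would do."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "tool.exe")  # constructed stand-in for a clean binary
        with open(target, "wb") as f:
            f.write(b"MZ original vetted content")
        exclusions: dict = {}
        pin_exclusion(exclusions, target)
        before = should_scan(exclusions, target)  # False: unchanged, skipping is safe
        with open(target, "ab") as f:
            f.write(b"\nappended bytes")  # constructed stand-in for later tampering
        after = should_scan(exclusions, target)  # True: pin no longer matches
        path_only = os.path.abspath(target) in exclusions  # path-only list would still skip
        return {"before": before, "after": after, "path_only_still_excluded": path_only}


if __name__ == "__main__":
    print(demo())
```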

Hello edwin,

Thank you very much for your interest in reading and posting in threads that the admins/mods do not visit or reply to! I have seen that you often jump into difficult issues and really try to give your assistance, and mostly with success also!!!! Since New Year the number of admins/mods has really decreased, but the number of members and problems has increased, so I really hope that Immunet will appoint you as an admin!!

Cheers,

sweidre

