Multibooter

Kaspersky Anti-Virus 6.0

27 posts in this topic

It looks like Kaspersky Anti-Virus 6.0 (Win98-compatible) will have signature updates until 1-Oct-2012 http://support.kaspersky.com/de/wks6mp3?level=2 i.e. for nearly 2 more years. There are quite a few tricks necessary, however, before old KAV 6 works today. I am only interested in KAV 6 as a virus checker, not in the protection stuff. Attached is a screen shot, taken just yesterday, after license renewal for signature updates for another year.

Trick 1: Download Kaspersky Anti-Virus v6.0.2.621

- The virus signatures of Kaspersky Internet Security 6, in contrast to Kaspersky Anti-Virus 6, canNOT be updated anymore. KIS 6 is useless for virus checking today.

- There are several different products named Kaspersky Anti-Virus 6.0: One is the retail "Personal" product, another is the corporate "Workstation" product. An activation key for the Personal product does NOT work with the Workstation product and vice versa. The last Win98-compatible versions are v6.0.2.621 (Personal) and v6.0.3.837 (Workstation).

- "Kaspersky v6.0.4.1424 for Windows Workstation MP4" is not Win98-compatible http://support.kaspersky.com/de/wks6mp4/install?qid=208639675

- A trial version of Kaspersky Anti-Virus v6.0.3.837 Workstation can be downloaded here ftp://KAVWorkstation:4HaEgnxkFxCyh8cB@partner.kaspersky.ru/6.0/english/kav6.0.3.837_winwksen.exe but I have no idea how an individual could obtain a license key for it. An English link to v6.0.3.837 (MP3 = Maintenance Pack 3) is at http://support.kaspersky.com/wks6mp3?level=2

This seems to leave just one choice for the individual: Kaspersky Anti-Virus v6.0.2.621, i.e. the Personal product version.

Kaspersky Anti-Virus v6.0.2.621 comes again in 2 flavors:

- as a single file kav6.0.2.621en.exe, digitally signed 21-Mar-2007, which can be downloaded from http://www.filehippo.com/download_kaspersky_antivir/tech/2396/ or http://www.softpedia.com/progDownload/Kaspersky-AntiVirus-Personal-Pro-Download-5005.html Unfortunately when you try to buy a license via softpedia/Digital River, only v7 is offered.

- as a set of 4 files (Setup.exe, kav6.en.msi, kav6.0en.pdf and release_notes_en.html) digitally signed 19-Dec-2007, which I had downloaded from http://data2.kaspersky.com:8080/Distr/6.0.2.621/ in Sept.2008, now 404. The release notes name the version of 19-Dec-2007 as "MP2 CF1". I have no idea where to get these files now.

My suspicion is that the version signed 21-Mar-2007 might be an expiring trial version, i.e. KAV 6 might not work anymore after the license key expires, while the version signed 19-Dec-2007 might be an unexpiring version, i.e. continue to work, even if you cannot update the signatures anymore. But I don't know, I have installed only the version of 19-Dec-2007.

ADDENDUM: See posting #12. The version of 21-Mar-2007, once activated, is NOT an expiring trial version, it works just as well as the version signed 19-Dec-2007 after the expiration of the license key with which it was originally activated.

Another alternative might be to use the original CD which came in the retail box, and select "Update application modules" in the update settings, but I haven't tried that.

Trick 2: A valid activation code

The only way I know of getting a valid activation code for v6.0.2.621 (21-Mar-2007) is to buy an old retail box of v6, with the activation code on the CD envelope inside the box. But these old unused boxes are getting very hard to find. And there are no valid activation codes for v6 floating around elsewhere.

Trick 3: Saving your license key file

When KAV 6 is activated or the signature license is renewed, the activation key is sent to the Kaspersky Activation Server, which then sends back a valid license key in the form of an 849-byte .key file. It may be quite prudent to keep this key file for backup purposes.

If, for example, the computer has become corrupted or is off-line, this key file enables one to re-install and activate KAV 6 without being connected to the activation server: the key file has to be placed during installation, exactly when the window "Installation Complete" is displayed, into the install-to directory, then the next window Activation displays: "License key already installed".

Unfortunately the license key file is a little hard to find. According to the Wikipedia "Kaspersky antivirus software also uses techniques resembling rootkits" http://en.wikipedia.org/wiki/Rootkit and the license key file is actually inside of a "cloaked" folder, seemingly invisible. But under Win98, in contrast to WinXP, there is an excellent tool, MS Find: When entering in field Named: key and in field Look in: \windows\Local Settings\Temporary Internet Files\Content.IE5\, the license key file is displayed and can be backed up. The license key file gets deleted by KAV 6 during the next startup of the opsys where KAV 6 was installed.

If KAV 6 was installed under WinXP, the license key file can probably be backed up by booting after installation into another opsys, where it should be found in I:\Documents and Settings\<user name>\Local Settings\Temporary Internet Files\Content.IE5\

Trick 4: Update distribution folder

The Update distribution folder allows signature updates from a folder instead of from the Kaspersky server. Only a single folder has to be updated from the Kaspersky server, saving bandwidth. Currently the Update distribution folder has about 159 MB, slowly growing. In a multibooting environment, for example, KAV 6 under WinXP could be set to download from the Kaspersky server, while KAV 6 under Win98 could download from the Update distribution folder. Apart from possible licensing issues, there are no technical problems re-using a key in an environment containing update distribution folders. For portability, the update distribution folder could also be on a stick.

The corporate Kaspersky Anti-Virus v6.0.3.837 (Workstation) can also take its signature updates from the Update distribution folder maintained by v6.0.2.621 (Personal)

I am regularly archiving the Update distribution folder, so that, when Kaspersky eventually stops providing signature updates for v6, I will still have a near-to final Update folder. So if I wished to re-install KAV 6 under Win98, say in 5 years, I could update the initial signature of 19-Dec-2007 (only 489.076 signatures) from the last archived update distribution folder (currently 4.451.072 signatures = 8-fold increase in 3 years).

Edited by Multibooter
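As an illustration of Trick 3 in the first post (an added example, not part of the original post and not a Kaspersky tool): a Python sketch that, run from another operating system with the KAV 6 partition mounted, looks below any Content.IE5 folder for .key files of exactly 849 bytes, copies each distinct one to a backup folder and records its SHA-256. The function names, the `SHA256SUMS.txt` manifest name and the sample tree are assumptions made for the example; only the folder name, the .key extension and the 849-byte size come from the post.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

KEY_SIZE = 849             # size of the license key file given in the post
CACHE_DIR = "content.ie5"  # cache folder named in the post, lower-cased


def find_key_files(root):
    """Return .key files of exactly KEY_SIZE bytes that sit below a Content.IE5 folder."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            # Compare case-insensitively: FAT32/NTFS names may be upper case.
            if path.suffix.lower() != ".key":
                continue
            if CACHE_DIR not in (p.lower() for p in path.parent.parts):
                continue
            if path.stat().st_size == KEY_SIZE:
                hits.append(path)
        except OSError:
            continue  # unreadable entry on a damaged volume: skip it
    return sorted(hits)


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def backup_keys(root, dest):
    """Copy each distinct key file into dest; return {sha256: copied path}."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    copied = {}
    for src in find_key_files(root):
        digest = sha256_of(src)
        if digest in copied:
            continue  # the same key cached in two subfolders
        # Prefix with part of the hash so equal file names cannot collide.
        target = dest / f"{digest[:12]}_{src.name}"
        shutil.copy2(src, target)
        if sha256_of(target) != digest:
            raise OSError(f"copy of {src} does not match its source")
        copied[digest] = target
    lines = [f"{d}  {t.name}\n" for d, t in sorted(copied.items())]
    (dest / "SHA256SUMS.txt").write_text("".join(lines), encoding="utf-8")
    return copied


def build_sample_tree(root):
    """Constructed sample data: a fake profile with two cache subfolders."""
    root = Path(root)
    cache = root / "Local Settings" / "Temporary Internet Files" / "Content.IE5"
    files = {
        cache / "A1B2C3D4" / "0123ABCD[1].key": b"K" * 849,
        cache / "E5F6G7H8" / "0123ABCD[2].KEY": b"K" * 849,  # duplicate content
        cache / "E5F6G7H8" / "other.key": b"x" * 100,        # wrong size
        root / "Desktop" / "notes.key": b"n" * 849,          # outside the cache
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp) / "mounted")
        result = backup_keys(Path(tmp) / "mounted", Path(tmp) / "backup")
        for digest, target in result.items():
            print(digest, target.name)
```

The size and folder filters only narrow the candidates; whether a copied file is accepted as a license key can only be confirmed by the installer itself.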

Norton Antivirus 2002 is still functional for win-98 systems, and doesn't really need any tricks to keep operating. The automatic update or "liveupdate" feature doesn't work (I think it stopped working 3 years ago) but it can still be updated by downloading the "intelligent updater" package - which is generated daily (it's about 100 mb in size these days, and continuously growing larger).

That said, I don't really keep mine updated - I'll go 3 to 6 months between downloading a new update package. Win-98 isn't really vulnerable to anything that can get onto your system under your nose (so to speak) or without your help.

For on-demand scanning, I'll submit a suspect file to virustotal.com for analysis against about 40 different AV programs.

Norton Antivirus 2002 is still functional for win-98 systems, and doesn't really need any tricks to keep operating.

Hi wsxedcrfv,

First my best wishes for the new year to you and all the good folks here at msfn.org

I have looked into the archive, but I don't seem to have Norton AntiVirus 2002. I tried and tested under Win98 2 versions, however, which come close to your Norton AntiVirus 2002: Symantec AntiVirus Corporate Edition v8.1.1.323 Client (corresponds to NAV 2002, has the initial virus definition file 6/19/02 rev.5) and Norton AntiVirus 2003 v9.0 Pro v9.00.68. I was able to update both versions under Win98 with the current virus definition files, so that they had today's virus signatures.

For the Corporate Edition v8.1 I downloaded the current update file vd333c03.xdb from ftp://ftp.symantec.com/AVDEFS/norton_antivirus/xdb/ To update the signatures I just had to copy the .xdb file to the install-to directory and then reboot; after Windows startup the .xdb file was processed automatically, which made the 700MHz laptop nearly unresponsive for about 5 minutes. The 118MB .xdb file was expanded to about 688MB of virus definitions. When selecting -> Detectable Virus List, the Definition version was not displayed and the Total signatures was displayed incorrectly at 75279 (instead of millions), without any apparent ill effects.

For Norton AntiVirus 2003 I downloaded the current Intelligent Updater 20101231-002-i32.exe from http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

The virus definitions created from the 102 Mb i32.exe file took only 189MB, much less than the 688MB of Corporate v8, no idea why.

Test 1 - Checking new downloads: I then downloaded for about 30 minutes some stuff with eMule to check how well the updated Symantec/Norton AntiVirus detects malware. About 30-90% of eMule downloads are infected nowadays, this specific download sample (23 files, 142MB) contained actually 10 infected files. Symantec/Norton AntiVirus 2002 and 2003, with current signatures, detected only 1 infected file out of 10, mainly because the old scan engine couldn't look into .rar files or detect malware hidden in .wmv files. After manually extracting the .rar file Symantec/Norton AntiVirus 2002 and 2003 detected 3 more infected files. The inability of the Symantec/Norton AntiVirus 2002 and 2003 to look into .rar files makes it useless to me for checking new downloads. Kaspersky Anti-Virus 6 with the current signature detected 9 out of 10 infected files.

Test 2 - Checking the computer: I ran a 2nd test under Win98 with Norton AntiVirus 2003 + current signatures: I checked most of my laptop. Norton AntiVirus 2003 detected 3 "infected" files. The 3 were leftover patch files, sitting for years on the laptop without having been noticed or having done any damage. I would classify these as 3 false positives. I guess the Symantec scanner tends to identify anything which looks like a patch as an infected file.

At this point in time I would not trade under any circumstances the Kaspersky Anti-Virus 6 scanner for the Symantec/Norton AntiVirus 2002 or 2003 under Win98. On the other hand, in a corporate environment, for a computer running an old Win98-only application, with no patches and no downloads, Symantec/Norton AntiVirus 2002 or 2003 looks OK.

2 questions: Can the 2004/2005 versions of the Symantec scanner check .rar files? Is there a standalone version of the 2004/2005 Symantec scanner, which doesn't corrupt the system with activation stuff?

For on-demand scanning, I'll submit a suspect file to virustotal.com for analysis against about 40 different AV programs.
And maybe get 37 false positives.

Edited by Multibooter

Well, I looked into KAV 6 some time ago when I first started experiencing some issues with SAV 9 (more later) and unfortunately, have to tell you that it was extremely unstable on my W98 system at work. This was a full install, including the run-time protection. It was a struggle to get a few minutes of system operation before lock-ups and other aberrations occurred. It was even a struggle to uninstall it for the same reason. :-(

Now, the problem with SAV 9 (FYI, SAV 8 is useless, its database can no longer be updated) is that since about August/September 2009, the virus database has grown to such an extent, that it silently breaks the run-time protection of SAV 9. No doubt the same will be true for the corresponding NAV edition.

So, that was the reason for trying out KAV 6. In the end, I reverted to SAV 9, since at least that was stable, and the on-demand scan still works, despite the broken run-time protection. In fact, even the automatic updates still work (also manually via Live Update).

Note that there are several sub-versions of SAV 9, so there is a slight chance that some later versions are not afflicted by the "broken run-time protection" issue, but Symantec don't seem to offer an upgrade path between sub-versions of SAV, just between different builds. Grrr.

In summary :

KAV 6 is extremely unstable, at least for a full installation (including run-time protection).

SAV 9 is stable but only useful for on-demand scanning, the run-time protection is broken with current virus databases.

Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).

Joe.

Well, I looked into KAV 6 some time ago... it was extremely unstable on my W98 system at work. This was a full install, including the run-time protection. It was a struggle to get a few minutes of system operation before lock-ups and other aberrations occurred. It was even a struggle to uninstall it for the same reason... KAV 6 is extremely unstable, at least for a full installation (including run-time protection).

Hi Joe,

The Kaspersky people are good with malware, but not good at writing software. I never liked their interface. As I wrote in the 1st paragraph:

There are quite a few tricks necessary, however, before old KAV 6 works today. I am only interested in KAV 6 as a virus checker, not in the protection stuff.

I have selected during installation only "Virus Scan", and KAV 6 is rock stable. I suspect that some left-over real-time protection components of your Symantec AntiVirus were interfering with the real-time protection components of KAV 6. Having 2 different installations of anti-virus software on the same instance of an operating system may cause major problems. As a general rule you can have only 1 anti-virus software installed on an opsys.

The Kaspersky Removal Tool v1.0.162 kavremover.exe http://support.kaspersky.com/faq/?qid=208279463 unfortunately does not seem to run under Win98. There is a "Norton_Removal_Tool_9x.exe" at http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&selected_nav=&pvid=&docurl=20080710130643EN which has worked fine removing other Symantec stuff under Win98, recommended by dencorso at posting #32

Trick 5: Do NOT select the "Protection components" during installation

Looking back at the infection with the most vicious Tenga.a virus on my laptop/attached USB drive, plus 2 re-infections in the following 2 months, I doubt that Tenga's blazingly fast infection of .exe files could have been stopped by real-time protection. The best protection against malware under Win98 is frequent backups+restores of clean computer partitions plus 2 backups of stuff on external drives.

BTW, if you really insist on run-time protection, the modules File Anti-Virus, Mail Anti-Virus, Web Anti-Virus and Proactive Defense of KAV 6, if not selected during the initial installation, can be added later on via Add-Remove -> Modify.

Trick 6: In KAV 6, under -> Settings -> Update: Do NOT select "Update application modules"

Eventually some newer application module may not run under Win98 anymore. About 2 years ago KAV v4.5 died on my laptop/wouldn't run anymore after a signature update when "Update application modules" was selected. I was not able to update from the Kaspersky server after a re-install of KAV v4.5 and I had not created a signature backup in an Update distribution folder.

ADDENDUM: Selecting "Update application modules" does not cause any problems currently. If you have it selected, updating will end with the msg: "Update completed successfully". If you have de-selected "Update application modules", then updating will end with the msg: "Not all components were updated", but that's Ok too. Selecting "Update application modules" does not change the build number 6.0.2.621.

FYI, SAV 8 is useless, its database can no longer be updated
I did update Symantec AntiVirus Corporate Edition v8.1.1.323 Client with a .xdb file, see posting #2. Maybe it's an issue of a later build.
Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).
Please do. Does SAV 9 have this activation stuff, or is the activation stuff only in the retail NAV?

Edited by Multibooter

I just installed Symantec Antivirus Corporate Edition v9.0.3.1000 Client under Win98. Its About displays just after installation:

Program: v9.0.3.1000

Scan engine: 1.2.0.13

Virus Definition File: 10/20/04 rev.38

I updated the virus signatures by just copying the downloaded virus definition file vd333c03.xdb to the install-to directory. No need to reboot, SAV 9 extracted the virus signatures by itself. SAV 9 uses on the install-to partition currently at least 1.2GB of free space for processing the .xdb file.

Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).
I repeated the same scanning test as with SAV 8. Unfortunately, the scan results were just as poor, this build of SAV 9 could NOT look into .rar files either or detect infected .wmv files.
Does SAV 9 have this activation stuff, or is the activation stuff only in the retail NAV?
There was no need to register/activate etc this build. In contrast to SAV 8, SAV 9 requires the installation of the Microsoft Root Certificate update. This file could be downloaded Ok from http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe as described in

SAV 9, just like SAV 8, does not have a good options menu for selecting what file types to scan. Unfortunately, I currently have to reject SAV 9 under Win98. Does SAV 10 run under Win98?

Does SAV 10 run under Win98?
I have just tried to install Symantec AntiVirus Corporate v10.1.6.6000 Client under Win98, but it won't install. The minimum requirement is Win2000. v10.2 apparently requires Vista. I'll try to install v10.0 under Win98 shortly

I just tried to install Symantec Norton Antivirus Corporate Edition v10.0.0.359 under Win98SE, no luck, it requires Win2000 at least.

So galah's posting

LAST - $$$$ - Symantec AntiVirus Corporate Edition 9.0.5.1000

(I had tried Ok Symantec Antivirus Corporate Edition v9.0.3.1000 with current signatures, see above)

is correct, even if his posting

LAST - $$$$ - Kaspersky Anti-Virus Personal 5.0 (5.0.712 BETA) --- ftp://d5y.kaspersky-labs.com/beta/kav50/Personal/English/

is not.

Apparently there are no good alternatives to Kaspersky v6.0, at least for my purposes. Or are there any other good virus scanners for Win98 with current signatures, which might be a serious alternative to Kaspersky 6.0?

Edited by Multibooter

I think our only solution after they kill off all the AV is just to get a firewall and virus, malware, trojans, worms ( PROOF) etc.... The HELL out of it.


I have just installed ClamWin Antivirus v0.96.5 under Win98SE. The software makes a positive impression, it can look into .rar archives, but it seems to be a weak scanner. It detected only 1 out of 10 infected files in the above sample, so unfortunately it's currently not an alternative to Kaspersky.


Hey what about Gurdian 2008 Antivirus

or

Quick Heal Antivirus

Or

Has anyone tried Kingsoft free Antivirus with Kernel Ex 4.5 RC5

Edited by Krish

I just test-installed the still downloadable file kav6.0.2.621en.exe, digitally signed 21-Mar-2007, under Win98, then activated it with my valid license key file, updated it and finally advanced the system time by a year.

In contrast to what I expected in my posting #1, once activated this version of 21-Mar-2007 does NOT expire after the expiration of the license key file. I was still able to virus-check with it, even if I got the red warning msg: License expired. This msg indicates only that the activated version cannot be updated anymore with updates newer than the expiration date of the license key.

The downloads from filehippo and softpedia are still useful. I have updated posting #1 accordingly.

There are quite a few tricks necessary, however, before old KAV 6 works today. I am only interested in KAV 6 as a virus checker, not in the protection stuff.

I have selected during installation only "Virus Scan", and KAV 6 is rock stable. I suspect that some left-over real-time protection components of your Symantec AntiVirus were interfering with the real-time protection components of KAV 6. Having 2 different installations of anti-virus software on the same instance of an operating system may cause major problems. As a general rule you can have only 1 anti-virus software installed on an opsys.

I didn't need any tricks to install KAV 6, the only tricky part was finding my way through their web site to the appropriate instructions on updating the database.

As for SAV remnants, no, I did a complete uninstall before trying KAV 6. The extreme instability (at least for a full install) was KAV's own doing.

Also, excluding the run-time protection when installing KAV would have been pointless for me, since SAV 9 on-demand scanning was (and is) still functional.

Trick 6: In KAV 6, under -> Settings -> Update: Do NOT select "Update application modules"

Yes, that's something I do instinctively for all "last version for 9X" software.

FYI, SAV 8 is useless, its database can no longer be updated
I did update Symantec AntiVirus Corporate Edition v8.1.1.323 Client with a .xdb file, see posting #2. Maybe it's an issue of a later build.

I was originally with SAV 8. However, neither Live Update nor the EXE database update were successful after Symantec dropped support, so I was forced to install SAV 9. Can't remember if I tried the "*.xdb method" (did you check the eicar test file with yours?).

Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).
Please do.

Well, I was wrong. As you've also since found, SAV 9 (mine's 9.0.0.1400, yours 9.0.3.1000) doesn't know to scan RAR archives. How disappointing!

BTW, does the run-time protection still work with SAV 9.0.3.1000 when using a current database (eg. just run the 'eicar.com' file and see what happens)?

Apparently there are no good alternatives to Kaspersky v6.0, at least for my purposes. Or are there any other good virus scanners for Win98 with current signatures, which might be a serious alternative to Kaspersky 6.0?

I don't know how good it is (opinions vary), but (as someone here pointed out to me in another thread) Dr-Web still support W9X (and indeed, even DOS:-).

Has anyone tried Kingsoft free Antivirus with Kernel Ex 4.5 RC5

Well, as a more general question, has anyone tried any W2K+ package with KernelEx?

Joe.

Edited by jds
Also, excluding the run-time protection when installing KAV would have been pointless for me, since SAV 9 on-demand scanning was (and is) still functional... Well, I was wrong. As you've also since found, SAV 9 (mine's 9.0.0.1400, yours 9.0.3.1000) doesn't know to scan RAR archives. How disappointing!
Hi Joe,

Scanning with an updated SAV 9 may give you a false sense of security. Since SAV 9 cannot look into/extract .rar archives, I would expect also that it cannot look into/extract many .exe archives or other installers either. I have been amazed how Kaspersky v6 was able to check into/unpack various installers, while I with my tools couldn't (e.g. the InstallExplorer v0.9.1 [plug-in for Total Commander] of 18-Jul-2006, msiX).

BTW, does the run-time protection still work with SAV 9.0.3.1000 when using a current database (eg. just run the 'eicar.com' file and see what happens)?
Accessing the Internet under old Win98SE is just enough protection for me. I have been very skeptical towards runtime protection under Win98, it just uses a lot of resources, may make the system unstable and creates a false sense of protection.

I have already removed SAV 9 from my system, so I can't experiment with SAV 9 and eicar.com http://www.eicar.org/anti_virus_test_file.htm

It would be interesting to know whether runtime protection would protect against an exe infector virus like Tenga.a. It is blazingly fast because it seems to work via the MS Office file indexer, maybe there is a 50% probability that no current run-time protection software, under any Windows opsys Win9x and later, can prevent Tenga.exe from destroying your system and archives with .exe files. If you need a live specimen for testing, let me know, I kept some on a CD, far away from my system, locked up like in a poison cabinet. But you should be prepared to low-level format anything connected to your computer after double-clicking on a Tenga.a-infected .exe file, with or without runtime protection.

I don't know how good it is (opinions vary), but (as someone here pointed out to me in another thread) Dr-Web still support W9X (and indeed, even DOS:-).
Would be an interesting candidate for testing.
Well, as a more general question, has anyone tried any W2K+ package with KernelEx?
Another general question may be: Does the installation of KernelEx make Win98 vulnerable to WinXP malware, which a regular Win98SE installation would just ignore? In other words, does the installation of KernelEx eliminate the raison d'être of Win98?

Edited by Multibooter
Well, as a more general question, has anyone tried any W2K+ package with KernelEx?
Another general question may be: Does the installation of KernelEx make Win98 vulnerable to WinXP malware, which a regular Win98SE installation would just ignore? In other words, does the installation of KernelEx eliminate the raison d'être of Win98?

Good question, and the answer I think, is mostly (well, more than that) no.

KernelEx simply adds API functions and convinces software that it is running on a W2K+ O/S. That can satisfy complex applications that use lots of API functions and/or have an artificial restriction on running in W9X. Almost certainly, malware isn't going to have the latter, it will want to infest as broadly as possible. AFAIK, malware typically uses a limited range of basic API functions, so for the most part, isn't going to be influenced by the former.

What malware is more likely to rely on is the behaviour of W2K+ O/S, which KernelEx doesn't affect, such as auto-playing a USB drive as soon as it's plugged in, and all those control/notification features that allow a W2K+ O/S to automatically pick-up malware from simply being connected to the Internet. So it's mostly the behavioural differences between W9X and W2K+ that make the latter more vulnerable to malware, not the extra API functions (unless of course there's a new API function that itself introduces a vulnerability, and KernelEx implements it, but such an API function would more likely be implemented as a dummy "stub" anyway).

Joe.
