
Kaspersky Anti-Virus 6.0

26 replies to this topic

#1
Multibooter

    Friend of MSFN

  • Member
  • 896 posts
  • Joined 21-March 08
  • OS:98SE
It looks like Kaspersky Anti-Virus 6.0 (Win98-compatible) will have signature updates until 1-Oct-2012 http://support.kaspe...wks6mp3?level=2 i.e. for nearly 2 more years. There are quite a few tricks necessary, however, before old KAV 6 works today. I am only interested in KAV 6 as a virus checker, not in the protection stuff. Attached is a screen shot, taken just yesterday, after license renewal for signature updates for another year.

Trick 1: Download Kaspersky Anti-Virus v6.0.2.621
- The virus signatures of Kaspersky Internet Security 6, in contrast to Kaspersky Anti-Virus 6, canNOT be updated anymore. KIS 6 is useless for virus checking today.
- There are several different products named Kaspersky Anti-Virus 6.0: One is the retail "Personal" product, another is the corporate "Workstation" product. An activation key for the Personal product does NOT work with the Workstation product and vice versa. The last Win98-compatible versions are v6.0.2.621 (Personal) and v6.0.3.837 (Workstation).

- "Kaspersky v6.0.4.1424 for Windows Workstation MP4" is not Win98-compatible http://support.kaspe...l?qid=208639675

- A trial version of Kaspersky Anti-Virus v6.0.3.837 Workstation can be downloaded here ftp://KAVWorkstation:4HaEgnxkFxCyh8cB@partner.kaspersky.ru/6.0/english/kav6.0.3.837_winwksen.exe but I have no idea how an individual could obtain a license key for it. An English link to v6.0.3.837 (MP3 = Maintenance Pack 3) is at http://support.kaspe...wks6mp3?level=2

This seems to leave just one choice for the individual: Kaspersky Anti-Virus v6.0.2.621, i.e. the Personal product version.

Kaspersky Anti-Virus v6.0.2.621 comes again in 2 flavors:

- as a single file kav6.0.2.621en.exe, digitally signed 21-Mar-2007, which can be downloaded from http://www.filehippo...ivir/tech/2396/ or http://www.softpedia...nload-5005.html Unfortunately when you try to buy a license via softpedia/Digital River, only v7 is offered.

- as a set of 4 files (Setup.exe, kav6.en.msi, kav6.0en.pdf and release_notes_en.html) digitally signed 19-Dec-2007, which I had downloaded from http://data2.kaspers...istr/6.0.2.621/ in Sept.2008, now 404. The release notes name the version of 19-Dec-2007 as "MP2 CF1". I have no idea where to get these files now.
My suspicion is that the version signed 21-Mar-2007 might be an expiring trial version, i.e. KAV 6 might not work anymore after the license key expires, while the version signed 19-Dec-2007 might be an unexpiring version, i.e. continue to work, even if you cannot update the signatures anymore. But I don't know, I have installed only the version of 19-Dec-2007.

ADDENDUM: See posting #12. The version of 21-Mar-2007, once activated, is NOT an expiring trial version, it works just as well as the version signed 19-Dec-2007 after the expiration of the license key with which it was originally activated.

Another alternative might be to use the original CD which came in the retail box, and select "Update application modules" in the update settings, but I haven't tried that.

Trick 2: A valid activation code
The only way I know of getting a valid activation code for v6.0.2.621 (21-Mar-2007) is to buy an old retail box of v6, with the activation code on the CD envelope inside the box. But these old unused boxes are getting very hard to find. And there are no valid activation codes for v6 floating around elsewhere.

Trick 3: Saving your license key file
When KAV 6 is activated or the signature license is renewed, the activation key is being sent to the Kaspersky Activation Server, which then sends back a valid license key in the form of an 849-byte .key file. It may be quite prudent to keep this key file for backup purposes.

If, for example, the computer has become corrupted or is off-line, this key file enables one to re-install and activate KAV 6 without being connected to the activation server: the key file has to be placed during installation, exactly when the window "Installation Complete" is displayed, into the install-to directory, then the next window Activation displays: "License key already installed".

Unfortunately the license key file is a little hard to find. According to the Wikipedia "Kaspersky antivirus software also uses techniques resembling rootkits" http://en.wikipedia.org/wiki/Rootkit and the license key file is actually inside of a "cloaked" folder, seemingly invisible. But under Win98, in contrast to WinXP, there is an excellent tool, MS Find: When entering in field Named: key and in field Look in: \windows\Local Settings\Temporary Internet Files\Content.IE5\, the license key file is displayed and can be backed up. The license key file gets deleted by KAV 6 during the next startup of the opsys where KAV 6 was installed.

If KAV 6 was installed under WinXP, the license key file can probably be backed up by booting after installation into another opsys, where it should be found in I:\Documents and Settings\<user name>\Local Settings\Temporary Internet Files\Content.IE5\

Trick 4: Update distribution folder
The Update distribution folder allows signature updates from a folder instead of from the Kaspersky server. Only a single folder has to be updated from the Kaspersky server, saving bandwidth. Currently the Update distribution folder has about 159 MB, slowly growing. In a multibooting environment, for example, KAV 6 under WinXP could be set to download from the Kaspersky server, while KAV 6 under Win98 could download from the Update distribution folder. Apart from possible licensing issues, there are no technical problems re-using a key in an environment containing update distribution folders. For portability, the update distribution folder could also be on a stick.

The corporate Kaspersky Anti-Virus v6.0.3.837 (Workstation) can also take its signature updates from the Update distribution folder maintained by v6.0.2.621 (Personal)

I am regularly archiving the Update distribution folder, so that, when Kaspersky eventually stops providing signature updates for v6, I will still have a near-to final Update folder. So if I wished to re-install KAV 6 under Win98, say in 5 years, I could update the initial signature of 19-Dec-2007 (only 489.076 signatures) from the last archived update distribution folder (currently 4.451.072 signatures= 8-fold increase in 3 years).

Edited by Multibooter, 03 January 2011 - 07:58 AM.




#2
Guest_wsxedcrfv_*

  • Guests
Norton Antivirus 2002 is still functional for win-98 systems, and doesn't really need any tricks to keep operating. The automatic update or "liveupdate" feature doesn't work (I think it stopped working 3 years ago) but it can still be updated by downloading the "intelligent updater" package - which is generated daily (it's about 100 mb in size these days, and continuously growing larger).

That said, I don't really keep mine updated - I'll go 3 to 6 months between downloading a new update package. Win-98 isn't really vulnerable to anything that can get onto your system under your nose (so to speak) or without your help.

For on-demand scanning, I'll submit a suspect file to virustotal.com for analysis against about 40 different AV programs.

#3
Multibooter


> Norton Antivirus 2002 is still functional for win-98 systems, and doesn't really need any tricks to keep operating.

Hi wsxedcrfv,
First my best wishes for the new year to you and all the good folks here at msfn.org

I have looked into the archive, but I don't seem to have Norton AntiVirus 2002. I tried and tested under Win98 2 versions, however, which come close to your Norton AntiVirus 2002: Symantec AntiVirus Corporate Edition v8.1.1.323 Client (corresponds to NAV 2002, has the initial virus definition file 6/19/02 rev.5) and Norton AntiVirus 2003 v9.0 Pro v9.00.68. I was able to update both versions under Win98 with the current virus definition files, so that they had today's virus signatures.

For the Corporate Edition v8.1 I downloaded the current update file vd333c03.xdb from ftp://ftp.symantec.com/AVDEFS/norton_antivirus/xdb/ To update the signatures I just had to copy the .xdb file to the install-to directory and then reboot; after Windows startup the .xdb file was processed automatically, which made the 700MHz laptop nearly unresponsive for about 5 minutes. The 118MB .xdb file was expanded to about 688MB of virus definitions. When selecting -> Detectable Virus List, the Definition version was not displayed and the Total signatures was displayed incorrectly at 75279 (instead of millions), without any apparent ill effects.

For Norton AntiVirus 2003 I downloaded the current Intelligent Updater 20101231-002-i32.exe from http://www.symantec....l.jsp?gid=savce
The virus definitions created from the 102 Mb i32.exe file took only 189MB, much less than the 688MB of Corporate v8, no idea why.

Test 1 - Checking new downloads: I then downloaded for about 30 minutes some stuff with eMule to check how well the updated Symantec/Norton AntiVirus detects malware. About 30-90% of eMule downloads are infected nowadays, this specific download sample (23 files, 142MB) contained actually 10 infected files. Symantec/Norton AntiVirus 2002 and 2003, with current signatures, detected only 1 infected file out of 10, mainly because the old scan engine couldn't look into .rar files or detect malware hidden in .wmv files. After manually extracting the .rar file Symantec/Norton AntiVirus 2002 and 2003 detected 3 more infected files. The inability of the Symantec/Norton AntiVirus 2002 and 2003 to look into .rar files makes it useless to me for checking new downloads. Kaspersky Anti-Virus 6 with the current signature detected 9 out of 10 infected files.

Test 2 - Checking the computer: I ran a 2nd test under Win98 with Norton AntiVirus 2003 + current signatures: I checked most of my laptop. Norton AntiVirus 2003 detected 3 "infected" files. The 3 were leftover patch files, sitting for years on the laptop without having been noticed or having done any damage. I would classify these as 3 false positives. I guess the Symantec scanner tends to identify anything which looks like a patch as an infected file.

At this point in time I would not trade under any circumstances the Kaspersky Anti-Virus 6 scanner for the Symantec/Norton AntiVirus 2002 or 2003 under Win98. On the other hand, in a corporate environment, for a computer running an old Win98-only application, with no patches and no downloads, Symantec/Norton AntiVirus 2002 or 2003 looks OK.

2 questions: Can the 2004/2005 versions of the Symantec scanner check .rar files? Is there a standalone version of the 2004/2005 Symantec scanner, which doesn't corrupt the system with activation stuff?

> For on-demand scanning, I'll submit a suspect file to virustotal.com for analysis against about 40 different AV programs.

And maybe get 37 false positives.

Edited by Multibooter, 31 December 2010 - 08:05 PM.


#4
jds

    -DOS+

  • Member
  • 603 posts
  • Joined 03-June 08
  • OS:98SE
Well, I looked into KAV 6 some time ago when I first started experiencing some issues with SAV 9 (more later) and unfortunately, have to tell you that it was extremely unstable on my W98 system at work. This was a full install, including the run-time protection. It was a struggle to get a few minutes of system operation before lock-ups and other aberrations occurred. It was even a struggle to uninstall it for the same reason. :-(

Now, the problem with SAV 9 (FYI, SAV 8 is useless, its database can no longer be updated) is that since about August/September 2009, the virus database has grown to such an extent, that it silently breaks the run-time protection of SAV 9. No doubt the same will be true for the corresponding NAV edition.

So, that was the reason for trying out KAV 6. In the end, I reverted to SAV 9, since at least that was stable, and the on-demand scan still works, despite the broken run-time protection. In fact, even the automatic updates still work (also manually via Live Update).

Note that there are several sub-versions of SAV 9, so there is a slight chance that some later versions are not afflicted by the "broken run-time protection" issue, but Symantec don't seem to offer an upgrade path between sub-versions of SAV, just between different builds. Grrr.

In summary :

KAV 6 is extremely unstable, at least for a full installation (including run-time protection).
SAV 9 is stable but only useful for on-demand scanning, the run-time protection is broken with current virus databases.

Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).

Joe.

#5
Multibooter


> Well, I looked into KAV 6 some time ago... it was extremely unstable on my W98 system at work. This was a full install, including the run-time protection. It was a struggle to get a few minutes of system operation before lock-ups and other aberrations occurred. It was even a struggle to uninstall it for the same reason... KAV 6 is extremely unstable, at least for a full installation (including run-time protection).

Hi Joe,
The Kaspersky people are good with malware, but not good at writing software. I never liked their interface. As I wrote in the 1st paragraph:

> There are quite a few tricks necessary, however, before old KAV 6 works today. I am only interested in KAV 6 as a virus checker, not in the protection stuff.

I have selected during installation only "Virus Scan", and KAV 6 is rock stable. I suspect that some left-over real-time protection components of your Symantec AntiVirus were interfering with the real-time protection components of KAV 6. Having 2 different installations of anti-virus software on the same instance of an operating system may cause major problems. As a general rule you can have only 1 anti-virus software installed on an opsys.

The Kaspersky Removal Tool v1.0.162 kavremover.exe http://support.kaspe.../?qid=208279463 unfortunately does not seem to run under Win98. There is a "Norton_Removal_Tool_9x.exe" at http://us.norton.com...0080710130643EN which has worked fine removing other Symantec stuff under Win98, recommended by dencorso at http://www.msfn.org/..._20#entry946265 posting #32

Trick 5: Do NOT select the "Protection components" during installation

Looking back at the infection with the most vicious Tenga.a virus on my laptop/attached USB drive, plus 2 re-infections in the following 2 months, I doubt that Tenga's blazingly fast infection of .exe files could have been stopped by real-time protection. The best protection against malware under Win98 is frequent backups+restores of clean computer partitions plus 2 backups of stuff on external drives.

BTW, if you really insist on run-time protection, the modules File Anti-Virus, Mail Anti-Virus, Web Anti-Virus and Proactive Defense of KAV 6, if not selected during the initial installation, can be added later on via Add-Remove -> Modify.

Trick 6: In KAV 6, under -> Settings -> Update: Do NOT select "Update application modules"

Eventually some newer application module may not run under Win98 anymore. About 2 years ago KAV v4.5 died on my laptop/wouldn't run anymore after a signature update when "Update application modules" was selected. I was not able to update from the Kaspersky server after a re-install of KAV v4.5 and I had not created a signature backup in an Update distribution folder.

ADDENDUM: Selecting "Update application modules" does not cause any problems currently. If you have it selected, updating will end with the msg: "Update completed successfully". If you have de-selected "Update application modules", then updating will end with the msg: "Not all components were updated", but that's Ok too. Selecting "Update application modules" does not change the build number 6.0.2.621.

> FYI, SAV 8 is useless, its database can no longer be updated

I did update Symantec AntiVirus Corporate Edition v8.1.1.323 Client with a .xdb file, see posting #2. Maybe it's an issue of a later build.

> Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).

Please do. Does SAV 9 have this activation stuff, or is the activation stuff only in the retail NAV?

Edited by Multibooter, 03 January 2011 - 08:46 AM.


#6
Multibooter

I just installed Symantec Antivirus Corporate Edition v9.0.3.1000 Client under Win98. Its About displays just after installation:
Program: v9.0.3.1000
Scan engine: 1.2.0.13
Virus Definition File: 10/20/04 rev.38

I updated the virus signatures by just copying the downloaded virus definition file vd333c03.xdb to the install-to directory. No need to reboot, SAV 9 extracted the virus signatures by itself. SAV 9 uses on the install-to partition currently at least 1.2GB of free space for processing the .xdb file.

> Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).

I repeated the same scanning test as with SAV 8. Unfortunately, the scan results were just as poor, this build of SAV 9 could NOT look into .rar files either or detect infected .wmv files.

> Does SAV 9 have this activation stuff, or is the activation stuff only in the retail NAV?

There was no need to register/activate etc this build. In contrast to SAV 8, SAV 9 requires the installation of the Microsoft Root Certificate update. This file could be downloaded Ok from http://download.wind...en/rootsupd.exe as described in http://www.msfn.org/...tes-for-win-98/

SAV 9, just like SAV 8, does not have a good options menu for selecting what file types to scan. Unfortunately, I currently have to reject SAV 9 under Win98. Does SAV 10 run under Win98?

#7
Multibooter


> Does SAV 10 run under Win98?

I have just tried to install Symantec AntiVirus Corporate v10.1.6.6000 Client under Win98, but it won't install. The minimum requirement is Win2000. v10.2 apparently requires Vista. I'll try to install v10.0 under Win98 shortly

#8
Multibooter

I just tried to install Symantec Norton Antivirus Corporate Edition v10.0.0.359 under Win98SE, no luck, it requires Win2000 at least.

So galah's posting http://www.msfn.org/...r-windows-98se/
LAST - $$$$ - Symantec AntiVirus Corporate Edition 9.0.5.1000
(I had tried Ok Symantec Antivirus Corporate Edition v9.0.3.1000 with current signatures, see above)

is correct, even if his posting
LAST - $$$$ - Kaspersky Anti-Virus Personal 5.0 (5.0.712 BETA) --- ftp://d5y.kaspersky-labs.com/beta/kav50/Personal/English/
is not.

Apparently there are no good alternatives to Kaspersky v6.0, at least for my purposes. Or are there any other good virus scanners for Win98 with current signatures, which might be a serious alternative to Kaspersky 6.0?

Edited by Multibooter, 02 January 2011 - 12:21 PM.


#9
PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • 2,528 posts
  • Joined 07-October 05
  • OS:98SE
I think our only solution after they kill off all the AV is just to get a firewall and virus, malware, trojans, worms ( PROOF) etc.... The HELL out of it.



#10
Multibooter

I have just installed ClamWin Antivirus v0.96.5 under Win98SE. The software makes a positive impression, it can look into .rar archives, but it seems to be a weak scanner. It detected only 1 out of 10 infected files in the above sample, so unfortunately it's currently not an alternative to Kaspersky.

#11
Krish

    Newbie

  • Member
  • 19 posts
  • Joined 02-June 10
  • OS:98SE
Hey what about Gurdian 2008 Antivirus

or

Quick Heal Antivirus

Or

Has anyone tried Kingsoft free Antivirus with Kernel Ex 4.5 RC5?

Edited by Krish, 03 January 2011 - 05:47 AM.


#12
Multibooter

I just test-installed the still downloadable file kav6.0.2.621en.exe, digitally signed 21-Mar-2007, under Win98, then activated it with my valid license key file, updated it and finally advanced the system time by a year.

In contrast to what I expected in my posting #1, once activated this version of 21-Mar-2007 does NOT expire after the expiration of the license key file. I was still able to virus-check with it, even if I got the red warning msg: License expired. This msg indicates only that the activated version cannot be updated anymore with updates newer than the expiration date of the license key.

The downloads from filehippo and softpedia are still useful. I have updated posting #1 accordingly.

#13
jds


> There are quite a few tricks necessary, however, before old KAV 6 works today. I am only interested in KAV 6 as a virus checker, not in the protection stuff.
>
> I have selected during installation only "Virus Scan", and KAV 6 is rock stable. I suspect that some left-over real-time protection components of your Symantec AntiVirus were interfering with the real-time protection components of KAV 6. Having 2 different installations of anti-virus software on the same instance of an operating system may cause major problems. As a general rule you can have only 1 anti-virus software installed on an opsys.

I didn't need any tricks to install KAV 6, the only tricky part was finding my way through their web site to the appropriate instructions on updating the database.

As for SAV remnants, no, I did a complete uninstall before trying KAV 6. The extreme instability (at least for a full install) was KAV's own doing.

Also, excluding the run-time protection when installing KAV would have been pointless for me, since SAV 9 on-demand scanning was (and is) still functional.

> Trick 6: In KAV 6, under -> Settings -> Update: Do NOT select "Update application modules"

Yes, that's something I do instinctively for all "last version for 9X" software.

>> FYI, SAV 8 is useless, its database can no longer be updated
>
> I did update Symantec AntiVirus Corporate Edition v8.1.1.323 Client with a .xdb file, see posting #2. Maybe it's an issue of a later build.

I was originally with SAV 8. However, neither Live Update nor the EXE database update were successful after Symantec dropped support, so I was forced to install SAV 9. Can't remember if I tried the "*.xdb method" (did you check the eicar test file with yours?).

>> Finally, from memory, SAV 9 does know to scan RAR archives (I'll check when I return to work and correct this entry if needed).
>
> Please do.

Well, I was wrong. As you've also since found, SAV 9 (mine's 9.0.0.1400, yours 9.0.3.1000) doesn't know to scan RAR archives. How disappointing!

BTW, does the run-time protection still work with SAV 9.0.3.1000 when using a current database (eg. just run the 'eicar.com' file and see what happens)?

> Apparently there are no good alternatives to Kaspersky v6.0, at least for my purposes. Or are there any other good virus scanners for Win98 with current signatures, which might be a serious alternative to Kaspersky 6.0?

I don't know how good it is (opinions vary), but (as someone here pointed out to me in another thread) Dr-Web still support W9X (and indeed, even DOS:-).

> Has anyone tried Kingsoft free Antivirus with Kernel Ex 4.5 RC5?

Well, as a more general question, has anyone tried any W2K+ package with KernelEx?

Joe.

Edited by jds, 03 January 2011 - 07:22 PM.


#14
Multibooter


> Also, excluding the run-time protection when installing KAV would have been pointless for me, since SAV 9 on-demand scanning was (and is) still functional... Well, I was wrong. As you've also since found, SAV 9 (mine's 9.0.0.1400, yours 9.0.3.1000) doesn't know to scan RAR archives. How disappointing!

Hi Joe,
Scanning with an updated SAV 9 may give you a false sense of security. Since SAV 9 cannot look into/extract .rar archives, I would expect also that it cannot look into/extract many .exe archives or other installers either. I have been amazed how Kaspersky v6 was able to check into/unpack various installers, while I with my tools couldn't (e.g. the InstallExplorer v0.9.1 [plug-in for Total Commander] of 18-Jul-2006, msiX).

> BTW, does the run-time protection still work with SAV 9.0.3.1000 when using a current database (eg. just run the 'eicar.com' file and see what happens)?

Accessing the Internet under old Win98SE is just enough protection for me. I have been very skeptical towards runtime protection under Win98, it just uses a lot of resources, may make the system unstable and creates a false sense of protection.

I have already removed SAV 9 from my system, so I can't experiment with SAV 9 and eicar.com http://www.eicar.org...s_test_file.htm

It would be interesting to know whether runtime protection would protect against an exe infector virus like Tenga.a. It is blazingly fast because it seems to work via the MS Office file indexer, maybe there is a 50% probability that no current run-time protection software, under any Windows opsys Win9x and later, can prevent Tenga.exe from destroying your system and archives with .exe files. If you need a live specimen for testing, let me know, I kept some on a CD, far away from my system, locked up like in a poison cabinet. But you should be prepared to low-level format anything connected to your computer after double-clicking on a Tenga.a-infected .exe file, with or without runtime protection.

> I don't know how good it is (opinions vary), but (as someone here pointed out to me in another thread) Dr-Web still support W9X (and indeed, even DOS:-).

Would be an interesting candidate for testing.

> Well, as a more general question, has anyone tried any W2K+ package with KernelEx?

Another general question may be: Does the installation of KernelEx make Win98 vulnerable to WinXP malware, which a regular Win98SE installation would just ignore? In other words, does the installation of KernelEx eliminate the raison d'être of Win98?

Edited by Multibooter, 04 January 2011 - 07:20 AM.


#15
jds


>> Well, as a more general question, has anyone tried any W2K+ package with KernelEx?
>
> Another general question may be: Does the installation of KernelEx make Win98 vulnerable to WinXP malware, which a regular Win98SE installation would just ignore? In other words, does the installation of KernelEx eliminate the raison d'être of Win98?

Good question, and the answer I think, is mostly (well, more than that) no.

KernelEx simply adds API functions and convinces software that it is running on a W2K+ O/S. That can satisfy complex applications that use lots of API functions and/or have an artificial restriction on running in W9X. Almost certainly, malware isn't going to have the latter, it will want to infest as broadly as possible. AFAIK, malware typically uses a limited range of basic API functions, so for the most part, isn't going to be influenced by the former.

What malware is more likely to rely on is the behaviour of W2K+ O/S, which KernelEx doesn't affect, such as auto-playing a USB drive as soon as it's plugged in, and all those control/notification features that allow a W2K+ O/S to automatically pick-up malware from simply being connected to the Internet. So it's mostly the behavioural differences between W9X and W2K+ that make the latter more vulnerable to malware, not the extra API functions (unless of course there's a new API function that itself introduces a vulnerability, and KernelEx implements it, but such an API function would more likely be implemented as a dummy "stub" anyway).

Joe.

#16
herbalist

    paranoid independent

  • Member
  • 731 posts
  • Joined 15-December 06
  • OS:98

> Another general question may be: Does the installation of KernelEx make Win98 vulnerable to WinXP malware, which a regular Win98SE installation would just ignore? In other words, does the installation of KernelEx eliminate the raison d'être of Win98?

That is completely unexplored territory. The answer will largely depend on what type of malware it is. For kernel rootkits that target NT systems, KernelEX won't make 98 any more vulnerable to them. For more conventional "user mode" adware, nuisance-ware, etc, KernelEX might make a system more vulnerable. KernelEx might also make 98 more vulnerable to malware that targets applications, just by enabling 98 to run these applications. The only way to know for certain would be to collect samples and try them on test units. I wouldn't expect any major increase in the amount of malware that would affect 98 due to KernelEX, but I would expect a fairly small percentage of some types to work. It's just something that we will have to watch and remain aware of the possibility.

#17
jds

Just found a new candidate : http://www.bitdefend...ee-Edition.html

A long-standing and respectable anti-virus house, and this package lists W98.

Edit : Bummer, this free BitDefender version is an on-demand scanner, no real-time protection. However, Avast 4.8 Professional is still available (for the moment).

Joe.

PS. Some updated info on Avast 4.8 ... : http://www.msfn.org/...post__p__986844

Edited by jds, 05 January 2012 - 12:47 AM.


#18
jds


> Well, I was wrong. As you've also since found, SAV 9 (mine's 9.0.0.1400, yours 9.0.3.1000) doesn't know to scan RAR archives. How disappointing!

Well, I was kinda wrong about being wrong ;) ... the following page shows that at least versions 9.0.6.* supported RAR decompression (the page relates to a security fix for the decompression engine) :
http://www.symantec....t&id=TECH102208

Unfortunately, there don't seem to be any publicly available upgrade paths from a version 9.0.X.* to a version 9.0.Y.* (which might even fix the broken real-time/on-access/auto-protection with current virus definitions) :(

Joe.

#19
Multibooter

Kaspersky Anti-Virus 6.0 still updates Ok under Win98, my last manual signature update was about a week ago.

Russian Kaspersky helping the U.S. military?
Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE. www.drudgereport.com just had as its top headline a link to http://www.wired.com...ts-drone-fleet/ and it looks like even the U.S. military look for Russian help: the technicians at Creech Air Force Base in Nevada "followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says".

The comment there by David Banes may or may not be indicative of the quality of Symantec software: "I'm sorry but I've got 20+ years experience in the anti-virus industry (some of it running virus research for Symantec) so to see the comment “We keep wiping it off, and it keeps coming back,” in the text above just tells me that the person trying to remove this virus is not qualified for the job, which is very scary given where it is!"

It took the Iranians maybe a year to get the Stuxnet virus out of their nuclear and industrial sites. About 2 years ago I had a nasty infection on my laptop (i.e. a simple single-user environment) with the Tenga virus, which came back 2 times within 3 months of the initial infection.

#20
Multibooter

In Germany a major political scandal is brewing about the German federal police apparently planting trojans, ignoring prohibitions by the highest German court. It's currently the top story (in German) of the Spiegel, "Programmed breach of the constitution" http://www.spiegel.d...,790768,00.html

The description of the Backdoor:W32/R2D2.A is at http://www.f-secure....s/00002249.html No idea whether this backdoor works under Win98

Here is a posting by Noob at http://www.wildersse...d.php?p=1952822 : "only F-Secure, Clam AV and Kaspersky detects it".

I was also a little surprised that Clam AV detected it. If Kaspersky should stop providing signature updates for v6.0 after October 2012, maybe Clam AV can continue to provide protection for Win98 against new malware. Kaspersky v6.0, with its big signature database, could then still detect old malware.

A possible solution to the looming virus scanner issue under Win98 might be to use 2 scanners, Kaspersky for pre-October-2012 malware, and Clam AV for post-October-2012 malware.

Several other virus scanners can at this moment detect this Backdoor, perhaps after some decision-making. Here is the constantly updated list by Virus Total: http://www.virustota...702f-1318148319

Edited by Multibooter, 09 October 2011 - 08:46 AM.


#21
jds


Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE.

Hmmm ... before being tempted to install this, read : http://www.msfn.org/...post__p__951440

Perhaps KAV is still useful as an "on demand" (manual) scanner only, but even SAV 9 (or the NAV equivalent) with its broken "real time" protection can do that (just download the SAV 10 virus definitions every once in a while and run it).

For the moment, Avast 4.8 is still the best complete solution, IMHO.

Joe.

Edited by jds, 09 October 2011 - 06:57 PM.


#22
jds


... the following page shows that at least versions 9.0.6.* supported RAR decompression (the page relates to a security fix for the decompression engine) :
http://www.symantec....t&id=TECH102208

Unfortunately, there don't seem to be any publicly available upgrade paths from a version 9.0.X.* to a version 9.0.Y.* (which might even fix the broken real-time/on-access/auto-protection with current virus definitions) :(

Well, the plot thickens!

I re-read the above page from Symantec, this time paying attention to the irrelevant section about how to disable CAB and RAR scanning, and learnt that the DLL responsible for "decomposing" RAR files is called 'Dec2RAR.dll' and that the file 'Dec3.cfg' specifies which "decomposers" are enabled.

It was no surprise to find that the file 'Dec2RAR.dll' was missing from my SAV9 installation, and that of course, it wasn't listed in the 'Dec3.cfg' configuration file. What was surprising however, was that a version of 'Dec2RAR.dll' is actually included in the SAV9 installation package, at least as far back as version 9.0.0.338 (as file 'Dec2RAR.dll.007A9270_AFB4_4E86_AD37_A139D0C95AB2', within 'SAV\Data1.cab')!

So the capability to scan RAR files does seem to exist even in fairly old versions of SAV9, yet it never seems to get installed. The relevant DLL is never extracted during the installation, and the configuration file doesn't refer to it. Unfortunately, trying to remedy this situation manually, by extracting the DLL and editing the configuration file, wasn't successful. SAV still failed to scan a RAR file I had prepared for it with the EICAR signature file within. I guess there's some registry stuff that must also be required to enable this missing capability.

BTW, the 'Dec3Update9.exe' update that's given in the above web page refuses to run even with the help of KernelEx. After trying several options, I was finally able to extract its contents with the help of "Resource Hacker" (well recommended). By checking the extracted binaries via "Windows Explorer - Properties - Version - Original Filename", I now had 16 (correctly named) DLL files. However, they were not exactly the list given by Symantec, instead, there was a new version of 'rec2.dll' and no updated 'dec2rar.dll'. But that would be just "icing on the cake". No point worrying about an updated version of 'dec2rar.dll' if I can't convince SAV9 to use it, anyway! :}

Joe.

PS. Well, I've managed to find the missing 'Dec2RAR.dll' file (and the other associated v3.02.14.26 DLL's) that's supposed to be within 'Dec3Update9.exe', in a rather unexpected location : ftp://ftp.symantec.com/public/deutsch/produkten/symantec_antivirus/symantec_antivirus_corp/10.1/updates/SAVCE_10.1.5.5010_Win64_GE.zip
(Using 7-Zip, extract via the path 'SAVCE_10.1.5.5010_Win64_GE.msp' -> 'PCW_CAB_SAV' -> 'Dec2RAR.dll.007A9270_AFB4_4E86_AD37_A139D0C95AB2')

Edited by jds, 09 February 2012 - 08:51 PM.


#23
Multibooter



Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE.

For the moment, Avast 4.8 is still the best complete solution, IMHO.

Hi jds,
I beg to disagree. Avast, in contrast to KAV6, generates a lot of false positives, and quite a few of my downloads were erroneously flagged by Avast as infected. Kaspersky Anti-Virus 6 rarely generates false positives. I have used Avast in 2010, and rejected it because of the false positives. To me, a false positive is more annoying than an infected file not flagged.

I have not experienced a stability issue with KAV6 under Win98, but I use KAV6 only as an on-demand scanner. During the last 6 months, however, KAV6 does occasionally crash upon loading, but only under WinXP SP2 (not under Win98SE), and only on my 11-year-old Inspiron laptop (512MB RAM), not on my dual core desktop (2GB RAM). WinXP seems to work Ok after such a crash, but I do reboot then.

Decreased signature count
I have just updated the signatures of Kaspersky Anti-Virus 6, the signature count on 6-Sep-2012 was 7.772.298. The last time I ran the signature update from the Kaspersky server (under Win98, of course), was on 18-Jul-2012 with a signature count of 8.585.549 signatures. No idea why the signatures decreased by 800.000 over the last 6 weeks.

I hope this decreased signature count is not a sign of a possibly approaching end-of-updates for v6.0.2.621, perhaps on 1-Oct-2012.

Kaspersky Anti-Virus v6.0.2.621 after it reaches its end-of-updates
I am archiving the Kaspersky Update folder after each successful signature update. In this way Kaspersky Anti-Virus v6.0.2.621 can be re-installed with a reasonable signature count: After adding a license key with an expiration date after the last update, KAV6 can be updated from the Kaspersky Update folder. Without a signature update, KAV6 would be useless, only about 500.000 signatures, of Dec-2007, are installed after a fresh installation.

The size of the rared-up Kaspersky Update folder is currently about 250MB.

I am very eager to see whether the signatures of Kaspersky Anti-Virus v6.0.2.621 can be updated after 1-Oct-2012.

Edited by Multibooter, 06 September 2012 - 12:32 PM.


#24
jds


Hi jds,
I beg to disagree. Avast, in contrast to KAV6, generates a lot of false positives, and quite a few of my downloads were erroneously flagged by Avast as infected. Kaspersky Anti-Virus 6 rarely generates false positives. I have used Avast in 2010, and rejected it because of the false positives. To me, a false positive is more annoying than an infected file not flagged.

I have not experienced a stability issue with KAV6 under Win98, but I use KAV6 only as an on-demand scanner. During the last 6 months, however, KAV6 does occasionally crash upon loading, but only under WinXP SP2 (not under Win98SE), and only on my 11-year-old Inspiron laptop (512MB RAM), not on my dual core desktop (2GB RAM). WinXP seems to work Ok after such a crash, but I do reboot then.

Hi MB,

It's OK to disagree, however, my comment was "For the moment, Avast 4.8 is still the best complete solution, IMHO." Since you don't use KAV6 for real-time protection (my guess is you'll encounter the same stability issues as I did if you try), that doesn't qualify.

As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this. Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.

Joe.

#25
Multibooter


As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this.

Hi jds,
I would speculate that the frequency of false positives depends on what one is scanning. Most of the stuff I am scanning comes from the mule and often contains patches etc. Some of these little files are apparently created by software with which also malware may be produced. Some antivirus programs tend to identify all files created by such software as malware, even if the files are good and clean.

False positives might lead one to delete files which are actually good. I have come across a rare false positive by Kaspersky Anti-Virus for one series of little files, which was incorrectly identified as a trojan "packed win32.black.a". About 5-20% of the downloads with the mule are infected, as identified by Kaspersky. Avast flags more - but it is practically impossible to know whether these files flagged by Avast, and not by Kaspersky, are really infected or just false positives.

About 2 years ago, after the terrible infection with the Tenga exe infector, I had installed Avast under WinXP and Kaspersky under Win98, for double-checking. After a while I stopped using Avast because of the (probably) false positives.

Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.

virustotal is impractical for checking large quantities of files. I make a pre-check of the stuff from the mule as follows:

1) I open archive files (e.g. .rar) with WinRAR. Maybe 5% don't open (corrupt archives or the file extension was changed from e.g. .avi to .rar). I then look at the modification dates of the files in the archive. If the file modification dates differ substantially, e.g. by several years, then some recent malware may have been injected and the archive is suspicious. If the archive contains just a few files, including a .dat and a .exe file, it is in most cases malware.

2) nfodiz is a most useful program for pre-checking downloads containing an .nfo file. After opening an archive in WinRAR I just double-click on the .nfo file in the WinRAR window. If nfodiz displays a nice-looking nfo, and the modification dates of the other files in the archive are close to the modification date of the .nfo file (and close to the date often displayed in the .nfo window), there is a good chance that the archive is Ok. If nfodiz displays gibberish, then the archive is infected and can be deleted. The description page of nfodiz is http://web.archive.o...3050_index.html nfodiz can be downloaded from http://liveweb.archi...fodiz_setup.exe

3) downloaded .exe files I drag onto the desktop icon of MiTeC EXE Explorer. If the .exe file is supposed to be old software, but has a much more recent timestamp, the .exe is most likely infected.

These 3 steps identify about 60% of the infected files. About 50% of the files identified in these 3 steps are not flagged by Kaspersky, although eventually Kaspersky will identify many as infected, with subsequent signature updates. This is not a critique of Kaspersky, there are just too many new malware programs.

Edited by Multibooter, 07 September 2012 - 11:32 PM.
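Steps 1 and 3 of the pre-check described in the post above, sketched as an added example that is not code from the thread. It assumes ZIP archives (Python's standard library cannot read RAR) and assumes the .exe timestamp meant in step 3 is the link time in the PE header; the function names and thresholds are hypothetical.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone

def member_dates(zip_bytes):
    """Map member name -> modification date stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: datetime(*i.date_time)
                for i in zf.infolist() if not i.is_dir()}

def triage(zip_bytes, max_spread_days=365, small=4):
    """Return the reasons an archive looks suspicious (empty list = none)."""
    dates = member_dates(zip_bytes)
    reasons = []
    if dates and (max(dates.values()) - min(dates.values())).days > max_spread_days:
        reasons.append("date-spread")          # step 1: dates years apart
    exts = {n.rsplit(".", 1)[-1].lower() for n in dates if "." in n}
    if len(dates) <= small and {"dat", "exe"} <= exts:
        reasons.append("small-dat-exe")        # step 1: few files, .dat + .exe
    return reasons

def pe_timestamp(data):
    """UTC link time from the PE/COFF header, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if pe_off + 12 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)  # TimeDateStamp
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def exe_newer_than_claimed(data, claimed_year, slack_years=1):
    """Step 3: flag an 'old' program whose header says it was built much later."""
    ts = pe_timestamp(data)
    return ts is not None and ts.year > claimed_year + slack_years

def make_zip(entries):
    """Constructed sample input: ZIP built in memory from (name, date, data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, date_time, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def make_pe_stub(stamp):
    """Constructed sample input: the minimum bytes pe_timestamp() reads."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp)
```

Archive dates and PE timestamps are both set by whoever built the file, so an empty result is not evidence of a clean file; only a hit is informative.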




