[jds]

Multibooter, on 07 October 2011 - 05:10 PM, said:

Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE.

Hmmm ... before being tempted to install this, read : http://www.msfn.org/...post__p__951440

Perhaps KAV still useful as an "on demand" (manual) scanner only, but even SAV 9 (or the NAV equivalent) with its broken "real time" protection can do that (just download the SAV 10 virus definitions every once in a while and run it).

For the moment, Avast 4.8 is still the best complete solution, IMHO.

Joe.

This post has been edited by jds: 09 October 2011 - 06:57 PM

[jds]

jds, on 15 June 2011 - 02:29 AM, said:

... the following page shows that at least versions 9.0.6.* supported RAR decompression (the page relates to a security fix for the decompression engine) :
http://www.symantec....t&id=TECH102208

Unfortunately, there don't seem to be any publicly available upgrade paths from a version 9.0.X.* to a version 9.0.Y.* (which might even fix the broken real-time/on-access/auto-protection with current virus definitions)

Well, the plot thickens!

I re-read the above page from Symantec, this time paying attention to the irrelevant section about how to disable CAB and RAR scanning, and learnt that the DLL responsible for "decomposing" RAR files is called 'Dec2RAR.dll' and that the file 'Dec3.cfg' specifies which "decomposers" are enabled.

It was no surprise to find that the file 'Dec2RAR.dll' was missing from my SAV9 installation, and that of course, it wasn't listed in the 'Dec3.cfg' configuration file. What was surprising however, was that a version of 'Dec2RAR.dll' is actually included in the SAV9 installation package, at least as far back as version 9.0.0.338 (as file 'Dec2RAR.dll.007A9270_AFB4_4E86_AD37_A139D0C95AB2', within 'SAV\Data1.cab')!

So the capability to scan RAR files does seem to exist even in fairly old versions of SAV9, yet it never seems to get installed. The relevant DLL is never extracted during the installation, and the configuration file doesn't refer to it. Unfortunately, trying to remedy this situation manually, by extracting the DLL and editing the configuration file, wasn't successful. SAV still failed to scan a RAR file I had prepared for it with the EICAR signature file within. I guess there's some registry stuff that must also be required to enable this missing capability.

BTW, the 'Dec3Update9.exe' update that's given in the above web page refuses to run even with the help of KernelEx. After trying several options, I was finally able to extract its contents with the help of "Resource Hacker" (well recommended). By checking the extracted binaries via "Windows Explorer - Properties - Version - Original Filename", I now had 16 (correctly named) DLL files. However, they were not exactly the list given by Symantec, instead, there was a new version of 'rec2.dll' and no updated 'dec2rar.dll'. But that would be just "icing on the cake". No point worrying about an updated version of 'dec2rar.dll' if I can't convince SAV9 to use it, anyway!

Joe.

PS. Well, I've managed to find the missing 'Dec2RAR.dll' file (and the other associated v3.02.14.26 DLL's) that's supposed to be within 'Dec3Update9.exe', in a rather unexpected location : ftp://ftp.symantec.c...10_Win64_GE.zip
(Using 7-Zip, extract via the path 'SAVCE_10.1.5.5010_Win64_GE.msp' -> 'PCW_CAB_SAV' -> 'Dec2RAR.dll.007A9270_AFB4_4E86_AD37_A139D0C95AB2')

This post has been edited by jds: 09 February 2012 - 08:51 PM

[Multibooter]

jds, on 09 October 2011 - 06:56 PM, said:

Multibooter, on 07 October 2011 - 05:10 PM, said:

Kaspersky Anti-Virus 6.0 is the best virus scanner under Win98SE.

For the moment, Avast 4.8 is still the best complete solution, IMHO.

Hi jds,
I beg to disagree. Avast, in contrast to KAV6, generates a lot of false positives, and quite a few of my downloads were erroneously flagged by Avast as infected. Kaspersky Anti-Virus 6 generates rarely false positives. I have used Avast in 2010, and rejected it because of the false positives. To me, a false positive is more annoying than an infected file not flagged.

I have not experienced a stability issue with KAV6 under Win98, but I use KAV6 only as an on-demand scanner. During the last 6 months, however, KAV6 does occasionally crash upon loading, but only under WinXP SP2 (not under Win98SE), and only on my 11-year-old Inspiron laptop (512MB RAM), not on my dual core desktop (2GB RAM). WinXP seems to work Ok after such a crash, but I do reboot then.

Decreased signature count
I have just updated the signatures of Kaspersky Anti-Virus 6, the signature count on 6-Sep-2012 was 7.772.298. The last time I ran the signature update from the Kaspersky server (under Win98, of course), was on 18-Jul-2012 with a signature count of 8.585.549 signatures. No idea why the signatures decreased by 800.000 over the last 6 weeks.

I hope this decreased signature count is not a sign of a possibly approaching end-of-updates for v6.0.2.621, perhaps on 1-Oct-2012.

Kaspersky Anti-Virus v6.0.2.621 after it reaches its end-of-updates
I am archiving the Kaspersky Update folder after each successful signature update. In this way Kaspersky Anti-Virus v6.0.2.621 can be re-installed with a reasonable signature count: After adding a license key with an expiration date after the last update, KAV6 can be updated from the Kaspersky Update folder. Without a signature update, KAV6 would be useless, only about 500.000 signatures, of Dec-2007, are installed after a fresh installation.

The size of the rared-up Kaspersky Update folder is currently about 250MB.

I am very eager to see whether the signatures of Kaspersky Anti-Virus v6.0.2.621 can be updated after 1-Oct-2012.

This post has been edited by Multibooter: 06 September 2012 - 12:32 PM

[jds]

Multibooter, on 06 September 2012 - 12:23 PM, said:

Hi jds,
I beg to disagree. Avast, in contrast to KAV6, generates a lot of false positives, and quite a few of my downloads were erroneously flagged by Avast as infected. Kaspersky Anti-Virus 6 generates rarely false positives. I have used Avast in 2010, and rejected it because of the false positives. To me, a false positive is more annoying than an infected file not flagged.

I have not experienced a stability issue with KAV6 under Win98, but I use KAV6 only as an on-demand scanner. During the last 6 months, however, KAV6 does occasionally crash upon loading, but only under WinXP SP2 (not under Win98SE), and only on my 11-year-old Inspiron laptop (512MB RAM), not on my dual core desktop (2GB RAM). WinXP seems to work Ok after such a crash, but I do reboot then.

Hi MB,

It's OK to disagree, however, my comment was "For the moment, Avast 4.8 is still the best complete solution, IMHO." Since you don't use KAV6 for real-time protection (my guess is you'll encounter the same stability issues as I did if you try), that doesn't qualify.

As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this. Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.

Joe.

[Multibooter]

jds, on 07 September 2012 - 03:55 AM, said:

As regards your false positives, I'm surprised. I've used Avast for quite a few years and on many systems, and I've only encountered a single instance of this.

Hi jds,
I would speculate that the frequency of false positives depends on what one is scanning. Most of the stuff I am scanning comes from the mule and often contains patches etc. Some of these little files are apparently created by software with which also malware may be produced. Some antivirus programs tend to identify all files created by such software as malware, even if the files are good and clean.

False positives might lead one to delete files which are actually good. I have come across a rare false positive by Kaspersky Anti-Virus for one series of little files, which was incorrectly identified as a trojan "packed win32.black.a". About 5-20% of the downloads with the mule are infected, as identified by Kaspersky. Avast flags more - but it is practically impossible to know whether these files flagged by Avast, and not by Kaspersky, are really infected or just false positives.

About 2 years ago, after the terrible infection with the Tenga exe infector, I had installed Avast under WinXP and Kaspersky under Win98, for double-checking. After a while I stopped using Avast because of the (probably) false positives.

Quote

Do be sure to double-check with 'virustotal' in case these aren't nasties that KAV6 is missing.

virustotal is impractical for checking large quantities of files. I make a pre-check of the stuff from the mule as follows:

1) I open archive files (e.g. .rar) with WinRAR. Maybe 5% don't open (corrupt archives or the file extension was changed from e.g. .avi to .rar). I then look at the modification dates of the files in the archive. If the file modification dates differ substantially, e.g. by several years, then some recent malware may have been injected and the archive is suspicious. If the archive contains just a few files, including a .dat and a .exe file, it is in most cases malware.

2) nfodiz is a most useful program for pre-checking downloads containing an .nfo file. After opening an archive in WinRAR I just double-click on the .nfo file in the WinRAR window. If nfodiz displays a nice-looking nfo, and the modification dates of the other files in the archive are close to the modification date of the .nfo file (and close to the date often displayed in the .nfo window), there is a good chance that the archive is Ok. If nfodiz displays jibberish, then the archive is infected and can be deleted. The description page of nfodiz is http://web.archive.o...3050_index.html nfodiz can be downloaded from http://liveweb.archi...fodiz_setup.exe

3) downloaded .exe files I drag onto the desktop icon of MiTeC EXE Explorer. If the .exe file is supposed to be old software, but has a much more recent timestamp, the .exe is most likely infected.

These 3 steps identify about 60% of the infected files. About 50% of the files identified in these 3 steps are not flagged by Kaspersky, although eventually Kaspersky will identify many as infected, with subsequent signature updates. This is not a critique of Kaspersky, there are just too many new malware programs.

This post has been edited by Multibooter: 07 September 2012 - 11:32 PM

[Multibooter]

Multibooter, on 06 September 2012 - 12:23 PM, said:

I am very eager to see whether the signatures of Kaspersky Anti-Virus v6.0.2.621 can be updated after 1-Oct-2012.

It's now January 2013 and Kaspersky v6.0.2.621 still updates Ok. There may be some problems with the updater, maybe because I update irregularly, about once every other week. During updating I get quite often error messages like "error updating component KAS300" or "file black.lst is missing or corrupted. Please run Updater to fix this problem". After re-running the Updater, sometimes up to 3 or 4 times, everything is Ok and the message "Update completed successfully" is displayed. The message "Not all components were updated" signals that the Updater has to be run again.

But here is the downside: In November 2012 I used 2 activation codes of Kaspersky Anti-Virus 6.0 retail packages, but the Kaspersky License Key Server only generated license keys up to about 21-March-2013, instead of keys for another year, and the License Key Server did not generate any trial keys for v6.0.2.621. This means that Kaspersky v6.0.2.621 cannot be updated with new signatures after 21-March-2013, although it will continue to run after that date with the last signature update obtained. I keep backups of the Update Folder so that I can re-install v6.0.2.621 and update from the Update Folder, in case I should need an activated but expired version in the future. It makes little sense to buy a retail v6.0 now, since it's going to be dead in March 2013.

"Kaspersky Anti-Virus 6.0 for Windows Workstations" is the corporate version, it is v6.0.3.837 and still runs fine and updates fine under Win98 and WinXP. I doubt that the Moscow head office will sell activation codes for v6.0.3 to individuals. The Kaspersky License Key server still provides a trial key for v6.0.3.837, valid for 10 computers for 30 days. The activation code and the generated license key for the retail v6.0.2 do not work for the corporate v6.0.3. After having used a trial key for 30 days the virus scanner does not scan for viruses anymore and cannot be updated anymore. It is not possible to start a new trial using the Kaspersky removal tool KAVremover v1.0.53 (of 28Nov2007, last version to work with Win98) http://support.kaspe.../kavremover.zip There are 3 keys hidden in the registry which prevent a restarting of the trial. One simple self-constructed .inf file can delete these 3 keys under Win98 and WinXP and does not require an uninstall/removal. Kaspersky v6.0.3.837 then turns into un-activated and can then get activated as a trial for another 30 days. Re-activation (reset + activate) is a matter of less than a minute, the hard part was to find the 3 lines for the section [DeleteFromRegistry] in the .inf file, and the testing.

In the future, when the Kaspersky License Key Server will not provide trial licenses for the corporate version 6.0.3 anymore, an un-activated Kaspersky v6.0.3 will still run fine with the last obtained virus signatures, except that there is a nag screen at start up "Setup Wizard: Kaspersky Anti-Virus. Welcome! Kaspersky Anti-Virus Setup Wizard will help you to configure protection for your computer", which requires to click on Cancel or Activate Later. The .inf file with 3 instructions has been tested extensively and works fine. I am attaching a screen shot of Kaspersky v6.0.3.837 updated yesterday under Win98.

This Plan B works until there are no more trial licenses for v6.0.3. After that there is a Plan C. I am quite confident that Kaspersky v6 wil be updateable under Win98 and WinXP for the foreseeable future, perhaps for several more years.

Attached File(s)

•  Kaspersky WKN v6.0.3.837.png (38.65K)
  Number of downloads: 4

This post has been edited by Multibooter: 25 January 2013 - 02:40 PM

[Multibooter]

The retail Kaspersky Anti-Virus 6.0 is currently still available new at amazon for USD 4.99 plus S+H, but again, it can be activated/updated probably only until mid-March 2013. The activation code on the CD sleeve in the box can be used to activate the downloaded last v6.0.2.621. The CD in the box usually contains an older build.

This post has been edited by Multibooter: 25 January 2013 - 05:58 PM