Wednesday, November 17, 2004

Finding a second opinion: Using free Web-based AV scanning resources (Virus)

Several antivirus companies offer free Web-based services you can use to scan your entire system for infection. Since they scan an entire machine for viruses and worms, I refer to these tools as "system scanners" to differentiate them from the "file scanners" which I'll discuss later. With a system scanner, simply surf to the site, click on a button typically labeled "scan now", and watch as your system is scanned. Here is a list of my three favorite Web-based system scanners for Windows machines:

* Computer Associates' system scanner. This tool has a very easy to use point-and-click interface with results that are simple to understand.
* Symantec's system scanner. This solid scanning tool is one of the faster ones. Also, beyond an antivirus scanner, this site also includes a separate scanner to look for common Windows vulnerabilities and Trojan Horses.
* Trend Micro's system scanner. This tool is also very good, featuring reports showing more detail about potential infections than the other services.
Most of these system scanners are implemented via ActiveX controls the Web site sends to your browser. Therefore, depending on your browser configuration, you may need to permit a single ActiveX control to run on your system. Given that a major antivirus vendor runs each of these sites, allowing such access is likely quite reasonable in most organizations. Furthermore, by pushing the ActiveX control to your browser, where the scanning occurs, none of these services involves sending any of your files across the Internet for inspection. All scanning is done locally. Remember that none of these system-scanning services is a replacement for a solid antivirus tool installed locally. They give you a good second opinion, but require you to manually surf to their Web sites to initiate a scan.

But what if you only need to check an individual file? That's where free Web-based file scanners come in handy. For each of these services, you can submit a single file or an archive containing a group of files. The service then runs one or more antivirus tools against the file and sends you the results. All scanning takes place at the services' machines, so no new software at all runs on your system, not even an ActiveX control. Here is a list of some of my favorite Web-based file scanners:
# Virustotal.com's file scanner. This Web site is the best one I've found for scanning individual files. (I use it all the time.) You can submit a suspicious file or archive by filling out a Web-based form, thereby sending the file via http. Alternatively, you can send the suspect file via e-mail to scan@virustotal.com. The beauty of this service is that they will scan your file with 11 different antivirus tools, including ClamAV, CA, Eset Software, FRISK Software, Kaspersky Labs, McAfee, Norman, Panda Software, Softwin, Sybari and Symantec. You'll get the diagnosis from each of these tools in a nice little report. Once you've submitted a file, you'll typically hear back within five seconds to two minutes.
# Kaspersky's file scanner. This one lets you submit files via a Web form, and get a response within a few seconds
# Symantec's file scanner. This scanner lets you submit files via e-mail. You'll need to zip the file in a password-protected zip archive with the password "infected" and send it to AVSubmit@symantec.com. They claim they'll respond within 24 hours with the verdict, although every time I've used the service, I get the results back in about an hour.
Keep in mind that these file-scanning services merely attempt to see if the file you submit matches any of their respective signatures. Your file might get a clean bill of health in these scans, but could still be very malicious. It's possible that you've received custom-created malicious code for which no signature has been created. Therefore, use the results of a file scanner as a single data point in your decision about whether the suspect file is really malicious. However, even given this limitation, these free services are immensely helpful in identifying infected systems and malicious code.

About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).

No comments: