
Incidents|No good deed goes unpunished

Kaspersky Lab Expert
Posted September 06, 14:21  GMT
Tags: Antivirus Technologies

I think I speak for just about the entire security industry when I say that I really value the work of the people who help out on security forums.
These people put in a lot of hard work and effectively it's all voluntary.

Some of these people create tools to remove certain malware families/types, and these tools become very popular within the communities that they belong to.

Recently the tools created by members of one community have proved so popular that someone decided to copy them. Most of these tools are scripts, which means that they can very easily be edited. Normally editing is done to update the scripts so that they can detect new malware. Sadly, in this case someone has basically copied the scripts and put his own name to them.

This copying and taking credit for other people's work has been going on for quite a while now. Normally ignoring such people is the best course of action, so as not to give them any (more) attention, but I think a line has been overstepped.

'Pcbutts1' is actively promoting 'his' anti-malware tools which remove a number of threats. This is what people see when they go to his very recently updated downloads page.

The people listed on this page are well respected within the security community and a number of them are actually Microsoft MVPs. It's 'pcbutts1' who is the fraud, not them.

Let's hope 'pcbutts1' grows up - and fast.


Publications|And some thoughts on the anti-virus industry

Kaspersky Lab Expert
Posted June 13, 13:29  GMT
Tags: Antivirus Technologies

I now travel a lot. Trips - mostly business - make up about half my life.
Conferences, exhibitions, meetings (with short stops at the seaside or ski resorts if I stop at all). And at these events I'm asked lots of different questions. Last year one of the most frequently asked questions was my opinion about Microsoft's anti-virus, and the changes it might cause in the anti-virus industry.

That question started me thinking about the situation on the anti-virus market - and here's the result.


Incidents|No rootkit in Kaspersky Anti-Virus

Kaspersky Lab Expert
Posted January 13, 14:47  GMT
Tags: Antivirus Technologies, Rootkits

Mark Russinovich, who is well known as an IT security expert, and who was a major player in the Sony rootkit scandal, is now suggesting that we use 'rootkit' technology in our products. His comments have been picked up in a PCWorld article (http://www.pcworld.com/news/article/0,aid,124365,00.asp). He said that "the techniques used by ... Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques that malicious software uses to avoid detection on an infected PC".

Our products do use a technology called iStreams™, which is what Russinovich seems to be worried about. But this isn't a rootkit.

We started using iStreams™ technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the user's system. If a checksum remains unchanged from one scan to another, KAV products know the file has not been tampered with and do not, therefore, require a repeat scan.

To view NTFS Alternate Data Streams you need special tools. When KAV is active it hides its streams because they are its internal data only. Just because you can't see them, whether by normal means or with a special tool, doesn't mean that they're malicious. It also doesn't mean that a product which uses and hides these streams is using rootkit technology.
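As an added illustration of the scan-skipping idea described above (this is not Kaspersky's code, and the stream name `demo.checksum` is an assumption; KAV's own stream names are not given here), the following PowerShell script stores a SHA-256 checksum of a file in an NTFS Alternate Data Stream, uses it to decide whether the file needs rescanning, and then lists every stream attached to the file so that such normally invisible metadata can be inspected. It assumes an NTFS volume and PowerShell 4 or later (for `Get-FileHash`).

```powershell
# Added example, not part of the original post or of any Kaspersky product.
# The stream name below is an assumption for the demonstration.
$StreamName = 'demo.checksum'

function Get-FileHashHex([string]$Path) {
    # SHA-256 of the file's main (unnamed) data stream
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

function Test-NeedsRescan([string]$Path) {
    $current = Get-FileHashHex $Path
    try {
        # Read the checksum recorded by the previous scan, if any
        $stored = Get-Content -Path $Path -Stream $StreamName -ErrorAction Stop
    } catch {
        $stored = $null   # no checksum stream yet: the file has never been scanned
    }
    if ($stored -eq $current) {
        # File content unchanged since the last scan: a rescan can be skipped
        return $false
    }
    # A full scan would run here; afterwards record the new checksum in the ADS
    Set-Content -Path $Path -Stream $StreamName -Value $current
    return $true
}

# Constructed sample file in the temp directory
$f = Join-Path $env:TEMP 'istreams-demo.txt'
Set-Content -Path $f -Value 'hello'

Test-NeedsRescan $f        # first scan: no checksum stream exists, so it is created
Test-NeedsRescan $f        # second scan: checksum matches, scan skipped
Add-Content -Path $f -Value 'changed'
Test-NeedsRescan $f        # main stream modified: checksum differs, rescan needed

# Enumerate all streams on the file; the checksum stream appears alongside ':$DATA'
Get-Item -Path $f -Stream * | Select-Object Stream, Length
```

The last command is the kind of "special tool" step the post refers to: ordinary directory listings only show the unnamed `:$DATA` stream, so a named stream is invisible until you ask for it explicitly.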


Exactly two years ago we introduced our extended databases.

These databases protect against AdWare, RiskWare and PornWare. Some people like to refer to the extended databases simply as anti-spyware protection, but we actually detect much more than just that with the help of these databases, most notably RiskWare programs.

Back then we still had cumulative updates and the extended databases consisted of three components: advware.avc, riskware.avc and pornware.avc.

Later two of those names changed to adware.avc and obscene.avc. Since the beginning of this year we have simply combined them into the extxxx.avc database, where each x stands for a decimal digit. However, we've actually been detecting these types of threats for much longer than two years.

Before we introduced the extended databases the detection of AdWare etc. was included in x-files.avc.

Two years ago it was unusual to have a separate option covering such threats; now it is a much more common feature of antivirus programs.

You can select the extended databases by going to KAV's settings, clicking on Threats and exclusions, and then selecting the extended database.

Screenshot of KAV Personal with Threats and exclusions window open

Be sure to read the pop-up message when choosing a database from the dropdown list.
