The database was not initially accessible online. Only CDs containing the data sets were offered on the project’s website which made it impracticable to use for everyone who wanted to look up a single file or hash.

The Internet Storm Center (ISC) has converted the full set of hashes into an online application that can be checked on the new Find A Hash beta testing website.

The database of non-malicious software programs and files consists of 39,944,023 samples. Supported are the search for filenames and SHA1 or MD5 hashes.

We are using version 2.27 (December 2009). You can search for SHA1 or MD5 hashes. There are no Windows 7 hashes yet. NIST offers a Knoppix bootable CD that can be used to collect hashes. We are interested in adding more sources of hashes and would be interested in your hash collection if you have one to offer. Note: The NIST NSRL database only includes hashes of files from original install media. Currently, no patched versions are included. As a result, your hash may differ if that particular file was patched after the original release.

In addition to the NIST database, we also run a test agains the Team Cymru Hash Registry. It covers malware. If a match is found we will post a link to the respective page at Threatexpert.com (only for MD5 hashes right now).

The concentration on original install media and only unpatched files makes the database impracticable for many uses but the developer’s are asking for hash contributions to improve the database.

The Cleaner is an antivirus software, not a suite which means it does not offer a firewall, email spam scanning or any of the other modules that security suites offer. It can therefor be best compared to other standalone antivirus solutions such as AVG 9 or Avast.

The developers have divided the program into a scanner and a resident program, both highly compatibly with other antivirus solutions installed on the computer system. The program uses a database of malicious software plus advanced heuristics to detect known and unknown threats on a computer system.

The Giveaway of the Day edition does not offer the TCActive module that monitors processes in the background. This version of The Cleaner is therefor only suitable for scanning the computer system for malicious software.

TCActive is available in the program directory despite the help file claiming that it is only available in retail versions of the security program. It needs to be started manually and will run in the background afterwards.

The tab driven program is easy to use. The user should start by clicking on the Update tab to update the program’s database, something that does not seem to be handled automatically by the antivirus software.

The scan tab provides the means to perform a smart scan that will only scan popular locations for malware or full scan which will scan everything on the hard drives selected by the user.

The only other options provided are to change the heuristics level from relaxed to paranoid in a slider, to whitelist files so that they are not scanned by the software and to take a look at reports and the log.

The Cleaner in this regard is therefor a solid addition to any security setup a user might already have installed on the computer system. The lack of the background process monitor make it not suitable as the only antivirus program on the system.

Installation of The Cleaner

Installation is straightforward. Just execute the setup.exe after extracting the files to the local computer system. The serial number for The Cleaner is located in the readme file that is part of the zip file. The program can be registered after the first startup. A restart of the software is required afterwards.

Positive

• Fast Scan
• Compatible with other antivirus software and security suites
• Background monitoring with TCActive

Negative

• No TCActive module means no background monitoring
• Updates have to be initiated manually

The Cleaner, well the crippled version without TCActive, is available for free at the Giveaway of the Day website. The developer’s website is accessible here.

It all begins at a website or server. This is the starting point and it might be a good idea to start validating that server before even thinking about downloading files from there. This can be done manually by performing some searches in search engines but also automatically with browser add-ons or plugins like Web of Trust, McAfee’s Site Advisor and a plethora of other respected programs including local security software that can also check websites and servers.

The second step involves downloading the file to the local computer system. There is not a lot that can be done here in this step. The only defense are security software programs that are installed on the computer system that should scan the file and report back to the user if they believe it to be malicious. Cautious users can also use one of the many online virus scanners to upload the file and scan it online. Services like Virus Total scan the files with more than a dozen different up to date antivirus engines resulting in a more precise analysis of the file.

Another option is to check the hash values of the downloaded files to make sure that they have not been tampered with. This only makes sense if the developer is displaying the values on a trusted website.

It is pretty safe to assume that the file is safe and can be executed on the computer system if it did pass the tests. There is however a last step that can be done to add the extra mile of security: Virtualization. Programs like Sandboxie or VMWare Player make it possible to execute programs in a closed environment for testing purposes. The benefit of this approach is that they cannot harm the rest of the computer system if they should be malicious.

Did we leave something out? Let us know in the comments.

Windows Defender comes with the usual options to automatically update the program and schedule regular system scans to protect the computer system. Default actions for low, medium and high alerts can be defined that will be executed by the anti-spyware program automatically.

Microsoft’s anti-spyware solution comes with the interesting advanced tool Software Explorer which can display extensive information about startup programs, currently running programs, network connected programs and Winsock service providers.

Each program and provider is sorted by company which makes it easier to find non-Microsoft programs that are running or connected to the computer system.

Microsoft has improved Windows Defender over the years. The company did receive lots of criticism in the beginning which can be attributed to a low spyware detection rate. Several anti-spyware products have performed better in tests, outlined here or here. Please note that the tests linked in this article have been performed about 10 months ago and that the situation may have changed in the mean time.

Which leads to the question: Are you running anti-spyware software? If so which?

The important part of the agreement is outlined below.

… The information which is monitored and collected includes internet usage information, basic demographic information, certain hardware, software, computer configuration and application usage information about the computer on which you install RelevantKnowledge. We may use the information that we monitor, such as name and address, to better understand your household demographics; for example, we may combine the information that you provide us with additional information from consumer data brokers and other data sources in accordance with our privacy policy. We make commercially viable efforts to automatically filter confidential personally identifiable information and to purge our databases of such information about our panelists when inadvertently collected…

The user has the option to go back, accept or decline the agreement. Back simply goes back one screen, accept will install Relevant Knowledge on the computer system while decline will not install Relevant Knowledge and exit the software installation.

Looking at the agreement it is obvious that Relevant Knowledge is collecting and monitoring information about the user, the computer system and usage. It is also clear that the collected information are combined with information from various other sources to create an extensive profile. Relevant Knowledge may also display surveys from time to time on the computer system. It is therefor clear that most anti-spyware applications and other programs that protect a computer system against malicious software consider Relevant Knowledge to be spyware.

Relevant Knowledge can be uninstalled from the Windows Control Panel. It has its own entry there. Uninstallation will not affect the software program it was installed with. Some developers, like those that develop SUMO, provide access to a lite version of their application which will install the program without the Relevant Knowledge addition.

Users who usually click-through installations should begin to pay better attentions to the dialogs presented to them to avoid installing programs like Relevant Knowledge on their computer system.

An Internet connection is needed on the other hand to perform the scan which sometimes can be a problem if the system is not booting into the operating system. A Live CD could help but many Online Virus Scanners demand the Internet Explorer which is obviously unavailable on Linux systems.

Online Virus Scanners can be used to get a “second opinion” without having to install another anti-virus software on the computer. It is probably a good idea to use as many of the virus scanners as possible if it is suspected that the system was infected by a virus. Below is a list of services that provide access to online virus scanners.

Bitdefender Online Scanner – requires Internet Explorer 4+

Eset Online Scanner – requires Internet Explorer

F-Secure Online Scanner – works only with Internet Explorer 6+

Kaspersky Free Virus Scan – browser independent, downloads roughly 25 Megabytes of files prior to scanning. User can select locations to scan. The scanner does not remove infected files.

McAfee FreeScan – requires Microsoft Internet Explorer 5.5+

Microsoft OneCare Live – requires Internet Explorer.

Panda ActiveScan – requires Internet Explorer or Firefox, does not run in Opera.

Shields Up! – browser independent but very slow and unresponsive currently.

Symantec Security Check – down or gone.

Trendsecure HouseCall – Java based scanner, works with Java compatible browsers.

Windows Security – Trojan scan that requires Internet Explorer 5+

File Scanners:

Avast Online Scanner – file size limit of 512 Kilobyte

Virus Scan – file size limit of 10 Megabyte.

Virus Total – email upload option, 10 Megabyte file size limit.

Do you know any other services where users can scan files or the computer ?

The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.

[tags]malware, microsoft, windows, Malicious Software Removal Tool, freeware[/tags]