Analysis of common cases in which viruses cannot be handled

Source: Internet
Author: User

Some users report that the network edition of Rising antivirus software could not remove a virus. Generally, if the network edition of Rising can detect a virus in a scan, it is also able to handle that virus. This article analyzes in detail the specific reasons why Rising "cannot kill" a virus.

User reports that the Rising antivirus network edition "cannot handle" a virus generally fall into the following three types, as shown in Figure 1.

Figure 1

The most common report is that Rising finds a virus and clears or deletes it, but after the computer restarts the virus is detected and reported again. The currently widespread MS08-067 virus belongs to this class. This type of virus spreads through system vulnerabilities and LAN sharing, so dealing with it completely across a network requires additional measures: fix high-risk system vulnerabilities, disable LAN sharing (including default shares), restrict access to the shared directories on shared servers, filter permissions for different users, and do not use common weak passwords as share passwords, logon passwords, or domain account passwords. In addition, visited web pages, USB flash drives, downloaded software, and viruses inside compressed archives that have not been thoroughly scanned are all sources of reinfection after a virus has been removed. Therefore, make sure that all of Rising's monitoring functions are enabled, which effectively prevents reinfection.

Another common situation is that Rising can detect a virus in a scan but cannot completely clear or delete the infected files. There are four common causes.

I. Infected files are located in the System Restore path and the IE cache folder.

In this case, the virus cannot be completely cleared because of Windows' own mechanisms, but such viruses can be cleaned up directly in some simple ways. For example, viruses located in the System Restore path can be completely cleared by turning off System Restore. The following uses Windows 7 as an example to describe how to disable System Restore.

1. Right-click "Computer" and click "Properties". (Figure 2)

Figure 2

2. Click "System protection" in the upper-left corner. (Figure 3)

Figure 3

3. Select the drive to be restored and click "Configure". (Figure 4)

Figure 4

4. Select "Disable system protection". (Figure 5)

Figure 5

After System Restore is disabled, the virus originally located in the System Restore path can be completely cleared.

II. Windows File Protection causes the virus to be killed over and over. An exception in the user's system makes the file protection function behave abnormally: although the virus can be cleared, Windows File Protection then replaces the files that have been restored to normal with its backup copies.

Figure 6

In this case, you can use Rising Security Assistant to fix the abnormal registry value.

III. In normal mode, there are also many possible causes of such a result:

The first case is a boot virus located on the hard disk. After the infected system starts, the virus resides in memory and normally cannot be completely cleared. You can use Rising's boot-disk antivirus method to handle it. The following describes how to create a Linux boot antivirus disk and how to run a Linux-booted antivirus scan.

A. How to create a Linux boot antivirus disk

Rising Linux boot disc image: http://rsdownload.rising.com.cn/for_down/ravlinux/2011/linux.iso

After downloading the boot antivirus disc image, burn it to a disc.

If you do not have a disc burner but have a client with Rising's personal antivirus software or full-featured software installed, you can use a simpler method: create the Linux boot antivirus disk on a USB flash drive.

Method: insert an empty USB flash drive into the computer, open the personal edition of Rising antivirus software or the full-featured software, select Rising Tools, then the Linux boot disk creation tool, and follow the prompts.

B. How to run a Linux-booted antivirus scan

1. First, set the computer to boot from the disc or USB flash drive. (For the specific settings, refer to the computer's motherboard manual or consult the hardware manufacturer's customer service.)

2. Put the prepared disc into the optical drive (a USB flash drive must be connected before the computer is started or restarted). The following prompt is displayed after startup.

3. Select the language, Simplified Chinese, and click OK. (Figure 7)

Figure 7

4. After the antivirus software starts, select Settings. (Figure 8)

Figure 8

5. For "When a virus is detected", select automatic clearing; for "When clearing fails", select asking how to handle it. (Figure 9)

Figure 9

6. Click "Antivirus" to start scanning the computer. After the viruses are removed, click "Exit", remove the disc or USB flash drive, and restart the computer.

In addition, if the infected program is running and protected by the system, it cannot be handled directly. For non-system programs, you can try ending the process in Task Manager and then deleting the file. If it cannot be deleted through Task Manager, the process may be protected by a second process (dual-process protection), or the virus may be designed to block this operation, among other reasons. In this case, we recommend entering safe mode to remove the virus completely. For file-infecting viruses, especially those that infect system files or even Rising's own files, first try removing the virus in safe mode and check whether it can be properly cleaned. If the virus still cannot be completely cleared, we recommend using the Rising PE edition. The following describes the detailed steps for using Rising PE antivirus.

1. Copy this version, without decompressing it, to any disk directory on the computer where Rising antivirus software cannot be installed because of the virus, by burning it to a CD or by other means. (If it is decompressed before copying, the files may be infected by the virus and fail to run properly.)

2. Boot the server into the Windows PE system, find the compressed PE file from step 1, and decompress it. Then run cmd.exe. (Figure 10)

Figure 10

Wait until the virus is cleared, then restart the computer.

Note:

1. When booting the Windows PE system on some servers that use disk arrays, the disk used by the normal system may not be found because the PE system has no disk array driver. Find a Windows PE version suitable for this type of disk.

2. If the computer infected with an exe-infecting virus already has Rising antivirus software installed and can enter safe mode normally, run Rising's scan and removal in safe mode; we do not recommend using this method directly.

3. An exe-infecting virus may seriously damage the structure of the infected files. Therefore, after repair with the PE edition of Rising antivirus, some files may become unusable; you can reinstall the relevant software or copy over the corresponding exe files to solve the problem. However, if the system is seriously infected, it may not be possible to enter the system normally after virus removal, so back up important data before cleaning, just in case.

In addition, clearing the virus or deleting the infected file may fail because the virus starts with the system and is protected by a driver. This is also the most effective way for a virus to protect itself. Generally, one or more .sys files are added to the drivers directory; in essence, each one is a key created under HKLM\SYSTEM\CurrentControlSet\Services\. For example, CNNIC creates HKLM\SYSTEM\CurrentControlSet\Services\cdnprot, and its startup level is very high, so it is also started in safe mode. The underlying driver filters all file and registry operations; if it finds that an operation targets its own files or registry entries, it returns a true value. If a file is deleted, it is restored from a backup or by network download, so normal users cannot delete it. There are also some rootkit viruses that in many cases cannot be completely cleared in safe mode. In these cases, you can use the Rising PE antivirus method to handle the virus completely.
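One way to audit for the driver-based start-up described above, as an added example (not from the original article and not Rising's own code): it parses a `.reg` export of the Services key, taken from a hive loaded offline so that no resident driver can filter the read, and lists kernel and file-system drivers set to boot or system start. The hive mount name `OFFLINE` and the service names `sampleflt` and `sampleapp` are hypothetical, and the sample export is constructed.

```python
import re

EARLY_START = {0: "boot", 1: "system"}  # Start values that load before any logon
DRIVER_TYPES = {1: "kernel driver", 2: "file system driver"}  # kernel-mode Type values

def _decode(raw):
    """Decode a .reg value: dword, hex(2) expandable string, or quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")
    return raw

def early_drivers(reg_text):
    """Return (service, start, type, image_path) for boot/system-start drivers."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[.*\\Services\\([^\\\]]+)\]", line)
        if key:
            current = services.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # subkey of a service, or an unrelated key
        elif current is not None and "=" in line:
            name, raw = line.split("=", 1)
            current[name.strip('"')] = _decode(raw)
    return sorted(
        (svc, EARLY_START[v["Start"]], DRIVER_TYPES[v["Type"]], v.get("ImagePath", ""))
        for svc, v in services.items()
        if v.get("Start") in EARLY_START and v.get("Type") in DRIVER_TYPES
    )

# Constructed sample export; hive mount name and service names are hypothetical.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\OFFLINE\ControlSet001\Services\sampleflt]",
    '"Type"=dword:00000002', '"Start"=dword:00000000',
    '"ImagePath"=hex(2):' + ",".join(
        f"{b:02x}" for b in "system32\\drivers\\sampleflt.sys\0".encode("utf-16-le")),
    r"[HKEY_LOCAL_MACHINE\OFFLINE\ControlSet001\Services\sampleflt\Parameters]",
    '"Start"=dword:00000004',
    r"[HKEY_LOCAL_MACHINE\OFFLINE\ControlSet001\Services\sampleapp]",
    '"Type"=dword:00000010', '"Start"=dword:00000002',
    '"ImagePath"="C:\\\\Program Files\\\\Sample\\\\app.exe"',
])
```

Calling `early_drivers(SAMPLE)` lists only `sampleflt`. Entries it reports still need review against known-good drivers, because legitimate storage and file-system drivers also start at boot.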

In most of the cases above where Rising fails to clear a virus, the virus got into the system because the user had not enabled Rising's real-time monitoring, or the machine was already infected before Rising was installed. Normally, with all of Rising's monitoring functions enabled, viruses are handled before they intrude into the computer and cannot infect the client, so situations in which Rising fails to clear a virus or delete infected files do not normally arise. It is therefore necessary to keep Rising's real-time monitoring enabled.

IV. Rising handles the virus by ignoring it

There are two main situations:

A. The virus handling method selected by the user is incorrect. The administrator can locate the client on which the virus is ignored and view that client's antivirus policy settings to verify its virus handling method. (Figure 11)

Figure 11

Check the client's handling methods for real-time monitoring, embedded antivirus, and manual scanning, including the actions on virus detection, on clearing failure, and on backup failure, and check whether the action on virus detection is set to not handle the virus. If it is, we recommend changing it to the default policy, which clears the virus when it is detected. (Figure 12)

Figure 12

B. The virus quarantine area has insufficient space. If Rising's virus quarantine area is full, Rising ignores the virus. The following describes how to check whether the quarantine area is full.

1. Start the virus quarantine system. (Figure 13)

Method 1: In the main interface of the Rising network edition client, select [Tools], [Virus quarantine area], and [Run].

Method 2: From the Windows desktop, select [Start], [Programs], [Rising antivirus software network edition], and [Virus quarantine].

Figure 13

2. Select [Set space] to view the remaining size of the quarantine area. (Figure 14)

Figure 14

To avoid occupying a large amount of disk space with too many backup files, you can set the size of the storage space used by the virus quarantine system. When the quarantine area is full, you can choose [Automatically increase space] or [Replace the oldest file]. To do this, start the virus quarantine area, select [Tools] and then [Set space], make your selection in the Settings dialog box, and click OK to save the settings.

In addition, reports that Rising cannot handle a certain virus also include cases where Rising has not detected any virus but the user suspects an infection. Sometimes a user asks why Rising cannot process a certain virus, but a check of the virus database shows that Rising does not report that virus, and it turns out that the virus name the user provided was detected by another antivirus product. In this case, we recommend upgrading Rising to the latest version before scanning. If Rising is already the latest version and still cannot find the virus, you can report the virus sample to us for analysis to check whether the file is a virus. If it is identified as a virus, Rising will detect and remove it after the next version update. Some users suspect an infection because of abnormal computer behavior. In this case, we send tools that extract information from the computer to determine whether it is infected. If it is, we extract the relevant files so that Rising can detect and remove the virus after the next update. If analysis shows that the user's computer is not infected but the abnormal behavior persists, other machines on the network may be affecting the local machine. For example, if other machines on the network are infected with an ARP virus, uninfected machines may be unable to access the network.
