Should I keep this in mind when choosing an antivirus for the average user?
I do not want this post to turn into yet another flame war.
Just the facts, without pushing the author's point of view.
I believe the information gathered may be of interest both to ordinary users and to those they turn to for advice. What follows is a chronology of detecting, cleaning up and searching for a remedy for yet another VBScript trojan. I am personally interested in your experience in such situations.
Background
My good friends run a small business: photo post-processing and printing. The specificity is that customers constantly bring in their source material, mainly photos, on removable media. The number of viruses and trojans on these media gives a sad impression of the computer literacy of most customers.
For this reason, material is received on two dedicated computers that are not connected to the network, under a user account with the most restricted rights, with an antivirus updated manually before each shift.
On Friday afternoon the receptionist discovered that the photos on a USB stick had a strange extension, .lnk, but unfortunately this did not alert her, and she mechanically launched what she thought was the viewer; in fact it executed a VBS hidden in a subdirectory on the same stick. For the first half hour nothing happened, then the "weirdness" began. On the clean USB sticks of subsequent customers, subdirectories started appearing into which the photos were moved, and the hard disk was constantly active. And so on. An hour later the alarm was raised and the owner used his "phone a friend". I arrived two hours after the events began, right after the end of my working day at my main job.
Exploratory survey
With the help of HiJackThis, it was discovered that a launch of the script via Wscript.exe from the %UserProfile%\AppData subdirectory was registered in the user's autorun.
A quick file search turned up a 300-kilobyte VBScript that had been run through an obfuscator, i.e. the code was not readable.
Killing the process, deleting this file and clearing the temporary directories yielded a machine that behaved as if uninfected. A quick search for tools that would block the infection led to a utility on SourceForge. Previously, an undesirable side effect had kept me from using it: it creates an Autorun.inf subdirectory at the root of every inserted media and shows intrusive write-error messages if the media is write-protected. In a situation where the antivirus in use did not react at all, I had to make such sacrifices and start using this utility. By the way, it also proved very useful later, once the situation was resolved.
Houston, we have a problem!
Upon arriving home, I decided it was worth taking a closer look at the detected trojan and bringing the antivirus vendors' feedback channels into play.
Submitting the file to VirusTotal, even earlier in the day, cheerfully reported that a cure and a protection tool existed, but that was not much comfort to me.
From home I repeated the request; the result was the same. Urgently buying and installing an antivirus that had not been used before would not be the most correct and, most importantly, not an effective solution. We ask the audience for help, or rather, the specialists.
A quick sketch of the list of antiviruses common in our country, then a Google search for feedback forms using the phrase "how to send a virus to XXX", where XXX is the name of the antivirus.
What came of it:
1) DrWeb
2) Microsoft
3) Kaspersky
4) ESET
5) Comodo
6) McAfee
7) MalwareBytes: a quick search came up empty, but by accident led me to Emsisoft
8) Symantec
The submission itself is a separate story; the vendors should probably agree among themselves and adopt a standard. Some require packing the infected file with OS tools, some with ZIP, some simply attach the file to a form, some send it by e-mail. A separate dead end for me was Symantec's submission without entering a contract number (I never managed it). When packing into an archive there were options for the password: 1) any password, stating it in the letter, 2) infected, 3) INFECTED, 4) virus, 5) VIRUS.
Sending it all took almost half an hour. A lot. And this is only a trimmed list of recipients.
* By the way, maybe there is an aggregator that, in addition to analysis (like VirusTotal), also delivers a sample to all vendors? I would be grateful for a tip about such a service in the comments.
First results
After 40 minutes (!), a letter arrived from McAfee with an Extra.dat file attached and a link to instructions on how to use this addition to the main virus database. The option of not losing Saturday's photo intake from customers had become real.
Until morning, apart from confirmations of acceptance from DrWeb ([drweb.com #4467210] Created by: SUBMITTED VIRUS), Kaspersky Lab ([VirLabSRF] [Malicious file analysis] [M:1] [LN:RU] [L:0] [KLAN-1284347345]), ESET (Your appeal was registered under number 863467) and Microsoft (a letter with a link), no further replies arrived.
In the morning, before going to buy McAfee, I checked my email again and found a confirmation from Microsoft that the problem had been solved and that the remedy (and therefore real-time protection) had been included in the antivirus database for their family of antivirus products. The letter emphasized that the new database was still only in Prerelease state, and gave a link from where it could be downloaded. Half an hour before opening I called my friend, told him that his most profitable day of the week was not cancelled, and went to see how the update would work. Updating the databases through the standard mechanism did not give a positive result; the update from the prerelease database repository closed the problem. The virus instance on the infected machine was destroyed, and USB drives previously affected by the virus were cleaned when they were accessed. Converting files and folders on the media from "hidden and system" back to regular ones was shown to the receptionists, but it turned out to be easier to teach them to press one button in USB-Guard than to get them to automatically right-click and select the necessary items in the file and folder properties menu. :-)
Work began, and satisfied customers began handing in photos for printing.
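As an added example, not code from the original post, here is a PowerShell triage script for the two situations described above: a customer's removable drive carrying the indicators of this trojan (photos replaced by .lnk shortcuts that launch wscript.exe against a hidden .vbs, files and folders flipped to hidden+system) and the host's Run key pointing at wscript.exe under AppData. The -Drive and -Restore parameters are my own assumptions; reading .lnk metadata through WScript.Shell does not execute the shortcut.

```powershell
# Added example, not code from the original post. Parameters -Drive and -Restore
# are assumptions; the HKLM check only sees anything from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. "E:"
    [switch]$Restore                                # clear hidden+system on user data
)

$root  = "$Drive\"
$shell = New-Object -ComObject WScript.Shell        # reads .lnk metadata, does not run it

# 1. Shortcuts that launch a script host: the photos were swapped for .lnk files
#    that start wscript.exe against a .vbs hidden elsewhere on the same stick.
$badLnk = Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sc = $shell.CreateShortcut($_.FullName)
        if ($sc.TargetPath -match '(?i)(^|\\)[wc]script\.exe$' -or $sc.Arguments -match '(?i)\.vb[se]\b') {
            [PSCustomObject]@{ Lnk = $_.FullName; Target = $sc.TargetPath; Args = $sc.Arguments }
        }
    }
"Shortcuts pointing at a script host: $($badLnk.Count)"
$badLnk | Format-Table -AutoSize

# 2. Script files and hidden+system items on the drive (the real photos were moved
#    into a hidden subdirectory next to the .vbs).
Get-ChildItem -Path $root -Include *.vbs,*.vbe -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "Script file: $($_.FullName) ($($_.Length) bytes)" }
$hiddenSystem = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ne '.lnk' -and
                   (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                   (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) }
"Hidden+system items: $($hiddenSystem.Count)"

# 3. Optionally restore normal attributes (the right-click step from the post),
#    to be used only after the .lnk and .vbs files have been removed or quarantined.
if ($Restore) {
    foreach ($item in $hiddenSystem) {
        & attrib.exe -h -s "$($item.FullName)"
        "Restored: $($item.FullName)"
    }
}

# 4. Persistence on the host: Run-key values that start wscript.exe from AppData.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match '(?i)wscript\.exe.*appdata' } |
        ForEach-Object { "Run entry '$($_.Name)' in $key -> $($_.Value)" }
}
```

Run it first without -Restore to review the findings; the hidden+system list will also include legitimate items such as System Volume Information, so check it before restoring attributes.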
Afterword
An hour after intake started, I once again did a regular update of the antivirus built into Windows 8.1 on my laptop, checked the current database version on it and on the work machine, made sure the version number was higher than the one sent by support, checked the remaining sample and was left without a sample. (Joke. The sample in the encrypted archive did not go anywhere.) The cure worked properly with the public databases too. The fear that on Monday I would see a bunch of infected machines at work was finally gone.
For completeness, I repeated the VirusTotal request in the evening. The result puzzled me. On the one hand, McAfee was the first to provide a remedy (I did not put Sophos in a virtual machine for testing: the buying option was no longer needed, and their one-off cleaning utility asked for 6 hours for a single system check, which I did not wait for. Overkill.). On the other hand, that speed of reaction was not reflected anywhere in what was publicly accessible. The remaining working protection options: Trend Micro HouseCall is a one-off utility; it does not help against a new infection, so it is not a solution in my case. I did not check Emsisoft: it was difficult to acquire, and the "computer store across the road" could not sell it.
Bottom line: one day after the sample was provided, only those who use the built-in (or free) antivirus protection from the OS manufacturer were protected, without any additional effort on the user's part.
Community questions:
I was very surprised by the speed of reaction to the message and the order in which the threat made it into the antivirus vendors' databases.
- Is this typical, or did I see a rare exception in this case because of an exotic trojan?
- Would anything fundamentally change if the request had been submitted 1) not on Saturday night, 2) by a registered user?
- If it would, is it normal, knowing about a potential threat, not to provide a cure for it to everyone, including product buyers, for that long?
PS Please refrain from comments like "use Linux / Mac / etc.": the cost of training staff and/or the cost of equipment, the total cost of ownership, is a topic for another conversation. Choosing Windows has shown satisfactory business results financially.
PS2 For the purity of the experiment, when making the requests I did not mention that I am registered as a corporate user of one product. 1) I had another day in reserve, so that if something went wrong I could use that channel; 2) I was interested in the reaction of antivirus vendors to messages "from outside".
PS3 The aggregator virusscan.jotti.org/ru/scanresult/079f5a1684e57a806447af9109b00b1d19311f15, as it turned out, reports the scan status with very stale antivirus databases.
Beautiful, but not very useful.
But it "fits on one screen" :-)
PS4 The trojan was not so simple.
List of side effects and activities