31 December 2006

Fair-Weather Scanners

I've used a few on-demand antivirus scanners and scanners for commercial malware (usually known as "anti-spyware") and generally they're just not designed for troubleshooting environments such as Safe Mode and Bart CDR boot.

Fancy display mode required

Common advice is to use these scanners from Safe Mode, where screen resolution is usually low (say, 640 x 480) and color depth is low, too (typically 16 colors).

A Squared is almost unusable in low res, because the dialog boxes ASSume you have at least 800 x 600 to play with - often the UI controls are below the edge of the display when in Safe Mode, so you have to guess the number of times to press Tab in order to keyboard the "go" button. The need for this high resolution has nothing to do with the amount of content that needs to be displayed on the screen, and everything to do with wasteful eye-candy UI design.

AdAware delights in using subtle colors that turn to stippled mud in Safe Mode's low color depth, and some needed UI cues (e.g. which UI control is selected) vanish completely.

Mouse required

Both AdAware and Spybot border on the unusable when a mouse is not present, as may be the case in troubleshooting conditions. Freshly-installed Spybot starts with a set of "wizard" dialogs that defy attempts to switch focus from the keyboard, and AdAware's keyboard navigation is highly ambiguous at best.

Installation required

The free BitDefender 8 on-demand scanner and MS Antispyware (now Windows Defender) both require Windows Installer to install, and that service is not present in Safe Mode. To use these tools, you first have to run normal Windows, where the malware you are after is almost certain to be active and well-positioned to interfere with the installation and use of the scanners.

I haven't yet got the above tools, or AVG Antispyware (ex-Ewido), to run from a Bart CDR boot. Trend SysClean, A Squared, AdAware and Spybot are better there, with Spybot claiming the ability to scan relative to the inactive hard drive registry hives without needing RunScanner redirection. In practice, I find Spybot detects less when run from a Bart CDR boot than when it is run from Safe Mode.

