Thursday, April 21, 2011

ComboFix Or Not To ComboFix

Once more a question from a customer gives me a hopefully good idea for an article. This is what the customer wrote:

We had a family get together last weekend, and during a computer conversation, our one son-in-law said he has this great anti virus software on his computer. This week he sent me the name, with instructions for downloading.

The name is ComboFix, on Bleeping website.

I have Microsoft Security Essentials on my computer. Isn't this ComboFix just another piece of anti virus software? Why would I want two like programs running?

I have done nothing, and won't until I hear from you.

Here is my reply: (Begin quote)

[Customer's name],
Good question. Thank you, and congratulations on the wise choice to ask first!

Yes, no doubt, ComboFix is a good and VERY powerful program. In this power lie the pitfalls waiting for a normal user to fall into.

Just read the first few paragraphs of the instructions "How to use ComboFix" on (this is the only legitimate web site to download this program from).
I have added red color to the important parts that your son-in-law IMHO might not fully understand in all consequences.

ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
. . .
You should not run ComboFix unless you are specifically asked to by a helper.
Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
. . . .
Please note that this guide is the only authorized guide for the use of ComboFix . . . . It is also understood that the use of ComboFix is done at your own risk.
Let me summarize:
  1. It can detect but sometimes NOT automatically remove some malicious software.
  2. You run it at your own risk if you use it on your own.
  3. The information it displays is for trained people, NOT for the casual home user!
  4. If you run into problems there is NOBODY who might be able and willing to help you!

If your son-in-law is a trained helper, then he does well; if he is a "normal" self-taught user, he will create problems for himself down the road.

Since you asked, here is my advice to you:

Don't touch it!

Again, thanks for asking this question. This is so intriguing that I might make an article for my blog out of this.

(End quote)

And now a few additional remarks:

Some things I did not mention in my reply:

Microsoft Security Essentials (MSE) is a full-fledged antivirus program that is always running and continuously monitoring ALL file operations (and much more) during normal operation of the computer.

ComboFix is an on-demand scanner; it DOES NOT RUN continuously and does not scan file operations as they happen.

Just having ComboFix sitting on the computer and occasionally running it can IN NO WAY be compared to, let alone equated with, the workings of a "real" antivirus program. It is beyond my understanding how someone can assume that to be sufficient protection.

ComboFix gets updated fairly often, but it has NO provision at all to dynamically download new virus definitions or the like while it is running. You would have to download it again every time you want to run it just to have the latest version. That is a far cry from a dependably self-updating program like MSE.

The people that maintain know what they are doing; I have depended for many years on their evaluations and advice. To ignore the clear warnings and instructions in the short quotes above is, IMHO, blatantly foolish and ignorant. Dear unknown son-in-law, I apologize if this hurts your feelings, but that's how I see it.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.