Topic: best virus scanning/removal tool for use in PE  (Read 29948 times)

Re: best virus scanning/removal tool for use in PE
« Reply #20 on: February 15, 2013, 03:25:35 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
I would certainly like to see your MalwareBytes script... I haven't seen a working one for some time.

Re: best virus scanning/removal tool for use in PE
« Reply #21 on: February 15, 2013, 08:39:46 PM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
Quote
I would certainly like to see your MalwareBytes script... I haven't seen a working one for some time.

Here is the Malwarebytes script I use.  By default, the script doesn't work.  The problem is innounp.exe is version .36.  I grabbed version .38 from here
http://sourceforge.net/projects/innounp/?source=dlp
and then ran the script.  While it was downloading the files, I manually put version .38 of innounp.exe in Workbench\common\Malwarebytes' Anti-Malware overwriting version .36 and the files unpacked ok.  You only have to do this the first time, as the needed files will be kept in workbench for the next run.  If you were to update the encoded version of innounp.exe in the script, it should be automated for everyone.

For the main contributors, these are what work for me in ChrisR's projects.  I'm happy to share any.




Re: best virus scanning/removal tool for use in PE
« Reply #22 on: February 15, 2013, 09:56:05 PM »

SIW2

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jul 2012
  • Posts: 197
I put esetsmartinstaller.exe in my pe builds and make a shortcut to it.

It's free and runs just fine.

esetsmartinstaller_enu.exe
« Last Edit: February 15, 2013, 09:57:58 PM by SIW2 »

Re: best virus scanning/removal tool for use in PE
« Reply #23 on: February 15, 2013, 10:06:46 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Thanks SIW2, halikus

I will update list soon, time... :turtle:

halikus,
I made a small mod on mbam plugin, to use latest innounp....
test to see if it works ok
http://www.sendspace.com/file/76f4j1

Re: best virus scanning/removal tool for use in PE
« Reply #24 on: February 15, 2013, 10:34:46 PM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
I assume the new MBAM works, I can't seem to get sendspace working though.  It only has the option to upload a file.

Re: best virus scanning/removal tool for use in PE
« Reply #25 on: February 15, 2013, 10:42:04 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
not sure what you mean,

when you click
http://www.sendspace.com/file/76f4j1

there should be a new browser screen saying
"Click here to start download from sendspace"

Re: best virus scanning/removal tool for use in PE
« Reply #26 on: February 15, 2013, 11:01:50 PM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
It's strange, but when I click on your link, all I see is this.  Maybe it's my adblock or something...


Re: best virus scanning/removal tool for use in PE
« Reply #27 on: February 15, 2013, 11:21:45 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Yep, whatever you add to your browser, blocks heavily  :tongue:
 link is working fine with "FF + Adblock Plus"

try with opera portable ;) (tested  :thumbsup: )

Re: best virus scanning/removal tool for use in PE
« Reply #28 on: February 16, 2013, 01:22:27 AM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
I grabbed the script with IE (I knew it was useful for something besides downloading a better browser) and it built fine in w7x86 and w8x64 PEs, and grabbed the updated definitions ok, but running it and having it do anything useful is another matter.  My family is all streaming films off my server, so I can't reboot into a real machine to test.  The one time I did boot on real hardware, it was w7x86, without updates, and on a laptop with only wifi, so I couldn't get online to grab the updated definitions.  The program did "scan", but only for 1 second and then said scanning complete.  With w8x64, I included the updated definitions but it said they were corrupt and complained of (iirc) ieframe.dll being unregistered, but it could just be an x64 bug.

I will try to build a quick and suitable testing environment in VMware and try a few more variations.  The only time I had used the script previously was a few months ago on a live system and it worked, but it was many builds ago.  I'm sure it's a simple bug I can iron out.

As for my knowledge of scripts, I learned a little bit about many languages, and am self taught through Google and "reverse engineering" the parts I understood.  With winbuilder scripts, I find it difficult because the capi (or api?), variables, and commands change through the ages and different releases of winbuilder, so there isn't really a standard I am familiar with to base my learning on.  I just dive in, hope for the best, and if there's an error, try to pinpoint it and fix it.  My methods are probably back asswards and the hard way. :)

For example, how you updated the script with innounp.exe.  I would have run the script builder and only added innounp.exe, then cut and pasted the result of that script overwriting the embedded innounp.exe part in the old script.  I have no idea if that would have worked, or if that's the proper way to do it, but it's what I would have tried.

Re: best virus scanning/removal tool for use in PE
« Reply #29 on: February 16, 2013, 12:50:11 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Quote
I grabbed the script with IE (I knew it was useful for something besides downloading a better browser) and it built fine in w7x86 and w8x64 PEs, and grabbed the updated definitions ok, but running it and having it do anything useful is another matter.
yep, my hand only to get this mbam plugin work with minimum touch, other than plugin utility working is totally another matter,
 besides mbam already known not good working on PE, as indicated by JonF.

Quote
As for my knowledge of scripts, I learned a little bit about many languages, and am self taught through Google and "reverse engineering" the parts I understood.  With winbuilder scripts, I find it difficult because the capi (or api?), variables, and commands change through the ages and different releases of winbuilder, so there isn't really a standard I am familiar with to base my learning on.  I just dive in, hope for the best, and if there's an error, try to pinpoint it and fix it.  My methods are probably back asswards and the hard way. :)
Well, if you were familiar with cmd batches, you would figure out easier.
 One of stupid mistake (not ours ;)) was naming "script"  which they are not,
  one of bad effect is people like you think it is like many scripting languages, which is not....
   Better name them "Plugin"  :thumbsup: for the files that are used inside Projects....

And why named "script" in old times  :wink:,
 Checking AutoIT v2 syntax http://www.sendspace.com/file/0eya83 you can easily figure out where winbuilder syntax comes from  :wink:
  and why winbuilder developers do not like to talk about AutoIT  :lol:
   In time, AutoIT developer Jonathan Bennett moved to next levels of script engine, with AutoIT v3, getting better and better everyday  :great:
    hence winbuilder developers plans to compete with AutoIT totally ended  :cool: ,
     after understanding they lost, they also themselves start not using "script" name for winbuilder files, and half abolish plans on this goal.

About changes / standards,
Stupid mistake with capi-api-Winbuilder Syntax, is lying behind the politics of killing projects in time (winbuilder sin), which behind serves some commercial goals....
 Well, obviously not mistake  :wink: and not stupid   :wink:,
  it is a well hidden agenda that is away enough from regular users like you  :cool:
   also well hidden enough to fool new developers and gain some temporary man power...
    but people wake up in time  :wink:
     check amalux quoted post at reply 1 here, which summarize part of this story.
      http://TheOven.org/index.php?topic=332




We make current forum,
 set good standards,
  create and develop projects together with a team spirit and hobby soul, with motto Fun Freedom and Flexibility

   natural result of being non-commercial, we have limited time, development goes quite slow :turtle:
    but with strong steps, so far we are doing well  :xmas-good:

Here on http://TheOven.org,
 you will find
  Total ~ 750 working plugins in all projects,
   ~250 - 300 application plugins that works in between,
    and some non-app plugins that works in between (Virtualizations, Components, OtherOS, Utils ...)

Good standards not only help sharing, and ease maintaining, but also ease creating new projects, like Win8PESE

Sure we have done all these with some Good Standards and Visions, Even other developers including winbuilder developers trying to follow us for a long while now  :wink:

Macro Library syntax / standards along with some non-ML standards is here,
http://TheOven.org/index.php?board=14.0
which is very sufficient for a new and advanced users, even not complete :turtle:

For the plugins that you may find out of http://TheOven.org , which from your list I see maybe 10 plugins,
 it will not be much difficult to Follow Standards with small touches (as I did on mbam).

Aside, we are here to support to share experiences and knowledge on writing plugins when required  :great:

Quote
For example, how you updated the script with innounp.exe.  I would have run the script builder and only added innounp.exe, then cut and pasted the result of that script overwriting the embedded innounp.exe part in the old script.  I have no idea if that would have worked, or if that's the proper way to do it, but it's what I would have tried.
I can only say, the plugin I modded will not have innounp trouble anymore  :thumbsup: as long as innounp author keeps updates and mbam do not change its setup engine  :wink:
We already made a "standard" to avoid this (and to ease maintenance and to keep smaller plugin size),
 and I simply use that "standard" on mbam plugin you provided, to avoid such not necessary touches on plugin.




As long as one make a good plugin, and decide to share on TheOven.org,
 we assure put it in one of projects, and assure it stays as "Working" Plugin  :great: :great: :great:

You can learn writing plugins by using
\Utils\"PC Packed"  (Plugin Creator Packed)
and checking result plugin syntax  :wink:
There is also
\Utils\"PC Innounp" (Plugin Creator Innounp)

both above ease writing plugins, and helps learning,
 and let developer focus on real hard part, making utility work on project (registries, dependencies etc.)
  We even provide debug plugins for that purpose ;)
2 most popular ones:
Apps\System Tools\Debug\"Sysinternals Process Monitor"
Apps\System Tools\Registry\"RegShot2 Unicode"
which may help you to figure out mbam things  :wink:

After a long writing ;) I hope now we are back at main focus on AV , on currently on mbam focus.

I am following this topic to make a nice Free AV list, maybe later to make a nice plugin or tutorial or etc on some of them...
 so everyone can use  :thumbsup: I hope more things figured out in time  :great:

See you
:ymca:

Re: best virus scanning/removal tool for use in PE
« Reply #30 on: February 20, 2013, 09:57:19 AM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Very interesting topic :thumbsup:
It is really good to have a return from PC techs who use these tools in real situations.

Quote
I would certainly like to see your MalwareBytes script... I haven't seen a working one for some time.
I confirm also, I had already tested the same MBAM script before, with real spyware in vmware, it does not work in PE for me.
MBAM seems incompatible with Offline system, even with Runscanner, until they do develop this feature, as in SpyBot.

I had used Spybot - Search & Destroy Portable (portableapps.com), In my previous tests with real spyware, it works well. This is even better with a script :great:.

Besides, I still have problems with RunScanner /sv switch !!!. Not only in MBAM script, perhaps due to version 1.0.0.26.


Quote
I put esetsmartinstaller.exe in my pe builds and make a shortcut to it.

It's free and runs just fine.
I tried the ESETs Online Scanner (online, just for updating), with eicar testfile , it works very well with a really quick scan, good find SIW2  :thumbup:.
Avira Free Antivirus, works well also, if we do not put the real-time protection, but it remains heavier and more difficult.

Does anyone have any links to download test bases AV, Malware, I am looking in the other way, normally  :wink:

:cheers:

Re: best virus scanning/removal tool for use in PE
« Reply #31 on: February 20, 2013, 12:48:47 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Here are things I gather through this topic so far (including links)
http://www.sendspace.com/file/0purry

So far free AV (+related) list is:

ps: Anti X :) or Anti Bad  :cool:

Avira Free AntiVirus
AVZ Antiviral Toolkit
Bitdefender Rootkit Remover
DrWeb
ESET Online Scanner_SmartInstaller
ESET SysRescue
EzPCFix
HijackThis
HitManPro
Kaspersky Virus Removal Tool
Malware Bytes
McAfee Stinger
Norton Power Eraser
Sophos Virus Removal Tool
SpyBHORemover
Spybot - Search & Destroy
Trend Micro System Cleaner (SysClean)
Viper
VirusTotal
« Last Edit: February 20, 2013, 12:50:04 PM by Lancelot »

Re: best virus scanning/removal tool for use in PE
« Reply #32 on: February 20, 2013, 01:13:37 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
Quote
I would certainly like to see your MalwareBytes script... I haven't seen a working one for some time.
I confirm also, I had already tested the same MBAM script before, with real spyware in vmware, it does not work in PE for me.
I fixed a couple of errors in the MBAM script and took out that problematic /sv switch. Still testing to see if it works at all.

Quote
I had used Spybot - Search & Destroy Portable (portableapps.com), In my previous tests with real spyware, it works well. This is even better with a script :great:.
Yeah, but the script isn't really ready for wide distribution.

Quote
Does anyone have any links to download test bases AV, Malware, I am looking in the other way, normally  :wink:
No, but maybe http://nakedsecurity.sophos.com/ or http://www.gfi.com/blog/labs/ could help.

Re: best virus scanning/removal tool for use in PE
« Reply #33 on: February 20, 2013, 09:13:36 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Quote
and took out that problematic /sv switch.

Reminding reply #5 at Revo Uninstaller topic - http://theoven.org/index.php?topic=379
 :wink: :thumbsup:

Re: best virus scanning/removal tool for use in PE
« Reply #34 on: February 20, 2013, 10:06:37 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Quote
I put esetsmartinstaller.exe in my pe builds and make a shortcut to it.

It's free and runs just fine.
I wrote a script for ESET SmartInstaller Online Scanner

Re: best virus scanning/removal tool for use in PE
« Reply #35 on: February 21, 2013, 08:41:16 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
In a next version, I plan to add a small program
to save components and virus definitions on the media if writable (ufd, usb disk,...), when exiting ESET Online Scanner.
To be used then for the next use and lighten the downloads.

:cheers:


*
AV softwares I guess one of fast "changing" ones, links/tools/names changes in time... along with daily virus definitions..
 my idea for av things is, providing an easy way to download & update & inform .... ,
  maybe a simple plugin, having some different av options,
   that ease gathering things easily....

Like "Antivirus" and subfolders organisation I send before...,
 this way user can make an updated Antivirus folder on his/her usb easily,
  which also can be used by "Portable Finder CMD" to make some more automation tasks if required with own tastes... (no limit ;))


wb not required for such thing at all  :wink: ,  besides a plugin might be useful to inform and do some basic tasks..
 (like adding av requirements, ex: cmd adds ... , shortcuts if desired to be in build....)

at least this is what I would do in case I need AV,
 I would put all arsenals (download latest versions)  to USB\Antivirus\<subfolders>....
  and follow a simple written procedure (I am old school ;))
   (1- run this av, 2- run this av 3-restart safe mode - 4 install mbam and run 5 install drweb and run.... etc. etc.)

This also would be quite portable to share too, out of wb easily updatable....


Anyway, only sharing my idea, I do not have time and enough experience on av things, till this summer :turn:

See You
:ymca:

Re: best virus scanning/removal tool for use in PE
« Reply #36 on: February 21, 2013, 06:59:37 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
Well, I sure can't get MalwareBytes working in a VM. It always comes up with "database is missing or corrupt". Anyone?

Re: best virus scanning/removal tool for use in PE
« Reply #37 on: February 22, 2013, 04:39:24 AM »

anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
TrustPort AV also Supports WinPE and BartPE. A bartPE plugin is available which could be used to make a winbuilder script.

  https://support.trustport.com/support/index.php?_m=downloads&_a=viewdownload&downloaditemid=11


QuickHeal also has a WinPE based rescue disk. It uses command line scanning so chances are high for it to work from Win7PE SE.
« Last Edit: February 22, 2013, 04:44:13 AM by anshad »

Re: best virus scanning/removal tool for use in PE
« Reply #38 on: February 22, 2013, 04:57:36 AM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
Here is a whole bunch of Antivir scripts that I redid or found that all seem to work.  They gather from the net or within the script all needed files, unless otherwise specified.
All of them are certified to work as of Feb 21 2013.
I have Malwarebytes working now too.
You need a net connection for updates, probably at least 128 - 250 meg ramdisk, and no special runtimes or netframeworks are needed.  All tested and working on Win7PEse x86, x64, and build fine in Win8pe.  The "runscanner" shortcuts didn't work for me.

There is Antispyware:
AVZ 4.39
EzPCFix
HijackThis! 2..04
McAfee Stinger (newest)
SpyBHORemover 4.0
Spybot 2.0
SuperAntiSpyware 5.5.0
X-ClamWin .97.5

Antivirus:
Avast! Virus Cleaner (newest)
Avira Free Antivirus 2013 (newest, needs mfc100u.dll in system32)
Eset Smart Installer Online Scanner (newest)
Eset Sysrescue 6.0.306 (needs "add cmd" scripts or a few files)
Malwarebytes AntiMalware 2013 (newest, for x64 needs ieframe.dll)
Sophos Antivirus

http://www.sendspace.com/file/xx0jtp
« Last Edit: February 22, 2013, 05:22:36 AM by halikus »

Re: best virus scanning/removal tool for use in PE
« Reply #39 on: February 22, 2013, 12:21:58 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Quote
Well, I sure can't get MalwareBytes working in a VM. It always comes up with "database is missing or corrupt". Anyone?
Yep, the online update doesn't work well, it says "corrupted" (update.ini with database, dbDate,... I have not looked).
On the other hand, I have no problems with the update in VMware (I have 1,5MB of Ram) :

Code:
The database was sucessfully updated from version v0.00.00.00 to
version v2013.02.22.02.

But even with the update, MBAM still does not work for me, it scans only the X: drive :wink:

 
