Post #1, 28.10.2006 22:42
muf (Member, Group: Members, Posts: 26, Joined: 8.01.2006)
Hi,

Can you tell me if there is any way to remove what Kaspersky 'puts in' to my system to allow the iSwift and iChecker technology to function? I'm not sure whether these technologies 'tag' a file or whether they store a list in some directory or other. I want to remove whatever Kaspersky put there and wipe the slate clean. I am using KIS6.

The reason I ask is that I use a proactive application that looks for suspicious behaviour. When I run an executable it flags it as suspicious. Now at first, because I was trying real malware tests, I was happy these were getting flagged, because I expected them to be behaving 'suspicious'. But then I tried a few known good files and they were getting the same alert: "TRYING TO WRITE TO FIDBOX.DAT in the C:\WINDOWS\SYSTEM32\DRIVERS directory". I Googled Fidbox.dat and it appears to be associated with iSwift and Kaspersky. So I suspect that because KIS is tagging or storing these to the Fidbox.dat file, it is triggering the alert. So I want to wipe out all these Kaspersky tags or whatever it is they are.

There is also the strange fact that there is no such file as Fidbox.dat on my system. I've searched and I've navigated to C:\WINDOWS\SYSTEM32\DRIVERS and even though I have 'show all hidden files' enabled, this file is a phantom. Simply not there. Yet KIS must be using something to store this iSwift tag thing.

Can someone please give me more of an insight into what exactly this technology does to my system to work how it does? Also, and more importantly, is there any way to remove these iSwift/iChecker tags/lists? And please don't tell me a clean install of Windows is the only way, because that simply won't be funny.

Thanks,
muf

--------------------
"Never violate a woman, nor harm a child. Do not lie, cheat or steal. These things are for lesser men. Protect the weak against the evil strong. And never allow thoughts of gain to lead you into the pursuit of evil. Never back away from an enemy. Either fight or surrender. It is not enough to say I will not be evil. Evil must be fought wherever it is found." ---The "Iron Code" of Druss
David Gemmell - "A man to walk the mountains with." Author of Heroic Fantasy 1948-2006.
Post #2, 28.10.2006 22:49
lucianbara (True legend, Group: Moderators, Posts: 53522, Joined: 28.01.2006, From: Timisoara, Romania)
Hello,

Both iChecker and iSwift information is saved inside two files (fidbox.dat and sfdb.dat). This means that removing the files (with the uninstallation) will remove any trace of iSwift & iChecker from the system. Only KAV 5 used alternate data streams to store the information (which meant attaching 'stuff' to every file).

It's strange that you do not have that file. Have you also disabled the option to hide operating system files and used the search function to find it?
Post #3, 28.10.2006 22:56
muf (Member, Group: Members, Posts: 26, Joined: 8.01.2006)
Haha, you bloody genius!!!

It was the 'hide system files' option that was stumping me. I thought I'd disabled that, but after checking, you are quite right. So if I delete the FidBox.dat file, will it break KIS? I was thinking of deleting it to the recycle bin and trying my test again to see if the Fidbox alert disappears. So can I delete it, or have I really got to uninstall?

muf
Post #4, 28.10.2006 22:58
Don Pelotas (Global Moderator, Group: Global moderators, Posts: 25915, Joined: 7.04.2005)
You can delete it, but why would you want to if you have already disabled the two technologies?
Post #5, 28.10.2006 23:20
muf (Member, Group: Members, Posts: 26, Joined: 8.01.2006)
Well, because even though I have unticked the option "Scan new and changed files only" and also unticked iSwift and iChecker in the scan options, it still keeps alerting me when I test a file that it is trying to write to the Fidbox.dat file. It's as if KIS still wants to access that file even though I've switched it off.

Just to clarify: are the only places in settings to disable this technology these places, or are there other options?

Protection\File Antivirus\General
- Scan new and changed files only
- Scan new only archives
- Scan new only installation packages
- Scan new only embedded OLE objects

Scan\General
- Scan new and changed files only

Scan\Advanced
- Enable iChecker Technology
- Enable iSwift Technology

I disabled all these and then downloaded a file, ran it through my proactive defence, and it alerts as in the screenshot. So it appears the Fidbox.dat is still being written to for some reason. Any ideas?

muf
Post #6, 29.10.2006 01:53
Don Pelotas (Global Moderator, Group: Global moderators, Posts: 25915, Joined: 7.04.2005)
The option to uncheck iswift and ichecker as well as "Scan new and changed files only" is found in all Scan options under: Scan, Critical areas, Scan my computer and Startup objects.
Scan new and changed files only is also found in file-av.
Post #7, 29.10.2006 02:56
muf (Member, Group: Members, Posts: 26, Joined: 8.01.2006)
Quoting Don Pelotas (28.10.2006 22:53):
> The option to uncheck iSwift and iChecker as well as "Scan new and changed files only" is found in all Scan options under: Scan, Critical areas, Scan my computer and Startup objects. Scan new and changed files only is also found in file-av.

Yep, I had already disabled all those as well. Any other suggestions as to why it's still writing to the Fidbox.dat? I'm awfully confused right now. Maybe I should submit a ticket to Support?

muf
Post #8, 29.10.2006 08:05
Whizard (Professional, Group: Moderators, Posts: 18569, Joined: 19.11.2005, From: Toronto/Canada)
You can switch them off in the registry with Self-Defense disabled. Although keep in mind you are doing so at your own peril:

    [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings]
    "UseIChecker"=dword:00000000
    "UseIStreams"=dword:00000000

--------------------
Networking and Security Guru
~^Whizard^~
Post #9, 29.10.2006 11:05
Lucian Bara (True legend, Group: Moderators, Posts: 53522, Joined: 28.01.2006, From: Timisoara, Romania)
Whiz, do you know why it is still called IStreams in the registry?
Post #10, 4.12.2006 03:28
Sportster (Member, Group: Members, Posts: 16, Joined: 4.06.2005)
Quoting Whizard (29.10.2006 07:05):
> You can switch them off in the registry with Self-Defense disabled. Although keep in mind you are doing so at your own peril:

Doesn't work here. Fidbox is still heavily accessed. The reg keys you mentioned are in a subfolder (settings\0). But it doesn't work either:

    [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings]
    "UseIChecker"=dword:00000000
    "UseIStreams"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings\0]
    "UseIChecker"=dword:00000000
    "UseIStreams"=dword:00000000

KAV 6.0.1.411

Any other suggestions to disable it?
Post #11, 13.12.2006 04:04
Sportster (Member, Group: Members, Posts: 16, Joined: 4.06.2005)
No ideas?
So, there are no official devs in the forum? No one knows how to prevent KAV from accessing fidbox files?
Post #12, 7.07.2007 04:22
Advanced Member, Group: Members, Posts: 66, Joined: 7.07.2007
Quoting Sportster (12.12.2006 18:04):
> No ideas? So, there are no official devs in the forum? No one knows how to prevent KAV from accessing fidbox files?

Hi all, so if I remove these two files after an uninstall of the AOL Active Virus Shield, then I will not have any trace of these two technologies, correct?
Post #13, 7.07.2007 05:34
Whizard (Professional, Group: Moderators, Posts: 18569, Joined: 19.11.2005, From: Toronto/Canada)
Yes, that's correct. Although why you would do it is beyond me.
Post #14, 7.07.2007 06:48
Advanced Member, Group: Members, Posts: 66, Joined: 7.07.2007
Quoting Whizard (6.07.2007 19:34):
> Yes, that's correct. Although why you would do it is beyond me.

I was just curious as to the fact that if I ever wanted to, was it possible.
Post #15, 7.07.2007 09:10
jmorlan (Member, Group: Members, Posts: 31, Joined: 23.11.2006)
Quoting Whizard (6.07.2007 18:34):
> Yes, that's correct. Although why you would do it is beyond me.

Hmmm... I don't think so. After removing KAV/AVS the fidbox.dat and associated files are removed, true. But all the NTFS object identifiers that were added by iSwift are still there after a full uninstallation. These are added to every file on your hard drive after a scan and cannot be removed easily. Dantz has demonstrated that copying the files to another partition and copying them back rids the indexes of these NTFS object identifiers, which is expected because copying files removes their uniqueness. But the CHKDSK stage 2 lag, which has now been well documented, remains after the program is removed.

Basically CHKDSK was not designed to expect NTFS object identifiers, which are normally used by the Distributed Link Tracking Service, to be present on every file on the drive. When there are many files and many indexes, CHKDSK may get overwhelmed on some systems.

So, I respectfully disagree that all traces of the iSwift technology are removed after the program is uninstalled. That's why there is now such a fuss about it. An NTFS object identifier removal tool would go a long way to quell the complaints.
Post #16, 7.07.2007 12:28
Lucian Bara (True legend, Group: Moderators, Posts: 53522, Joined: 28.01.2006, From: Timisoara, Romania)
Quoting jmorlan (7.07.2007 09:10):
> Hmmm... I don't think so. After removing KAV/AVS the fidbox.dat and associated files are removed, true. But all the NTFS object identifiers that were added by iSwift are still there after a full uninstallation. These are added to every file on your hard drive after a scan and cannot be removed easily. Dantz has demonstrated that copying the files to another partition and copying them back rids the indexes of these NTFS object identifiers, which is expected because copying files removes their uniqueness. But the CHKDSK stage 2 lag, which has now been well documented, remains after the program is removed. Basically CHKDSK was not designed to expect NTFS object identifiers, which are normally used by the Distributed Link Tracking Service, to be present on every file on the drive. When there are many files and many indexes, CHKDSK may get overwhelmed on some systems. So, I respectfully disagree that all traces of the iSwift technology are removed after the program is uninstalled. That's why there is now such a fuss about it. An NTFS object identifier removal tool would go a long way to quell the complaints.

Yes, but NTFS has object identifiers & supports them, so if chkdsk hangs, it's chkdsk which can't handle the IDs. Unfortunately it's hard to find an NTFS disk checkup tool other than the built-in chkdsk.
Post #17, 7.07.2007 17:25
jmorlan (Member, Group: Members, Posts: 31, Joined: 23.11.2006)
Quoting Lucian Bara (7.07.2007 01:28):
> Yes, but NTFS has object identifiers & supports them, so if chkdsk hangs, it's chkdsk which can't handle the IDs. Unfortunately it's hard to find an NTFS disk checkup tool other than the built-in chkdsk.

NTFS also supports removal of NTFS object identifiers when they are no longer needed or used. MS has published code on the subject:
http://msdn2.microsoft.com/en-us/library/aa364559.aspx

Since some users still experience CHKDSK overload after removing KAV or AVS, and since this symptom disappears when the NTFS object identifiers are removed, why not provide a removal tool for those who are affected? Some people have reported that CHKDSK cannot run to completion, which is not a good thing.
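The removal tool jmorlan asks for does not need the Win32 control codes to be called directly: the built-in fsutil.exe exposes the same object ID query and delete operations (fsutil objectid query / fsutil objectid delete) from the command line, and a short PowerShell wrapper turns that into an audit-and-clean pass over a directory tree. The script below is an added example written for this page; it is not code from the thread, from Kaspersky or from Microsoft. It assumes that "fsutil objectid query" exits with a non-zero code for a file that has no object ID (my reading of its error behaviour), that the script runs from an elevated prompt on an NTFS volume, and the script file name used in the usage note is made up.

```powershell
<#
Added example (not from the thread, Kaspersky or Microsoft): list and optionally
remove NTFS object IDs under a directory tree with the built-in fsutil.exe.
Run from an elevated PowerShell prompt on an NTFS volume.

Assumptions (mine, not the thread's):
  - "fsutil objectid query" exits 0 and prints an "Object ID : <hex>" line when
    the file carries an object ID, and exits non-zero when it does not.
  - "fsutil objectid delete" exits 0 on success.
#>
param(
    [Parameter(Mandatory = $true)][string]$Root,   # directory tree to audit, e.g. C:\
    [switch]$Remove                               # without this the script only reports
)

# Let fsutil's stderr flow through 2>&1 as text instead of becoming a terminating error.
$ErrorActionPreference = 'Continue'

function Get-ObjectIdStatus {
    param([string]$Path)
    $out = & fsutil.exe objectid query "$Path" 2>&1
    $has = ($LASTEXITCODE -eq 0)
    $id  = $null
    if ($has) {
        foreach ($line in $out) {
            # First line of fsutil's output is the 16-byte object ID as hex.
            if ("$line" -match '^\s*Object ID\s*:\s*(\S+)') { $id = $Matches[1]; break }
        }
    }
    [pscustomobject]@{ Path = $Path; HasObjectId = $has; ObjectId = $id }
}

# Audit pass: every regular file, including hidden and system files, that carries
# an object ID. Directories are skipped; iSwift tagged files, not folders.
$tagged = @(
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ObjectIdStatus -Path $_.FullName } |
        Where-Object { $_.HasObjectId }
)

"{0} file(s) under {1} carry an NTFS object ID" -f $tagged.Count, $Root
$tagged | Select-Object -First 20 | Format-Table -AutoSize ObjectId, Path

if ($Remove) {
    $removed = 0
    foreach ($t in $tagged) {
        # Only the $OBJECT_ID attribute is dropped; file data and other metadata stay.
        # Side effect: Distributed Link Tracking can no longer resolve shortcuts to
        # this file by its ID, so shortcuts that relied on it fall back to the path.
        & fsutil.exe objectid delete "$($t.Path)" 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) { $removed++ }
        else { Write-Warning "Could not delete object ID on $($t.Path)" }
    }
    "Removed object IDs from {0} of {1} file(s)" -f $removed, $tagged.Count
}
```

Run it first without -Remove (for example `.\Find-ObjectIds.ps1 -Root D:\Data`) to see how many files are tagged, then with -Remove to strip them. Two caveats a practitioner should keep in mind: the count is an upper bound on what iSwift left behind, because Windows itself assigns object IDs to files that have been the target of a shell shortcut, and the script spawns one fsutil process per file, so on a whole system drive with hundreds of thousands of files it will take a long time; narrow -Root to the trees that matter or run it overnight.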
Post #18, 7.07.2007 18:38
Sportster (Member, Group: Members, Posts: 16, Joined: 4.06.2005)
I dropped KAV these days. It's messing too much with the system. I use it as a file scanner in VMware until it expires. It's maybe good for people who want all-round protection and don't care what happens to their system.
Post #19, 8.07.2007 01:42
MAPKOBKA^^ (Wrestling Champion, Group: Moderators, Posts: 8251, Joined: 9.03.2007)
Quoting Sportster (7.07.2007 16:38):
> I dropped KAV these days. It's messing too much with the system. I use it as a file scanner in VMware until it expires. It's maybe good for people who want all-round protection and don't care what happens to their system.

Tell that to the millions of users around the world who are running it with no problem.

Any application you install "messes" with your system in some way or another, and with the chkdsk problem some people seem to be complaining about... all I can say is that it is the same small number of people complaining about it in the vast majority of posts I have seen.

If it was such a disaster, wouldn't we have a forum full of threads like "Kaspersky fried my data" or "Kaspersky killed my hard drive"? I see no such threads.

--------------------
Kind Regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky ;))
Post #20, 8.07.2007 02:36
Sportster (Member, Group: Members, Posts: 16, Joined: 4.06.2005)
Quoting MAPKOBKA^^ (8.07.2007 00:42):
> Tell that to the millions of users around the world who are running it with no problem.

I have no problems either, but I don't like unwanted ring0 and disk activities. For my taste KAV got too heavy these days. There's hardly anything optional in the package. KAV drivers are always active until you de-install it, and they do not idle all the time. They should release a light or mobile version for USB sticks, or a dedicated file scanner as a separate version that doesn't leave any traces in the system.
Time is now: 9.02.2010 18:15