Full Version: iSwift and ichecker.
Kaspersky Lab Forum > English User Forum > Protection for Home Users > Kaspersky Internet Security & Anti-Virus for Windows
muf
Hi,

Can you tell me if there is any way to remove what Kaspersky 'puts in' to my system to allow the iSwift and ichecker technology to function. I'm not sure whether these technologies 'tag' a file or whether they store a list in some directory or other. I want to remove whatever Kaspersky put there and wipe the slate clean. I am using KIS6.

The reason I ask is that I use a proactive application that looks for suspicious behaviour. When I run an executable it flags it as suspicious. Now at first, because I was trying real malware tests, I was happy these were getting flagged, because I expected them to be behaving 'suspiciously'. But then I tried a few known good files and they were getting the same alert: "TRYING TO WRITE TO FIDBOX.DAT in the C:\WINDOWS\SYSTEM32\DRIVERS directory". I Googled Fidbox.dat and it appears to be associated with iSwift and Kaspersky. So I suspect that because KIS is tagging or storing these to the Fidbox.dat file, it is triggering the alert. So I want to wipe out all these Kaspersky tags or whatever it is they are.

There is also the strange fact that there is no such file as Fidbox.dat on my system. I've searched and I've navigated to C:\WINDOWS\SYSTEM32\DRIVERS and even though I have 'show all hidden files' enabled this file is a phantom. Simply not there. Yet KIS must be using something to store this iSwift tag thing.

Can someone please give me more of an insight into what exactly this technology does to my system to work how it does. Also, and more importantly, is there any way to remove these iSwift ichecker tags/lists. And please don't tell me a clean install of Windows is the only way because that simply won't be funny.

Thanks,
muf
Lucian Bara
Hello
Both iChecker and iSwift information is saved inside 2 files (fidbox.dat and sfdb.dat). This means that removing the files (with the uninstallation) will remove any trace of iSwift & iChecker from the system.
Only kav 5 used alternate data streams to store the information (which meant attaching 'stuff' to every file).

It's strange that you do not have that file. Have you also disabled the option to hide operating system files and use the search function to find it?
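The post above says KAV 5 stored its iChecker data in NTFS alternate data streams attached to every file, whereas KAV/KIS 6 keeps it in fidbox.dat and sfdb.dat. As an added check (example script, not part of this thread and not Kaspersky's own tooling), the PowerShell below lists every named stream under a directory tree so you can see whether any file still carries one. The stream names KAV 5 used are not given on the page, so the script reports all streams except the unnamed ::$DATA stream that holds the file contents; the default root path is only a placeholder.

```powershell
# Added example (not Kaspersky code): enumerate NTFS alternate data streams
# under a directory tree. Requires PowerShell 3.0 or later for -Stream.
# The only stream name this script knows is the unnamed data stream ':$DATA';
# it does not know which names KAV 5 used, so it reports everything else.
param(
    [string]$Root = 'C:\Windows\System32\drivers',   # placeholder, adjust
    [switch]$Recurse
)

function Get-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $files = Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse `
                           -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        # One object per stream; the main file contents come back as ':$DATA'.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * `
                            -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -ne ':$DATA') {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $s.Stream
                    Bytes  = $s.Length
                }
            }
        }
    }
}

function Show-AlternateStreamSummary {
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    $found = @(Get-AlternateStreams -Path $Path -Recurse:$Recurse)
    if ($found.Count -eq 0) {
        Write-Host "No alternate data streams found under $Path"
        return
    }
    # Group by stream name: one name appearing on hundreds of unrelated files
    # is the pattern a per-file tagging scheme would leave behind.
    $found | Group-Object Stream |
        Sort-Object Count -Descending |
        Select-Object @{n='Stream';e={$_.Name}}, Count |
        Format-Table -AutoSize
    $found | Format-Table File, Stream, Bytes -AutoSize
}

Show-AlternateStreamSummary -Path $Root -Recurse:$Recurse
```

Run it as `.\Find-Ads.ps1 -Root C:\ -Recurse` from an elevated prompt to cover files the current user cannot otherwise read. Do not delete streams blindly: `Zone.Identifier` is the legitimate mark that browsers put on downloaded files. To remove one specific stream once you have identified it, use `Remove-Item -LiteralPath <file> -Stream <name>`.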
muf
Haha, you bloody genius!!!

It was the hide system files option that was stumping me. I thought I'd disabled that but after checking, you are quite right. So if I delete the FidBox.dat file, will it break KIS? I was thinking of deleting it to the recycle bin and trying my test again to see if the Fidbox alert disappears.

So can I delete it, or have I really got to uninstall?

muf
Don Pelotas
You can delete it, but why would you want to if you have already disabled the two technologies?
muf
Well, because even though I have unticked the option "Scan new and changed files only" and also unticked iSwift and iChecker in the scan options, it still keeps alerting me when I test a file that it is trying to write to the Fidbox.dat file. It's as if KIS still wants to access that file even though I've switched it off.

Just to clarify: are these the only places in settings to disable this technology, or are there other options?

Protection\File Antivirus\General
- Scan new and changed files only
- Scan New only archives
- Scan New only installation packages
- Scan New only embedded OLE objects


Scan\General
- Scan new and changed files only


Scan\Advanced
- Enable iChecker Technology
- Enable iSwift Technology


I disabled all these and then downloaded a file, ran it through my proactive defence and it alerted as in the screenshot. So it appears the Fidbox.dat is still being written to for some reason. Any ideas?

muf
Don Pelotas
The option to uncheck iswift and ichecker as well as "Scan new and changed files only" is found in all Scan options under: Scan, Critical areas, Scan my computer and Startup objects.

Scan new and changed files only is also found in file-av.
muf
QUOTE(Don Pelotas @ 28.10.2006 22:53)
The option to uncheck iswift and ichecker as well as "Scan new and changed files only" is found in all Scan options under: Scan, Critical areas, Scan my computer and Startup objects.

Scan new and changed files only is also found in file-av.

Yep, I had already disabled all those as well. Any other suggestions as to why it's still writing to the Fidbox.dat? Because I'm awfully confused right now. Maybe I should submit a ticket to Support?

muf
Whizard
You can switch them off in the registry with Self-Defense disabled. Although keep in mind you are doing so at your own peril:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings]

"UseIChecker"=dword:00000000
"UseIStreams"=dword:00000000

Lucian Bara
Whiz, do you know why it is still called iStreams in the registry?
Sportster
QUOTE(Whizard @ 29.10.2006 07:05)
You can switch them off in the registry with Self-Defense disabled. Although keep in mind you are doing so at your own peril:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings]

"UseIChecker"=dword:00000000
"UseIStreams"=dword:00000000

Doesn't work here. Fidbox is still heavily accessed. The reg keys you mentioned are in a subfolder (settings\0), but it doesn't work either...
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings\0]
"UseIChecker"=dword:00000000
"UseIStreams"=dword:00000000

KAV 6.0.1.411

Any other suggestions to disable it?
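Whizard's and Sportster's posts between them give two candidate key paths for the same values, `settings` and `settings\0`. The PowerShell below is an added example, not code from the thread, that reads `UseIChecker` and `UseIStreams` from both locations so you can see which key actually exists on a given install, and only writes zeros when `-Apply` is given. As Whizard says, Self-Defense has to be switched off in the product first; the script cannot do that for you, and Sportster reports that fidbox.dat was still accessed after these values were set, so treat this as a way to verify what is in the registry rather than a guaranteed switch.

```powershell
# Added example (not Kaspersky code): inspect, and optionally clear, the
# UseIChecker / UseIStreams values quoted in this thread. Both key paths
# posted are checked, since the two reports differ on where the values live.
# Run elevated; the product's Self-Defense must already be disabled or the
# write will fail or be reverted.
param([switch]$Apply)

$base   = 'HKLM:\SOFTWARE\KasperskyLab\AVP6\profiles\File_Monitoring\settings'
$paths  = @($base, (Join-Path $base '0'))
$values = @('UseIChecker', 'UseIStreams')

function Get-IcheckerState {
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Key = $p; Exists = $false; Name = $null; Value = $null }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $p
        foreach ($v in $values) {
            [pscustomobject]@{
                Key    = $p
                Exists = $true
                Name   = $v
                # $null here means the value is absent, which is not the same as 0
                Value  = $props.$v
            }
        }
    }
}

function Set-IcheckerOff {
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        foreach ($v in $values) {
            # -Type DWord matches the dword:00000000 in the posted .reg text;
            # Set-ItemProperty creates the value if it does not exist yet.
            Set-ItemProperty -LiteralPath $p -Name $v -Value 0 -Type DWord
        }
    }
}

Get-IcheckerState | Format-Table -AutoSize
if ($Apply) {
    Set-IcheckerOff
    Write-Host 'Values written; re-reading:'
    Get-IcheckerState | Format-Table -AutoSize
}
```

Run it once without `-Apply` to see which of the two keys exists and what the current values are, then again with `-Apply` if you decide to go ahead. A value that reads back as 0 but is immediately rewritten to 1 tells you Self-Defense is still active.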
Sportster
No ideas?
So, there are no official devs in the forum? No one knows how to prevent KAV from accessing fidbox files?
cruser921
QUOTE(Sportster @ 12.12.2006 18:04)
No ideas?
So, there are no official devs in the forum? No one knows how to prevent KAV from accessing fidbox files?

Hi all, so if I remove these two files after an uninstall of the AOL Active Virus Shield then I will not have any trace of these two technologies, correct?
Whizard
Yes, that's correct. Although why you would do it is beyond me.
cruser921
QUOTE(Whizard @ 6.07.2007 19:34)
Yes, that's correct. Although why you would do it is beyond me.

I was just curious as to whether, if I ever wanted to, it was possible.
jmorlan
QUOTE(Whizard @ 6.07.2007 18:34)
Yes, that's correct. Although why you would do it is beyond me.
Hmmm...

I don't think so. After removing KAV/AVS the fidbox.dat and associated files are removed, true. But all the NTFS object identifiers that were added by iSwift are still there after a full uninstallation. These are added to every file on your hard drive after a scan and cannot be removed easily.

Dantz has demonstrated that copying the files to another partition and copying them back rids the indexes of these NTFS object identifiers, which is expected because copying files removes their uniqueness. But the CHKDSK stage 2 lag, which has now been well documented, remains after the program is removed.

Basically CHKDSK was not designed to expect NTFS object identifiers, which are normally used by the Distributed Link Tracking Service, to be present on every file on the drive. When there are many files and many indexes, CHKDSK may get overwhelmed on some systems.

So, I respectfully disagree that all traces of the iSwift technology are removed after the program is uninstalled. That's why there is now such a fuss about it.

An NTFS object identifier removal tool would go a long way to quell the complaints.


Lucian Bara
QUOTE(jmorlan @ 7.07.2007 09:10)
Hmmm... 

I don't think so. After removing KAV/AVS the fidbox.dat and associated files are removed, true. But all the NTFS object identifiers that were added by iSwift are still there after a full uninstallation. These are added to every file on your hard drive after a scan and cannot be removed easily.

Dantz has demonstrated that copying the files to another partition and copying them back rids the indexes of these NTFS object identifiers, which is expected because copying files removes their uniqueness. But the CHKDSK stage 2 lag, which has now been well documented, remains after the program is removed.

Basically CHKDSK was not designed to expect NTFS object identifiers, which are normally used by the Distributed Link Tracking Service, to be present on every file on the drive. When there are many files and many indexes, CHKDSK may get overwhelmed on some systems.

So, I respectfully disagree that all traces of the iSwift technology are removed after the program is uninstalled.  That's why there is now such a fuss about it.

An NTFS object identifier removal tool would go a long way to quell the complaints.

Yes, but NTFS has object identifiers & supports them, so if chkdsk hangs, it's chkdsk which can't handle the IDs. Unfortunately it's hard to find an NTFS disk checkup tool other than the built-in chkdsk.
jmorlan
QUOTE(Lucian Bara @ 7.07.2007 01:28)
Yes, but NTFS has object identifiers & supports them, so if chkdsk hangs, it's chkdsk which can't handle the IDs. Unfortunately it's hard to find an NTFS disk checkup tool other than the built-in chkdsk.
NTFS also supports removal of NTFS object identifiers when they are no longer needed or used. MS has published code on the subject:

http://msdn2.microsoft.com/en-us/library/aa364559.aspx

Since some users still experience CHKDSK overload after removing KAV or AVS, and since this symptom disappears when the NTFS object identifiers are removed, why not provide a removal tool for those who are affected? Some people have reported that CHKDSK cannot run to completion, which is not a good thing.
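jmorlan's claim is that iSwift left an NTFS object identifier on every scanned file and that these survive the uninstall. Before reaching for the removal tool he asks for, a practitioner would want to measure that on their own volume. The PowerShell below is an added example, not Kaspersky or Microsoft code, that uses the built-in `fsutil objectid` command to count the files under a root that carry an object ID, and deletes them only when `-Remove` is given. It has to run from an elevated prompt. The caveat the post itself hints at: object IDs are what the Distributed Link Tracking Service uses to re-find a shortcut's target after the file has moved, so shortcuts pointing at files you strip lose that recovery; Windows also sets object IDs legitimately for exactly that purpose, so audit first and remove second.

```powershell
# Added example (not Kaspersky or Microsoft code): audit, and optionally
# delete, NTFS object identifiers under a directory tree with fsutil.exe.
# 'fsutil objectid' needs administrator rights. Object IDs are also set
# legitimately (Distributed Link Tracking), so run without -Remove first.
param(
    [Parameter(Mandatory)][string]$Root,
    [switch]$Remove
)

function Test-HasObjectId {
    param([Parameter(Mandatory)][string]$Path)
    # 'fsutil objectid query' prints 'Object ID : <hex>' when one is set and
    # reports an error otherwise; require both a clean exit and that text.
    $out = & fsutil.exe objectid query $Path 2>&1 | Out-String
    return ($LASTEXITCODE -eq 0 -and $out -match 'Object ID')
}

function Remove-ObjectId {
    param([Parameter(Mandatory)][string]$Path)
    # Deletes only the $OBJECT_ID attribute; file contents are untouched.
    $null = & fsutil.exe objectid delete $Path 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Invoke-ObjectIdAudit {
    param([Parameter(Mandatory)][string]$Path, [switch]$Remove)
    $tagged  = New-Object System.Collections.Generic.List[string]
    $scanned = 0
    $files = Get-ChildItem -LiteralPath $Path -File -Force -Recurse `
                           -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $scanned++
        if (Test-HasObjectId -Path $file.FullName) { $tagged.Add($file.FullName) }
    }

    $removed = 0
    if ($Remove) {
        foreach ($f in $tagged) {
            if (Remove-ObjectId -Path $f) { $removed++ }
        }
    }

    [pscustomobject]@{
        Scanned      = $scanned
        WithObjectId = $tagged.Count
        Removed      = $removed
        Sample       = $tagged | Select-Object -First 5
    }
}

Invoke-ObjectIdAudit -Path $Root -Remove:$Remove | Format-List
```

A `WithObjectId` count close to `Scanned` on a volume that has been through a full KAV scan is what jmorlan's description predicts; a handful of hits is the normal Distributed Link Tracking footprint and not worth touching. Spot-check a single file by hand with `fsutil objectid query <file>` before trusting the totals, since the script keys off that command's output.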
Sportster
I dropped KAV these days. It's messing too much with the system. I use it as a file scanner in VMware until it expires. It's maybe good for people who want all-round protection and don't care what happens to their system.
Baz^^
QUOTE(Sportster @ 7.07.2007 16:38)
I dropped KAV these days. It's messing too much with the system. I use it as a file scanner in VMware until it expires. It's maybe good for people who want all-round protection and don't care what happens to their system.

Tell that to the millions of users around the world who are running it with no problem.


Any application you install "messes" with your system in some way or another, and with the chkdsk problem some people seem to be complaining about... all I can say is that it is the same small number of people complaining about it in the vast majority of posts I have seen. If it was such a disaster wouldn't we have a forum full of threads like "Kaspersky fried my data" or "Kaspersky killed my hard drive"? I see no such threads.
Sportster
QUOTE(MAPKOBKA^^ @ 8.07.2007 00:42)
Tell that to the millions of users around the world who are running it with no problem.

I have no problems either, but I don't like unwanted ring 0 and disk activity. For my taste KAV has got too heavy these days. There's hardly anything optional in the package. KAV drivers are always active until you de-install it and they do not idle all the time.
They should release a light or mobile version for USB sticks, or a dedicated file scanner as a separate version that doesn't leave any traces in the system.
Baz^^
QUOTE(Sportster @ 8.07.2007 00:36)
I have no problems either, but I don't like unwanted ring 0 and disk activity. For my taste KAV has got too heavy these days. There's hardly anything optional in the package. KAV drivers are always active until you de-install it and they do not idle all the time.
They should release a light or mobile version for USB sticks, or a dedicated file scanner as a separate version that doesn't leave any traces in the system.

As far as I recall there will be the "avp tool" as a standalone scanner?...


Why it messes with your system is understandable... it needs to lock down as much as possible to stop malware from attempting to remove it...otherwise we would have no chance against nasty rootkits and the like. But I see your point if you like to be in total control.
Whizard
If you can't be the first to lock down ring 0, then others will get there. And then it is anybody's game, so the API hooks can be removed. It is a battleground, and the double-edged sword of protection, where developers fight against malware writers, is quite evident to me. As for KAV drivers being active, I do not mind that as long as there is no data corruption and the protection is optimal. If the program locks down too tight people complain; if the program does not do that then people complain about why malware gets through. There is no way to have a win/win situation for everybody.