I'm sure most of you already know how the FreeFixer application works: It scans many locations on your Windows machine, such as the browser plugins, processes and services that are installed on your system. In its current state, FreeFixer does not have much knowledge whether a file is good or bad: It greenlists files from trusted software vendors and hides critical system files completely from the scan result. The remaining files appears in the scan result, neither listed as good, nor as bad. It's the responsibility of the user to figure out, with the help of the other FreeFixer users and the FreeFixer file library, if a file should be considered safe or if it should be removed.
This is how FreeFixer is designed to work, but admittedly, it's not easy for an inexperienced user to figure out which of the files in the scan result, if any, that should be selected for removal.
Many FreeFixer users have contacted me and suggested that FreeFixer should also detect and display malware files in red like most of the other anti-spyware and anti-virus tools do. And the suggestion makes perfect sense: It would be great to combine malware detection with the manual inspection and removal features. It would attract both beginners and experienced users.
However, I've always said no to this feature request, since it already requires lots of work to add new scan locations, supporting even more platforms than those supported today and working on the FreeFixer.com web site. Adding an additional task of analyzing lots of malware and creating malware definitions would probably result in crappy FreeFixer program with a crappy malware detection list.
I'm currently experimenting with a new set of features that allows anyone to create malware definitions for FreeFixer. I've started out with the simplest thing that could possibly work: Detection based on file locations. You simply define which files are malware by specifying the file locations in an .xml file. For example, the existence of ld14.exe in the Windows directory indicates that your machine is infected with the Koobface worm.
I'll link to your definition file from FreeFixer.com. FreeFixer users downloads your .xml file. Now the malware files get flagged in their scan results. The detection name that you gave the file appears and if users click on it they will be linked to your web site where you can explain more about the threat. You get credit for your work.
I've created a tiny example how to build the malware-definitions. I think you'll
understand the concept by looking directly into the .xml file:
http://www.freefixer.com/static/freefixer-demo-defs.xml
Put this file in c:\Program Files\FreeFixer\definitions\
and
FreeFixer will detect some variants of the Koobface worm. The Koobface
files will appear in red in the scan result.
If there's interest in building malware definitions for FreeFixer I'll keep on adding detection features. Some of the features that would be nice is SHA256 and MD5 detection, detection based on various parts of a file, detection of registry keys, values and data, memory scanning, signed xml-files, automatic updates, etc. You name it.
Actually, with this method the scanner won't detected many viruses - most (modern) viruses can use other file names/locations, decrypt themselves etc. IMHO your scanner will not be as good as one of the "professional" ones.
So, why just not put a link behind the result that the user can send the file to virustoal.com?
# 24 Oct 2009, 1:14
Maybe you could start by adding detection for conficker or gumblar. If detected the program could advise users to run a very good anti-virus scan.
# 31 Oct 2009, 3:58
Cool idea and nice realization.
Our team <a href="http://filegets.com/info/freefixer.html">researched and awarded FreeFixer</a>. Good job!
# 5 Nov 2009, 11:45
I and my friends at CMCLab Support forum are very interested in this feature of your FreeFixer program .
Maybe I could give you some suggestions :) .
# 15 May 2010, 5:55
Nyoman writes