Why does my Anaconda Download look like This?

  • Thread starter Thread starter WWGD
  • Start date Start date
Click For Summary

Discussion Overview

The discussion revolves around issues related to the installation of Anaconda Navigator, particularly concerns about its appearance and potential virus infections. Participants explore troubleshooting steps, the role of virus scanners, and methods for detecting suspicious processes on Windows systems.

Discussion Character

  • Exploratory
  • Technical explanation
  • Debate/contested

Main Points Raised

  • One participant reports that their downloaded copy of Anaconda Navigator appears strange and expresses concern about a possible virus.
  • Another participant suggests that disabling the virus scanner during installation might resolve the issue, although they acknowledge the risks involved.
  • Some participants discuss the potential for virus scanners to flag legitimate files, which could hinder installation.
  • There are inquiries about using SysInternals tools to detect suspicious processes, with some participants sharing their experiences and methods.
  • Concerns are raised about the safety of disabling virus protection, with some arguing that it could expose users to risks.
  • Participants mention that viruses can sometimes disguise themselves by co-opting legitimate processes, complicating detection efforts.
  • Detailed steps for using SysInternals tools like Process Explorer and Autoruns are shared, emphasizing the need for careful verification of processes and files.
  • There is a discussion about the challenges of identifying malicious software, with some participants noting that each virus may infiltrate systems differently.

Areas of Agreement / Disagreement

Participants express a range of views on the safety of disabling virus protection during installation, with some agreeing that it poses risks while others suggest it may be necessary under certain conditions. The discussion remains unresolved regarding the best practices for virus detection and the implications of disabling security measures.

Contextual Notes

Participants highlight the limitations of various detection methods and the complexity of identifying malicious processes, indicating that there is no one-size-fits-all solution to virus detection.

WWGD
Science Advisor
Homework Helper
Messages
7,806
Reaction score
13,125
Hi all,
My downloaded copy of Anaconda Navigator ( a compilation of free utilities including Python) came out looking strange --please see attached. Any idea of what could be going on? Hopefully not a virus.
 

Attachments

Computer science news on Phys.org
jedishrfu said:
This page says if you encounter any problems with anaconda install on windows then disable the virus scanner (scary to me) and try again:

https://docs.continuum.io/anaconda/install#anaconda-for-windows-install

It may be that the virus scanner flagged some key file and wouldn't let it get installed.
Thanks, it says to do so only temporarily, but still a good point. Of course, remember to reinstall ASAP.
 
Just curious, anyone know what to look for in Sys Internals re some suspicious processes/threads?
 
THis article is for windows 7 but still may be useful:

http://www.techradar.com/news/software/how-to-spot-suspicious-processes-in-windows-7-957026

and this one:

http://www.makeuseof.com/tag/handle-suspicious-windows-task-manager-processes/

In general, I looked up the process names via google to see what they did. Some malware may use three or more processes so that deleting anyone will cause the other two to recreate it.

I used to use hijackthis to detect if any OS handles were being intercepted although I think that's now out of date.

https://sourceforge.net/projects/hjt/

If you can't figure out if a process is legit then post it here and maybe someone can help.
 
  • Like
Likes   Reactions: OCR and WWGD
Thanks a lot, Jedi. I will post here if I can find something , for general info/know how.
 
  • Like
Likes   Reactions: OCR
WWGD said:
it says to do so only temporarily
Just what a virus needs.
 
  • Like
Likes   Reactions: jedishrfu
Borg said:
Just what a virus needs.

The old jedi mind trick trick.
 
  • Like
Likes   Reactions: Borg
jedishrfu said:
The old jedi mind trick trick.
lol. These aren't the safe applications you're looking for. :oldtongue:
 
  • Like
Likes   Reactions: jedishrfu
  • #10
Borg said:
lol. These aren't the safe applications you're looking for. :oldtongue:

Move along, move along.
 
  • Like
Likes   Reactions: Borg
  • #11
Borg said:
Just what a virus needs.
But if the source is trustworthy?
 
  • #12
WWGD said:
But if the source is trustworthy?
Even a trustworthy source could have a virus. Software should never be telling you to disable your virus scanner. If so, it's either a virus or they don't know what they're doing. I wouldn't trust either scenario.
 
  • Like
Likes   Reactions: WWGD
  • #13
Do you know a way of using SysInternals/Process Explorer to detect a virus? I have been trying for a while, following online instructions without success.
 
  • #14
Viruses don't always live in identifiable processes sometime they co-opt a legitimate process and run under its umbrella.
 
  • Like
Likes   Reactions: WWGD
  • #15
WWGD said:
Do you know a way of using SysInternals/Process Explorer to detect a virus? I have been trying for a while, following online instructions without success.
There's no simple way of detecting all viruses like that. Each virus has it's own way of infiltrating a system.
jedishrfu's hijackthis link is your best bet and even that is only a starting point.
jedishrfu said:
Viruses don't always live in identifiable processes sometime they co-opt a legitimate process and run under its umbrella.
:thumbup:
 
  • Like
Likes   Reactions: jedishrfu
  • #16
Well, of course, you do the best you can and you catch whichever viruses you are able to catch.
 
  • #17
Like pokemon with real world consequences.
 
  • Like
Likes   Reactions: Borg
  • #18
I am not referring to eliminating virus EDIT protection temporarily, I am referring to using Sysinternals, though.
 
  • #19
When I am investigating systems for infections, I use Process Explorer(sysinterals), autoruns(sysinterals) and hijackthis.
Here's the basic steps i follow, i'll start from the very beginning so i apologise if some of this stuff seems obvious.
1) Reboot to safe mode with networking
2) Log into an admin account
3) Run autoruns as admin
The purpose of autoruns is to examine what software is scheduled to run on your system at boot/login
4) Run process explorer as admin
The purpose of process explorer is to examine what software is currently running in active memory

5) In Autoruns
Click options>Scan Options
Check all the boxes and then agree to virustotal user agreement
Then Click options>check all 4 hide items
Then Click the refresh button (2nd from the left next to the save icon)

6) While autoruns is gathering data, run process explorer as admin
When its open click CTRL+D to show DLL's attached to processes running on your system. The DLL's will show up on the bottom pane. Please sort them by Company Name.
Then Click on the Process menu item, and then select Check Virustotal.com

Now comes the painful part.
You will need to click on each process on the top pane, verify that it's location is valid. You will search for the file in google, learn about what it does, where it resides, who made and signed the file, etc.
Eg: svchost.exe must located at c:\windows\system32\svchost.exe and must be signed by Microsoft Corporation<-- This is safe (assuming virustotal also says it's safe)
if instead you see scvhost.exe located at c:\windows\system32\scvhost.exe and not signed <-- This is malicious. The file name is incorrect, the c and v letters are flipped and there's no signature from microsoft saying this is their file.
if the file is located in c:\windows\system, it is malicious, etc.
If the file passes the initial check, then you need to look at the list of ALL DLLs attached to the process in the bottom pane. This is why we sorted by company name. All the digitally signed files (files you can trust) will be lumped together. Microsoft Corporation is okay. Everything else must be checked and verified as not malicious. This means you will have to google the filename and learn about it to find out if this is a legitimate file and can be trusted or not.
Over time, you will learn patters and will be able to figure out what's safe and what's not just by looking at the file name and location. But when you start, you will have to do this hard dirty work. No pain, no gain.

If you find something you think is malicious, right click on the parent process and then select suspend. This will stop the process from running and give you an opportunity to clean/remove it.
If you accidentally suspend a system process, you will crash windows. There are certain processes you cannot suspend. System, winint, etc are things that your computer cannot run without. There's others that i don't remember and i don't have access to process explorer right now to give you a list (i'm run Debian)

Once suspended, you will have to navigate to the file in question and then change the permissions on the file from allow to deny all. This will prevent the file from running on your system after a reboot.
The really good malware programs have several threads running that monitor each other, so if you kill one thread, the others simply restart it. This is why we suspend and change to deny permissions on all the files one at a time. Then do a hard reset and then on next boot, they cannot run and your computer is clean.

If you mess up and set deny permissions on a valid system file, you will kill windows. Unless you keep a record of your changes so you can undo them, you will end up having to wipe your computer to fix the problem. So please be careful.

When you have gone through the entire list and suspended everything that you think is malicious, go ahead and kill the threads one by one until none of the suspected malicious software is running.

7) Once you are done with Process explorer, you will switch to autoruns. You will need to go through each tab at the top, Logon, IE, Explorer, Services, etc and check the entries that were not hidden (files listed are not windows, and virustotal thinks they are suspicious)
Then just like in process explorer, you will unleash the power of google on those files to figure out what they are and what they do. if the files are safe (virustotal spits out false positives) then ignore them. If they are malicious, uncheck the entry to disable the autorun on the file and then navigate to the location of the file and change the permissions on the file to deny.
Once you are done with the entire list, close process explorer and autoruns and then click and hold th power button till the computer shuts off.

Some malware, spawn with random names and locations as part of the windows shutdown process. A hard shutdown prevents this.

8) Reboot back into safemode with networking. Then run highjackthis as administrator and redo the same thing, check each entry, verify it's okay, if it's not, uncheck it. Then reboot again.

9) Finally, boot back into normal mode and if you haven't completely destroyed windows by now, you can be reasonably assured that the system is clean. The only exception is root kits as they filter information about themselves before it reaches the Windows API, meaning you will not see them in process explorer, autoruns, highjackthis. The only way to get rid of them and be sure about it, is to wipe the system.
 
  • Like
Likes   Reactions: jedishrfu, OCR and WWGD
  • #20
Excellent, thanks, one can always ignore extra material but harder to make up what is missing, so prefer your approach. Thanks!
 
  • #21
The process is even more effective if you don't boot the infected system and instead boot from a Linux LiveCD or the windows installation disk. That will ensure that none of the malicious software is running, so root kits cannot hide anymore.

That's my current approach. I boot a Debian Linux USB, mount the windows registry somwhere on the filesystem and start browsing through all the autostart locations to see if there's anything funny looking scheduled to run on boot.
After I'm done, the only things that start are valid windows files and the A/V. Then save the changes and reboot normally. I backup the registry hives before making changes just in case I screw up, so the method is almost fool proof.
You can also throw in a sfc /scannow using windows installation media's recovery console to verify the integrity of system files.
 
  • Like
Likes   Reactions: jedishrfu and OCR
  • #22
Routaran said:
If you mess up and set deny permissions on a valid system file, you will kill windows. Unless you keep a record of your changes so you can undo them, you will end up having to wipe your computer to fix the problem.
If you set a system restore point right before doing all of this, and you did happen to mess up... could that undo the changes you made ?

I know you'd still have the malicious software, but would a system restore operation even run, or work... at all ?

:run: ..... "... and if you haven't completely destroyed windows by now ..." ... lol
 
  • Like
Likes   Reactions: jedishrfu
  • #23
OCR said:
If you set a system restore point right before doing all of this, and you did happen to mess up... could that undo the changes you made ?

I know you'd still have the malicious software, but would a system restore operation even run, or work... at all ?

:run: ..... "... and if you haven't completely destroyed windows by now ..." ... lol
No, system restore backs up portions of your windows registry. It does not affect your file system.

When you modify access permissions on a file, those are file system changes and aren't covered by a system restore. This is the reason why this approach can be very dangerous if you're not careful. You make a change to a system critical file and didn't write it down, then you're hooped.

You can still look at the bug check codes (BSOD error code) go through some of the dumps and identify where you messed up but it's just a giant pain. You've killed Windows at that point, and good riddance I say! Wiping the system and installing Linux is faster lol

If all you did was suspend/kill processes and then uncheck them from autoruns/highjack this, then a system restore will work. But the problem is that its very easy to miss something. Malware will often add autorun entries in multiple places. You can catch one autorun entry and but miss another, it will just run again and you have to restart the entire process. As a beginner, the safe advise is to not change permissions but then you could be at it for hours and hours because some stupid malware keeps respawining at which point, you realize that wiping the computer to begin with would have saved you 4 hours.

Thats why I change the access permissions on the files themselves. Either I completely clean the system in 2-3 reboots or I ruin Windows in 1 reboot and I have to wipe and reinstall windows. I haven't done the latter in several years.
Either way, I will have a fully working system in an hour or two. User is happy.
 
  • Like
Likes   Reactions: OCR, jedishrfu and WWGD
  • #24
Thanks Routaran.... :thumbup:
 
  • Like
Likes   Reactions: WWGD

Similar threads

Why Does My Wife's Zoom Video Keep Freezing and Corrupting?
  • · Replies 36 ·
2
Replies
36
Views
4K
Cannot type "/ etc / hosts" (without the spaces)
  • · Replies 11 ·
Replies
11
Views
2K
"Lost" Content in Excel Spreadsheet
  • · Replies 19 ·
Replies
19
Views
4K
How can I clone a USB drive to a VFD file for use in Windows?
  • · Replies 14 ·
Replies
14
Views
4K
How did early compilers overcome the need for a compiler to compile itself?
  • · Replies 6 ·
Replies
6
Views
3K
Reminders that scammers and hackers are clever
  • · Replies 6 ·
Replies
6
Views
2K
Is Trend Micro Internet Security Really Protecting My Computer?
  • · Replies 3 ·
Replies
3
Views
3K
Could a Mac be useful for a physics student?
  • · Replies 2 ·
Replies
2
Views
2K
Why does Bluetooth suck so bad?
  • · Replies 16 ·
Replies
16
Views
5K
Why Did My BitTorrent Download Speeds Drop After Changing My Internet Plan?
  • · Replies 4 ·
Replies
4
Views
3K