Avast WEBforum

Topic started by: xqrzd on July 09, 2010, 11:47:45 PM

Title: avast detects Windows update as rootkit
Post by: xqrzd on July 09, 2010, 11:47:45 PM
I just reinstalled Windows 7 Home Premium 64-bit on my computer, and as I was installing updates avast popped up and said it found a rootkit.
Title: Re: avast detects Windows update as rootkit
Post by: DavidR on July 10, 2010, 12:19:36 AM
Don't delete, select Ignore for now, don't check any option 'not to show this detection again' or words to that effect, as I don't know if there is an easy way to reverse that decision if it happens to be correct.

A forum search for trustedinstaller.exe would reveal a couple of topics on this, check out http://forum.avast.com/index.php?topic=60682.0 and http://forum.avast.com/index.php?topic=60635.0. This trustedinstaller being picked up as a rootkit seems to happen every now and then, why I don't really know and this is why I suggest Ignore rather than delete until it is confirmed 100%.

I don't know why the trustedinstaller needs to be a hidden service and that may be why it keeps getting flagged.

When did this happen, 8 minutes after boot (auto anti-rootkit scan) or during a Windows update, etc.?
Title: Re: avast detects Windows update as rootkit
Post by: Lisandro on July 10, 2010, 01:07:05 AM
Is your avast fully updated (program and virus definitions)?
Title: Re: avast detects Windows update as rootkit
Post by: xqrzd on July 10, 2010, 01:18:48 AM
Hi,
Thanks for your responses. It was about 8 minutes after booting up, so I guess it was probably the startup rootkit scan. Also, I'm using the latest avast program and database (5.0.594 & 100709-1).
Title: Re: avast detects Windows update as rootkit
Post by: Lisandro on July 10, 2010, 03:27:12 AM
Can you submit the file to www.virustotal.com?
Most probably a false positive.
Title: Re: avast detects Windows update as rootkit
Post by: DavidR on July 10, 2010, 03:56:25 AM
Unfortunately VT is useless in this case, as it only runs the standard avast on-demand/command line scan and not the anti-rootkit scan, which can only be done on the user's system as it is comparing what is reported by the Windows API and what is actually running on the user's system.

This one really needs some intervention by one of the virus labs team.
Title: Re: avast detects Windows update as rootkit
Post by: Lisandro on July 10, 2010, 04:04:50 AM
But isn't it included in the other antivirus definitions and can be detected by Virus Total?
Title: Re: avast detects Windows update as rootkit
Post by: DavidR on July 10, 2010, 04:13:32 AM
No it isn't, as it is being detected in the anti-rootkit scan; in other instances of this when it has been sent to VT there are zero hits.

As per the OP's image (extract here) that hidden service must have been loaded at some point in the boot, yet the standard scans didn't detect anything. Given that this was a win7 reinstall I would say that this file has a high degree of being clean and presumably the OP would also have run an on-demand scan at some point before this.
Title: Re: avast detects Windows update as rootkit
Post by: bo.elam on July 10, 2010, 05:02:44 AM
DavidR, I read on another post that you say the default action of the auto anti-rootkit scan can not be changed. Can you confirm that or tell me how to change the delete default action to ignore on that scan?
If anybody else can tell me how to do what I want, please help.
Bo
Title: Re: avast detects Windows update as rootkit
Post by: DavidR on July 10, 2010, 04:24:09 PM
No I don't believe I said that at all, so if you have a reference to that post please post it.

There is a drop down list in which you can choose Ignore or Delete, whilst avast displays what it considers the best option based on its detection you don't have to choose that option. So it isn't a default action as such but as it says a (recommended) action, that is likely to change depending on the circumstances of the detection. There is however, no way to change how avast comes to that decision, but you don't have to accept the recommended action, that you should be able to change.

By clicking the inverted triangle, see image extract from the OP's post, it should also show Ignore as an option.
Title: Re: avast detects Windows update as rootkit
Post by: bo.elam on July 11, 2010, 02:54:12 AM
I might be wrong DavidR. What I think I read is that the selected action for default can not be changed. I know you did not write that the action can not be changed when the auto-rootkit scan detects something.

Bo
Title: Re: avast detects Windows update as rootkit
Post by: DavidR on July 11, 2010, 03:30:52 AM
There isn't a default action (so that certainly means it can't be changed if it doesn't exist), but a recommended action, so depending on the circumstances of the detection avast will either recommend Ignore or Delete. Personally I would never select Delete before I had fully investigated it.

Unfortunately for the greatest majority they wouldn't know where to start to investigate and those are the people that avast are trying to look out for. So for me that would be not to recommend deletion unless for whatever parameters (API/heuristic/behavioural, etc.) that are used to determine a rootkit it has to be 100%.
Title: Re: avast detects Windows update as rootkit
Post by: Lisandro on July 11, 2010, 03:53:39 AM
Quote from: DavidR
"Unfortunately for the greatest majority they wouldn't know where to start to investigate and those are the people that avast are trying to look out for. So for me that would be not to recommend deletion unless for whatever parameters (API/heuristic/behavioural, etc.) that are used to determine a rootkit it has to be 100%."

+1
Title: Re: avast detects Windows update as rootkit
Post by: bo.elam on July 11, 2010, 04:01:28 AM
Quote from: DavidR
"There isn't a default action (so that certainly means it can't be changed if it doesn't exist), but a recommended action, so depending on the circumstances of the detection avast will either recommend Ignore or Delete. Personally I would never select Delete before I had fully investigated it."

I got it now, thanks.
Bo
Title: Re: avast detects Windows update as rootkit
Post by: DavidR on July 11, 2010, 04:18:53 AM
You're welcome.
Title: Re: avast detects Windows update as rootkit
Post by: vncoffman on August 06, 2010, 07:53:46 PM
So what do you do if you told it to delete the supposed rootkit?
Title: Re: avast detects Windows update as rootkit
Post by: Lisandro on August 06, 2010, 08:15:53 PM
Hmmm... Delete is not the best alternative, nor the safest.
Better would be to send files to the Chest (that allows restore).
Get the file from another (similar) computer?
Overinstall Windows?
I can't guess other solutions. Once deleted, the file is gone.
Title: Re: avast detects Windows update as rootkit
Post by: vncoffman on September 18, 2010, 05:54:00 AM
Thanks. What I wound up doing was restoring the OS. Fortunately that was easy and I had backups of my data.