Author Topic: Avast rootkit scanner (aswMBR) stops at service winDefend


suti

  • Guest
Avast rootkit scanner (aswMBR) stops at service winDefend
« on: February 09, 2014, 08:02:27 PM »
I have been trying to debug a problem in one of my computers.  I wanted to run the Avast rootkit scanner and decided to run it first on a system that was working fairly well.

This is a Dell Inspiron 5040 running Windows 8 64-bit.  When I run aswMBR.exe it runs and then stops before completing.  The last entry in the on-screen list is

 Scanning: service winDefend C:\Program Files          sys

I can't tell whether it has crashed on that file or on the start of the scan of the next in line.  I do get the dialog box stating avast! Antirootkit has stopped working.

The other computer is a Windows 7 32-bit system that has an intermittent (but almost continuous) loss of internet access even with a good signal.  I don't want to start with a new tool that isn't reliable, so if someone can point out my problem on the 64-bit system, I would appreciate the help.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4239
    • Ambulanta MyCity Forum - ASAP Member
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #1 on: February 09, 2014, 08:09:13 PM »
Hi suti,

aswMBR drivers can't work on Windows 8.x kernel.

Do you have any problems? Do you need malware/rootkit check?

suti

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #2 on: February 09, 2014, 11:58:53 PM »
I wasn't aware that the app was not compatible with win8.  I didn't get a response when I ran the compatibility check. My problem with win8 is minor.  An app that I have been using for years to monitor my internet access on my satellite ISP, runs but has quit displaying on the monitor screen.  It ran perfectly for about 6 months after I updated to win8 then quit.  I haven't had an answer to the problem.  One of the few things I haven't tried is to look for rootkits.

I have a larger problem with my Win7 machine, where I am told I have internet access but I can't even get a consistent ping return.  I hope the rootkit scanner will run on that.  If not, I will try your suggestion.

Thanks for your help. :)

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #3 on: February 16, 2014, 12:46:46 PM »
Quote
aswMBR drivers can't work on Windows 8.x kernel.
The kernel isn't the problem or else it wouldn't be able to launch at all, not even in compatibility mode.
The main problems are compatibility issues with the new windows defender which are - just like the compatibility issues with Visual Studio and possibly other things - apparently not a very high priority for the avast developers to fix.

There are better alternatives like GMER and/or scanning with different rescue CDs outside of Windows.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4239
    • Ambulanta MyCity Forum - ASAP Member
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #4 on: February 16, 2014, 06:58:37 PM »
Hi Randissimo,
Quote
The kernel isn't the problem or else it wouldn't be able to launch at all, not even in compatibility mode.
The main problems are compatibility issues with the new windows defender which are - just like the compatibility issues with Visual Studio and possibly other things - apparently not a very high priority for the avast developers to fix.

Allow me to rephrase the sentence...
The kernel is the problem, as aswMBR's drivers can't be loaded on the kernel version of Windows 8 or 8.1 systems.

Anti-rootkit tools (like aswMBR, GMER, etc.) are diagnostic tools which operate in kernel space, not at user-space level. Their purpose is to verify the Windows "core" segments that user-space tools do not have access to (they are not aware of their existence). Malicious rootkits work at kernel level, so these tools are referred to as ARK tools.

avast! can detect known RootKits as well so ...

« Last Edit: February 16, 2014, 07:00:24 PM by magna86 »

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #5 on: February 17, 2014, 01:12:53 AM »
Then tell me why it stops exactly on the same part, why it even bothers to load+scan files and why there is a software compatibility issue with Visual Studio.

What's your basis that it cannot be a simple "software" problem because of the new Defender when there still exists a known compatibility issue with Visual Studio even on earlier Windows versions?

Are you standing for what you're talking on about the aswmbr.exe issues on a knowledge basis or is that just an answer you've learned and/or are told to write?

I don't want to sound rude, but rather I'd like to make things clear on this matter.

Also, when you write "avast! can detect known RootKits as well", are you referring to boot-time scans, to the scans from the created rescue disk or to the normal scan?
« Last Edit: February 17, 2014, 01:29:56 AM by Randissimo »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87080
  • No support PMs thanks
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #6 on: February 17, 2014, 01:35:37 AM »
Avast runs an anti-rootkit scan 8 minutes after boot.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #7 on: February 17, 2014, 01:45:29 AM »
That's a nice fact to know, but from where do you have that information?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87080
  • No support PMs thanks
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #8 on: February 17, 2014, 02:53:01 AM »
Many years of using avast and helping in the forums.

You can check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswAr.log (XP) or C:\ProgramData\AVAST Software\Avast\log\aswAr.log (Win7 and later). At the top of that log it gives the start time; you can then work roughly back to when you booted.
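One way to do the "work roughly back to when you booted" step DavidR describes, as an added PowerShell example that is not code from the thread or from avast. It assumes the Windows 7+ log path quoted in the post and that the first lines of aswAr.log carry a timestamp [datetime]::Parse can read; the thread does not show the exact log layout, so the regex is deliberately loose and labelled as an assumption.

```powershell
# Added example, not from the thread or from avast: measure how long after boot
# the avast anti-rootkit scan started, from the aswAr.log DavidR points to.
# Assumptions: the log lives at the Windows 7+ path quoted in the post, and its
# first lines carry a timestamp [datetime]::Parse can read (the thread does not
# show the exact layout, so the regex below is deliberately loose).

$logPath = Join-Path $env:ProgramData 'AVAST Software\Avast\log\aswAr.log'
if (-not (Test-Path -LiteralPath $logPath)) { throw "aswAr.log not found at $logPath" }

# First few lines only; the post says the start time is at the top of the log
$head = (Get-Content -LiteralPath $logPath -TotalCount 5) -join "`n"

# Loose match for 'dd.mm.yyyy hh:mm[:ss]' or 'yyyy-mm-dd hh:mm[:ss]' style stamps (assumed layout)
$m = [regex]::Match($head, '\d{1,4}[./-]\d{1,2}[./-]\d{1,4}\D{1,3}\d{1,2}:\d{2}(?::\d{2})?')
if (-not $m.Success) { throw "No timestamp found in the first lines of $logPath" }
$scanStart = [datetime]::Parse($m.Value)   # parsed with the current culture's date order

# Last boot time: CIM already returns a [datetime]; on Windows 7's default
# PowerShell 2 only Get-WmiObject exists and the DMTF string must be converted
$lastBoot = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
} else {
    $os = Get-WmiObject Win32_OperatingSystem
    $os.ConvertToDateTime($os.LastBootUpTime)
}

$delta = $scanStart - $lastBoot
[pscustomobject]@{
    LastBoot         = $lastBoot
    ScanStart        = $scanStart
    MinutesAfterBoot = [math]::Round($delta.TotalMinutes, 1)
    # False when the log header is older than the current boot (log not rewritten)
    SameBoot         = ($delta.TotalMinutes -ge 0) -and ($delta.TotalDays -lt 1)
}
```

If SameBoot comes back false the top of the log belongs to an earlier session, so MinutesAfterBoot says nothing about the 8-minute figure; look further down the log for a newer start entry before drawing a conclusion.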

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #9 on: February 17, 2014, 10:41:59 AM »
I vaguely remember that those logs are stored in the hidden ProgramData folder, though I didn't bother to skim through it by myself, so thanks for telling me.
Do you have any information about the incompatibility issues with the mentioned programs?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87080
  • No support PMs thanks
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #10 on: February 17, 2014, 01:32:18 PM »
I'm not sure which you mean as you have mentioned several and I have lost the context.

If you are talking about aswMBR and windows 8/8.1 (which seemed to kick this off) then aswMBR was designed prior to win8's release, so it was never designed for compatibility with win8. I have no idea if this is going to be updated to work on win8/8.1 systems.

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #11 on: February 17, 2014, 01:58:43 PM »
Well, the Visual Studio issues are actually an old problem, see http://forum.avast.com/index.php?topic=96929.msg773679#msg773679 or http://forum.avast.com/index.php?topic=100019.msg798736#msg798736, and they still haven't fixed those, so you can guess that the developers simply don't care about providing support for non-Avast users in detecting rootkits.

However, there are still better alternatives such as GMER or SARDU to scan for rootkits, because they don't have software and/or operating system issues.
On a side note, SARDU might create some false positives because of the PUPs, which you can skip/deselect in the installer if you're paying attention, and even if there is no virus alert after creating the rescue stick, you might need to temporarily turn off Avast shields so that the formatting can work smoothly => it should rename the USB stick to something like "SARDU" after formatting it; if not, you might need to create it again without the intervention of AV software.
If your stick does not boot, you can test different sizes and vendors.
« Last Edit: February 17, 2014, 02:00:53 PM by Randissimo »

AdrianH

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #12 on: February 17, 2014, 02:17:11 PM »
GMER  ;)

Quote
http://www.gmer.net/

Download

The latest version of  GMER 2.1.19357

GMER runs only on Windows NT/W2K/XP/VISTA/7/8
GMER application: [download button] or ZIP archive: gmer.zip (372kB)
It's recommended to download randomly named EXE (click button above) because some malware won't let gmer.exe launch.
 
GMER.exe SHA256:   812CFD967188DE56C88134E6125724D3F2ECA26A2A1A7ACD8FDDFAA36D712947
 
Avast! antivirus integrated with GMER
actively protecting over 200 million PCs: http://www.avast.com/


http://en.wikipedia.org/wiki/GMER   

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4239
    • Ambulanta MyCity Forum - ASAP Member
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #13 on: February 17, 2014, 02:17:22 PM »
Hi Randissimo,

Let's clear up some things. I am not a member of the avast team, nor of its developer department.
I am not associated with the aswMBR developer department, but I have access to some information that makes me feel competent to say a thing with certainty.
aswMBR is a product of the joint forces of Gmerek and the avast team.
I am a member of a big alliance of security forums that provide valid malware removal assistance.
Also know this. I would also like aswMBR to be compatible with Windows 8.x systems, but it is not. As I need diagnostics for kernel rootkits, not to pay attention to what software displays on the screen, for valid ARK diagnostics I can not rely on aswMBR on Windows 8, which simply has a lot of changes compared to Windows 7.
Also, I do not care what you're going to use. I'm just telling you how things are.

Quote
Then tell me why it stops exactly on the same part, why it even bothers to load+scan files and why there is a software compatibility issue with Visual Studio.
[...]
What's your basis that it cannot be a simple "software" problem because of the new Defender when there still exists a known compatibility issue with Visual Studio even on earlier Windows versions?
It does not matter where it stalls. It loads and performs because it's made to work that way. Visual Studio is software working in user space; it does not have any driver loaded in the kernel.
Simple software, as you say, works in user space. Windows Defender on Windows 8 is an antivirus, therefore it owns its own drivers loaded in the kernel.

Quote
Are you standing for what you're talking on about the aswmbr.exe issues on a knowledge basis or is that just an answer you've learned and/or are told to write?

I am standing here to tell you that ARK tools are something else; they work differently and can not be measured against generic diagnostic tools that run at user-space level. The same goes for simple software. It's not always that simple... run and scan.
Moreover, Windows 8 & 8.1 usually go with a GPT partition table rather than an MBR one. For now, there is no way to use GPT for malicious purposes.
Moreover, x64 Windows editions (including Win 8.x) have Kernel Patch Protection + the Driver Signing Policy on x64. An unsigned driver can NOT be loaded into the kernel.
Moreover, Windows 8.x has something that is called Secure Boot. In short, it prevents any malicious kernel-level rootkit from being loaded into the system.
Also, beginning with Windows 8, UEFI Secure Boot-enabled platforms have additional signing requirements, including requirements for ARM platforms. The driver code signing policy for 32-bit versions of Windows 8 on UEFI Secure Boot-enabled platforms also requires drivers to have a digital signature.
aswMBR reads the MBR, it reads partitions, then it uses its own heuristics to scan (kernel) drivers, and it uses the avast! engine to scan drivers.
Keep in mind that aswMBR was primarily set up to do diagnostics and fixes for the first generation of MBR-based rootkits like TDL4/3, Sinowal and Whistler, and was never upgraded (at least not so often) to recognize later rootkit versions. aswMBR does that using its heuristic scan.

If you want an ARK check on Windows 8.x, you may use TDSSKiller or MBAR; they search for malware of a larger range and therefore the scan takes longer.
But if you understand me right, you'll be wondering: do I really need an ARK scan on Windows 8!?

Quote
Also, when you write "avast! can detect known RootKits as well", are you referring to boot-time scans, to the scans from the created rescue disk or to the normal scan?

avast! is an antivirus, therefore it has the strongest system privileges (a kernel driver as well) and therefore is able to detect known kernel-level rootkits. It has nothing to do with the boot-time scan; that's something else...

Edit: Maybe these semantics help you to understand better
« Last Edit: February 17, 2014, 02:21:03 PM by magna86 »
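The platform facts magna86 lists in the post above (UEFI Secure Boot, GPT instead of MBR, and the x64 Driver Signing Policy) can each be verified on the machine in question before deciding whether an MBR-era ARK tool is even the right instrument. The following is an added PowerShell example, not code from the thread, from avast or from aswMBR; the function names are mine, it is meant to be run from an elevated prompt, and the Windows 7 fallbacks are there because the Storage and CIM cmdlets it prefers only ship with Windows 8 / PowerShell 3 and later.

```powershell
# Added example, not code from the thread or from avast/aswMBR: check on the
# local box the platform points raised in the post (UEFI Secure Boot, GPT vs
# MBR layout, Driver Signing Policy actually in force, running kernel drivers
# carrying valid signatures). Run from an elevated PowerShell. Written for
# Windows 8.x+, with Windows 7 fallbacks where the cmdlets are missing.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS boots and does not exist on
    # Windows 7; in both cases Secure Boot is not protecting the boot path.
    try {
        [pscustomobject]@{ Firmware = 'UEFI'
                           SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    } catch {
        [pscustomobject]@{ Firmware = 'Legacy BIOS / unsupported'; SecureBootEnabled = $false }
    }
}

function Get-DiskLayout {
    if (Get-Command Get-Disk -ErrorAction SilentlyContinue) {
        Get-Disk | Select-Object Number, FriendlyName, PartitionStyle, IsBoot
    } else {
        # Windows 7 has no Storage module; WMI exposes the style in the Type
        # string ('GPT: System' / 'GPT: Basic Data' vs. 'Installable File System')
        Get-WmiObject Win32_DiskPartition | Select-Object DeviceID, Type, BootPartition
    }
}

function Get-CodeIntegrityOverrides {
    # Driver Signature Enforcement can be weakened from the BCD; a clean x64
    # system shows neither switch set to Yes.
    $bcd = bcdedit /enum '{current}' 2>&1 | Out-String
    [pscustomobject]@{
        TestSigning       = $bcd -match '(?im)^\s*testsigning\s+Yes'
        NoIntegrityChecks = $bcd -match '(?im)^\s*nointegritychecks\s+Yes'
    }
}

function Resolve-DriverImagePath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several NT spellings; normalise to Win32.
    $p = $PathName -replace '^\\\?\?\\', ''                        # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # \SystemRoot\ -> C:\Windows\
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # bare system32\drivers\x.sys
    return $p
}

function Get-RunningDriverSignatures {
    # Authenticode status of every running kernel driver image. Caveat: in-box
    # drivers are usually catalog-signed and older PowerShell builds report those
    # as NotSigned, so cross-check with Get-DriverQuerySigning before treating
    # NotSigned as suspicious. An image path that does not exist is itself
    # worth a look.
    $drivers = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        Get-CimInstance Win32_SystemDriver -Filter "State='Running'"
    } else {
        Get-WmiObject Win32_SystemDriver -Filter "State='Running'"
    }
    foreach ($d in $drivers) {
        $path = Resolve-DriverImagePath $d.PathName
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{ Driver = $d.Name; Path = $path
                               Status = $sig.Status.ToString()
                               Signer = $sig.SignerCertificate.Subject }
        } else {
            [pscustomobject]@{ Driver = $d.Name; Path = $path; Status = 'ImageNotFound'; Signer = $null }
        }
    }
}

function Get-DriverQuerySigning {
    # The OS's own (INF/catalog based) view of driver signing; works on Windows 7 too.
    driverquery /si /fo csv | ConvertFrom-Csv | Where-Object { $_.IsSigned -ne 'TRUE' }
}

# Report: anything below the first two tables should normally be empty on a
# healthy x64 Windows 8.x box with Secure Boot on.
Get-SecureBootState
Get-DiskLayout | Format-Table -AutoSize
Get-CodeIntegrityOverrides
Get-RunningDriverSignatures | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
Get-DriverQuerySigning | Format-Table -AutoSize
```

The point of running this before any ARK tool is that the answers change what a scan can tell you: with testsigning or nointegritychecks set, the Driver Signing Policy the post relies on is no longer in force, and a running driver whose image cannot be found on disk or fails signature verification is exactly the kind of finding a kernel-level scanner is meant to surface, independent of whether aswMBR runs on that kernel.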

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87080
  • No support PMs thanks
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #14 on: February 17, 2014, 02:19:16 PM »
@ Randissimo

Well the GMER guy actually works for avast now and he designed the aswMBR anti-rootkit scanner. A user doesn't have to have avast installed to use aswMBR, they just don't have the ability to do the additional scan.

I'm not sure about your assumption about developers not caring about non-avast users (given the above) and when both of your links indicate they are avast users, so you have me confused.

That is me done with this, as an avast user I have no control/input on what avast developers do.