Author Topic: Avast rootkit scanner (aswMBR) stops at service winDefend  (Read 10928 times)

AdrianH

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #15 on: February 17, 2014, 02:26:19 PM »
Rootkit scan at startup ........

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #16 on: February 17, 2014, 04:01:59 PM »
@ magna86: I believe you about the issues with Windows 8.X, but that still doesn't explain why the program still has the problems on userspace level with certain software during the file scan phase with the (down)loaded Avast signatures.
Also if a developer from GMER actually is working on aswMBR how come it still has those issues with Visual Studio (which original GMER never had) and is still not compatible even with Windows 8?
Why do other companies like Malwarebytes or Kaspersky or the one behind GMER even bother to make their anti-rootkit tools work on Windows 8.X when Secure Boot and UEFI installation on GPT formatted drives supposedly prevent every rootkit?

@ DavidR: of course you would ask in an Avast forum about a problem related to an Avast product, regardless of whether the users themselves use Avast as their AV or not. It's just meant as evidence that such software-related problems do exist in aswMBR.

@ AdrianH: I know that option, but thanks for posting that screen shot.
« Last Edit: February 17, 2014, 04:04:30 PM by Randissimo »

magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4239
    • Ambulanta MyCity Forum - ASAP Member
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #17 on: February 17, 2014, 04:42:08 PM »
Randissimo, I see there are many things you do not understand or do not want to understand, so I will stop explaining, as you stubbornly pursue your own story even though I clearly explained how things are, but you do not want to hear about it.
aswMBR does not work on userspace, nor is that an essential part of it; it checks only when it starts the avast engine, in a small, short range (services). ARK are kernel-based tools.


Quote
Why do other companies like Malwarebytes or Kaspersky or the one behind GMER even bother to make their anti-rootkit tools work on Windows 8.X when Secure Boot and UEFI installation on GPT formatted drives supposedly prevent every rootkit?

Malwarebytes and Kaspersky (MBAR and TDSSKiller) work on a known level of detection. They shall detect and remove only those rootkits that are known to them.
They have a large range of databases and many heuristic detections, but in addition they can always miss a detection and allow some malicious rootkit to run which they are not aware is malicious.

GMER, again, works differently; it is of a purely diagnostic nature. GMER should report in its ARK logs any suspicious-legitimate and malicious activity. It will not always detect the loading point, but for a helper who performs the diagnosis and who can read GMER logs (a lot of them do not know how), this is enough.


« Last Edit: February 17, 2014, 04:52:53 PM by magna86 »

Randissimo

  • Guest
Re: Avast rootkit scanner (aswMBR) stops at service winDefend
« Reply #18 on: February 18, 2014, 12:16:21 AM »
Quote
Why do other companies like Malwarebytes or Kaspersky or the one behind GMER even bother to make their anti-rootkit tools work on Windows 8.X when Secure Boot and UEFI installation on GPT formatted drives supposedly prevent every rootkit?
Malwarebytes and Kaspersky (MBAR and TDSSKiller) work on a known level of detection.

I wasn't asking in detail how they operate, though it's a nice fact to know, thank you.
I was asking why they do work and why aswMBR still doesn't on Windows 8/8.1.

Quote
Randissimo, I see there are many things you do not understand or do not want to understand, so I will stop explaining, as you stubbornly pursue your own story even though I clearly explained how things are, but you do not want to hear about it.
Let's see about how "clearly" you explained things:

Question: "What's your basis that it cannot be a simple "software" problem because of the new Defender when there still exists a known compatibility issue with Visual Studio even on earlier Windows versions?"

Answer: "It does not matter where it stalls. It's load and perform because it's made so to work. Visual Studio is software working on userspace, does not have any driver loaded in kernel.
Simple software as you say works in userspace. Windows Defender on Windows 8 is AntiVirus, therefore it owns its own loaded drivers in kernel."


I get the part about the Windows Defender driver, but what is the issue with scanning a "software working on userspace" on Windows 7 or earlier which supposedly should work without issues? How come that only having a simple software installed which doesn't even have drivers loaded can ruin a whole program of its main purpose? Is it really that easy to stop an anti-rootkit tool by installing a simple "software working in userspace"?

Well, I guess I'll take a break again for now and I hope for this thread that some official wordings are made about the ongoing Visual Studio issues and/or if and when aswMBR will be made compatible with Windows 8/8.1.

You don't need to answer back if you can't or don't want to.

Have a nice day.

- Randissimo.



« Last Edit: February 18, 2014, 12:19:02 AM by Randissimo »