Author Topic: Rootkit scan - how it works?  (Read 3924 times)


Offline TheOwner

  • Poster
  • *
  • Posts: 406
Rootkit scan - how it works?
« on: February 23, 2017, 03:19:41 PM »
Hello guys,

I made a mistake and ran a full system scan during the broken virus definitions. I did not delete anything, but there is a feature called rootkit scan which is part of all scans and also starts automatically during Windows startup. Is the rootkit scan affected by virus definitions, or is it an independent feature? Because in the scan overview there is nothing about rootkits, but in the log called aswAr1.log it is written that 3 hidden registry keys were found. I know those keys are perfectly safe, because they contain registration data for my installed software. I hope Avast does not clean rootkits automatically. How does it work in reality? Is it possible this feature deleted something on my PC during the false positive plague? Thank you

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Rootkit scan - how it works?
« Reply #1 on: February 23, 2017, 04:01:56 PM »
The rootkit scan starts 8 minutes after boot (as far as I'm aware), so it shouldn't impact adversely during boot.

It is looking in areas where rootkits tend to hide or use to obfuscate them. If avast did detect a rootkit, then it would display an alert window to tell you so. It should (from memory) offer the user options in the alert window, not to delete, etc.

I think what you are seeing in the log file is more advisory, e.g. reporting a hidden registry entry, not necessarily that it has found a rootkit.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
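The "hidden registry keys" line in the log is the output of the general technique anti-rootkit scanners use: enumerate the same data through two independent views and report what one view shows and the other does not. The script below is an added illustration of that cross-view comparison, not Avast's code; the two views and all key names are constructed sample data standing in for a user-mode API enumeration (which an in-memory hook can filter) and a raw parse of the hive file on disk (which it usually cannot). It also shows why such a finding is advisory: a hidden key under the path of installed software is exactly what licensing components produce.

```python
"""Cross-view registry comparison (added illustration, not Avast's implementation).

Rootkit scanners compare a high-level view of the registry with a low-level one
and report the discrepancies. A discrepancy is a finding, not a verdict.
"""
from dataclasses import dataclass

# Constructed sample: keys a user-mode registry API enumerates under one subtree.
# A kernel-mode hook that filters enumeration results can drop entries here.
API_VIEW = {
    r"HKLM\SOFTWARE\ExampleCorp\Editor",
    r"HKLM\SOFTWARE\ExampleCorp\Editor\Settings",
    r"HKLM\SOFTWARE\ExampleVendor\Updater",
}

# Constructed sample: keys found by parsing the hive file directly. The on-disk
# hive is not affected by in-memory hooks, so extra entries here are "hidden".
RAW_VIEW = API_VIEW | {
    r"HKLM\SOFTWARE\ExampleCorp\Editor\License",
    r"HKLM\SOFTWARE\ExampleVendor\Updater\LicenseCache",
    r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}",
}


@dataclass(frozen=True)
class Finding:
    key: str
    kind: str         # "hidden": raw view only; "phantom": API view only
    disposition: str  # always "advisory": the comparison itself changes nothing


def cross_view_diff(api_view, raw_view):
    """Return every discrepancy between the two views, sorted for stable output."""
    hidden = sorted(set(raw_view) - set(api_view))
    phantom = sorted(set(api_view) - set(raw_view))
    return ([Finding(k, "hidden", "advisory") for k in hidden]
            + [Finding(k, "phantom", "advisory") for k in phantom])


def annotate(findings, installed_software_paths):
    """Pair each finding with a triage note.

    Copy-protection and licensing components routinely hide their own keys, so a
    hidden key below a known product path is expected; anything else needs a
    closer look (and still no automatic action).
    """
    notes = []
    for f in findings:
        expected = any(f.key.startswith(p + "\\") for p in installed_software_paths)
        notes.append((f, "matches installed software path" if expected else "needs review"))
    return notes


def summarize(findings):
    """One-line summary in the spirit of the scanner log: a count, no action."""
    n_hidden = sum(1 for f in findings if f.kind == "hidden")
    return f"{n_hidden} hidden registry keys found"


if __name__ == "__main__":
    found = cross_view_diff(API_VIEW, RAW_VIEW)
    print(summarize(found))
    known = [r"HKLM\SOFTWARE\ExampleCorp", r"HKLM\SOFTWARE\ExampleVendor"]
    for finding, note in annotate(found, known):
        print(f"{finding.kind:8} {finding.disposition:9} {finding.key}  [{note}]")
```

Run as-is it reports the three constructed hidden keys; two sit under the sample product paths and are annotated as expected, the third is marked for review. The point to take from it is structural: the comparison produces a list and a count, and any removal is a separate decision that a scanner has to put in front of the user.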

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
Re: Rootkit scan - how it works?
« Reply #2 on: February 23, 2017, 04:09:13 PM »
The rootkit scan starts 8 minutes after boot (as far as I'm aware), so it shouldn't impact adversely during boot.

Correct.

During on-demand scans, rootkits are scanned too, but if anything is found, it will show up in the scan log.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Rootkit scan - how it works?
« Reply #3 on: February 23, 2017, 04:19:38 PM »
So it is not affected by virus definitions? And it cannot delete something by itself? Thank you.

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
Re: Rootkit scan - how it works?
« Reply #4 on: February 23, 2017, 04:21:06 PM »
So it is not affected by virus definitions? And it cannot delete something by itself? Thank you.

Well, it can be affected by the VPS, but it will NOT delete something by itself - there is always a popup etc.

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Rootkit scan - how it works?
« Reply #5 on: February 23, 2017, 04:26:18 PM »
Maybe, but everyone knows what the boot-time scan does, deleting files by itself due to the false positive plague. So I am so careful now.

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
Re: Rootkit scan - how it works?
« Reply #6 on: February 23, 2017, 04:29:11 PM »
Maybe, but everyone knows what the boot-time scan does, deleting files by itself due to the false positive plague. So I am so careful now.

There's a difference. In the case of a rootkit detected in memory, a user option is required.

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Rootkit scan - how it works?
« Reply #7 on: February 23, 2017, 04:32:13 PM »
Thank you for the answer. I am calmer now.