Topic: Anti-rootkit shield possibly making Powershell and other processes hang

CriticalHit_NL (Newbie, Posts: 7)
Alright so I've been running Avast! since the Windows XP era, but recently I've noticed some strange behaviour with certain processes not terminating after a program was fully closed.

Today I noticed an odd problem with Powershell, when launched from any place in explorer, it would just hang, it does not show up with the current directory path at all.
It would shortly work after a fresh start-up of Windows, but it would hang shortly after. Even in a VMWare Workstation virtual machine with Avast! installed this issue would occur.

In both cases Windows 10 22H2 x64 Professional is used which is fully up-to-date.

So I just tried to dig into it deeper, and closed all running programs except the Anti-Virus, guess what? The problem persists.
So I disabled Avast! entirely, the problem disappeared.

There is an issue within Avast! that is causing this.

So I looked further, disabling shield by shield and toggling some options including self protection etc., and then I found the culprit:
The Anti-rootkit shield under Important Shields > Malware in settings is causing conflicts with programs' processes not properly closing.

I am running the most recent version of Avast! Anti-virus Premium Security (24.7)
My system should be in my signature below.

Programs that I know have trouble closing their processes and require manual termination with anti-rootkit shield turned on:
- Discord
- Curseforge
- Powershell

I know Powershell worked perfectly fine with Avast! not a very long time ago, but I also know this does not affect every system with Avast! installed, for example I have not noticed an issue with a free version on a different system. HOWEVER, that is an Intel Core i5-12500 processor that does not employ any E-cores.

I sometimes also have trouble starting up programs but I have a feeling that it might be related to either the E-cores and/or the amount of threads that the 13900K has which maybe not all applications handle very well.

This would often result in:
- Programs hanging on start (often multiple times with jdownloader or discord)
- Program processes are running but not visible (e.g. steam), requiring a manual termination, and then it works after a manual start.

This is not something I see happening on the Intel i5-12500, but I have seen it happening on the Intel 13900K from the start in 2022, even as far as the 'Save as' window freezing and crashing applications with it such as paint.net when the hard-drive list is expanded in explorer, but not when the list is collapsed.

This happens on both NVMe and SATA-600 SSDs as a start-up drive.

What else has been strange on the previous installation is that Microsoft Edge would hang for a long period of time after Windows start-up to be responsive or loading pages after the Avast! Firewall has been set to Ask instead of smart detection, and even after changing it from Ask to another setting Edge would stay broken on the OS installation.



But anyway, the fact that the anti-rootkit shield in Avast! is making Powershell (and other things) hang is weird and might be looked into further, preferably on a system that does employ Intel 12/13/14th gen with E-cores because something is fishy here.
Cooler Master HAF 700 EVO / Intel Core i9 13900K 5.8Ghz / 128GB Corsair Dominator Platinum RGB DDR5-5600 CL40 @ 5400 XMP / Asus ROG Maximus Z790 Extreme / EVGA GTX1080Ti FTW3 11GB / Corsair AX1200i / Corsair H170i Elite Capellix LCD 420mm + 6x Noctua NF-A14 3000RPM / 2x 4TB 990 Pro / 256GB 840 Pro / 2TB 860 Pro / 3x HGST Deskstar 7K4000 4TB / 2x HGST He10 Ultrastar 8TB / Razer Basilisk V3 / Logitech Z906 5.1 / Logitech G35 7.1 / Windows 10 Pro 22H2

gmer (Avast team, Jr. Member, Posts: 38, The rootkit guy)
« Reply #1 on: August 13, 2024, 07:27:29 AM »
Hello,
Could you update VPS to the latest version #240813.0 and then check the powershell issue?
Please attach the arpot.log file after the update.
Thank you

CriticalHit_NL (Newbie, Posts: 7)
« Reply #2 on: August 13, 2024, 07:07:49 PM »
Hello, thank you for your reply GMER.

I just did an update check of Avast! and am running the versions below:


Unfortunately Powershell stays on this screen indefinitely and will have a delay closing due to process-hang:


Until I disable Anti-rootkit shield in Avast! and restart powershell:


With the Anti-rootkit shield active, Powershell also does not respond from cmd.exe.
I have attached the arpot.log as requested after updating Avast! and attempting to open Powershell.

Hope that helps,
Regards.



Update:
I tested somewhat further and I think I've maybe wasted your time unfortunately.
I forgot to disable an important service when I mentioned that it occurred shortly after a fresh boot again.
The computer running the i5-12500 does not run this software.

It looks like the HitmanPro Alert anti-exploit software suite has a conflict with Avast! (or vice versa) regarding the Anti-rootkit shield in Avast!
HitmanPro Alert also employs its own MBR protection along with the Cryptoguard shield designed to neutralize ransomware attacks as seen below:


But Powershell keeps working with this software disabled entirely, but as soon as the HitmanPro Alert service is started, it fails.

I don't know whether this is valuable information to you as I know you made the famous GMER anti-rootkit tool I've used in the past.

My apologies for any inconvenience.
« Last Edit: August 13, 2024, 07:38:26 PM by CriticalHit_NL »

gmer (Avast team, Jr. Member, Posts: 38, The rootkit guy)
« Reply #3 on: August 14, 2024, 12:26:49 PM »
Thank you for the details. I'll look closer at this potential conflict with HitmanPro.

Please send us a support file using the Avast Support Tool.
https://support.avast.com/en-us/article/submit-support-file/#pc

It would be great if you could also send the powershell.exe user-mode process dump (when ps hangs).
https://support.avast.com/en-in/article/56#pc

CriticalHit_NL (Newbie, Posts: 7)
« Reply #4 on: August 14, 2024, 04:20:01 PM »
Thank you for the instructions,

I have generated a minidump of powershell.exe during the hang and attached the dump file to the Avast Support Tool.
I could not supply a support ticket in Avast Support Tool as I don't have any yet so I linked this thread URL instead.

If you need support ticket ID generated by Avast Support Tool please let me know.

Hope that helps,
Regards.


Side note:
The Avast! Forum currently throws errors when opening icons used in the forum, navigating, or attempting to create posts, and has trouble loading the buttons in the reply form that change text visuals.

It appears to be a problem with Google DNS, both in the router and in the network adapter; after switching to DNS 9.9.9.9 the issue for the Avast! forum disappears.
« Last Edit: August 14, 2024, 06:34:02 PM by CriticalHit_NL »

CriticalHit_NL (Newbie, Posts: 7)
« Reply #5 on: August 22, 2024, 07:32:43 PM »
I think the problem with powershell and process hangs/not closing got fixed with the recent update that I installed yesterday.

Running Avast! version 24.8.6127 - build 24.8.9372.862
Virus definitions 240822-4.

The only other problem I now noticed is that the software updater no longer shows any programs.

Thank you for looking into it!