Author Topic: SOLVED - 1290 False Positive - Root-Kit  (Read 15545 times)


Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • Posts: 3866
  • Just an avast user
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #30 on: November 21, 2008, 02:25:57 AM »
Styx,

does C:\passwords.exe still appear in the aswar.log file?

Styx

  • Guest
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #31 on: November 21, 2008, 02:45:27 AM »
No it does not.... no passwords.exe or passwo~1.exe either.

Since the ; ; showed up in the Avast4.ini there has been no further occurrence.
There has been a definitions update however the problem had stopped before
this update. I had rebooted a lot to test.

BTW remember I tried C:\passwords and C:\passwo~.exe in ALL possible combinations in
SETTINGS, Standard Shield, and Avast4.ini. Until the ; ; magically appeared the issue
was constant 8 min after every reboot the Rootkit Notification popped up.

Now I have C:\passwords.exe in Settings and Standard Shield and C:\passwo~1.exe in
Avast4.ini with the ; ; of course.
« Last Edit: November 21, 2008, 02:51:02 AM by Styx »

Styx

  • Guest
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #32 on: November 21, 2008, 03:02:27 AM »
Here is a total guess. Until I put C:\passwo~1.exe in Avast4.ini AND then CLICKED
IGNORE and DON'T ASK AGAIN after the next reboot (not certain I had not clicked
these every time I edited Settings, Standard Shield, and Avast4.ini) Avast did not
recognize there was an exclusion entry and it did not pass the name along so it
could be auto-entered into Avast4.ini. Maybe it was not passed on since it was in
9.3 format instead of 8.3 and/or Avast just really can't set the IGNORE and DON'T
ASK AGAIN properly to begin with, meaning a programming error.

Anyway, after I entered it in Avast4.ini it added the ; and ; which could be the
identifiers it uses to trigger the IGNORE and DON'T ASK AGAIN as desired.

Totally supposition.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • Posts: 3866
  • Just an avast user
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #33 on: November 21, 2008, 04:53:11 AM »
I am very tempted to get into the guesswork game on why it eventually worked for you.  I have a theory but it really is neither here nor there since what matters is getting it working.  One part of my guesswork suggests that you may have shown the avast team that they have some re-working to do to make the exceptions effective. 

Part of that guesswork is, perhaps more to the point, that currently the exceptions are only relevant if a problem is first discovered.  That would mean that predefining exceptions - as I attempted - is an exercise in futility and that the exceptions are only consulted when a suspected rootkit is discovered but (in a kind of chicken and egg issue) having attempted the exception by you may - at least for now - be essential to allowing the ensuing real exception to be set in the avast4.ini.   

I am well convinced that, up to this point, Standard Shield and on demand exclusion lists are completely and utterly irrelevant to the rootkit scan.  Further, if they had any relevance at all the avast team would have said so before now.

I suspect you may well have assisted the team to improve this aspect of avast in the future.  That may never be publicly acknowledged but at least you have my respect for your testing efforts.   
« Last Edit: November 21, 2008, 04:54:52 AM by alanrf »

Styx

  • Guest
Re: SOLVED - 1290 False Positive - Root-Kit
« Reply #34 on: November 21, 2008, 03:14:03 PM »
Now I have

Settings - Exclusions - C:\passwords.exe  set by Browse to Location

Standard Shield - Customize - Advanced - ?:\passwo~1.exe as I have this same file on
other drives (USB - and USB Flash - MicroHD)

Avast4.ini -

[AntiRootkit]
Exceptions=C:\passwo~1.exe;;

all seems to be well.