Author Topic: Rootkit scan flags "gather.km" as suspicious  (Read 7108 times)


Vladimyr (Avast Evangelist)
Rootkit scan flags "gather.km" as suspicious
« on: December 16, 2008, 03:12:08 AM »
I'm currently working on an abused-by-previous-owner IBM Thinkpad. Yesterday avast! rootkit scanner flagged "gather.km" (which I believe is a temporary file created by pre-installed IBM maintenance software) as suspicious. I ignored it and was then advised that a virus was resident in memory. I ran the suggested boot scan... nothing found. After reboot it seems "normal" (well, so far anyway).

Is this a known/likely FP?
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

DavidR (Avast Überevangelist)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #1 on: December 16, 2008, 03:15:55 AM »
There should have been an option to submit the file for analysis on the detection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Vladimyr (Avast Evangelist)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #2 on: December 16, 2008, 03:30:30 AM »
I did that but I'm not sure if I've reconnected the network cable again. Would it have been submitted before shutting down for the boot scan?
« Last Edit: December 16, 2008, 03:37:55 AM by Vladimyr »

Maxx_original (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #3 on: December 16, 2008, 10:46:56 AM »
the files are sent while updating the VPS...

Lisandro (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #4 on: December 16, 2008, 11:44:19 AM »
> the files are sent while updating the VPS...
I never understood this policy... I mean, why don't you allow the user to send the files immediately? Or, at least, choose between immediately and on next update?
The best things in life are free.

DavidR (Avast Überevangelist)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #5 on: December 16, 2008, 03:25:52 PM »
They effectively can, by initiating a manual update; in the worst case they would have to wait 4 hours (if they had just done an auto update before the anti-rootkit scan) or until they next connect to the internet (dial-up).

If I have something I want to send immediately I initiate a manual update.

Lisandro (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #6 on: December 16, 2008, 03:32:21 PM »
> They effectively can, by initiating a manual update; in the worst case they would have to wait 4 hours (if they had just done an auto update before the anti-rootkit scan) or until they next connect to the internet (dial-up).
This does not explain the policy...

> If I have something I want to send immediately I initiate a manual update.

I don't want to update. I'm a common user who does not understand the details of avast; why should an upload be related to an update... it makes no sense.

I can't understand...

DavidR (Avast Überevangelist)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #7 on: December 16, 2008, 04:06:01 PM »
That is the whole point, the user doesn't have to know, he says to submit the file and to all intents and purposes they have because avast takes care of it for them.

The detection might happen when the user is off-line (not all of us are on broadband and/or always connected) and then you are forced to wait. As we both know, avast doesn't establish a connection but checks for one, so for me the logical place is in the update process (or you have to include another process solely to handle submissions).

IMHO, they don't really need to know the policy (but the help file could outline how it works), and even if they know the policy there shouldn't be any need for a choice between send now or later. avast has one constant, the update process, which personally I feel is fine as it is connecting to the avast servers at that point; the connection has been established.

Lisandro (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #8 on: December 16, 2008, 09:59:34 PM »
I give up...

Maxx_original (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #9 on: December 16, 2008, 11:18:10 PM »
> the files are sent while updating the VPS...
> I never understood this policy... I mean, why don't you allow the user to send the files immediately? Or, at least, choose between immediately and on next update?

you can manually invoke the update, if you want ;)

Lisandro (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #10 on: December 17, 2008, 12:56:27 AM »
> you can manually invoke the update, if you want ;)

Maxx, it does not make sense... I'm uploading a file, not updating avast. Why should both actions be related? They aren't for the common users. We need to explain in the forums to every newbie who seems astonished by this submission process...
Well, I need to keep my freedom to criticize avast when I think it does not do a good job. On this point, man, you did not score a goal; on the contrary, it's not easy for the user.

Vladimyr (Avast Evangelist)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #11 on: December 17, 2008, 04:15:33 AM »
> I did that but I'm not sure if I've reconnected the network cable again. Would it have been submitted before shutting down for the boot scan?

For the record, Thinkpad is back on-line, at least one vps update has occurred, so the sample should have been submitted.

Maxx_original (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #12 on: December 17, 2008, 10:56:44 AM »
Tech: the uploading process is linked to the setup module, which is responsible for updates, so it is suitable to send the files when the update is in progress... that's what I know; I'm not the author of the setup module or the submission system. Forejt or Vlk are the proper people to tell you more...

Lisandro (Avast team)
Re: Rootkit scan flags "gather.km" as suspicious
« Reply #13 on: December 17, 2008, 11:41:07 AM »
> Tech: the uploading process is linked to the setup module

We know that... but that is precisely the point: why connect both things? Even if there is a 'code' reason, a lot of other programs submit the info right away, immediately after the problem (Windows errors, SuperAntispyware reports, Google, Firefox crashes...).