Author Topic: Avast Antirootkit - How and when?


hlecter (Guest)
Avast Antirootkit - How and when?
« on: December 18, 2008, 12:16:53 PM »
HI;

I have been following the ARK tool from the earliest betas in March this year, and tested version 0.9.6
of the beta successfully. The same goes for the AR module in Avast.

Since then I have done a lot of reading to catch up on this tool and the module in Avast.
I must have missed something, and I have some questions to ask around this.

As I learned 9 months ago, the tool runs automatically every time, 8 minutes after Windows boot,
and this scan takes 3-5 seconds. Results are logged in aswar.log.

By doing a manual thorough or standard scan the tool is run, but I suppose in another way than the 3-5 second scan at Windows boot. No logging of those AR results (at that time).

While waiting for the standalone AR that didn't come out of beta, I played with some batch files
to accomplish what I hope are the same results as the AR tool.

I did as described on the fora and used Ashquick.exe to make 3 batch files named SUPER-QUICK, QUICK and FULL. They run for 3-5 seconds, half a minute and a little more than a minute on one of my systems.
(It will of course depend on many variables.)


Lately I discovered a new log, aswar1.log, which is produced by doing a Thorough scan manually through the user interface, but not by a Standard scan. The heading of the log is Quick.

Here are my questions;

1. Does the standard manual scan do an RK scan, and if yes, why is it not logged in aswar1.log?
  (Or must we use a thorough scan to accomplish this, which produces a QUICK scan log in aswar1.log?)

2. Is the only means of getting a FULL scan using Ashquick.exe with parameter FULL?

3. Will 2 give us more safety than 1 concerning RK detection? It uses double the time as far as I can see.

4. Is FULL scan something like what was planned for the standalone tool that AFAIK never got out of beta?

5. During the beta period there was talk of a special version of RK scanning done during a scheduled boot-time scan. Is this there by now?

---

As you can see, the only part of the Avast RK module I am familiar with is the scan 8 minutes after Windows boot.
It is in the log all the time, but it takes a VERY short time. That is my reason for the other questions...

I use my FULL scan with my batch file, but I suppose this was not the intention.

My goal for asking is to get the most out of the Avast RK module.

Thanks for answering.

Lisandro (Avast team)
Re: Avast Antirootkit - How and when?
« Reply #1 on: December 18, 2008, 12:44:26 PM »
4. Is FULL scan something like what was planned for the standalone tool that AFAIK never got out of beta?
I never understood why the program did not exit the beta phase...
The best things in life are free.

hlecter (Guest)
Re: Avast Antirootkit - How and when?
« Reply #2 on: December 18, 2008, 01:10:52 PM »
Hi Tech;

Still 5 questions to go. I suppose you can't answer them so let us hope some of the answers will come.

They should be interesting to a lot of people.

Kudos goes to you for posting many months ago how to make the batch files described in my first post. :)

HL

Lisandro (Avast team)
Re: Avast Antirootkit - How and when?
« Reply #3 on: December 18, 2008, 02:07:50 PM »
I suppose you can't answer
You're right... if I could, I'd have already posted ;)

hlecter (Guest)
Re: Avast Antirootkit - How and when?
« Reply #4 on: December 18, 2008, 02:21:38 PM »
Tech;

Have you all of a sudden got aswar1.log?

avast! Antirootkit, version 1.0 [Quick]

It's from a thorough, manual scan, and as you can see it gives a 'medium' AR scan (Quick) as asked in
question 1 in the original post. As I asked, I don't get it with standard scans?

EDIT: It's easy to find because it gets appended all the time.
« Last Edit: December 18, 2008, 02:25:03 PM by hlecter »

Lisandro (Avast team)
Re: Avast Antirootkit - How and when?
« Reply #5 on: December 18, 2008, 02:40:38 PM »
Have you all of a sudden got aswar1.log?
Yes, I have a huge log file there...

EDIT: It's easy to find because it gets appended all the time.
avast does not do housekeeping... SHAME...
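The housekeeping point raised above (aswar1.log is only ever appended to, and every run begins with a header line like "avast! Antirootkit, version 1.0 [Quick]") can be handled outside avast. The following Python script is an added example, not part of the original thread and not an avast tool: it cuts the append-only log into one record per run keyed on that header, counts runs per mode, and trims the file to the newest N runs. Only the header line format is taken from the post; the lines under each header in the sample are constructed, and the real log's body format is an assumption, so body lines are carried through untouched.

```python
import re
from typing import Dict, List

# The per-run header line as quoted in the thread; the bracketed word is the scan mode.
# Assumption: the version field is dotted digits and the mode is a single word (possibly hyphenated).
HEADER_RE = re.compile(
    r"^avast! Antirootkit, version (?P<ver>[\d.]+) \[(?P<mode>[A-Za-z-]+)\]\s*$"
)

# Constructed sample of an appended aswar1.log with three runs. Everything under the
# header lines is made up here; the thread does not show the real body format.
SAMPLE_LOG = (
    "avast! Antirootkit, version 1.0 [Quick]\n"
    "scan started (constructed line)\n"
    "0 hidden objects found (constructed line)\n"
    "\n"
    "avast! Antirootkit, version 1.0 [Full]\n"
    "scan started (constructed line)\n"
    "1 hidden object found (constructed line)\n"
    "\n"
    "avast! Antirootkit, version 1.0 [Quick]\n"
    "scan started (constructed line)\n"
    "0 hidden objects found (constructed line)\n"
)


def split_runs(text: str) -> List[Dict]:
    """Cut an append-only log into one record per scan run, keyed on the header line.

    Anything before the first header (e.g. the tail of a truncated file) is discarded;
    body lines are kept verbatim because their format is not known.
    """
    runs: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"version": m["ver"], "mode": m["mode"], "lines": []}
            runs.append(current)
        elif current is not None:
            current["lines"].append(line)
    return runs


def runs_per_mode(runs: List[Dict]) -> Dict[str, int]:
    """Count how many runs of each mode (Quick, Full, ...) the log holds."""
    counts: Dict[str, int] = {}
    for r in runs:
        counts[r["mode"]] = counts.get(r["mode"], 0) + 1
    return counts


def render(runs: List[Dict]) -> str:
    """Serialise run records back into the same header + body layout."""
    out: List[str] = []
    for r in runs:
        out.append(f"avast! Antirootkit, version {r['version']} [{r['mode']}]")
        out.extend(r["lines"])
    return "\n".join(out) + ("\n" if out else "")


def trim_log(text: str, keep: int = 10) -> str:
    """Housekeeping: keep only the newest `keep` runs. Idempotent, so safe to run at every boot."""
    return render(split_runs(text)[-keep:])


def trim_file(path: str, keep: int = 10) -> int:
    """Apply trim_log to a log file in place; returns the number of runs dropped."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    runs = split_runs(text)
    dropped = max(0, len(runs) - keep)
    if dropped:
        with open(path, "w", encoding="utf-8") as f:
            f.write(render(runs[-keep:]))
    return dropped


if __name__ == "__main__":
    runs = split_runs(SAMPLE_LOG)
    print(f"{len(runs)} runs, per mode: {runs_per_mode(runs)}")
    print(trim_log(SAMPLE_LOG, keep=2), end="")
```

trim_file() takes the path of the real aswar1.log, which the thread does not give, and rewrites it in place; if the older runs are wanted as history, copy the file elsewhere before trimming. One caveat a practitioner should keep in mind: a rootkit that hides files can also rewrite plain text logs, so the absence of findings in aswar1.log only means as much as the filesystem it sits on can be trusted.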

onlysomeone (Guest)
Re: Avast Antirootkit - How and when?
« Reply #6 on: December 18, 2008, 03:00:14 PM »
4. Is FULL scan something like what was planned for the standalone tool that AFAIK never got out of beta?

If you use the professional version of avast you have the possibility to set a full rootkit scan... (pic)


5. During the beta period it was talked about a special version of a RK-scanning done during a scheduled boot-time scanning. Is this there by now?

Probably you mean the automatic scan for rootkits every time Windows boots... that should already be implemented, I think :)

yours
onlysomeone

hlecter (Guest)
Re: Avast Antirootkit - How and when?
« Reply #7 on: December 18, 2008, 03:19:53 PM »

Quote from Onlysomeone: "Probably you mean the automatic scan for rootkits every time Windows boots... that should already be implemented, I think"

Please read my first post quoted here:  :)


As you can see, the only part of the Avast RK module I am familiar with is the scan 8 minutes after Windows boot.
It is in the log all the time, but it takes a VERY short time. That is my reason for the other questions...

HL

hlecter (Guest)
Re: Avast Antirootkit - How and when?
« Reply #8 on: December 18, 2008, 03:22:45 PM »
Yes, I know about the pro version's possibilities, but that was not my question here.

Still 5 to go...

HL

EDIT: Q5 is AFAIK  'hidden' inside here:

Version 4.8.1169
March 29, 2008
avast! now contains a built-in anti-rootkit protection

improvements in boot-time scanner (detection & removal of hidden or hard to delete files)
(I think it was this one.)
« Last Edit: December 18, 2008, 03:48:51 PM by hlecter »

onlysomeone (Guest)
Re: Avast Antirootkit - How and when?
« Reply #9 on: December 18, 2008, 05:38:41 PM »
Still 5 to go...

And which ones? Could you sum them up please...?

I think most users don't want to read so much text to answer 5 little questions...
If you want an answer, the questions should be small and clearly asked! ;)


Quote from: hlecter
Please read my first post
Sorry, too much text for me ;)


hlecter (Guest)
Re: Avast Antirootkit - How and when?
« Reply #10 on: December 18, 2008, 06:33:08 PM »

And which ones? Could you sum them up please...?

I think most users don't want to read so much text to answer 5 little questions...
If you want an answer, the questions should be small and clearly asked! ;)


My 5 questions still remain in the first post numbered from 1-5.

'5 little questions' was really an understatement.  :)

Some material is impossible to ask about in a short sentence. This is a black area for most of us.
But those interested and knowledgeable in the field will take their time to read and possibly answer.

You like it short: 'Give me an overview of Avast antirootkit protection from the user's point of view
(super-quick, quick and full, and when they are performed automatically...).'

I'll stick with the numbers to make communication easier.  :)

onlysomeone (Guest)
Re: Avast Antirootkit - How and when?
« Reply #11 on: December 18, 2008, 07:16:10 PM »
Quote
1. Does the standard manual scan do an RK scan, and if yes, why is it not logged in aswar1.log?
  (Or must we use a thorough scan to accomplish this, which produces a QUICK scan log in aswar1.log?)
Can only be answered by an avast! team member...


Quote
2. Is the only means of getting a FULL scan using Ashquick.exe with parameter FULL?
In my opinion, Alwil's view is that a home user shouldn't be able to do a manual rootkit scan, and so there is no other possibility than, in my opinion, "hacking" or tricking (I don't know a fitting English word) avast with batch files or special parameters...
or using the pro version...


Quote
3. Will 2 give us more safety than 1 concerning RK detection? It uses double the time as far as I can see.
With a full scan more areas on your PC are scanned (in the pro version you see it), so it is able to detect more rootkits (in more areas), but in my opinion the most important areas are scanned by a quick scan too, and that should be enough...


Quote
4. Is FULL scan something like what was planned for the standalone tool that AFAIK never got out of beta?
Also can only be answered by an avast! team member,
but what I can say is that a full scan is included in the pro version, so it's not only for the standalone antirootkit, and I'm quite sure that the full scan would also have been included in the standalone tool...


Quote
5. During the beta period there was talk of a special version of RK scanning done during a scheduled boot-time scan. Is this there by now?
I didn't hear/read about this; probably also only an avast! team member can answer this...

And now we can hope that an avast! team member answers the remaining questions^^
« Last Edit: December 18, 2008, 07:19:23 PM by onlysomeone »