Author Topic: Boot Sector Viruses  (Read 16068 times)


derek_jones_37

  • Guest
Boot Sector Viruses
« on: December 06, 2009, 08:25:41 AM »
Hi All. 

  Yeah I know everyone is posting questions, problems..serious problems with the fact that there are not boot sector scans with Avast for 64 bit programs when if it's supposed to be compatible with 64 bit systems then it really should have ALL FUNCTIONS COMPATIBLE, even boot scanning. The question I have is if there is a boot sector virus that gets into the memory and works its way into your system when booting up then wouldn't it be detected when the Antivirus does the memory scan prior to going into a system scan?  If so then what's the big deal?

  I can see if the virus becomes hidden inside the memory but then again isn't that what we have anti-virus software for in the first place.....to find the virus.  If there's a problem and there's a virus anywhere in your system then a total scan should find it.....ANYWHERE.  I shouldn't have to even do a boot scan on my system as well if I have the BIOS set to only boot up from specific locations.  I don't borrow anything from anyone and leave it in my optical drive, I don't use pirated crap software and I scan absolutely everything I open first therefore I shouldn't have to worry.  Also I was wondering if there's a total security suite being introduced and I just bought my 4.8 professional version can I upgrade?  I really would like to have an all in one program including a firewall with Avast so I don't have to use multiple programs...that really sucks to have to do that.  I don't want multiple applications running when I can just have the one program to do it all.  Anyway this isn't a rant I just had some observations, inquiries and some general things that I think some people don't really consider when posting questions for discussion here on this forum.  Not that I'm any different because sometimes we're all in such a hurry to get our problems solved that we don't think about the fact that maybe it's not a problem at all but really a solution hidden in the problem.

Thanks

Jones

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37650
  • F-Secure user
Re: Boot Sector Viruses
« Reply #1 on: December 06, 2009, 10:36:21 AM »
Quote
The question I have is if there is a boot sector virus that gets into the memory and works its way into your system when booting up then wouldn't it be detected when the Antivirus does the memory scan prior to going into a system scan?  If so then what's the big deal?
The boot scan has to do with removal and not detection. V4.8 does not have boot scan for 64bit OS.
QUOTE: Avast Antivirus offers a "boot time" virus scan of your PC. This allows the antivirus engine to scan all of the files on your hard drive before any other programs load - useful in cases where you have an infection which cannot be cleaned because the "file is in use"

Quote
If there's a problem and there's a virus anywhere in your system then a total scan should find it.....ANYWHERE.
Maybe, there is no antivirus program with 100% detection (would be nice to have and the virus problem on the WWW would be gone)

Quote
I really would like to have an all in one program including a firewall with Avast so I don't have to use multiple programs...that really sucks to have to do that.  I don't want multiple applications running when I can just have the one program to do it all.
Soon to be released V5, maybe January. And V5.1 may have boot scan for 64bit OS
http://blog.avast.com/2009/07/20/avast-5-is-coming-soon/




Offline Pondus

Re: Boot Sector Viruses
« Reply #2 on: December 06, 2009, 10:39:58 AM »

YoKenny

  • Guest
Re: Boot Sector Viruses
« Reply #3 on: December 06, 2009, 11:04:01 AM »
Welcome fellow Canadian.

Have a look at the applications I use in my signature; they are good additions to avast!'s protection:

Malwarebytes' Anti-Malware (MBAM)
http://www.malwarebytes.org/mbam.php
WinPatrol the System Security Monitor
http://www.winpatrol.com

@ Pondus

64bit scanning is not scheduled for avast! V5.0 but V5.1 as you indicate.


derek_jones_37

  • Guest
Re: Boot Sector Viruses
« Reply #4 on: December 06, 2009, 12:19:56 PM »
Thanks Kenny and Pondus.

I was totally aware of the Boot sector being unavailable to 64 bit users which doesn't bother me so much since I added more layers of protection for my system.

I currently have the Malware program which I ran and actually caught two malware programs in two downloads that AVG Missed....whew...:-)  I also have in addition to Avast Pro 4.8 and Malwarebytes the PC Tools Plus Firewall installed.  Do I really need the fourth program??  See this is why I need the Total Internet Security when it's released.... with all this other crap I spend all my time scheduling scans......:-(.....just kidding.

I don't currently have the WinPatrol program..is it worth it?

See I thought that the boot scan was done when you first start up the antivirus program but instead the program performs a Boot time scan instead.  Sounds like the same thing but I guess it's different. Nice.

So what is the difference between a "Boot Sector Scan" and a "Boot Time Scan"??

Thanks 

Jones

YoKenny

  • Guest
Re: Boot Sector Viruses
« Reply #5 on: December 06, 2009, 12:45:37 PM »
You cannot run 2 antivirus applications at the same time as they will interfere with one another.

AVG Remover(64bit)
http://www.avg.com/ca-en/download-tools

WinPatrol features:
http://www.winpatrol.com/compare.html

The Boot sector is what permits the system to boot up so the Boot time Scan runs when the system boots up.

Offline Pondus

Re: Boot Sector Viruses
« Reply #6 on: December 06, 2009, 12:51:45 PM »
Boot sector http://en.wikipedia.org/wiki/Boot_sector
A boot sector is a sector of a hard disk, floppy disk, or similar data storage device that contains code for booting programs (usually, but not necessarily, operating systems) stored in other parts of the disk.


Booting http://en.wikipedia.org/wiki/Booting
In computing, booting (also known as "booting up") is a bootstrapping process that starts operating systems when the user turns on a computer system. A boot sequence is the initial set of operations that the computer performs when power is switched on. The bootloader typically loads the main operating system for the computer.

So boot time scan happens before Windows has started and before any virus code is allowed to run.
Some Antivirus vendors do it a bit differently using a boot CD.
« Last Edit: December 06, 2009, 01:02:13 PM by Pondus »

derek_jones_37

  • Guest
Re: Boot Sector Viruses
« Reply #7 on: December 06, 2009, 01:31:53 PM »
  Ok I totally understand now...thanks.  I had a feeling one was previously scanned prior to actually seeing your start up screen.  The boot sector Scan must be very fast since the boot up time on my system is probably just under a minute I would say.  I read that the Security Features of Vista 64 bit denies the Boot Sector Scan but that Avast does do a Boot Time Scan during the full system scan...correct?

  Yeah about using the CD...I downloaded and burned the Avira Boot Sector Repair Tool 6.32.255.0  CD.  Is that simply for repairing the Boot Sector once a Virus is found on it or can I use that CD to scan my Boot Sector prior to Vista Loading?  I know to enable the Boot Sequence for the CD Drive first and then it can just scan it from there using the CD.

  I have already removed AVG but not using the remover...will there be remnants of it on my system I wonder.  Avast Seems to run very well although the user interface is simply horrible.  I found these indicators on the bottom right of the user interface that appear to be last scan times but it never indicates what scan was performed and what the results were.

Thanks

Offline Pondus

Re: Boot Sector Viruses
« Reply #8 on: December 06, 2009, 01:46:12 PM »
More info on Avast V5 http://blog.avast.com/2009/11/30/so-when-is-version-5-coming-out/


Quote
Avast does do a Boot Time Scan during the full system scan...correct?
No, you have to start it when you need/want to do it. See the link to "Digital red" in reply #2

Quote
Is that simply for repairing the Boot Sector once a Virus is found on it or can I use that Cd to scan my Boot Sector prior to Vista Loading?
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Quote
I have already removed AVG but not using the remover...will there be remnants of it on my system I wonder.
Yes, that is why it is recommended to run the tool


Offline Pondus

Re: Boot Sector Viruses
« Reply #9 on: December 06, 2009, 01:54:19 PM »
Quote
The boot sector Scan must be very fast since the boot up time on my system is probably just under a minute I would say.
No, not related, the virus scan stops the computer from booting, then does the scan and when finished the computer starts (I think it scans almost the whole computer)

derek_jones_37

  • Guest
Re: Boot Sector Viruses
« Reply #10 on: December 06, 2009, 01:58:32 PM »
Alright that's awesome thanks.  Unfortunately the Boot Time Scan isn't available to me since I have Vista Ultimate 64 bit so that's out of the way.  

The Avira Program listed in the link is the one I burned to disk.  I'll use this disk to do the Boot time Scan.

I shall run the AVG remover as soon as I get home.

What sucks about the new version of Avast is that it still won't have the Boot Sector Scan available.  I read only 5.1 will have that.  I may have to renew the subscription by the time it comes out.

Which Program would you recommend to scan the Boot Sector?

Thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Boot Sector Viruses
« Reply #11 on: December 06, 2009, 02:02:59 PM »
Boot viruses are becoming more sneaky now as they use hooks to legitimate files - mainly sinow

An example of the hook using iastor.sys
Quote
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys >>UNKNOWN [0x8AFD9F61]<<
kernel: MBR read successfully
user & kernel MBR OK
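
The detector output quoted above can be triaged mechanically. This added example (not part of the original post and not GMER's own code) parses that log and shows why the closing "user & kernel MBR OK" line does not clear the machine when an unnamed module sits in the disk call chain. It assumes only the line formats visible in the quote; the verdict labels are made up for illustration.

```python
import re

# Log lines copied from the detector output quoted in the post above.
SAMPLE_LOG = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys >>UNKNOWN [0x8AFD9F61]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# An entry the detector could not attribute to a named module, with its address.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def analyze_mbr_log(text: str) -> dict:
    """Extract the disk call chain and flag entries with no owning module."""
    modules, unknown, compare_ok = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            unknown = UNKNOWN_RE.findall(chain)
            modules = UNKNOWN_RE.sub(" ", chain).split()
        elif line == "user & kernel MBR OK":
            compare_ok = True
    # Hypothetical verdict labels: an unattributed address in the chain matters
    # even when the user-mode and kernel-mode reads of the MBR agree.
    if unknown:
        verdict = "hook-suspected"
    elif not compare_ok:
        verdict = "mbr-compare-not-confirmed"
    else:
        verdict = "no-findings"
    return {"modules": modules, "unknown_addresses": unknown,
            "mbr_compare_ok": compare_ok, "verdict": verdict}
```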

Offline Pondus

Re: Boot Sector Viruses
« Reply #12 on: December 06, 2009, 02:06:16 PM »
Dr.Web CD http://www.freedrweb.com/livecd/
How does it work http://www.freedrweb.com/livecd/how_it_works/

But this is something you only do when your system is infected and you need to clean it

Not sure but I think V5.1 is to be released summer 2010
« Last Edit: December 06, 2009, 02:10:21 PM by Pondus »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11870
    • AVAST Software
Re: Boot Sector Viruses
« Reply #13 on: December 06, 2009, 02:17:05 PM »
Quote
What sucks about the new version of Avast is that it still won't have the Boot Sector Scan available.  I read only 5.1 will have that.  I may have to renew the subscription by the time it comes out.

Which Program would you recommend to scan the Boot Sector?

The boot-time scan has nothing to do with scanning boot sectors, it's two completely unrelated things.
Boot sectors are scanned by the usual Windows scans, as well as by the antirootkit scan, present in all avast! versions.

And by the way, no other antivirus has the boot-time scan like avast! does.

Offline essexboy

Re: Boot Sector Viruses
« Reply #14 on: December 06, 2009, 02:31:17 PM »
If the infection is a hook then no current AV will remove it as the affected file is not changed or modified in any way.   GMER will show you the hook but as far as I know at the moment it will not remove it.  You will need to locate and remove the hooking file which may be a variant of tdl*.dll