Author Topic: Avast marks mbamswissarmy.sys as rootkit  (Read 12542 times)


tevion

  • Guest
Avast marks mbamswissarmy.sys as rootkit
« on: June 15, 2010, 07:47:57 PM »

I am sure this is a FP
Please correct database update.
Location: C:\Windows\system32\drivers\mbamswissarmy.sys

This is a part of Malwarebytes.

Tevion

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #1 on: June 15, 2010, 09:08:04 PM »
No detection here, do you have latest update 100615-1

tevion

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #2 on: June 15, 2010, 09:25:47 PM »
Quote
No detection here, do you have latest update 100615-1

Yes of course I had the latest update 100615-1.
Was done when the fp warning window opened.

The path also is entered in the general exceptions to Avast.

A Quick Review just did not reveal any other rootkit message.
« Last Edit: June 15, 2010, 09:31:23 PM by Tevion »

De Hollander

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #3 on: June 15, 2010, 09:51:29 PM »
No alerts here.

100615-1

File: mbamswissarmy.sys
CRC32: DF16EDD9
MD5: 7364D8A830F91C487F430A57FDBD2BBB
SHA-1: 3A693F4E63E130B9CDD284FA7036D04DD457DDC8
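
Comparing a local copy of the driver against the digests posted above shows whether two machines are scanning the same build of the file, which separates "different file" from "different scanner behaviour". This is an added example, not part of the original thread; the function names are illustrative, and the default path is the one given in the opening post.

```python
import hashlib
import sys
import zlib

# Digests posted in Reply #3 for the copy that raised no alert on VPS 100615-1.
POSTED = {
    "CRC32": "DF16EDD9",
    "MD5": "7364D8A830F91C487F430A57FDBD2BBB",
    "SHA-1": "3A693F4E63E130B9CDD284FA7036D04DD457DDC8",
}

def fingerprint(path, chunk_size=65536):
    """Return CRC32, MD5 and SHA-1 of a file, reading it once in chunks."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "CRC32": f"{crc & 0xFFFFFFFF:08X}",
        "MD5": md5.hexdigest().upper(),
        "SHA-1": sha1.hexdigest().upper(),
    }

def mismatches(local, reference=POSTED):
    """List the algorithms whose digests differ (case and whitespace ignored)."""
    def norm(value):
        return value.strip().upper()
    return [name for name, want in reference.items()
            if norm(local.get(name, "")) != norm(want)]

if __name__ == "__main__":
    # Pass another path as the first argument to override the default.
    default = r"C:\Windows\system32\drivers\mbamswissarmy.sys"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    try:
        local = fingerprint(path)
    except OSError as exc:
        sys.exit(f"cannot read {path}: {exc}")
    for name, value in local.items():
        print(f"{name}: {value}")
    diff = mismatches(local)
    print("same file as Reply #3" if not diff
          else "different build, mismatch in: " + ", ".join(diff))
```

A match means both machines hold the identical file, so a differing verdict has to come from the scanner configuration or environment rather than from the driver itself.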

Mr.Agent

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #4 on: June 15, 2010, 10:41:00 PM »
No alert 100615-2 with PUP on.

For me, if I run an MBAM scan with the avast! memory scan, then avast will detect its service as a virus, but it doesn't matter; I don't recommend running more than 2 scans anyway. ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #5 on: June 15, 2010, 11:36:17 PM »
For those who are saying no problem here or words to that effect (other than Pondus), are you using the MBAM Pro version as the OP is? If not then you aren't able to replicate this if there are no MBAM resident protections enabled.

<snip>
Was done when the fp warning window opened.

The path also is entered in the general exceptions to Avast.

A Quick Review just did not reveal any other rootkit message.

What FP warning window?

I assume this is the anti-rootkit scan about 8 minutes after boot which detects this, if so that doesn't follow the general exclusions (on-demand scans only) as far as I'm aware.

A Quick scan, doesn't launch the anti-rootkit scan, that is only part of the Full System Scan (or custom scan), so that I would say is why there is no rootkit detection with that scan.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #6 on: June 15, 2010, 11:57:54 PM »
Quote
For those who are saying no problem here or words to that effect (other than Pondus), are you using the MBAM Pro version as the OP is? If not then you aren't able to replicate this if there are no MBAM resident protections enabled.

@DavidR
not sure if this makes any difference, but he is on Win7 me on WinXP

cadremis

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #7 on: June 16, 2010, 02:19:43 AM »
No detection here with me with 100615-2

rm

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #8 on: June 16, 2010, 02:23:40 AM »
Quote
For those who are saying no problem here or words to that effect (other than Pondus), are you using the MBAM Pro version as the OP is? If not then you aren't able to replicate this if there are no MBAM resident protections enabled.
@DavidR
not sure if this makes any difference, but he is on Win7 me on WinXP

That is the sort of thing I'm trying to get at, as those with MBAM Pro should in theory all be getting the detection if the resident functionality is enabled.

The only other person I can recall is YoKenny who has MBAM Pro and win7 also. He has a win7 and an XP Pro system but I don't know if he has MBAM Pro on both. So his would be a good test bed if it detected on one but not the other or not on either.

De Hollander

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #9 on: June 16, 2010, 09:53:30 AM »
Quote
For those who are saying no problem here or words to that effect (other than Pondus), are you using the MBAM Pro version as the OP is.....

Pro version, Realtime scanning, No exclusions under Avast, Vista.

YoKenny

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #10 on: June 16, 2010, 01:04:06 PM »
@ DavidR

I have MBAM Pro on both systems.

I do not have any Exclusion entries in Windows 7 but I do have C:\Windows\system32\drivers\mbamswissarmy.sys in my XP Pro system as I was testing avast! Internet Security a while back and it is needed for MBAM to be able to auto update.



disPlay

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #11 on: June 16, 2010, 01:44:30 PM »
Same db and everything is ok here.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #12 on: June 16, 2010, 03:35:26 PM »
Quote
@ DavidR

I have MBAM Pro on both systems.

I do not have any Exclusion entries in Windows 7 but I do have C:\Windows\system32\drivers\mbamswissarmy.sys in my XP Pro system as I was testing avast! Internet Security a while back and it is needed for MBAM to be able to auto update.

Thanks for that as it is even more strange that it is happening to Tevion then as your setup in win7 would be the same. The General Exclusions in avast shouldn't have any impact on the anti-rootkit scan I believe just the user initiated on-demand scans.

So all I can think of is the MBAM Pro version number used by Tevion as there was something about this MBAM driver before if I remember correctly.

YoKenny

  • Guest
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #13 on: June 16, 2010, 04:18:18 PM »
I just did a Quick scan on Windows 7
Quote
*
* avast! Scan Report
* This file is generated automatically
*
* Scan name: Quick scan
* Started on: Wednesday, June 16, 2010 10:03:53 AM
* VPS: 100616-0, 06/16/2010
*

Infected files: 0
Total files: 30212
Total folders: 18329
Total size: 12.5 GB

*
* Scan stopped: Wednesday, June 16, 2010 10:06:01 AM
* Run-time was 2 minute(s), 8 second(s)

Read Firefox's response to MBAM_ERROR_UPDATING, Problems updating topic:
http://forums.malwarebytes.org/index.php?s=&showtopic=53535&view=findpost&p=265339

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast marks mbamswissarmy.sys as rootkit
« Reply #14 on: June 16, 2010, 05:01:32 PM »
The Quick scan doesn't run the anti-rootkit scan, that is only part of the Full System Scan (or custom scan), so I wouldn't expect it to find a rootkit detection.