Author Topic: avast detects Windows update as rootkit  (Read 8987 times)


Offline xqrzd

  • Jr. Member
  • **
  • Posts: 62
avast detects Windows update as rootkit
« on: July 09, 2010, 11:47:45 PM »
I just reinstalled Windows 7 Home Premium 64-bit on my computer, and as I was installing updates avast popped up and said it found a rootkit.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85956
  • No support PMs thanks
Re: avast detects Windows update as rootkit
« Reply #1 on: July 10, 2010, 12:19:36 AM »
Don't delete, select Ignore for now, don't check any option 'not to show this detection again' or words to that effect, as I don't know if there is an easy way to reverse that decision if it happens to be correct.

A forum search for trustedinstaller.exe would reveal a couple of topics on this; check this one out: http://forum.avast.com/index.php?topic=60682.0 and http://forum.avast.com/index.php?topic=60635.0. This trustedinstaller being picked up as a rootkit seems to happen every now and then; why, I don't really know, and this is why I suggest Ignore rather than delete until it is confirmed 100%.

I don't know why the trustedinstaller needs to be a hidden service and that may be why it keeps getting flagged.

When did this happen: 8 minutes after boot (auto anti-rootkit scan), or during a Windows update, etc.?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: avast detects Windows update as rootkit
« Reply #2 on: July 10, 2010, 01:07:05 AM »
Is your avast fully updated (program and virus definitions)?
The best things in life are free.

Offline xqrzd

Re: avast detects Windows update as rootkit
« Reply #3 on: July 10, 2010, 01:18:48 AM »
Hi,
Thanks for your responses. It was about 8 minutes after booting up, so I guess it was probably the startup rootkit scan. Also, I'm using the latest avast program and database (5.0.594 & 100709-1).

Offline Lisandro

Re: avast detects Windows update as rootkit
« Reply #4 on: July 10, 2010, 03:27:12 AM »
Can you submit the file to www.virustotal.com?
Most probably a false positive.

Offline DavidR

Re: avast detects Windows update as rootkit
« Reply #5 on: July 10, 2010, 03:56:25 AM »
Unfortunately VT is useless in this case, as it only runs the standard avast on-demand/command line scan and not the anti-rootkit scan, which can only be done on the user's system, as it is comparing what is reported by the Windows API and what is actually running on the user's system.

This one really needs some intervention by one of the virus labs team.
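
The comparison described in Reply #5 (what the Windows API reports versus what is actually on the system) can be tried by hand for services. This is an added example, not part of the thread and not avast's implementation; it assumes an elevated Windows PowerShell 3.0+ prompt and uses the registry key HKLM\SYSTEM\CurrentControlSet\Services as the second view.

```powershell
# Added example: cross-view check of Windows services (not avast's code).

# View 1: service names as reported through the Service Control Manager API.
$apiView = @{}                       # @{} keys compare case-insensitively
Get-Service | ForEach-Object { $apiView[$_.Name] = $true }

# View 2: service keys read from the registry.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$regView = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type bits 0x10 / 0x20 mark Win32 services. Kernel and file-system
    # drivers are skipped because Get-Service does not list them either.
    if ($p.Type -band 0x30) {
        [pscustomobject]@{ Name = $key.PSChildName; ImagePath = [string]$p.ImagePath }
    }
}

# Names present in the registry but missing from the API view.
$candidates = $regView | Where-Object { -not $apiView.ContainsKey($_.Name) }

foreach ($svc in $candidates) {
    # Resolve ImagePath to a file: expand %SystemRoot%-style variables,
    # then drop surrounding quotes and command-line arguments.
    $path = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
    if ($path -match '^\s*"?(.+?\.exe)') { $path = $Matches[1] }

    # Check the Authenticode signature before deciding anything about the file.
    # Catalog-signed OS binaries may report NotSigned on older PowerShell versions.
    # For svchost-hosted services this checks svchost.exe, not the service DLL.
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        Get-AuthenticodeSignature -LiteralPath $path
    }

    [pscustomobject]@{
        Service = $svc.Name
        Binary  = $path
        Status  = if ($sig) { $sig.Status } else { 'file not found' }
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
```

A name that appears in only one view is a lead to investigate, not a verdict. The registry is itself read through the Windows API here, so this is a weaker second view than the one a dedicated anti-rootkit scanner builds.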

Offline Lisandro

Re: avast detects Windows update as rootkit
« Reply #6 on: July 10, 2010, 04:04:50 AM »
But isn't it included in the other antivirus definitions and can be detected by Virus Total?

Offline DavidR

Re: avast detects Windows update as rootkit
« Reply #7 on: July 10, 2010, 04:13:32 AM »
No, it isn't, as it is being detected in the anti-rootkit scan; in other instances of this, when it has been sent to VT, there are zero hits.

As per the OP's image (extract here) that hidden service must have been loaded at some point in the boot, yet the standard scans didn't detect anything. Given that this was a win7 reinstall I would say that this file has a high degree of being clean and presumably the OP would also have run an on-demand scan at some point before this.

Offline bo.elam

  • Jr. Member
  • **
  • Posts: 96
Re: avast detects Windows update as rootkit
« Reply #8 on: July 10, 2010, 05:02:44 AM »
DavidR, I read on another post that you say the default action of the auto anti-rootkit scan cannot be changed. Can you confirm that or tell me how to change the delete default action to ignore on that scan? If anybody else can tell me how to do what I want, please help.
Bo

Offline DavidR

Re: avast detects Windows update as rootkit
« Reply #9 on: July 10, 2010, 04:24:09 PM »
No, I don't believe I said that at all, so if you have a reference to that post, please post it.

There is a drop down list in which you can choose Ignore or Delete, whilst avast displays what it considers the best option based on its detection you don't have to choose that option. So it isn't a default action as such but as it says a (recommended) action, that is likely to change depending on the circumstances of the detection. There is however, no way to change how avast comes to that decision, but you don't have to accept the recommended action, that you should be able to change.

By clicking the inverted triangle, see image extract from the OP's post, it should also show Ignore as an option.

Offline bo.elam

Re: avast detects Windows update as rootkit
« Reply #10 on: July 11, 2010, 02:54:12 AM »

I might be wrong, DavidR. What I think I read is that the selected action for default cannot be changed. I know you did not write that the action cannot be changed when the auto-rootkit scan detects something.

Bo

Offline DavidR

Re: avast detects Windows update as rootkit
« Reply #11 on: July 11, 2010, 03:30:52 AM »
There isn't a default action (so that certainly means it can't be changed if it doesn't exist), but a recommended action, so depending on the circumstances of the detection avast will either recommend Ignore or Delete. Personally I would never select Delete before I had fully investigated it.

Unfortunately for the greatest majority they wouldn't know where to start to investigate and those are the people that avast are trying to look out for. So for me that would be not to recommend deletion unless for whatever parameters (API/heuristic/behavioural, etc.) that are used to determine a rootkit it has to be 100%.

Offline Lisandro

Re: avast detects Windows update as rootkit
« Reply #12 on: July 11, 2010, 03:53:39 AM »
Quote from: DavidR
"Unfortunately for the greatest majority they wouldn't know where to start to investigate and those are the people that avast are trying to look out for. So for me that would be not to recommend deletion unless for whatever parameters (API/heuristic/behavioural, etc.) that are used to determine a rootkit it has to be 100%."

+1

Offline bo.elam

Re: avast detects Windows update as rootkit
« Reply #13 on: July 11, 2010, 04:01:28 AM »
Quote from: DavidR
"There isn't a default action (so that certainly means it can't be changed if it doesn't exist), but a recommended action, so depending on the circumstances of the detection avast will either recommend Ignore or Delete. Personally I would never select Delete before I had fully investigated it."

I got it now, thanks.
Bo

Offline DavidR

Re: avast detects Windows update as rootkit
« Reply #14 on: July 11, 2010, 04:18:53 AM »
You're welcome.