[RESOLVED] Behaviour shield/anti-rootkit alerts and logs

[MAG]

I had my first behaviour shield alert (on my XP system) today.

It said rapportcerberus was supicious.

The options I was offered were Ignore or Delete.

I believed this to be part of my Rapport browser security software (the filepath wwas correct), so I wasn't keen to delete, and was in too much of a hurry with something else for much investigation, so I chose ignore, thinking I would come back to it later.

(on reflection this perhaps wasn't the best choice - delete might have been better, since I can easily re-install Rapport). I have since checked with VT and scanned with avast (right click and BTS) and MBAM - all clean

Anyway - the point of this little tale, when I did go back later to check the behaviour shield log, there was  no mention of the detection - the only entry was relating to an auto-decide allow for a different file (which is in fact the only entry I get every day - despite typically 19 files analyzed by the BS per day).

Is this a bug, or a logging deficiency?

Thanks

[NON]

I had my first behaviour shield alert (on my XP system) today.

It said rapportcerberus was supicious.

The options I was offered were Ignore or Delete.

I think it is not an Behavior Shield's alert, but Rootkit alert.
Behavior Shield's alert offers Allow, Deny, Allow and add to exclusion lists, Deny and kill process, etc.
Rootkit alert only offers Delete and Ignore.

Afaik rootkit alerts are not logged, maybe because these alert are issued by anti-rootkit module, not by avast!'s shelids.

[DavidR]

Yes this alert is from the avast anti-rootkit scan (run 8 minutes after boot).

Whilst the two options are Ignore and Delete, don't delete in this case (or any without full investigation).

As you can see from NON's first image there should be an Advanced section in the alert window; clicking that should allow you to submit the sample to avast (does it ?).

Don't select the 'Do not tell me about this rootkit in the future.' The reason I say that is having submitted it to avast for analysis, when it is no longer detected if you chose this option you wouldn't know about it. So petter to put up with the short term hassle of getting the alert and choosing Ignore.

[MAG]

Thanks for the replies NON and David. The information is very helpful, but things aren't yet fully clear!

(i) I can't recall the word Rootkit appearing on the Alert. I do recall it saying the detection was made using heuristic techniques. Unfortunately I didn't check the advanced options drop-down - sorry. (however I guess that also means I didn't select 'Do not tell me about this rootkit in the future', so I may see this pop-up again, and if so I will report to avast).

(ii) The detection is certainly recorded in the behaviour shield statistics, as shown in the attached pic, but isn't mentioned in the behavour shield report for 09/04/11. That only contains the entry below:

* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 09, 2011 10:19:52 AM
*

09/04/2011 10:27:55   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed

(iii) The detection isn't mentioned in the anti-rootkit module log aswAr either (see below), however I think that may be because I rebooted the computer (to do the boot time scan), and it looks as if this log only captures info from the latest boot.
avast! Antirootkit, version 1.0
Scan started: 09 April 2011 11:43:30
Scan finished: 09 April 2011 11:43:36
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

(iv) The detection does seem to be mentioned in a log called arpot (not sure what this is - can anybody help?) - again see below:

09/04/2011 10:20:44   Suspic Driver: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641
09/04/2011 10:20:44      [Mods: 11; Service RapportCerberus_25641; FileSize 0; SSDT: ZwCreateThread; SSDT: (null); SSDT: ZwSetInformationFile; SSDT: ZwSetValueKey; SSDT: ZwTerminateProcess; Inline: ZwCallbackReturn+11448; Inline: ZwCallbackReturn+11484; Inline: ZwCallbackReturn+12132; Inline: ZwCallbackReturn+12224; Inline: ZwCallbackReturn+12264; Hidden module RapportCerberus_25641; ]

Hope this info helps.

Thanks again.

PS I have just rebooted, and anti-rootkit module scan has now run without generating any alert.

[DavidR]

It is normally the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswar.log (XP location) file that contains the information on anti-rootkit detections.

I actually don't have anything in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot, other than an empty TMP sub-folder. so I don't know if that is only populated if it relates to the anti-rootkit protection (arprot, my best guess).

The problem being in order for Rapport to do its work it will want to stay hidden and that is similar in tactics of certain malware/rootkits. In that case there is always going to be an element of 'suspicion' when avast's anti-rootkit scan is looking for that type of activity.

It, the rapport issue isn't actually reported in the Behavior Shield statistics as that is recording activity and not specific files, so you can't match that up. The Behavior Shield doesn't show and or isn't looking for rootkit activity in the way the specific scan is. Your example (ii) is correct in only showing instances where the behavior shield intervened and made a decision to allow the AOL service manager to modify the registry.

[NON]

(i) I can't recall the word Rootkit appearing on the Alert. I do recall it saying the detection was made using heuristic techniques. Unfortunately I didn't check the advanced options drop-down - sorry. (however I guess that also means I didn't select 'Do not tell me about this rootkit in the future', so I may see this pop-up again, and if so I will report to avast).

There is also a heuristic alert says "Suspicious file detected" (unfortunately I don't have its screen-shot).
Before I had some questions related to this "arpot" thingy and "heuristic" detection in Japanese forums.
The OP says there is no "Advanced settings", so your alert could be this.

(iv) The detection does seem to be mentioned in a log called arpot (not sure what this is - can anybody help?) - again see below:

09/04/2011 10:20:44   Suspic Driver: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641
09/04/2011 10:20:44      [Mods: 11; Service RapportCerberus_25641; FileSize 0; SSDT: ZwCreateThread; SSDT: (null); SSDT: ZwSetInformationFile; SSDT: ZwSetValueKey; SSDT: ZwTerminateProcess; Inline: ZwCallbackReturn+11448; Inline: ZwCallbackReturn+11484; Inline: ZwCallbackReturn+12132; Inline: ZwCallbackReturn+12224; Inline: ZwCallbackReturn+12264; Hidden module RapportCerberus_25641; ]

I didn't know this kind of alert is logged.

Unfortunately I don't know "arpot" exactly means...
It could be an acronym of "Anti-Rootkit honeypot" or so, but just my speculation

Since Rapport is trustworthy software this alert could be a false positive like DavidR says.

[MAG]

Thanks for the help David. It is still a bit puzzling to me. A bit more info below.

It is normally the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswar.log (XP location) file that contains the information on anti-rootkit detections. Yes, thanks - I'd learned that from searching one of your previous posts! I looked there - but it only seems to contain the scan data for the latest boot - and shows no detection.

I actually don't have anything in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot, other than an empty TMP sub-folder. so I don't know if that is only populated if it relates to the anti-rootkit protection (arprot, my best guess).I also have the empty folder you describe. The folder I have the arpot log in though is C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log (ie same place as aswAr log)

The problem being in order for Rapport to do its work it will want to stay hidden and that is similar in tactics of certain malware/rootkits. In that case there is always going to be an element of 'suspicion' when avast's anti-rootkit scan is looking for that type of activity. Yes - that makes sense - thanks

It, the rapport issue isn't actually reported in the Behavior Shield statistics as that is recording activity and not specific files, so you can't match that up. The Behavior Shield doesn't show and or isn't looking for rootkit activity in the way the specific scan is. Your example (ii) is correct in only showing instances where the behavior shield intervened and made a decision to allow the AOL service manager to modify the registry. This is the bitthat still puzzles me. The behaviour shield makes that decision on the AOL service manager every day (it would have helped if I'd posted more of the log originally - see below) - however this is the only time it has ever recorded a red suspicious event rather than an orange analysed event - so something differnt happened yesterday

* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 04, 2011 3:22:10 PM
*

04/03/2011 15:29:58   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 04, 2011 5:01:46 PM
*

04/03/2011 17:09:04   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, March 05, 2011 4:07:18 PM
*

05/03/2011 16:15:31   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 09, 2011 10:19:52 AM
*

09/04/2011 10:27:55   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 09, 2011 11:35:29 AM
*

09/04/2011 17:25:29   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, April 10, 2011 4:07:01 PM
*

10/04/2011 16:14:26   Modification of: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPHSend
    By:  C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll
    Via: C:\Program Files\Common Files\AOL\1171120604\ee\AOLSoftware.exe
         -> Action allowed

[DavidR]

@ NON
Fortunately I do have an image of one from avast5, but I don't know if this is the same in avast6, but it is likely. The Suspicious alert normally has Ignore as the default option and the Advanced option seems to be there but there is no option to submit the sample to avast.

[MAG]

Yes NON and David - that looks very much like the alert I saw. If I had to pick it out from the rest on a police identity parade I would certainly finger it!
(so I guess the question that remains is - if it happens again how do I submit it to avast?

[DavidR]

@ mag
1. The aswar.log file would be overwritten after each anti-rootkit scan. So it may be that as a result of this initial detection (I guess there would be many other Rapport users getting it too), may have resulted in action being taken by avast.

The avast CommunityIQ function may have come into its own in the sharing of data on detections, etc. so avast should see the patterns emerge. They may well then investigate without someone actually having to submit a sample or report; the result of such investigation could be a change in detections. Hopefully that is correct and you don't see this alert in the future on this file.

2. no such arprot.log file on my system, it may just have been created as a result of the alert.

3. The behavior shield and the anti-rootkit scan are totally different, separated and unconnected to one and other.

You could add the C:\Program Files\Common Files\AOL\1171120604\ee\AOLSvcMgr.dll to the behavior shield, expert settings, trusted processes and that would prevent it occurring in the behaviorshield.txt report.

[DavidR]

Yes NON and David - that looks very much like the alert I saw. If I had to pick it out from the rest on a police identity parade I would certainly finger it!
(so I guess the question that remains is - if it happens again how do I submit it to avast?

You obviously can't do it directly via the alert as with the other Rootkit detection rather than suspicious file. So it would have to be sending the sample via the chest (manually add it), but that may not help too much as in essence they can't replicate the alert based only on the file. So you would need to give as much information as possible.

I dare say that if they don't have a system with Rapport on it they probably will in the future to test against.

Hopefully as my last post states you may not have to go through the anti-rootkit alert phase again (totally nothing to do with the behaviour shield) on this file.

[NON]

@ DavidR
Ah, thanks much! Now I can see what that OP meant at that time

@ mag
I don't have arpot.log either.
It is a bit strange that red event recorded only this time... maybe an bug in statistics viewer?

Anyway hope avast fix detections and you will not see this alert again.
Take care...

[MAG]

OK - thanks to you both for all the help. I guess it's case closed.

Hopefully as my last post states you may not have to go through the anti-rootkit alert phase again (totally nothing to do with the behaviour shield) on this file.

It is still a puzzling thing to me that on the only day my behaviour shield ever records a red suspicious event, I also get a 'suspicious files found' pop-up alert, and it is ascribed to an anti-rootkit alert!

....but then puzzled is not an uncommon state of affairs for me as far as IT is concerned.

[DavidR]

To me the only confusing thing is that there is no entry in the behaviorshield.txt file when there is an indication in the BS stats, but this has happened before if I remember rightly, but not on my system.

It is nothing more than a coincidence in my opinion, one which you can check should the anti-rootkit alert happen again, see if there is a Red blip in the BS stats radar