Author Topic: aswSnx.sys false positive with anti-rootkit scanners  (Read 5705 times)


nord

  • Guest
aswSnx.sys false positive with anti-rootkit scanners
« on: August 20, 2011, 02:57:11 AM »
Pretty sure this is a false positive and that Avast is not compromised.

PATH;"ROOTKIT_NAME";"HIDDEN";"INT2E_MODIFIER";"MSR_MODIFIER";"REGISTRY_KEY";"REGISTRY_VALUE";"REGISTRY_HIDDEN";"PROCESS_COMMANDLINE";"PROCESS_HIDDEN";"SDT_FUN_NAME";"EAT_OBJECTIVE";"EAT_FUN_NAME";"IRP_DRIVER";"IRP_FUNCTION";"IDT_ID";"IDT_TYPE"

C:\## aswSnx private storage\snx_rhive.LOG;;"TRUE";"FALSE";"FALSE";

C:\## aswSnx private storage\snx_rhive;;"TRUE";"FALSE";"FALSE";

Anyone?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88767
  • No support PMs thanks
Re: aswSnx.sys false positive with anti-rootkit scanners
« Reply #1 on: August 20, 2011, 03:41:32 AM »
What anti-rootkit scanners?

That is the avast sandbox and is obviously hidden to protect your system; when the sandbox is used it is isolated from the live system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

nord

  • Guest
Re: aswSnx.sys false positive with anti-rootkit scanners
« Reply #2 on: August 20, 2011, 04:10:15 AM »
Quote from: DavidR on August 20, 2011, 03:41:32 AM
What anti-rootkit scanners?

That is the avast sandbox and is obviously hidden to protect your system; when the sandbox is used it is isolated from the live system.

Panda Pavark* & Sophos** Anti-rootkits found it, TDSS did not.

* Panda is old and did not know what to do with it. I've been using Avast 4.8, 5 and 6 since its beta and never had this kind of finding before today and I run Panda all the time.

** Sophos gave no details but did not recommend removal (see below).

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\## aswSnx private storage\snx_rhive
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\## aswSnx private storage\snx_rhive.LOG
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

TDSSKiller 2.5.16.0

Sophos 1.3.1

Pavark 5.0.0.4

« Last Edit: August 20, 2011, 04:22:14 AM by nord »

Offline DavidR

Re: aswSnx.sys false positive with anti-rootkit scanners
« Reply #3 on: August 20, 2011, 04:57:19 AM »
Considering they aren't actually reporting rootkits, just hidden files, and a .log file at that, which is not essentially what a rootkit is going to be.

TDSSKiller is an even more specialist rootkit scanner, looking for a particular rootkit variant and it is correct in that it didn't find a TDSS rootkit.

At least Sophos advises against cleanup as it hasn't any information; whilst it says it is removable, I would rather hope that the avast self-defence module would have something to say about that.

Avast already has a rootkit scanner incorporated into the program (runs 8 minutes after boot) and it is based on the GMER rootkit scanner. But it goes further than GMER in that it isn't just an analysis tool, it seeks to take the decisions away from the user where possible. It is also incorporated into the various on-demand scans (at different levels of thoroughness).

So I don't understand why you were running these anti-rootkit scans?
Generally these are specialist tools that are run if you have a suspicion that something isn't right on your system.

Using old applications, or ones that haven't had any development in some time, isn't advised, as they are not going to have kept up with developments, whereas the security applications on systems have continued developing.
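A small triage script for the Pavark report format pasted in the first post, added here as an example and not part of the thread or of any of the scanners mentioned: it pads the scanner's short rows to the full header, separates findings that carry hook or modifier evidence from hidden-only files, and flags hidden-only paths under the known aswSnx storage directory. The third sample row and the KNOWN_SANDBOX_STORAGE tuple are constructed assumptions, not output from any real scan.

```python
import csv
import io

# Constructed sample in the report format from the post: the header and the two
# real rows as pasted, plus one constructed row that carries hook evidence for contrast.
SAMPLE_REPORT = r"""
PATH;"ROOTKIT_NAME";"HIDDEN";"INT2E_MODIFIER";"MSR_MODIFIER";"REGISTRY_KEY";"REGISTRY_VALUE";"REGISTRY_HIDDEN";"PROCESS_COMMANDLINE";"PROCESS_HIDDEN";"SDT_FUN_NAME";"EAT_OBJECTIVE";"EAT_FUN_NAME";"IRP_DRIVER";"IRP_FUNCTION";"IDT_ID";"IDT_TYPE"
C:\## aswSnx private storage\snx_rhive.LOG;;"TRUE";"FALSE";"FALSE";
C:\## aswSnx private storage\snx_rhive;;"TRUE";"FALSE";"FALSE";
C:\CONSTRUCTED\example.sys;"EXAMPLE";"TRUE";"TRUE";"FALSE";;;;;;"CONSTRUCTED_SDT_ENTRY";;;;;;
"""

# Assumed: directories a known, trusted product uses for hidden storage (from the post).
KNOWN_SANDBOX_STORAGE = (r"C:\## aswSnx private storage",)
# Columns whose TRUE value, or non-empty content, indicates hooking/tampering rather
# than mere hiding.
BOOL_FLAGS = ("INT2E_MODIFIER", "MSR_MODIFIER", "REGISTRY_HIDDEN", "PROCESS_HIDDEN")
HOOK_FIELDS = ("SDT_FUN_NAME", "EAT_FUN_NAME", "IRP_DRIVER", "IRP_FUNCTION", "IDT_ID", "IDT_TYPE")


def parse_report(text):
    """Parse the semicolon-separated report into one dict per finding."""
    reader = csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"')
    header = next(reader)
    rows = []
    for fields in reader:
        if not fields:
            continue
        # The scanner truncates rows after the last populated column; pad to the header.
        fields = (fields + [""] * len(header))[: len(header)]
        rows.append(dict(zip(header, fields)))
    return rows


def triage(row, known_storage=KNOWN_SANDBOX_STORAGE):
    """Return a verdict string: hook evidence beats a bare 'hidden' flag."""
    evidence = [f for f in BOOL_FLAGS if row[f].upper() == "TRUE"]
    evidence += [f for f in HOOK_FIELDS if row[f].strip()]
    if row["ROOTKIT_NAME"].strip():
        evidence.insert(0, "ROOTKIT_NAME")
    if evidence:
        return "hook/modifier evidence: " + ", ".join(evidence)
    if row["HIDDEN"].upper() == "TRUE":
        inside = any(row["PATH"].lower().startswith(p.lower()) for p in known_storage)
        return "hidden-only, inside known sandbox storage" if inside else "hidden-only, unknown path: investigate"
    return "no evidence"


def triage_report(text):
    return [(row["PATH"], triage(row)) for row in parse_report(text)]
```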

nord

  • Guest
Re: aswSnx.sys false positive with anti-rootkit scanners
« Reply #4 on: August 20, 2011, 04:18:22 PM »
Quote from: DavidR on August 20, 2011, 04:57:19 AM
Considering they aren't actually reporting rootkits, just hidden files, and a .log file at that, which is not essentially what a rootkit is going to be.

TDSSKiller is an even more specialist rootkit scanner, looking for a particular rootkit variant and it is correct in that it didn't find a TDSS rootkit.

At least Sophos advises against cleanup as it hasn't any information; whilst it says it is removable, I would rather hope that the avast self-defence module would have something to say about that.

Avast already has a rootkit scanner incorporated into the program (runs 8 minutes after boot) and it is based on the GMER rootkit scanner. But it goes further than GMER in that it isn't just an analysis tool, it seeks to take the decisions away from the user where possible. It is also incorporated into the various on-demand scans (at different levels of thoroughness).

So I don't understand why you were running these anti-rootkit scans?
Generally these are specialist tools that are run if you have a suspicion that something isn't right on your system.

Using old applications, or ones that haven't had any development in some time, isn't advised, as they are not going to have kept up with developments, whereas the security applications on systems have continued developing.

Appreciate your detailed analysis here. Confirms my thought that it was a false positive.

I never rely upon one solution for these things, which is why I run MalwareBytes Pro and Avast in addition to my firewall. I routinely run 3rd party apps for spyware and rootkits as a "just in case" routine. Having seen all programs fail at one point or another, as much as I like Avast, I will not exempt it from that kind of practice. As for Pavark, I don't run it alone, just first. <g>


« Last Edit: August 20, 2011, 04:20:20 PM by nord »