avast4 home edition, submitting sample and possible root kit
Hello, My first question is, is anyone using avast4 home edition on their workstations? I am, and about ten minutes ago I got a pop up indicating a hidden rootkit was discovered by heuristic means. I quarantined it and there was a checkbox to submit the sample. I kept it checked and hit ok. I didn't get any feedback indicating the sample had been sent or a form to fill out for contact. Second question is how can I be sure this thing went in? It might be a false positive, I'm not sure. My machine has been periodically slow on the internet for the past day or so, but that's infrequent and now that I'm thinking about it, it might be either something or overreaction. Finally, what does everyone use for workstations for detecting rootkits? Thanks. Dave.
Dave, your best bet is to do a pre-boot-up scan, which avast allows. U may need a bit of sighted help w/that, but if u suspect a rootkit at all, this is the route u should take.

U might also consider malwareBytes from www.malwarebytes.org as it does a good job of detecting rootkits, though I've seen it get a bit trigger-happy, specifically flagging atapi.sys. Yeah! U might wanna check the quarantined filename, just out of curiosity & to ensure it wasn't a false positive, as avast can get real trigger happy, flagging all sorts of programming apps & network vulnerability sniffing tools as having viruses when they don't.

HiJackThis, from trendmicro.com, is a very good app to see whether unauthorized stuff is running at startup, in your browser, etc. But it won't detect a true rootkit. This is 1 of those apps that detects legitimate as well as nasty stuff, so if you're at all in doubt, check w/some1.

Let us know.

On 12/11/09, David Mehler <dave.mehler@gmail.com> wrote:

> Hello, My first question is, is anyone using avast4 home edition on their workstations? I am, and about ten minutes ago I got a pop up indicating a hidden rootkit was discovered by heuristic means. I quarantined it and there was a checkbox to submit the sample. I kept it checked and hit ok. I didn't get any feedback indicating the sample had been sent or a form to fill out for contact. Second question is how can I be sure this thing went in? It might be a false positive, I'm not sure. My machine has been periodically slow on the internet for the past day or so, but that's infrequent and now that I'm thinking about it, it might be either something or overreaction. Finally, what does everyone use for workstations for detecting rootkits? Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins
-- Change the world--1 deed at a time. Jackie McBride, www.abletec.serverheaven.net. Please join me Saturday, 11/7, on my walk against breast cancer by making a donation at: http://main.acsevents.org/goto/larkspur
Hello, Thanks. I think it was a false positive. I downloaded malware bytes, updated, and ran it. It came up clean. I updated Avast4 and ran a bootup scan, and that showed some corrupted zip files and a trojan still in a zip file inside temporary internet files. I deleted all of it and ran it again; this time it came up clear. One thing, I have settings to clear temporary internet files on browser close, but this does not appear to be happening. Does anyone have a script that I can run via task manager that will do this, or any other suggestions? Thanks. Dave.

On 12/12/09, Jackie McBride <abletec@gmail.com> wrote:

> Dave, your best bet is to do a pre-boot-up scan, which avast allows. U may need a bit of sighted help w/that, but if u suspect a rootkit at all, this is the route u should take.
>
> U might also consider malwareBytes from www.malwarebytes.org as it does a good job of detecting rootkits, though I've seen it get a bit trigger-happy, specifically flagging atapi.sys. Yeah! U might wanna check the quarantined filename, just out of curiosity & to ensure it wasn't a false positive, as avast can get real trigger happy, flagging all sorts of programming apps & network vulnerability sniffing tools as having viruses when they don't.
>
> HiJackThis, from trendmicro.com, is a very good app to see whether unauthorized stuff is running at startup, in your browser, etc. But it won't detect a true rootkit. This is 1 of those apps that detects legitimate as well as nasty stuff, so if you're at all in doubt, check w/some1.
>
> Let us know.
>
> On 12/11/09, David Mehler <dave.mehler@gmail.com> wrote:
>
> > Hello, My first question is, is anyone using avast4 home edition on their workstations? I am, and about ten minutes ago I got a pop up indicating a hidden rootkit was discovered by heuristic means. I quarantined it and there was a checkbox to submit the sample. I kept it checked and hit ok. I didn't get any feedback indicating the sample had been sent or a form to fill out for contact. Second question is how can I be sure this thing went in? It might be a false positive, I'm not sure. My machine has been periodically slow on the internet for the past day or so, but that's infrequent and now that I'm thinking about it, it might be either something or overreaction. Finally, what does everyone use for workstations for detecting rootkits? Thanks. Dave.
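Dave's follow-up asks for a script that empties the Temporary Internet Files cache on a schedule because the "clear on browser close" setting is not doing it. The following is an added example, not something posted in the thread: a PowerShell script that clears the per-user Internet Explorer cache and, when run with -Register, registers itself as a Scheduled Task that runs at each logon of the current user. It assumes Windows with IE7 or later (where the InetCpl.cpl "ClearMyTracksByProcess" entry point exists) and PowerShell 2.0 or later; the task name and the at-logon schedule are assumptions you can change.

```powershell
# Added example (not from the thread): clear the IE Temporary Internet Files
# cache now, or register this script as a per-user Scheduled Task.
# Assumes Windows with IE7+ and PowerShell 2.0+; task name is an assumption.
param(
    [switch]$Register,                              # register the task instead of cleaning now
    [string]$TaskName = 'ClearTempInternetFiles'    # assumed task name, change freely
)

function Clear-TempInternetFiles {
    # InetCpl.cpl option 8 clears Temporary Internet Files only; cookies,
    # history and saved form data are left alone, so logins survive.
    Start-Process -FilePath 'RunDll32.exe' `
        -ArgumentList 'InetCpl.cpl,ClearMyTracksByProcess 8' -Wait -NoNewWindow

    # Belt and braces: remove whatever the shell left behind in the cache folder.
    # Files that are still open (e.g. index.dat) are skipped silently.
    $cache = [Environment]::GetFolderPath('InternetCache')
    if (Test-Path $cache) {
        Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Remove-Item -Force -ErrorAction SilentlyContinue
    }

    # Report what remains so a scheduled run leaves a trace in the task history.
    [long]$left = (Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum).Sum
    "Cache at $cache now holds $([int]($left / 1KB)) KB"
}

if ($Register) {
    # Run at logon under the current user's own rights: the cache is per-user,
    # so no elevation is needed and none is requested.
    $script = $MyInvocation.MyCommand.Path
    schtasks /Create /F /SC ONLOGON /TN $TaskName `
        /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$script`""
} else {
    Clear-TempInternetFiles
}
```

Run it once by hand first to confirm it reports a small cache afterwards; then run it with -Register (or pick a different /SC value such as DAILY in the schtasks line) to have it repeat without the browser's own setting being involved. Because the cache is per-user, the task is created in the logged-on user's context and touches nothing outside that profile.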