AntiVir and TDSS rootkit

Discussion in 'other anti-virus software' started by Durad, Sep 1, 2009.

Thread Status:
Not open for further replies.
  1. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    AntiVir is installed and up to date; it does not detect the TDSS rootkit. If I extract the infected files, all of them are detected.
     
  2. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Most AVs won't. It can't do any damage if it's zipped or archived. It's only when it's extracted that it will be detected and prevented from executing.
     
  3. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    Let me explain better:

    AntiVir is installed and up-to-date
    TDSS is running and active
    AntiVir does not detect it

    If I use a LiveCD, extract the files to a USB stick and scan them with AntiVir, then it detects all the files.

    So the thing is that AntiVir is unable to detect TDSS on an already infected machine.
     
    Last edited: Sep 1, 2009
  4. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Doesn't Avira even detect it if you do a scan with all settings at Max?
     
  5. Julian

    Julian Registered Member

    Joined:
    Sep 14, 2008
    Posts:
    103
    There are plenty of TDSS variants, no AV detects them all. But a good HIPS should help; KIS should even block all of them in auto mode.
    On Windows x64 no TDSS variant should be working.

    Edit: Oops, seems like active sample was meant here.
     
    Last edited: Sep 2, 2009
  6. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    Everything on maximum...
     
  7. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Öhm, you described exactly how a rootkit works. :ninja: It hides infected files from the system, so the file is hidden from the AV too.
    The LiveCD system is not affected, so the files can be caught.
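    The point above (the rootkit filters what the running OS can see, while an offline boot sees the raw disk) is the basis of cross-view detection. The following is an added illustration, not code from any poster here and not Avira's own engine: it compares a file enumeration taken inside the running system with one taken from a LiveCD of the same disk. All paths and file contents are constructed placeholders.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (hypothetical paths and contents, not real malware).
# LIVE_VIEW: what a scanner running inside the infected OS can enumerate/read.
# OFFLINE_VIEW: what a LiveCD scan of the same disk enumerates/reads.
LIVE_VIEW = {
    r"C:\Windows\System32\drivers\disk.sys": b"clean driver bytes",
    r"C:\Windows\System32\kernel32.dll": b"kernel32 bytes",
}
OFFLINE_VIEW = {
    # on-disk copy is patched, but in-OS readers are served the original bytes
    r"C:\Windows\System32\drivers\disk.sys": b"patched driver bytes",
    r"C:\Windows\System32\kernel32.dll": b"kernel32 bytes",
    # present on disk, filtered out of the live directory listing
    r"C:\Windows\System32\drivers\hidden.sys": b"hidden driver bytes",
}


def cross_view_diff(live: dict, offline: dict) -> dict:
    """Compare two enumerations of the same file system.

    hidden   -> on disk but absent from the live view (classic rootkit hiding)
    modified -> present in both, but the bytes differ (live reads are faked)
    phantom  -> only in the live view (unusual; worth a look, not a verdict)
    """
    live_hashes = {p: sha256(b) for p, b in live.items()}
    off_hashes = {p: sha256(b) for p, b in offline.items()}
    hidden = sorted(set(off_hashes) - set(live_hashes))
    phantom = sorted(set(live_hashes) - set(off_hashes))
    modified = sorted(
        p for p in live_hashes.keys() & off_hashes.keys()
        if live_hashes[p] != off_hashes[p]
    )
    return {"hidden": hidden, "modified": modified, "phantom": phantom}


if __name__ == "__main__":
    for kind, paths in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW).items():
        for path in paths:
            print(f"{kind}: {path}")
```

    In practice both views come from real directory walks and hashes over the same volume; the comparison logic is what the snippet shows.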
     
  8. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,075
    Durad,
    Are you testing this rootkit on a virtual machine or are you actually infected? See if this will remove it.
    http://www.esagelab.com/projects/
    http://www.esagelab.com/files/tdss_remover_latest.rar
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Is this a surprise...really?
     
  10. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Hmm I'm tempted to infect my own rig to try it ;)

    the avira forum has its own room to discuss issues related to malware. link
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Without comparing products, if you're still testing, does Hitman Pro remove it? There was a video showing it removing the TDSS rootkit, and it uses Avira as one of its removal engines.
     
  12. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    BTW Durad, for a proper rootkit search you have to start a dedicated scan task from the GUI: Local protection tab | Scanner | Rootkit search
     
  13. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    ... but it's the AV's job to detect malware, and most AVs and other specialist removal tools are indeed capable of detecting rootkit infections, and have been able to do so for some time now.
     