AntiVir and TDSS rootkit

AntiVir is installed and up to date, it does not detect TDSS rootkit, if I extract infected files all of them are detected.

 

Most AV's won't. It can't do any damage if it's zipped or archived. It's only when it's extracted that it will be detected and prevented from executing.

 

Let me explane better:

AntiVir is installed and up-to-date
TDSS is running and active
AntiVir does not detect it

if I use LIVECD and extract files to USB stick and scan with AntiVIr than it detect all files.

So the thing is that AntiVir is unable to detect TDSS on already infected machine.

 

Doesnt Avira even detect it if you do a scan with all settings at Max?

 

There are plenty of TDSS variants, no AV detects them all. But a good HIPS should help, KIS should even all block of them in auto mode.
On Windows x64 no TDSS variant should be working.

Edit: Oops, seems like active sample was meant here.

 

Everything on maximum...

 

Öhm, you exactly described how a rootkit works. It hides infected files from the system. So the file is hidden from the AV too.
LiveCD system is not affected so the files can be caught.

 

Durad,
Are you testing this rootkit on a virtual machine or are you actually infected? See if this will remove it.

Code:

http://www.esagelab.com/projects/

Code:

http://www.esagelab.com/files/tdss_remover_latest.rar

 

Is this a surprise...really?

 

Hmm I'm tempted to infect my own rig to try it

the avira forum has its own room to discuss issues related to malware. link

 

Without comparing products, if you're still testing, does Hitman Pro remove it? There was a video showing it removing the TDSS rootkit, and it uses Avira as one of its removal engines.

 

BTW Durad, for a proper rootkit search you have to start a dedicated scan task from the GUI: Local protection tab | Scanner | Rootkit search

 

... but it the AV's job to detect malware and most AVs and other specialist removal tools are indeed capable of detecting rootkit infections, and have been able to do so for some time now.