how can i find the path to a detection in AntiVir?

Discussion in 'other anti-virus software' started by iceni60, Jun 11, 2007.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i've got antivir and it says it found a rootkit using a sig, but the path it gives looks a bit like this c:\users\ice60\appdata\local\...\xxxxxxx i did a search for the file but i can't find it so i have no idea what it's flagging :mad: how am i suppose to know what ... is?? what am i suppose to do? it could be a rootkit, or a security program or a pentesting program. what do people normally do in this situation, i don't know what i'm suppose to do!!
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    so can antivir see files windows explorer can't? because i can't find that file so maybe it is a rootkit o_O
     
  3. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    since you are a linux user, you could boot into linux and see if the file can be seen from there. a file invisible to windows explorer is usual a sign of a rootkit. also make sure that the detected item isn't stored in an ADS (can be seen if : is used in the bath for example c:\windows:xxx.sys means that the sys file is stored in a stream attached to the windows folder)
     
  4. ASpace

    ASpace Guest

    As already mentioned , you need to removed the rootking in a non-Windows environment because the rootkit is not visible for Windows API.

    You may also try (in Windows environment) the MS Rootkit Revealer or post for more help in AVIRA AntiVir's forums
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i don't know if it's a rootkit or not because i've no idea what the path is. i don't know how the vista search works to know if the file is hidden or if the search is looking somewhere else. maybe antivir changed the permissions o_O i'll never know unless i know what ... is suppose to mean :rolleyes:

    how am i suppose to find out the path?
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    it's done it again!!!!! :mad: when i search for the file it's not there again!!!! and i don't have permission to search all the locations in AppData. how can i search within AppData\Local? i even ran the program as admin, but i still didn't have permission to search there.

    how am i suppose to know what the flagged file is? it doesn't show the full path to the file!!!!!!!!!
     

    Attached Files:

  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    I agree with you Iceni60, it is not very helpfull.
    But if you set the alert to ignore, you can later see in scan report the file path.
    Like this:
    C:\RECYCLER\S-1-5-21-1960408961-1637723038-682003330-1005\Dc10.zip
    [0] Archive type: ZIP
    --> eicar.com
    [DETECTION] Contains code of the Eicar-Test-Signature virus
    [WARNING] The file was ignored!
    C:\RECYCLER\S-1-5-21-1960408961-1637723038-682003330-1005\Dc11.zip
    [0] Archive type: ZIP
    --> eicar.com
    [DETECTION] Contains code of the Eicar-Test-Signature virus
    [WARNING] The file was ignored!

    Also that alert does not show even if it is just eicar, but some other thing, but then you can move that alert window a bit aside and look the other window. Still does not help about the file path that you can see later in the scan reports.
    Jarmo
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    ok, i found out where the path is shown, in events. and it's in the obvious place - the temp folder. i denied access to that file before so it's not there now. next time i get an alert i hope i can find the file before i make a decision :rolleyes:
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    Yes, if something is get from real time guard, it will be shown in 'Events'.
    On demand scand results on 'Reports'.
    At least it will not be a black box for you from now on.
     
  10. ASpace

    ASpace Guest

  11. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    Hello,

    If you hold your mouse over the partial path given on the antivir warning, doesn't it show the full path? I think it does on mine.
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i've had quite a few popups about malware, but i'm not that worried because they must be F/Ps, unless there's something wrong with vista?? i put the heuristics up to the highest level, is that screenshot an heurisitc alert?

    i haven't done anything wrong :cool: but, i just downloaded a eicar file to that temp folder so i can see if i can find the path if antivir finds it :D
     
  13. ASpace

    ASpace Guest

    Yes , AVIRA produced more FPs than the competition . Anyway , turn back this heuristic level to Medium , boot in Safe Mode and perform full scan with it
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    You have to be able to detect, before you can produce a FP.:rolleyes:
     
  15. Sportsfan1212

    Sportsfan1212 Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    So how many people put their heuristics on high? I have been using the default settings on the paid version.
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    iceni60, when detection pops up again simply put your mouse over the incomplete path shown and a small yellow box will show you the full path to the file. ;)

    Now, if you have this file in your quarantine choose to restore it to your desktop, then go to http://analysis.avira.com/samples/index.php and submit the file to Avira's VLab. You'll receive the analysis report in couple of hours. They will tell you if the file is infected or not. Good luck! :thumb:
     
  17. ahinterl

    ahinterl Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    31
    An example of not the best UI design. The programmers should be much more aware that path info etc. for such software are of utter importance and design their UI accordingly.

    In addition, too many developers neglect the fact that people use different screen resolutions and zoom factors (I mean the nice possibility in Windoze XP and up where you can adjust the screen dpi and introduce some kind of zoom factor) where real funny things can happen on the monitor (clipped text, unreachable because out of screen buttons etc.)...

    Andreas
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    mine are set to high except on the mailguard and no problems.:)
     
Loading...
Thread Status:
Not open for further replies.