How is AVG Anti Rootkit???

Discussion in 'other anti-malware software' started by cheater87, Apr 11, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    A nice tool from AVG, very simple, good for everyone...
    Considering the competition, a serious boost to AVG reputation. Nice, light, good apps, anti-virus, anti-spyware, now an anti-rootkit.

    Erik, rootkit is a legit term, just like driver. You can have good or bad rootkits, just like good or bad drivers. In your case, the found item is a good one.

    Mrk
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I haven't found one that cannot be removed with advanced use of the RKU tool, but that said, Rustock C is allegedly in the wild and no current ARK tool can see it, according to the author (PE386).

    In general, if you have an advanced forensic ARK such as RKU that *sees* the hidden files/driver etc., then its wipe-file ability will kill the active content of the file = RIP rootkit.

    With regard to system settings changes that might have been actioned by the bot, RKU will not undo these changes, and with the uglier malwares (Remote Access Trojans) sometimes the *changes* are best undone by a fresh OS install after reformatting, or at least that is the more common expert advice recently.

    In short, you can kill the active bot but some legacy might remain, such as a backdoor for later infiltration of the infected system :eek:
     
  3. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Thanks, fcukdat,
    That is helpful.
    Regards,
    Jerry
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Well, my copy always says I'm up to date, and then I check with the website (the link I gave) and it's not up to date :doubt:
    I manually copy the updates to the folder, with SAS turned off.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    They don't need to be malware, I just use malware as a group name for all the bad stuff. OK, I use infection.
    Any infection causes a change on your harddisk and it doesn't matter which change or where the change occurred.
    There was a change; if there was no change at all, nothing happened, it's that simple. Supernatural changes don't occur, that's stuff for movies.

    A frozen snapshot removes these changes, otherwise there is something wrong with the frozen snapshot itself, but there is NO PROOF of it, and as long as qualified people don't test a frozen snapshot to see if it indeed removes any kind of infection, I assume that a frozen snapshot works properly.

    Why don't they test frozen snapshots, like they do with all scanners? What is their problem? Beats me.
    My guess is that most people are brainwashed by scanners and act like there is nothing else.
    After so many years of scanners, don't you think it's high time to test something else for a change?
    Or don't they have enough brains to test something else or do something that has never been done before?
    I can't do these tests, I'm not the expert. I don't even know how to infect myself on purpose or what an infection looks like.

    Meanwhile, I keep my frozen snapshot, until somebody proves the opposite and when they do, I like to see it for myself first. :)
     
    Last edited: Apr 12, 2007
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey ErikAlbert (straying OT yet again, that's me :) )

    FWIW image rollback is good. I used the M$ Shared Toolkit (WDP feature) for some time and its integrity held for rollback up to a point one day. One particular infection targeted part of the software's functionality and subsequent hal.dll corruption occurred at the following boot. This happened 4 times after R&R from the same source and each time the OS became inoperable until reinstalled.

    FWIW I believe it was a targeted attack, so I wouldn't expect it to be a widespread issue. Also please bear in mind image rollback does not offer any same-session security unless other tools are used in addition to the rollback software :thumb:
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sorry, you are mixing everything together.
    An attack on any software is always possible and counts for EVERY software, including FDISR. What is common to all software isn't worth talking about.
    Put these attacks aside, because they have nothing to do with my question;
    I solved that problem already.

    I know that a frozen snapshot NEEDS security software, I never said it was a security software.
    Put that aside too, because it has nothing to do with my question.
    I'm working on that problem, so it's not a problem anymore.

    I only need ONE answer : Does a frozen snapshot remove any kind of infection or not ? :)
     
    Last edited: Apr 12, 2007
  8. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    AFAIK a frozen snapshot will not remove a Boot sector virus infection, but these are pretty rare nowadays.
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Going OT yet again, but I have just tried this 3 times in safe mode with unique B variants and each time SAS has detected & removed loaded Rustock B whilst in safe mode.

    Screenshot/image attached of Autoruns (Drivers) as benchmarking (RKU does not run under SM) and SAS full scan from safe mode attached.
    http://img365.imageshack.us/img365/9567/sasautolf1.jpg

    2nd SAS scan from regular mode picking off orphaned Rustock reg keys :thumb:
    http://img409.imageshack.us/img409/6109/sasph8.jpg

    So pass on why no-show for you, unless possibly you did not have SAS enabled to scan ADS, which is where the driver is loaded to?
    (4th box up, that is checked but not by default settings as it slows the scan down)
    http://img441.imageshack.us/img441/4133/sasccqr3.jpg

    HTH:)
     
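The post above hinges on one detail: the Rustock.B driver lives in an NTFS alternate data stream, so a scanner that skips ADS never sees it. The script below is an added example (not code from the thread, from SAS or from AVG) that enumerates streams directly through the Win32 FindFirstStreamW API, on directories as well as files, and flags anything that is not a default stream. The `lzx32.sys` stream name is taken from the thread; the `C:\WINDOWS\system32` owner path, the benign-stream list and the extension list are assumptions chosen for illustration, not facts the thread states.

```python
"""Enumerate NTFS alternate data streams and flag likely hidden payloads.
Added example; not the thread's, SAS's or AVG's code."""
import ctypes
import os
import sys

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Streams a clean file is allowed to carry (assumed list; tune for your estate).
BENIGN_STREAMS = {"::$DATA", ":Zone.Identifier:$DATA"}
# Image types that have no business living inside another object's stream.
EXEC_SUFFIXES = (".sys", ".dll", ".exe", ".scr", ".cpl")


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Yield (stream_name, size) for every stream on a file OR directory.
    Windows only: kernel32 FindFirstStreamW / FindNextStreamW / FindClose."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if h is None or h == INVALID_HANDLE_VALUE:
        return  # no streams at all, or access denied: treat as empty
    try:
        while True:
            yield data.cStreamName, data.StreamSize
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)


def classify_streams(owner, streams):
    """Return (owner, stream_name, size, reason) for every stream worth a look.
    `streams` is an iterable of (name, size) pairs as FindFirstStreamW reports
    them, e.g. ("::$DATA", 1024) or (":lzx32.sys:$DATA", 53248). Pure Python."""
    hits = []
    for name, size in streams:
        if name in BENIGN_STREAMS:
            continue
        # ":name:$DATA" -> "name"; anything odd is kept as-is
        bare = name.split(":")[1] if name.count(":") >= 2 else name
        reason = "non-default stream"
        if bare.lower().endswith(EXEC_SUFFIXES):
            reason = "executable image hidden in a stream"
        hits.append((owner, name, size, reason))
    return hits


def scan_tree(root):
    """Walk `root`, checking each directory itself as well as its files,
    because a dropper can attach the driver to a directory's stream."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                findings.extend(classify_streams(entry, list_streams(entry)))
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for owner, name, size, reason in scan_tree(root):
        print(f"{reason}: {owner}{name} ({size} bytes)")
```

Run it as an administrator (`python ads_scan.py C:\Windows\System32`). The caveat matches what the post does with safe mode: a kernel rootkit that is still loaded can filter directory and stream enumeration from this script just as it does from a scanner, so a clean result from a live, infected session proves little; run it from safe mode or against the volume mounted offline.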
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Can you recover it by restoring an IMAGE from Image Backup Software? o_O
     
  11. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Thanks fcukdat. A side question. Can SAS scan for the same rootkits (e.g. Rustock) when the option to scan alternate data stream is turned off? I wonder if the deep scan option in AVG Anti-Rootkit means scanning ADS while the simple scan does not.

    Oops, I did not read one of the previous posts which already mentioned the option to scan ADS within SAS.
     
    Last edited: Apr 12, 2007
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It depends on what kind of imaging software. Some do not rebuild the MBR.
    The safest way is to wipe the HDD contents (MBR, partitions, etc)
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's what I always do: zero my harddisks if I do a complete restore.
    Image backup softwares, like ShadowProtect and Acronis TI are able to do this.

    So I consider such a virus as a direct attack on FDISR and I already solved this problem.
    That still doesn't answer my last question, but don't bother, I know already nobody can answer that question. :)
     
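Posts #8, #12 and #13 above make the same point from three angles: a boot-sector infection sits outside the partition a snapshot or image covers, so a restore that does not rewrite the MBR leaves it in place, and zeroing the disk is the sure fix. The script below is an added example (not code from the thread, FDISR, ShadowProtect or Acronis) of the check a practitioner would want before trusting a restore: parse the first sector, verify the 0x55AA signature, hash the 440 bytes of boot code and diff the result against a baseline taken when the machine was known clean. The sample MBR bytes and the hypothetical disk signature and partition geometry are constructed for the test; the `\\.\PhysicalDrive0` path is an assumption about which disk to read.

```python
"""Record and compare an MBR baseline so a bootkit surviving a partition-level
restore is noticed. Added example; not the thread's or any vendor's code."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440    # bytes 0..439: the code the BIOS executes
DISK_SIG_OFF = 440     # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446   # four 16-byte partition entries
BOOT_SIG_OFF = 510     # 0x55 0xAA
PART_ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sectors


class MbrError(ValueError):
    """Raised when the sector is not a plausible MBR."""


def parse_mbr(sector):
    """Return the boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR:
        raise MbrError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise MbrError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def compare_to_baseline(current, baseline):
    """List the differences from the clean baseline; an empty list means the
    MBR is byte-for-byte what it was when the baseline was recorded."""
    diffs = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        diffs.append("boot code changed (bootkit or non-standard boot loader?)")
    if current["disk_signature"] != baseline["disk_signature"]:
        diffs.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        diffs.append("partition table changed")
    return diffs


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (needs admin; on Linux use e.g. /dev/sda)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR)


def build_mbr(boot_code, disk_sig, partitions):
    """Constructed helper: assemble a sector so the parser can be exercised
    without touching a real disk."""
    sec = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sec[:len(code)] = code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, n) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sec, PART_TABLE_OFF + 16 * i, status, ptype, lba, n)
    sec[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sec)


# Constructed samples: a "clean" MBR, and the same disk after the boot code
# was overwritten while the partition table was left intact. A snapshot or
# image restore of the partition alone would not undo the second one.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
PARTS = [(0x80, 0x07, 63, 20_964_762)]          # hypothetical single NTFS partition
CLEAN = build_mbr(CLEAN_CODE, 0x1234ABCD, PARTS)
TAMPERED = build_mbr(b"\xeb\xfe" + CLEAN_CODE[2:], 0x1234ABCD, PARTS)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN)
    for label, sector in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, compare_to_baseline(parse_mbr(sector), baseline) or ["no change"])
```

To use it for real, run `parse_mbr(read_mbr())` once on a known-clean machine, store the dictionary, and diff against it after every restore. The same caveat as for ADS scanning applies: a loaded rootkit can filter raw disk reads, so take both the baseline and the comparison from a boot CD or with the disk attached to another system, not from inside the suspect OS.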
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    What's your last question? o_O
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Does a frozen snapshot remove any kind of infection or not ?

    And don't confuse it with other problems like in post #32. Always separate problems from one another, if they have nothing to do with each other.
    That's what I learned as an application analyst.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd say yes, putting those targeted attacks (remember the famous DeepFreeze bug?) aside as you said.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Targeted attacks are common for ALL softwares, including FDISR.
    So that's nothing special. I use an IMAGE to recover from such an attack. Case closed.

    Well I hope it removes all kinds of infection, still not sure, but the copy/update of FDISR is very strong, Peter's latest test proved how strong it was, but it was not a test with infections.
    I wished I had some scientific proof of this, not just opinions or guesses. :)

    The difference between AVG Anti-Rootkit and a frozen snapshot is :
    - AVG AR reports only rootkits it knows about (including f/p's); all the rest remains on your computer.
    Asking a less-knowledgeable user which ones have to be removed is the same as asking your cat.

    - a frozen snapshot kills them all, without false positives and without knowledge.
     
    Last edited: Apr 12, 2007
  18. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    My understanding is a frozen snapshot is an image of the system partition. As long as you keep your data on a separate partition then it's easy to roll back.

    I suppose if some nasty infects you and it's not apparent to the user, the snapshot could be infected without you knowing it, since nothing is preventing it from getting there.

    I prefer full imaging, since you can completely recover and I don't mess around with my MBR, BOOT.INI or anything else. I acknowledge it's much faster to run off a snapshot than to restore an image, though.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It shows you are not a FDISR-user, too long to explain how everything works in FDISR. It has its own forum.
     
  20. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    Erik, I am not an FD-ISR user, but let's look at my 3 points and then you tell me if I'm right or wrong.

    1. If you keep your data on the C: drive with Windows and roll back, you'll lose your data. I know they have what they call anchoring, but all I'm saying, is that it does require you to think about how you store your data, if you roll back to a snapshot.

    2. You could have false security with a snapshot if there is an infection that is not picked up in some other way. Simply booting from a snapshot is not a 100% guarantee it is not infected. I know this is unlikely, but it is possible.

    3. I do believe FD-ISR makes some changes to the MBR or BOOT.INI in order to present you with the up to 10 snapshots to load from. In that way, it is NOT like a virgin XP system.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    1. A Rollback snapshot is the standard method of FDISR, designed for beginners; they have to start somewhere.
    Most experienced users don't have a rollback snapshot anymore, they all do it differently.
    I don't have a rollback snapshot anymore. If I rollback, I destroy my own snapshots.
    The same goes for keeping your data: some users keep it on the system partition, others on a data partition. Some users anchor, others don't anchor. Most users use only 2 snapshots, except Acadia, he uses 20 snapshots.

    2. FDISR is NOT a security software; each on-line snapshot needs to be protected by security softwares, just like a computer without FDISR.

    3. The latest build 202 has a different method and doesn't depend on the MBR anymore.

    FDISR has only technical rules; the user is completely free HOW to use it, and that's why every experienced user starts IMPROVISING. The only limit is your own imagination, and some users do it smarter than others.
    Ask Peter, he will tell you the same.
     
    Last edited: Apr 13, 2007
  22. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    So Erik, give me an idea of exactly how you do use it on a day-to-day basis. I use TI currently, and make an image at least once a week. I also back up my data from one drive to another, so in a worst case, I restore the image and then the data.

    How do YOU use FD-ISR to improve on this scenario, other than making it faster to get back to a previous state?

    I am interested in using FD-ISR.
     
  23. EASTER.2010

    EASTER.2010 Guest

    Wow, fascinating, isn't it? How far OT can we go, or let's just say temporarily detoured to bring attention to disaster recovery techniques offered by imaging and (Trumpets Please. FD-ISR) :D

    Seriously, while it is completely noteworthy mentioning all those benefits of imaging/rollbacks/snapshots (Don't forget Power Shadow!), for pity's sake aren't we the least bit intrigued on detailing some of the improvements or lack thereof being noticed from this AVG ARK?

    So far as RK detections, like fcukdat I rely heavily on RKU as forensic tool of choice, especially now that it can dig deep courtesy of the addition of revealing DKOM. Ice Sword and others still have their place, but I do believe AVG is still new in this field of dreams and has a way to go yet. Just an opinion.
     
  24. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Wow Thanks fcukdat! Really appreciate the trouble you took to show this.

    As to why it was different with my uncle's PC, I'm perplexed - ADS was definitely ENABLED. I even ran every scanner TWICE or THRICE (leaving out those scanners that caught nothing) after a full set of scans. Those I ran thrice were SAS, a2 & avira.

    Side question: The PC restarts, is that an unusual symptom for Rustock.B infection, or just lzx32.sys crashing the system due to some system incompatibility??

    When my uncle first described this symptom (he was suspecting faulty HDD), I was thinking possible Sasser worm as he also described Smitfraud infection. But when he actually brought the PC over to my place, I saw that the restarts occurred without prior warning (no 60 sec countdown), and that it regularly occurred 1-2 min after booting to desktop.

    Thanks & sorry OT,
    yeow
     
  25. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    P.S. Autoruns detects lzx32.sys? Wow, and I only just discovered Autoruns 2 days ago.
     