Unexpected window reboot during SAS's scan

Hi, folks:

This problem has never happened to me, so I am puzzled, please lent your help.
He, a good friend of mine living 150km away, has installed SAS free after my repeated pressures last weekend. He immediately suffered a setback.

According to him, during his first SAS quick scan-after detecting several ad wares-not completing the scan yet, his system automatically shutdown and reboot.

Why would this occur? does SAS have its own protection from being shutdown? Does not ?

Thanks.

 

Posted at SAS Forum as well? I think that is the best way.
SAS can't be shut down unless you tell so during setup or later on at the preferences tab. (choose recommended settings)
Cheers,

Gerard

 

It sounds like his PC is pretty hosed. Reboot to safe mode w/ networking, update, and run SAS again.

 

Just an off handed guess but SAS might have rebooted to get rid of a malware.

 

He might have enabled "Terminate memory threats before quarantining". This option is known to cause some issues on hosed PCs.

 

I had that problem a few months ago, cleaning my father-in-law's laptop. During SAS scan, a BSOD appeared for less than a second and the laptop rebooted. It was a rootkit causing it. Try disabling "terminate memory threats", if this doesn't work, try using a rootkit removal tool first.

 

Hi, folks.

Thanks for the help.

I will make a trip over his place to assist him as much as I could.

Meantime, just wonder, if indeed rootkit were the culprit, then it must be very nasty, being capable to terminate SAS's scanning duty. Then causing window reacting to reboot. SAS has a flaw hidden here ?

Rootkit is more mighty than traditional spyware that we all know ? !!!!

Take care.

 

btw the superantispyware 4.0 beta includes termination protection.
where as the released 3.9 doesnt.

 

Hi Perman,

As suggested earliar if SAS occurs BSoD during scan then the next step is too scan from safe mode.

Here's an angle for you to take on board think of malware RK's as softwares.Unlike legitimate software where the authors take time to Alpha/Beta test out compatability issue's these other softwares are released without too much testing behind them.

SAS is using kernel object manipulation in its engine so it is poking around in Ring0 as it scans and when it comes across certain malware RK's active from ring0 then there is incompatability event and BSoD ensue's.

For example on my setup the RK payload of Storm worm and Haxdoors cause BSoD when SAS trips over them in regular mode.Net result booting into safe mode allows SAS to detect and remove their files/reg entries etc as the RK's have'nt loaded under safe mode.

HTH

 

No hidden flaw - if a rootkit detects you "touching" it, it can BSOD the system - we have traced these issues down to poorly written kernel/rootkit drivers that don't properly handle buffers from user mode vs kernel mode.

Solution : Download SAS 4.0 - turn off Kernel Direct - leave DDA (Direct Disk Access) on, and scan from Normal Mode or Safe Mode - the DDA can't be detected by the rootkits.

 

Well thanks for sharing that Nick.....I would not have thought of that in this lifetime and could have saved myself quite a few safe mode runs

Just loaded wincom32 and Haxdoor(Poof) and tested it out for myself...what can i say no BSoD.....D'oh!

 

Hi,

Thanks all for the extra info derived from a seemingly simple tech question.

I learn each time, either by posting or by reading here.. What a great social club this forum is.

Take care.

 

Nick and Fcukdat should have their own TV tech show something along the line of Mythbusters.