Unexpected Windows reboot during SAS's scan

Discussion in 'other anti-malware software' started by Perman, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks:

    This problem has never happened to me, so I am puzzled; please lend your help.
    He, a good friend of mine living 150km away, installed SAS free last weekend after my repeated pressure. He immediately suffered a setback.

    According to him, during his first SAS quick scan (after it had detected several adware items but before the scan had completed), his system automatically shut down and rebooted.

    Why would this occur? Does SAS have its own protection from being shut down? Does it not?

    Thanks.
     
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Posted at SAS Forum as well? I think that is the best way.
    SAS can't be shut down unless you tell it so during setup or later on in the preferences tab (choose recommended settings).
    Cheers,

    Gerard
     
  3. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    It sounds like his PC is pretty hosed. Reboot to safe mode w/ networking, update, and run SAS again.
     
  4. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Just an offhand guess, but SAS might have rebooted to get rid of some malware.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    He might have enabled "Terminate memory threats before quarantining". This option is known to cause some issues on hosed PCs.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I had that problem a few months ago, cleaning my father-in-law's laptop. During the SAS scan, a BSOD appeared for less than a second and the laptop rebooted. It was a rootkit causing it. Try disabling "terminate memory threats"; if this doesn't work, try using a rootkit removal tool first.
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks.

    Thanks for the help.

    I will make a trip over to his place to assist him as much as I can.

    In the meantime, I just wonder: if a rootkit were indeed the culprit, then it must be very nasty, being capable of terminating SAS's scan and then causing Windows to reboot. Does SAS have a hidden flaw here?

    Is a rootkit more mighty than the traditional spyware that we all know? o_O !!!!

    Take care.
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    BTW, the SUPERAntiSpyware 4.0 beta includes termination protection,
    whereas the released 3.9 doesn't.
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Perman,

    As suggested earlier, if a BSoD occurs during a SAS scan, then the next step is to scan from safe mode.

    Here's an angle for you to take on board: think of malware RKs as software. Unlike legitimate software, where the authors take time to alpha/beta test for compatibility issues, this other software is released without much testing behind it.

    SAS is using kernel object manipulation in its engine, so it is poking around in Ring 0 as it scans, and when it comes across certain malware RKs active in Ring 0 there is an incompatibility event and a BSoD ensues.

    For example, on my setup the RK payloads of Storm worm and Haxdoors cause a BSoD when SAS trips over them in regular mode. Net result: booting into safe mode allows SAS to detect and remove their files/reg entries etc., as the RKs haven't loaded under safe mode.

    HTH :)
     
  10. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    No hidden flaw - if a rootkit detects you "touching" it, it can BSOD the system - we have traced these issues down to poorly written kernel/rootkit drivers that don't properly handle buffers from user mode vs kernel mode.

    Solution: Download SAS 4.0, turn off Kernel Direct, leave DDA (Direct Disk Access) on, and scan from Normal Mode or Safe Mode - the DDA can't be detected by the rootkits.
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Well, thanks for sharing that, Nick.....I would not have thought of that in this lifetime and could have saved myself quite a few safe mode runs ;)

    Just loaded wincom32 and Haxdoor (Poof) and tested it out for myself...what can I say, no BSoD.....D'oh! :D
     
  12. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    Thanks all for the extra info derived from a seemingly simple tech question.

    I learn each time, either by posting or by reading here. What a great social :) club this forum is.

    Take care.
     
  13. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Nick and Fcukdat should have their own TV tech show, something along the lines of Mythbusters.
     