Vba32 AntiRootkit 3.12.* beta

Discussion in 'other anti-malware software' started by sergey ulasen, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Re: Vba32 AntiRootkit 3.12.3 beta

    Tried again, but not in "Dedicated antirootkit desktop" mode, this time, and was successful. See screenshots.
     


  2. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    2Tarnak:

    Could you please send me dump file ?

    It should be in c:\windows\minidump directory.

    e-mail: arkit@anti-virus.by

    thx
     
  3. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    The BSOD was probably caused by Defender. It blocks driver loading, which may lead to a BSOD in some cases (usually with NVIDIA drivers). We will extend Defender's functionality in future versions to solve this potential problem.
    As for ctfmon.exe, Windows automatically starts it (and creates an autorun record) on a newly created desktop.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Re: Vba32 AntiRootkit 3.12.3 beta

    I just sent you the minidump.
     
  5. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    I've just taken a look at your minidump. As far as I can see, the BSOD was caused by safemon.sys, so I suggest contacting System Safety Ltd. regarding this problem.
     
    Last edited: Mar 16, 2011
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Re: Vba32 AntiRootkit 3.12.3 beta

    I can't... The program ceased development in 2008/09. ;)
     
  7. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.5.2 beta

    Yes, we are planning to develop it in the future.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    About an hour ago, whilst still having the GUI open as shown in my post #76 above, I decided to access the feature as per screenshot, but the mouse and keyboard became unresponsive. Had to hard reboot.
     


    Last edited: Mar 16, 2011
  9. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Did you use dedicated mode (or Vba32 Defender)?
     
    Last edited: Mar 16, 2011
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I have not tried the dedicated mode after that BSOD, earlier.

    But, I have had another BSOD.

    Code:
    STOP:0x1000008e  (0xc0000005, 0xb9f9f499, 0xb464dc48, 0x00000000)
    mkuk0aea.sys - address B979F499 base at B9F8A000, DateStamp 4d7b80fb
     
  11. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
  12. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    See your e-mail. Thx.
     
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Working well on my Vista SP2. :thumb:

    Siskel :thumb: Ebert :thumb:


    It would be nice if I could copy one or several selections from the results window; if needed, I can always create an HTML log later if more info is required.

    What is dedicated v. defender?
     
  14. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    :D

    You aren't the first to tell us about the necessity of this feature...
    I'm adding it to the feature requests list now.

    Vba32 Defender mode blocks the loading of new drivers and the launching of new processes. Be careful, because this mode is the default when you choose the dedicated desktop. Sometimes it can be the reason for a BSOD.
     
  15. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Basic log scan functions were working well on the first try. After trying the Low Level Scan, then cancelling (20%, 3 hours), then another log scan, it was frozen on the Process scanning section. Tried it with just process scanning again and it froze, no activity.
     
  16. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Hi Searching_ _ _,

    We know about this problem. I mentioned it in my first post:

    Thank you.
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Thank you. My memory is dodgy sometimes. :oops:

    No BSODs. After a couple of reboots it's working again; the file scan completed OK.

    Log file: Would like the option to exclude trusted items when saving the log.

    Are the base addresses memory locations or virtual addresses?
    Can I put the addresses into say Kernel Detective disassembler?
     
  18. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    We are fixing this problem now.

    I think it's an unnecessary feature. The "Don't display trusted items" option fulfils your request.

    Yes, they're virtual addresses. You can put them into disassemblers, debuggers, etc.
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    After the log is saved and loaded into FF 4, checking the box "Don't display trusted items" has no effect.
    vbadntdsplytrstitm.png
     
  20. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    This issue is already fixed in the alpha version. Sorry to the Firefox users.
     
  21. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5.3 beta

    Hiya!

    Vba32 AntiRootkit 3.12.5.3 beta build 222:

    Download link: http://anti-virus.by/en/beta.shtml

    Change list:

    + Listing filesystem minifilters
    + Operations on filesystem minifilters ( Unload, Unregister )


    A FileSystem Minifilters window (and a table in the report) has been added. There the user can find information about filesystem minifilter drivers. Two operations are also available: Unload and Unregister. Both are used to unload a minifilter from memory, but Unregister is less safe and can cause a BSOD.

    + Listing kernel devices ( Kernel Device Stack )

    A Kernel Device Stack window (and a table in the report) has been added. The window displays kernel device stacks, so the user can analyse what kind of stack malware uses.

    devices.png

    There are no operations on objects in the Kernel Device Stack yet. It's planned for the future.

    + View/delete for callbacks registered via FsRtlRegisterFileSystemFilterCallbacks

    It can be helpful.

    + Detection of DriverInit, DriverStartIo, DriverUnload hooks

    It can be useful to detect some versions of TDL.

    + Detection and restoration of hooks in Object Functions ( ObjectType hooks )
    + Object type hijack detection for drivers and devices


    Not a very widespread type of hooking (in view of its complexity), but it looks like malware and some security software use it.

    + Operations on open handles ( CloseHandle )

    Very useful function! It's available from the Process Manager window in the Handles tab.

    + Terminating status shown while the Process Manager is closing

    Closing the Process Manager window looks clearer now.

    * Fixed non-working checkboxes in the HTML report ( in Firefox )

    Sorry to the FF users, because we haven't supported you for 1.5 months. But now it's fixed.

    * Focus moved from the "YES" button to the "NO" button in the dedicated desktop request message

    As I wrote earlier, the antirootkit had some problems in dedicated desktop mode. This mode is no longer the default. In the future, of course, the problem will be solved in a more radical way.

    * Fixed GUI crash on machines infected with Trojan.Win32.VBKrypt
    * Overall robustness of the antirootkit was improved


    We have spent most of our development time increasing the stability of the application. We have fixed most known bugs that led to BSODs or hangs.

    * Help in Russian was improved

    A reminder of our e-mail: arkit@anti-virus.by.

    And thanks to everybody who sent us feature requests, errors and dumps. Your attention is very important to us!
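    The DriverInit/DriverStartIo/DriverUnload hook detection listed above, and the earlier answer that the reported base addresses are virtual addresses, both come down to one check: does each routine pointer in a DRIVER_OBJECT land inside the image that owns it? The C program below is an added example written for this page, not code from Vba32 AntiRootkit or its authors. It runs in user mode over a constructed module list and constructed DRIVER_OBJECT field values (the driver names and every address are made up); a real tool would read DriverStart, DriverSize and the three routine pointers from the objects in \Driver and \FileSystem and the module ranges from the loaded-module list. A routine that is non-NULL and outside DriverStart..DriverStart+DriverSize is reported together with the module it actually points into, or "<no module>" when it points at pool or an unlinked image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the DRIVER_OBJECT fields the check needs (constructed values only). */
typedef struct {
    const char *name;
    uintptr_t driver_start, driver_size;                /* DriverStart / DriverSize */
    uintptr_t driver_init, driver_start_io, driver_unload;
} driver_object_t;

typedef struct { const char *name; uintptr_t base, size; } kmodule_t;

enum { HOOK_INIT = 1, HOOK_STARTIO = 2, HOOK_UNLOAD = 4 };

static const kmodule_t *module_for(const kmodule_t *m, size_t n, uintptr_t va)
{
    for (size_t i = 0; i < n; i++)
        if (va >= m[i].base && va - m[i].base < m[i].size) return &m[i];
    return NULL;
}

/* A routine pointer is fine when it is NULL (not installed) or inside the driver's
   own image. Everything else is a hook; `why` receives a short explanation. */
static unsigned check_driver_object(const driver_object_t *d, const kmodule_t *mods,
                                    size_t nmods, char *why, size_t whylen)
{
    const struct { const char *label; uintptr_t va; unsigned bit; } ep[] = {
        { "DriverInit",    d->driver_init,     HOOK_INIT },
        { "DriverStartIo", d->driver_start_io, HOOK_STARTIO },
        { "DriverUnload",  d->driver_unload,   HOOK_UNLOAD },
    };
    unsigned flags = 0;
    why[0] = '\0';
    for (size_t i = 0; i < sizeof ep / sizeof ep[0]; i++) {
        uintptr_t va = ep[i].va;
        if (va == 0 || (va >= d->driver_start && va - d->driver_start < d->driver_size))
            continue;
        const kmodule_t *m = module_for(mods, nmods, va);
        size_t used = strlen(why);
        flags |= ep[i].bit;
        snprintf(why + used, whylen - used, "%s=%#lx -> %s; ", ep[i].label,
                 (unsigned long)va, m ? m->name : "<no module>");
    }
    return flags;
}

/* Constructed sample: loaded modules and three driver objects (no real addresses). */
static const kmodule_t sample_mods[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "atapi.sys",    0x80600000u, 0x00020000u },
    { "disk.sys",     0x80700000u, 0x00010000u },
    { "ntfs.sys",     0xB9F8A000u, 0x00090000u },
    { "evil.sys",     0xB4600000u, 0x00010000u },
};
static const driver_object_t sample_drivers[] = {
    /* clean: every routine inside ntfs.sys */
    { "\\FileSystem\\Ntfs", 0xB9F8A000u, 0x90000u, 0xB9F8B000u, 0,           0xB9FA0000u },
    /* DriverUnload redirected to memory that belongs to no listed module */
    { "\\Driver\\atapi",    0x80600000u, 0x20000u, 0x80601000u, 0x80602000u, 0xB8AA0000u },
    /* StartIo and Unload both point into another loaded driver */
    { "\\Driver\\Disk",     0x80700000u, 0x10000u, 0x80701000u, 0xB4601000u, 0xB4602000u },
};

static char last_why[256];

/* Demo helper: hook flags for one sample driver object; explanation in sample_why(). */
static unsigned sample_flags(int idx)
{
    return check_driver_object(&sample_drivers[idx], sample_mods,
                               sizeof sample_mods / sizeof sample_mods[0],
                               last_why, sizeof last_why);
}
static const char *sample_why(void) { return last_why; }

int main(void)
{
    for (int i = 0; i < 3; i++) {
        unsigned f = sample_flags(i);
        printf("%-20s %-6s %s\n", sample_drivers[i].name, f ? "HOOKED" : "clean", sample_why());
    }
    return 0;
}
```

    The same range test applies to IRP MajorFunction entries, with one difference: those legitimately point into ntoskrnl (the default IopInvalidDeviceRequest handler), so a whitelist of kernel-owned targets is needed there, whereas the three routines checked here are expected to live in the owning image or be NULL.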
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I tried to scan, but as you can see from the screenshot, it shows, " Error occurred while getting..."

    I will send the log by email.
     


  23. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Hello Tarnak,

    Do you have any security software that could block the loading of vba32arkit's driver?
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Hello Sergey,

    Nothing has changed since I last ran the program in March.
     


  25. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Hi everybody,

    I'm glad to present Vba32 AntiRootkit 3.12.5.4 beta build 293.

    Download link is the same: http://anti-virus.by/en/beta.shtml

    Change list:

    + Low-level operations with disk volumes. Support of MBR and GPT. Support of Microsoft/Veritas dynamic
    volumes ( Simple, Spanned, Striped, Mirrored and RAID-5 )


    Despite the fact that dynamic volumes are quite rare, this is a great step forward in our low-level disk access library. As far as I know, there is no other anti-rootkit that provides this feature.

    + Boot sector verification feature. Detection, view, dump and restoration of non-standard and forged
    loaders. Saving the primary boot sector in the HTML log.


    This might be the most interesting feature of the build. Finally we are able to detect, view, dump and restore forged and non-standard boot loaders ( which means we can fight many bootkits such as TDL4/Sinowal/Alipop/Rmnet/etc. ). However, I'd like to point out that we are still using the "old" TDL3 detection code, which can be bypassed on some types of disk controllers. We are currently working in this direction and will provide you with some advanced techniques in the near future.

    + Added detection and restoration of abnormal Global Descriptor Table (GDT) entries

    Usually used to give R3 code access to privileged instructions.

    + Increased the number of checked autorun items
    (LSA Providers, SubSystems\Windows and others)


    In every build we increase the number of checked autorun items.

    * Detection and restoration of IDT and SysEnter hooks were improved

    The GDT selector offset and the IA32_SYSENTER_CS register are now taken into account. In the previous builds the GDT selector offset was considered null, which is not right. Most arkit tools have the same bug, unfortunately.

    * Safe closure of protected handles ( CloseHandle )

    A serious bug indeed.

    * Checking standard Windows Firewall rules

    * Overall robustness of the antirootkit was improved

    * Help in Russian was improved


    Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports and kernel dumps are very welcome!
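    The boot sector verification announced above, as an added example (my own code for this page, not the Vba32 AntiRootkit implementation): it parses an MBR, recognises the 0xEE protective partition that sits in front of a GPT, compares the 440 bytes of loader code against a trusted reference copy, and validates a GPT header by recomputing its CRC32 with the CRC field zeroed. All sector contents are constructed inline and the "reference loader" is a made-up byte pattern; on a real disk the reference would be a backup taken from a clean system or a known-good loader image, and the sectors would come from the low-level volume access the post describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

#define SECTOR       512
#define MBR_CODE_LEN 440   /* loader code; 440..443 disk signature, 446.. partition table */

typedef struct { uint8_t boot, type; uint32_t lba_start, sectors; } part_t;
typedef struct { part_t p[4]; bool protective_gpt; } mbr_t;

static uint32_t rd32(const uint8_t *b)
{
    return b[0] | (b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}
static void wr32(uint8_t *b, uint32_t v)
{
    b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); b[2] = (uint8_t)(v >> 16); b[3] = (uint8_t)(v >> 24);
}

/* Parse the MBR partition table. Fails on a missing 0x55AA signature or a boot
   indicator other than 0x00/0x80, both typical of corrupt or planted sectors. */
static bool mbr_parse(const uint8_t *s, mbr_t *out)
{
    if (s[510] != 0x55 || s[511] != 0xAA) return false;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = s + 446 + i * 16;
        if (e[0] != 0x00 && e[0] != 0x80) return false;
        out->p[i].boot = e[0];             out->p[i].type = e[4];
        out->p[i].lba_start = rd32(e + 8); out->p[i].sectors = rd32(e + 12);
        if (e[4] == 0xEE) out->protective_gpt = true;  /* real layout lives in the GPT */
    }
    return true;
}

/* A bootkit keeps the partition table (the OS must still find its volumes) and swaps
   only the loader code, so the code bytes are compared against a trusted reference. */
static bool mbr_code_matches(const uint8_t *s, const uint8_t *reference)
{
    return memcmp(s, reference, MBR_CODE_LEN) == 0;
}

static uint32_t crc32_ieee(const uint8_t *b, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= b[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1)));
    }
    return ~c;
}

/* GPT header at LBA 1: "EFI PART" signature; the header CRC32 at offset 16 is computed
   over HeaderSize bytes with that field zeroed. An edited header with a stale CRC fails. */
static bool gpt_header_valid(const uint8_t *h)
{
    uint8_t tmp[SECTOR];
    if (memcmp(h, "EFI PART", 8) != 0) return false;
    uint32_t hdr_size = rd32(h + 12);
    if (hdr_size < 92 || hdr_size > SECTOR) return false;
    memcpy(tmp, h, hdr_size);
    wr32(tmp + 16, 0);
    return crc32_ieee(tmp, hdr_size) == rd32(h + 16);
}

/* Constructed sample sectors (made up, not taken from any real disk). */
static uint8_t ref_mbr[SECTOR], forged_mbr[SECTOR], gpt_hdr[SECTOR];

static void build_samples(void)
{
    memset(ref_mbr, 0, SECTOR);
    for (int i = 0; i < MBR_CODE_LEN; i++) ref_mbr[i] = (uint8_t)(0x33 + i);  /* stand-in loader */
    uint8_t *e = ref_mbr + 446;
    e[0] = 0x00; e[4] = 0xEE; wr32(e + 8, 1); wr32(e + 12, 0xFFFFFFFFu);       /* protective entry */
    ref_mbr[510] = 0x55; ref_mbr[511] = 0xAA;

    memcpy(forged_mbr, ref_mbr, SECTOR);
    forged_mbr[0] = 0xEB; forged_mbr[1] = 0x3C;   /* jmp short into planted code; table untouched */

    memset(gpt_hdr, 0, SECTOR);
    memcpy(gpt_hdr, "EFI PART", 8);
    wr32(gpt_hdr + 8, 0x00010000u);               /* Revision 1.0 */
    wr32(gpt_hdr + 12, 92);                       /* HeaderSize */
    wr32(gpt_hdr + 24, 1);                        /* MyLBA */
    wr32(gpt_hdr + 40, 34);                       /* FirstUsableLBA */
    wr32(gpt_hdr + 72, 2);                        /* PartitionEntryLBA */
    wr32(gpt_hdr + 80, 128);                      /* NumberOfPartitionEntries */
    wr32(gpt_hdr + 84, 128);                      /* SizeOfPartitionEntry */
    wr32(gpt_hdr + 16, crc32_ieee(gpt_hdr, 92));  /* CRC field is still zero at this point */
}

/* Verdicts over the samples: 0 reference MBR, 1 forged MBR, 2 intact GPT header,
   3 GPT header with FirstUsableLBA edited and the CRC left stale. 1 = check behaved. */
static int sample_verdict(int which)
{
    mbr_t m;
    build_samples();
    switch (which) {
    case 0:  return mbr_parse(ref_mbr, &m) && m.protective_gpt && mbr_code_matches(ref_mbr, ref_mbr);
    case 1:  return mbr_parse(forged_mbr, &m) && m.protective_gpt && !mbr_code_matches(forged_mbr, ref_mbr);
    case 2:  return gpt_header_valid(gpt_hdr);
    default: gpt_hdr[40] ^= 1; return !gpt_header_valid(gpt_hdr);
    }
}

int main(void)
{
    const char *label[] = { "reference MBR clean", "forged loader detected",
                            "GPT header CRC ok", "tampered GPT header rejected" };
    for (int i = 0; i < 4; i++) printf("%-30s %s\n", label[i], sample_verdict(i) ? "yes" : "NO");
    return 0;
}
```

    Note what this does and does not catch: a loader that differs from the reference is flagged even when the partition table is intact, which is exactly the TDL4-style case, but the check is only as good as the sector read behind it. If the read goes through a hooked disk stack (the "bypassed on some types of disk controllers" caveat in the post), the rootkit can hand back the clean sector and nothing here will notice.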
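    The abnormal-GDT-entry detection and the IDT/SysEnter improvement above, as an added example (written for this page, not the product's code). It decodes raw 8-byte x86 descriptors, flags a present DPL-3 call or task gate in the GDT (the usual way of handing ring-3 code a door into ring 0), and resolves an IDT gate to its handler's linear address as segment base plus gate offset, which is the case a tool gets wrong when it assumes the selector's base is zero. One caveat worth knowing: SYSENTER loads CS with a forced base of 0 regardless of what the GDT entry says, so IA32_SYSENTER_EIP is already a linear address; the example therefore only checks that IA32_SYSENTER_CS is the ring-0 code selector and that EIP lies inside the kernel image. The GDT layout, the kernel image range (NT_BASE/NT_SIZE) and the planted entries are constructed for the demo; selector 0x08 as the ring-0 code selector follows x86 Windows, where it is KGDT_R0_CODE.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Decoded 32-bit x86 descriptor. For gates, base/limit are meaningless and sel/offset
   carry the target; for code/data segments it is the other way round. */
typedef struct {
    uint32_t base, limit, offset;
    uint16_t sel;
    uint8_t  type, dpl;
    bool     present, is_system;          /* is_system: S bit clear (gate/TSS/LDT) */
} desc_t;

static desc_t decode_desc(const uint8_t d[8])
{
    desc_t s;
    memset(&s, 0, sizeof s);
    s.type      = d[5] & 0x0F;
    s.is_system = !(d[5] & 0x10);
    s.dpl       = (d[5] >> 5) & 3;
    s.present   = (d[5] & 0x80) != 0;
    s.base      = d[2] | (d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.limit     = d[0] | (d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    if (d[6] & 0x80) s.limit = (s.limit << 12) | 0xFFF;     /* G=1: limit in 4 KiB units */
    s.sel       = (uint16_t)(d[2] | (d[3] << 8));
    s.offset    = d[0] | (d[1] << 8) | ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    return s;
}

/* Encoders, used only to build the constructed sample tables below. */
static void put_segment(uint8_t d[8], uint32_t base, uint32_t limit_pages, uint8_t access)
{
    d[0] = limit_pages & 0xFF;  d[1] = (limit_pages >> 8) & 0xFF;
    d[2] = base & 0xFF;  d[3] = (base >> 8) & 0xFF;  d[4] = (base >> 16) & 0xFF;
    d[5] = access;
    d[6] = 0xC0 | ((limit_pages >> 16) & 0x0F);             /* G=1, D/B=1 (32-bit) */
    d[7] = (base >> 24) & 0xFF;
}
static void put_gate(uint8_t d[8], uint8_t type, uint16_t sel, uint32_t off, uint8_t dpl)
{
    d[0] = off & 0xFF;  d[1] = (off >> 8) & 0xFF;
    d[2] = sel & 0xFF;  d[3] = sel >> 8;
    d[4] = 0;                                               /* no stack parameters copied */
    d[5] = 0x80 | (dpl << 5) | (type & 0x0F);               /* P=1, S=0 */
    d[6] = (off >> 16) & 0xFF;  d[7] = (off >> 24) & 0xFF;
}

/* A present call gate (0x4/0xC) or task gate (0x5) with DPL 3 in the GDT lets ring-3
   code enter ring 0 with a far call/jmp: the "abnormal GDT entry" the post refers to. */
static bool gdt_entry_abnormal(const uint8_t d[8])
{
    desc_t s = decode_desc(d);
    if (!s.present || !s.is_system) return false;
    return s.dpl == 3 && (s.type == 0x4 || s.type == 0xC || s.type == 0x5);
}

/* Handler linear address of an IDT gate = base of the gate's code segment (looked up
   in the GDT) + gate offset. Returns false when the selector is unusable. */
static bool idt_gate_target(const uint8_t gate[8], const uint8_t *gdt, size_t gdt_entries,
                            uint32_t *linear)
{
    desc_t g = decode_desc(gate);
    size_t idx = g.sel >> 3;
    if (!g.present || (g.sel & 4) || idx >= gdt_entries) return false;  /* TI=1 (LDT) not handled */
    desc_t cs = decode_desc(gdt + idx * 8);
    if (!cs.present || cs.is_system || !(cs.type & 0x8)) return false;  /* not a code segment */
    *linear = cs.base + g.offset;
    return true;
}

static bool in_range(uint32_t va, uint32_t lo, uint32_t size) { return va >= lo && va - lo < size; }

/* Constructed sample (assumed layout, made-up addresses). 0x08 is the flat ring-0 code
   segment; 0x28 is a planted ring-0 code segment with a non-zero base; 0x38 is a planted
   DPL-3 call gate into the kernel. */
#define NT_BASE 0x80400000u
#define NT_SIZE 0x00200000u
enum { GDT_N = 8 };
static uint8_t sample_gdt[GDT_N * 8];

static void build_sample_gdt(void)
{
    memset(sample_gdt, 0, sizeof sample_gdt);
    put_segment(sample_gdt + 1 * 8, 0, 0xFFFFF, 0x9A);             /* 0x08: ring-0 code, flat */
    put_segment(sample_gdt + 2 * 8, 0, 0xFFFFF, 0x92);             /* 0x10: ring-0 data */
    put_segment(sample_gdt + 3 * 8, 0, 0xFFFFF, 0xFA);             /* 0x18: ring-3 code */
    put_segment(sample_gdt + 5 * 8, 0xB4600000u, 0xFFFFF, 0x9A);   /* 0x28: planted, base != 0 */
    put_segment(sample_gdt + 6 * 8, 0xFFDFF000u, 1, 0x92);         /* 0x30: KPCR-style segment */
    put_gate(sample_gdt + 7 * 8, 0xC, 0x08, NT_BASE + 0x1000, 3);  /* 0x38: planted call gate */
}

static int sample_abnormal_gdt_entries(void)
{
    int n = 0;
    build_sample_gdt();
    for (int i = 0; i < GDT_N; i++) n += gdt_entry_abnormal(sample_gdt + i * 8);
    return n;
}

/* which 0: ordinary interrupt gate via 0x08 into the kernel image.
   which 1: gate via the planted 0x28 segment; its offset 0x1234 looks harmless on its
   own, but the real handler is 0xB4600000 + 0x1234, outside ntoskrnl. */
static bool sample_idt_gate_hooked(int which)
{
    uint8_t gate[8];
    uint32_t target;
    build_sample_gdt();
    if (which == 0) put_gate(gate, 0xE, 0x08, NT_BASE + 0x2000, 0);
    else            put_gate(gate, 0xE, 0x28, 0x1234, 0);
    if (!idt_gate_target(gate, sample_gdt, GDT_N, &target)) return true;
    return !in_range(target, NT_BASE, NT_SIZE);
}

/* SYSENTER forces CS.Base = 0 whatever the GDT says, so EIP is already linear: check that
   the selector is the ring-0 code selector and that EIP is inside the kernel image. */
static bool sysenter_msrs_suspicious(uint32_t sysenter_cs, uint32_t sysenter_eip)
{
    return (sysenter_cs & 0xFFFC) != 0x08 || !in_range(sysenter_eip, NT_BASE, NT_SIZE);
}

int main(void)
{
    printf("abnormal GDT entries: %d\n", sample_abnormal_gdt_entries());
    printf("IDT gate via 0x08 hooked: %d, via 0x28 hooked: %d\n",
           sample_idt_gate_hooked(0), sample_idt_gate_hooked(1));
    printf("sysenter 0x08:nt+0x3000 suspicious: %d, 0x08:0xB4601234 suspicious: %d\n",
           sysenter_msrs_suspicious(0x08, NT_BASE + 0x3000),
           sysenter_msrs_suspicious(0x08, 0xB4601234u));
    return 0;
}
```

    The restoration side follows from the same arithmetic: to put an IDT entry back, the tool needs the original selector and offset pair, not just an offset, and if the selector it writes has a non-zero base the offset must be adjusted by that base or the restored handler lands in the wrong place.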
     