Vba32 AntiRootkit 3.12.* beta

Discussion in 'other anti-malware software' started by sergey ulasen, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I ran a scan except for processes...

    P.S. I then initiated a scan for the processes only...but it froze the system completely. Had to reboot.
     

  2. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    It seems that it's the same issue that you had before with the previous build. I will try to get back to you to resolve this problem when I return from vacation.
    Thanks for your interest in our product!
    Btw, I see that you have a non-standard MBR. Do you use Grub or Lilo or any other loader? Or maybe it's something "in the wild" for testing purposes?
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Thanks...Looking forward to it.

    As regards the non-standard MBR, it must be something I have added since May 10, as I have created further snapshots since. Interesting, anyhow...will try and find out what changed. ;)
     
  4. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Hi everybody,

    I'm glad to present Vba32 AntiRootkit 3.12.5.5 beta build 425.

    Download link is the same: http://anti-virus.by/en/beta.shtml

    Change list:

    + Native support of IDE and AHCI mass storage controllers.

    The main goal of this beta version. We spent thousands of hours studying specifications and debugging third-party drivers to provide the ultimate solution. AntiRootkit will work with most mass storage controllers directly; however, the current solution is incompatible with some hardware/software setups, such as the Nvidia4 chipset + original nvidia drivers ( there is no problem on the Nvidia4 chipset when using standard Microsoft drivers ). We are working to solve this ASAP, and if you're unlucky when starting antirootkit ( e.g. system hangs, BSODs ), you can use our product in compatibility mode ( /nodmsa command line switch ).

    + Vba32 Defender: interactive mode, white and black lists, hints for users implemented. Ability to start processes on a dedicated desktop.

    Functionality of Vba32 Defender was significantly increased for convenient use.

    + Basic self-defence functionality has been added.

    AntiRootkit successfully confronts most threats, including the latest ZeroAccess aka Max++, Trojan.Necurs, etc.

    + Ability to detach device from device stack

    Very useful feature.

    + Hidden driver detection technique ( raw memory lookup, only on Vista and later OS'es )

    Also may be very useful.

    + View/delete for ObCallbacks notificators

    For Vista SP1 and later OS'es.

    + Restore MBR and force reboot option

    Safer than using "Restore MBR and force reset"

    + Output of MD5/SHA1 for checked files

    Useful when using services such as VirusTotal.

    + "Don't display items with empty path name" option in drivers/services tool

    + Support of Windows 8 ( Developer Preview Build )

    * Issue with driver unload and loss of sound on some systems

    * Overall work robustness of antirootkit was improved

    * Help in Russian was improved


    Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports and kernel dumps are very welcome!

    Also, we began publishing "Detection & Removal" guides, drafts are available here:
    http://anti-virus.by/en/doc/Vba32 AntiRootKit vs TDL2.pdf
    http://anti-virus.by/en/doc/Vba32 AntiRootKit vs TDL4.pdf
     
    Last edited: Nov 22, 2011
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I tried to run the new version, but it locked up my system, i.e. clock in the systray stopped.

    It got as far as 'processes' and seemed as if nothing was happening, but I couldn't get Process Explorer to open, to see if there was any CPU activity.

    One good thing, I didn't get a BSOD this time around.

    After 30 minutes or so with nothing changing, I did a soft reboot via the button on my desktop tower.
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    After the reboot, I reloaded the program, but before initiating the scan, I shut down my AV, i.e. Vipre, WSA, and anything else I considered unnecessary.

    This time, omitting 'Processes' checking.

    However, after initiating scanning, and about 10 minutes later, the system clock stopped. During this time period, I had tried to take a screenshot using the 'Print Screen' button on the keyboard, but my system seemed unresponsive, i.e. screenshot was not saved.

    Scan started: 9:35 AM and finished 75 minutes later. This is the longest duration for a scan on my system ever. This does not seem normal.

    After the scan finished, I saved a copy.

    However, because the systray clock was stopped during scanning, I had to do another soft reboot to clear my system.
     
  7. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Tarnak, pls check your PM. We are looking forward to troubleshooting your issue. You can still use the /nodmsa command line switch to start antirootkit in compatibility mode.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I was looking for your PM, but when I didn't see it...I checked my e-mail. ;)
     
  9. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Re: Vba32 AntiRootkit 3.12.3 beta

    does it support x64 ?
     
  10. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    Currently doesn't. Only 32 bit systems.
     
  11. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Re: Vba32 AntiRootkit 3.12.3 beta

    Can't wait for the x64 version
     
  12. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    We are working in this direction, but unfortunately can't promise that we will release it soon.
     
  13. opcode

    opcode Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    37
    Location:
    united states
    Error log: Failure to load driver.

    Has there been a fix for this? I'm on Windows 7 32bit if that helps.

    Also one more question, does this rootkit have the ability to update its definitions?

    Thanks, looks like a strong product!
     
  14. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Hi, thanks for your interest in our product. We need more information to troubleshoot your issue:
    1. What version are you trying to launch? Is it the latest beta version or an old release?
    2. Do you have any other anti-malware program running? It may prevent loading the driver.
    3. The latest version doesn't use any definitions at all. It detects generic anomalies in the system. However, the next version will be able to use Vba32 anti-virus bases for more precise results.
     
  15. opcode

    opcode Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    37
    Location:
    united states
    Thanks for the reply. Yes I believe my other av software prevented it from loading. I will test this again to be sure and report back.
     
  16. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Hi everybody,

    I'm glad to present Vba32 AntiRootKit 3.12.5.6 beta build 500!

    Download links have been changed a little bit:

    http://anti-virus.by/en/beta.shtml ( .exe is about 500 Kb )

    ftp://anti-virus.by/pub/beta/vba32arkit_beta.zip ( regular version, what's new ( both in en and ru ) and russian help included, ~3.5 Mb )

    ftp://anti-virus.by/pub/beta/vba32arkit_full_beta.zip ( full version with AV kernel and AV bases, ~90 Mb )

    ChangeLog ( builds 493 and 500 ):

    + Volume Boot Sectors verification feature. Detection, view, dump and restoration of non-standard and forged loaders. Saving primary volume boot sector in html log.

    For detection / removal of Cidox/Carberp malware.

    + Ability to use Vba32 AV-Kernel to verify forged, locked files and boot sectors as well

    Simplifies the detection of complicated infections such as Cidox, Max++, TDLs, Sinowals, etc.

    Some examples ( attached screenshots ): tdl3.PNG, max___4.PNG

    + Force Delete option

    The function is able to delete files that have been opened exclusively or locked with LockFile/LockFileEx/.. functions. For mapped files, the function "Unmap in all processes and force delete" is available from Process Manager.

    * Functionality of Low-level disk access Scanner enhanced

    Checking of MBRs/VBRs/System Folder from the scanner tool. The functionality will also be enhanced in future versions.

    * Stability of direct mass storage access library was significantly improved

    Now we work MUCH more stably on supported hardware and provide direct access to the disk content on most IDE ( PATA/SATA ) / AHCI controllers!

    * Overall work robustness of antirootkit was improved

    Fixed possible BSODs on some MAX++ versions; also improved detection of the Sinowal variant which hijacks the \DR0 device object.

    * Stability of Vba32 Defender was improved

    * HTML-report was improved

    * Fixed some minor bugs in GUI

    * Help in Russian was improved

    As usual, please feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports and kernel dumps are very welcome!
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    What exactly are the advantages on installing the extended driver?
     
  19. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Thanks for responding, I will try to find the time to troubleshoot this specific problem.
    The extended driver is intended to start at an early stage of the OS boot process, thus it's able to monitor suspicious behavior of other system components that load later. Very useful feature to detect some hidden drivers ( for example, for TDL2 malware ). However, we only recommend using this option for in-depth analysis when it's not possible to identify the threat based on the standard log ( rare situation ).
    If you're interested, on Monday I can share 2 logs made on the same infected system in both standard and extended mode to see the advantages of the latter.
     
  20. groft

    groft Registered Member

    Joined:
    Feb 16, 2012
    Posts:
    6
    TDL4 for example
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Thanks for the explanations :) The logs would be nice btw.
     
  22. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    groft has already shared sample logs for TDL4, pls see the post above.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Ah, missed that, thanks for the logs :)
     
  24. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Hi everybody,

    I'm glad to present Vba32 AntiRootkit 3.12.5.7 beta build 588.

    Download link is the same: http://anti-virus.by/en/beta.shtml

    Change list:

    + Registry hives parsing mechanism has been added. Direct registry access is performed in the Autorun and Drivers & Services ( from Registry ) windows, and in the report as well

    Should have been done a long time ago.

    + Added Low-Level Registry Access Tool window. Operations on hidden, locked and forged registry keys / values

    We will expand this window functionality in the nearest builds.

    + Restoration of modified MBR partition table

    Needed for Rootkit.Boot.sst and similar malware treatment.

    + Vba32 Defender: added information about command line and parent PID ( for processes ). Ability to block the creation of new registry keys and the setting of registry values

    + Reboot on Exit option

    Very useful for fighting malware which constantly rewrites registry keys / values

    + Support of Windows 8 Consumer Preview. Support of Windows 8 Developer Preview has been dropped

    We are trying to support the latest builds.

    - Force reset option

    This is a redundant option. Force reboot works in all known cases.

    * Overall work robustness of antirootkit was improved

    * Stability of direct mass storage access library was improved

    * Stability of Vba32 Defender was improved

    * Fixed bugs in self-protection module

    * Fixed bugs in GUI

    We have spent a lot of time working on stability of this build.

    * Help in Russian was improved

    Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports and kernel dumps are very welcome!
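    The MBR-related items in this thread (the non-standard MBR reported on Tarnak's system, the forged-loader detection in build 500, the MD5/SHA1 output for checked objects, and the restoration of a modified MBR partition table in build 588) all come down to comparing a 512-byte sector against a known-good state. The following is an added Python example, not Vba32 code, that performs that comparison offline on a dumped MBR image: it verifies the 0x55AA boot signature, hashes the boot-code region (MD5/SHA1) against a baseline recorded while the machine was known clean, and sanity-checks the partition table for invalid status bytes, multiple active partitions and overlapping entries. The sample images, the baseline digest and every function name here are constructed for this example.

```python
"""Offline integrity check of a 512-byte MBR image (added example, not Vba32 code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


@dataclass
class PartitionEntry:
    index: int
    status: int        # 0x80 = active/bootable, 0x00 = inactive, anything else is invalid
    part_type: int     # 0x00 = unused slot
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count   # exclusive


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four entries: status, CHS start (skipped), type, CHS end (skipped), LBA start, count."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append(PartitionEntry(i, status, ptype, lba, count))
    return entries


def boot_code_digests(mbr: bytes) -> dict:
    """MD5/SHA1 of the boot-code region only, so a legitimately edited partition table keeps the hash stable."""
    code = mbr[:BOOT_CODE_LEN]
    return {"md5": hashlib.md5(code).hexdigest(), "sha1": hashlib.sha1(code).hexdigest()}


def check_mbr(mbr: bytes, baseline_sha1: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if baseline_sha1 is not None and boot_code_digests(mbr)["sha1"] != baseline_sha1:
        findings.append("boot code differs from known-good baseline (non-standard loader)")

    entries = [e for e in parse_partition_table(mbr) if e.part_type != 0x00]
    active = [e for e in entries if e.status == 0x80]
    for e in entries:
        if e.status not in (0x00, 0x80):
            findings.append(f"partition {e.index}: invalid status byte 0x{e.status:02x}")
        if e.sector_count == 0:
            findings.append(f"partition {e.index}: zero-length partition")
    if len(active) > 1:
        findings.append("more than one active partition")
    for a in entries:
        for b in entries:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_mbr(boot_code: bytes, entries: List[tuple]) -> bytes:
    """Assemble a synthetic MBR from boot code and (status, type, lba_start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data (not a real disk image): a clean layout and a tampered copy of it.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)])
BASELINE_SHA1 = boot_code_digests(CLEAN_MBR)["sha1"]   # recorded while the machine was known-clean

# Tampered copy: first boot-code bytes replaced and partition 1 moved so that it overlaps partition 0.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + CLEAN_BOOT_CODE[2:],
                         [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 100000, 409600)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, boot_code_digests(image)["sha1"], check_mbr(image, BASELINE_SHA1) or "OK")
```

    On a real system the 512-byte image would come from a raw sector dump, and the baseline must be taken while the machine is known clean: boot code legitimately differs between Windows versions and third-party loaders such as Grub or Lilo, which is exactly why a "non-standard MBR" verdict (as in the exchange earlier in this thread) is a prompt to investigate rather than proof of infection.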
     
  25. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Hi,

    How to check 'Use Antivirus kernel'? It's greyed.

    Where to analyze the Vba32 Antirootkit online ?

    Thanks in advance
     