aswMBR questions

  1. As far as I can see in this topic: http://forum.avast.com/index.php?topic=92035.15 the new version is able to save the current MBR as a file. Is it also able to restore the saved MBR?
  2. The aswMBR has no digital signature and I can’t find the checksum for it anywhere. Rather unusual for a security product. Anyone know where to find the developers info?
    Best regards
    Uncle Scrooge

Yep it is an inhouse product for Avast http://public.avast.com/~gmerek/aswMBR.htm

Yes, I have seen that page, which is neither informative nor updated.

The page is only updated when a new function is added

It will not restore the saved MBR as it may be infected. We have a variety of other tools that can perform that job

The properties tab gives the relevant data

Which other tools?
The properties tab does not tell if you have downloaded the original file, a checksum is needed.
Thanks
Uncle Scrooge

It depends on the type of MBR infection:

aswMBR will cure TDL4/sinowal/zero access
TDSSKiller will cure TDL3/4 Sinowal
After this you will need to use a more specialist tool involving using a linux based operating system to cure it

As for the checksum, that would need to be addressed to Avast

So, you break almost any rule for reasonable behaviour by downloading and using aswMBR.
You download a non-signed program from a non-official, non-SSL web page. The creator doesn’t provide any checksum, so you don’t even know if it is the correct file.
You then execute the unknown program, which is able to modify your MBR.
Perhaps you even give the program administrative privileges so it can do kernel-mode actions.
Wow, this is really so absurd that even the best antivirus program can’t prevent attacks :o
Best regards
Uncle Scrooge

Sorry, I do not really know what you are getting at… The programme is downloaded from the correct location. I know the author. There are a lot of tools out there without checksums that are regularly used to remove malware.

And what does a checksum prove? Malware has checksums, including the TDL family!!
Programmes are downloaded every day from non-SSL sites - CNET, FileHippo, etc., etc.

When a system file is suborned it keeps a checksum, not the right one, but a checksum all the same

Do you check Windows updates before they install? As your system could be compromised to download them from anywhere
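The point argued above, that a checksum only helps when the expected value comes from somewhere the attacker cannot also rewrite, as an added Python example (not code from the thread or from Avast; the file bytes are constructed samples, not the real aswMBR binary):

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a downloaded tool, plus a tampered copy.
ORIGINAL = b"MZ-constructed-sample-tool-bytes-not-the-real-aswMBR"
TAMPERED = ORIGINAL + b"\x00"  # one extra byte is enough to change the digest


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the given bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded file against a digest obtained OUT OF BAND.

    `expected_hex` must come from a channel independent of the download
    (a signed release note, a vendor page over TLS, a value you pinned
    earlier); hmac.compare_digest keeps the comparison constant-time.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def checksum_from_same_channel(served_bytes: bytes) -> str:
    """Model the weak case from the thread: the checksum is published beside the
    file on the same unauthenticated page. Whoever can replace the file can
    also replace this value, so a match proves integrity of what was served,
    not who produced it."""
    return sha256_hex(served_bytes)


def main() -> None:
    pinned = sha256_hex(ORIGINAL)  # obtained independently in the good case
    print("original vs pinned:", verify_download(ORIGINAL, pinned))    # True
    print("tampered vs pinned:", verify_download(TAMPERED, pinned))    # False
    # Same-channel checksum: the tampered file "verifies" against its own digest.
    print("tampered vs same-channel:",
          verify_download(TAMPERED, checksum_from_same_channel(TAMPERED)))  # True


if __name__ == "__main__":
    main()
```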