Avast marks mbamswissarmy.sys as rootkit

I am sure this is an FP.
Please correct the database update.
Location: C:\Windows\system32\drivers\mbamswissarmy.sys

This is a part of Malwarebytes.

Tevion

No detection here, do you have the latest update 100615-1?

Yes, of course I had the latest update 100615-1.
It was done when the FP warning window opened.

The path also is entered in the general exceptions to Avast.

A Quick Review just did not reveal any other rootkit message.

No alerts here.

100615-1

File: mbamswissarmy.sys
CRC32: DF16EDD9
MD5: 7364D8A830F91C487F430A57FDBD2BBB
SHA-1: 3A693F4E63E130B9CDD284FA7036D04DD457DDC8

No alert 100615-2 with PUP on.

For me, if I run an MBAM scan with the avast! memory scan, then avast will detect its service as a virus, but it doesn't matter; I don't recommend running 2 or more scans at once anyway. :wink:

For those who are saying no problem here or words to that effect (other than Pondus), are you using the MBAM Pro version as the OP is? If not, then you aren't able to replicate this if there are no MBAM resident protections enabled.

What FP warning window?

I assume this is the anti-rootkit scan about 8 minutes after boot which detects this; if so, that doesn't follow the general exclusions (on-demand scans only) as far as I'm aware.

A Quick scan doesn't launch the anti-rootkit scan; that is only part of the Full System Scan (or custom scan), so I would say that is why there is no rootkit detection with that scan.

For those who are saying no problem here or words to that effect (other than Pondus), are you using the MBAM Pro version as the OP is? If not, then you aren't able to replicate this if there are no MBAM resident protections enabled.
@DavidR not sure if this makes any difference, but he is on Win7, me on WinXP.

No detection here with me with 100615-2

rm

That is the sort of thing I'm trying to get at, as those with MBAM Pro should in theory all be getting the detection if the resident functionality is enabled.

The only other person I can recall is YoKenny, who has MBAM Pro and Win7 also. He has a Win7 and an XP Pro system, but I don't know if he has MBAM Pro on both. So his would be a good test bed if it detected on one but not the other, or not on either.

Pro version, Realtime scanning, No exclusions under Avast, Vista.

@DavidR

I have MBAM Pro on both systems.

I do not have any Exclusion entries in Windows 7, but I do have C:\Windows\system32\drivers\mbamswissarmy.sys in my XP Pro system, as I was testing avast! Internet Security a while back and it is needed for MBAM to be able to auto update.

Same db and everything is ok here.

Thanks for that, as it is even more strange that it is happening to Tevion then, as your setup in Win7 would be the same. The General Exclusions in avast shouldn't have any impact on the anti-rootkit scan, I believe, just the user-initiated on-demand scans.

So all I can think of is the MBAM Pro version number used by Tevion, as there was something about this MBAM driver before, if I remember correctly.

I just did a Quick scan on Windows 7.

* avast! Scan Report

  • This file is generated automatically
  • Scan name: Quick scan
  • Started on: Wednesday, June 16, 2010 10:03:53 AM
  • VPS: 100616-0, 06/16/2010

Infected files: 0
Total files: 30212
Total folders: 18329
Total size: 12.5 GB

  • Scan stopped: Wednesday, June 16, 2010 10:06:01 AM
  • Run-time was 2 minute(s), 8 second(s)

Read Firefox’s response to MBAM_ERROR_UPDATING, Problems updating topic:
http://forums.malwarebytes.org/index.php?s=&showtopic=53535&view=findpost&p=265339

The Quick scan doesn't run the anti-rootkit scan; that is only part of the Full System Scan (or custom scan), so I wouldn't expect it to produce a rootkit detection.

I have had this detection before while using MBAM Free…

It could be that an MBAM scan was run while the rootkit scan took place.
(IIRC I got that alert shortly after a boot and running MBAM…)

What FP warning window?

Sorry, wrong designation, I had meant rootkit - see the appendix in my first post.

I assume this is the anti-rootkit scan about 8 minutes after boot which detects this; if so, that doesn't follow the general exclusions (on-demand scans only) as far as I'm aware.

A Quick scan doesn't launch the anti-rootkit scan; that is only part of the Full System Scan (or custom scan), so I would say that is why there is no rootkit detection with that scan.

Yes, DavidR, you are right, this was an automatic detection after boot.

A quickscan includes system drive, rootkits (fast scan) and startup programs.

Besides, today I had no Avast startup warning ;D

Tevion

Thanks for that; presumably the avast Quick Scan's rootkit (very quick scan) check doesn't go to the same level as the auto rootkit scan after boot.

Normally after such a detection avast gathers information for analysis, which can be used to modify the rootkit scan; perhaps this is why. Previously they used to have a section in the alert window to allow the sample to be sent to avast for analysis. Now there is the avast community setting, which, if you subscribe, may well do that automatically.

No problem with the Full scan either.

* avast! Scan Report

  • This file is generated automatically
  • Scan name: Full system scan
  • Started on: Wednesday, June 16, 2010 3:08:02 PM
  • VPS: 100616-0, 06/16/2010

Infected files: 0
Total files: 213759
Total folders: 18469
Total size: 83.0 GB

  • Scan stopped: Wednesday, June 16, 2010 3:16:37 PM
  • Run-time was 8 minute(s), 35 second(s)

Yes, it looks like the Quick scan rootkit check (very fast scan) and the Full scan rootkit check (fast scan) don't go into that much depth, but the one 8 minutes after boot is a full rootkit scan. Though that would presumably have found it anyway.

So it is a bit of a mystery why it happened to Tevion and not you on the boot rootkit scan. Unfortunately it can't really be investigated further, as now Tevion doesn't detect it either; it looks like the condition that caused the alert no longer occurs, or avast has modified the detection.