avast rootkit

system · 2017-06-16T22:40:47.000Z

Hey guys, today i found after deep scan this:

C:\ProgramData\Microsoft\Windows Defender\Definition Updates{960E7296-B0DD-49C5-BE4F-9AA0EC444E37}\nisbase.vdm …and the same path but to file …nisfull.vdm

Threat:high, rootkit:hidden file, cannot repair/delete/clean as the file(s) are probably in use by windows defender…

Should I worry or is it probably not real?

Im using Win 10 , ultimate edition, 64bits, avast free

DavidR · 2017-06-16T23:40:18.000Z

The problem with two AVs on one system is the likelihood of detections of each others virus definitions.

This from the path given is in that area definition updates.

When a third party AV (Avast in this case) is installed, windows should shutdown defender to avoid conflict. Whilst windows update will still be trying to keep the virus definitions up to date, which could also cause issues unless these updates/definitions are encrypted they could be a false positive detection.

A search for one of the two files https://uk.search.yahoo.com/search?p=nisfull.vdm should give you an idea of what I have been saying.

system · 2017-06-16T23:48:56.000Z

From path and googling etc. I got very much the same feeling, that it is false report. However just wanted to ask…better ask than be sorry

I´m using Avast + defender for long time and you are right, defender is off all the time. However from time to time i just do scans with both. Because why not…so Avast probably detected todays definition update for defender.

Thx for link, majority of my googling were in style “avast + rootkit win def …vdm” …2AM here so my brain is not working at full.

Anyway thx

DavidR · 2017-06-17T07:58:45.000Z

You’re welcome, not so much a false report as such as AVs are looking out for signatures and unencrypted signatures from other security applications could get pinged.

Recently with all of the ransomware exploits flying around MS has been forced to do some updating to their own software (both OS and windows defender). This activity and your deep scan (?) could have been the trigger.

Announcements