and the user chooses to ignore the item detected, moreover it also checks the box near do not tell me about this rootkit in the future.
Questions:
Is the ignored item added to the exclusion list of the File System Shield?
Or is it added to a different “internal” exclusion list not accessible via GUI?
I treat them in much the same way I would for any other detection.
Never delete (first do no harm), until you have investigated and are 100% sure of the detection.
That investigation can take many forms:
1: Start with your visit to the avast forum, and search as it is highly unlikely that you will have been the first.
In the unlikely event there is nothing on the forums, then hit google searching for the file name and see what information it brings.
You should be able to get an idea of what the file is and if it is likely to be legit.
Is this a file that has been on your system for some time (check the file properties)? If so, then it is possible that it could be a false positive.
Have you been experiencing any strange occurrences or symptoms that might be down to malware? If not, then there is a possibility of an FP, especially if the above also returns nothing untoward.
Upload the file to virustotal for analysis. In the case of a rootkit detection like this one then there is zero point in doing this as VT can’t replicate the anti-rootkit scan. That can only be done on a live system.
EDIT ####
It is, as far as I’m concerned, a mistake to choose this option “do not tell me about this rootkit in the future”, as you will never know if it was an FP which has been corrected, as you won’t be told. If it is an FP and that gets corrected then you won’t get any alerts, so how would you tell the difference?
With the Rootkit scan, I see nowhere that I can change the default action of “Delete now”. When I got the alert I chose Ignore, but others using this computer might not do so. I realize in this particular instance that no real harm would have been done, as it is easily restored if deleted.
Thanks for the reply, although I wish it were otherwise. That leaves the computer’s administrator with little option to protect the system from less knowledgeable users using limited Windows accounts, since Avast is run with and has System rights.
Then do as suggested in the many other topics on this: ensure you have the latest VPS update 111206-2 and reboot; 8 minutes after the boot the rootkit scan happens and you shouldn’t get an alert.
See image extract of the end of the aswAR.log file run after a reboot on my system with that VPS.
If your issue is different than the sfloppy.sys detection which the above cures, then start your own new topic in the viruses and worms forum.
Thank you for your kind and detailed reply, DavidR. However, I didn’t ask about how to treat a rootkit detection or how to investigate a potential false positive - it’s probably due to my poor English, sorry…
The question was about a specific user’s action:
When a user chooses to ignore the suspicious object and chooses also the “do not tell me about this rootkit in the future” option, is the ignored item added to the exclusion list of the File System Shield?
Or is it added to a different “internal” exclusion list not present in the GUI (maybe something related to GMER)?
I have said that checking that option is I feel a mistake as you have no way of telling if this was an FP if it has now been resolved.
The anti-rootkit scan is based on GMER (the developer is now with avast) and the idea is to try and get away from the user having to analyse the results and make a decision. That is where the avast anti-rootkit scan tries to keep it simple and takes the decision to ‘recommend’ Delete or Ignore, but the user can override that recommendation.
There are no user-set anti-rootkit GUI options, so they can’t add something to an exclusion as such. Other than the “do not tell me about this rootkit in the future” option on a detection, which doesn’t exclude it from the scan (as far as I’m aware), it just does as it says: “do not tell me about this rootkit in the future”.
Given that there isn’t any anti-rootkit GUI element I don’t know where this “do not tell me about this rootkit in the future” option would be stored (perhaps one of the .ini files). This is why I’m concerned about selecting that option as I don’t know if there is a way to reverse it.
I’d like to point out that my questions were only theoretical questions - perhaps it was not so clear. The only purpose was and is to learn more about that particular Avast! feature.
Moreover, like you, I do think that checking that option would be a mistake.
Given that, I also suspect that some .ini file could be involved in storing that setting.
It’d be very useful to know if there’s a way to reverse the user’s action (“do not tell me about this rootkit in the future”). For example, editing a .ini file (providing such .ini file exists). Anyway, if in the near future you should find out more, please let us know.
The .ini files can be edited (using Notepad only), with the usual “this can seriously spoil your day” warning. That assumes we were able to find which one it is stored in, as I see none for the anti-rootkit scan. Since I have never applied that option in any rootkit alert, it isn’t something I can search for.