After having used Avast for about 5 years, I now dropped it because this antivirus does not identify rootkits. In several instances, I tested it out with srosa.sys and hldrrr.exe (which are very common) and it did not identify this ruthless malware in the files which create them. It’s only when they are on your pc that Avast recognizes them and it is unable to destroy them. Actually, Avast does get rid of them but they come back at the following reboot and you have to use other means to throw them out indefinitely.
Indeed, avast missed a hldrrr.exe for me a long time ago, but it was before the rootkit module. I’ve thought it should detect it just after booting (8 minutes by default) while the antirootkit scanning is performed.
The main point is Avast does not detect the Beagle even when you run a scan on the files which contain it. AVG-Antispyware neither, for that matter. As soon as your pc is infected, the system crashes and reboots. It’s when all of XP is ready to run that Avast detects hldrrr.exe. What’s the use? The harm is already done. And on top of that, Avast is incapable of getting rid of the rootkit even after detection. This is quite an old malware and it’s surprising that it still gets through certain anti-viruses.
What is this rootkit module you mention? My Avast version was up to date.
Not really sure that this occurs all the time. Avast could handle a lot of rootkit infections very well.
Shame…
It is inside of avast engine and came from GMER technology (the best around imho).
It will basically just look for hidden services and drivers, that’s it. I.e. it will take a list of loaded services and drivers (which means a list of roughly ~200 items on a typical XP machine) and compare these results with a low level scan. As I said, it should be fairly fast (not noticeable). It was introduced by version 4.8.
GMER technology is also used by several other fine programs
however there are other fine Rootkit scanners
Polonus has one he recommends, perhaps he will post it up
I do not think that any of them are 100% perfect
what are you doing for prevention?
Self defense module: Yes it was enabled as I did not tick the “disable” option in the settings. In 2 cases out of 3, Avast was still around while Sygate was deactivated the 3 times.
Avast was unable to get rid of the rootkit the 3 times. It was thanks to ComboFix that I got rid of the rootkit in every case. Couldn’t Avast do something similar?
I believed that somebody from Alwil would look into things when I reported this lack a few weeks ago. Apparently not since, once again, I carried out a test with Avast which did not detect a Bagle Trojan. AVG Anti-Spyware neither. Only G-Data did. Is there a deadline for Avast to handle rootkits efficiently?
hldrrr.exe and srosa.sys (at least the variants which arrived at our viruslab) should be detected already… but that’s only a part of beagle infection… each new variant comes up with a Themida-packed executable, which is very hard to analyse (you can google something about Themida)… beagle itself is kept up to date all the time and discovers new ways how to hide itself, how to kill AV programs etc… it’s a typical cat & mouse game and in this case it is almost impossible to make some proactive detection when you don’t want to blacklist the whole Themida packer…
Plus from my experience I have yet to see any AV stop Beagle/Bagle in its tracks. I have cleaned it from machines running nearly all AVs available both free and commercial. It destroys most AVs requiring a re-install, but Avast still functions albeit without finding the latest variant of trigger (changes all the time)