Friday, April 18th 2014, 2:31am

1

Tuesday, November 25th 2008, 8:47am

Rootkit scan problem!!

I thought I could not run a rootkit scan since I still have the standalone version installed? It ran though just now and I am not happy as it went into MyPrivate folder! In the past it NEVER entered that Microsoft protected folder and it has no business doing so now. It wanted to quarantine EVERYTHING in the folder. That is a sealed, password protected folder and it has no business inside it. It used to report the folder itself as suspicious because the folder is password protected and it couldn't enter it. So, how the heck did it get past the password this time?

How do I exclude it for a rootkit scan? In LukeFilewalker's exclusion window? If the rootkit scanner can take a sealed, hidden, private, password protected folder and get inside it then are Guard and Lukefilewalker able to do the same now?! Do I need to exclude it from Guard? I don't understand how the scanner got past the password. It should not have been able to do that. It should have simply reported MyPrivate folder as suspicious without breaking the password and looking inside.
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

Radu Gheorghe

2

Tuesday, November 25th 2008, 11:04am

Hello Mele20,

I'm not sure it really went into the folder and scanned the contents. It's more likely that it saw it as hidden and asked you to quarantine it all. Do you use Microsoft Private Folder for this?

To answer the rest of your questions: you can't exclude items for a rootkit scan, because it doesn't actually scan files, it just searches for hidden objects. Guard doesn't include rootkit scanning, only the on-demand scanner can do that if you choose to. And if the on-demand scanner searches for rootkits, it will behave just like the standalone tool, but with another graphical interface.
Radu Gheorghe
Avira Operations GmbH & Co. KG

kevin009

3

Tuesday, November 25th 2008, 12:07pm

Hello Radu and Mele,

I use Lock Folder XP here. AntiVir Rootkit scanner (in the free version) was able to detect the hidden folder and quarantine the hidden (private) data in the hidden folder without entering the password. I found that then the user could restore the files to a normal folder or any location and access the files (same problem as Mele20).

Is it not possible to exclude the data hidden by such "locking software" from being quarantined? Otherwise who would buy such software like Lock Folder XP and Folder Lock if the security of their data cannot be protected by any means?

So, Radu, can you please ask internally whether this special "Rootkit" exclusion can be added to Avira's To Do List?
I mean that legitimate software like MyPrivate folder, Lock Folder XP and Folder Lock should be recognized as legitimate by AntiVir and be allowed to hide their data.


4

Tuesday, November 25th 2008, 12:49pm

Hi Radu,

Rootkit scanner, when it finished the scan, (I had it minimized during the scan) popped up a message listing the ENTIRE CONTENTS of MyPersonal Folder! It wanted to place all of the listed items in quarantine. It gave me the choice of placing all items in quarantine or picking certain ones to place there. It also gave me the choice of DELETING ALL ITEMS. It got in the folder. It could not see the individual items in the folder otherwise so it must have broken the password. Further, every item in that private folder is listed in the rootkit scanner report! Not very private if someone else was also using this machine and looked at the reports. :thumbdown:

I used the rootkit scanner function from LukeFilewalker because the stand alone rootkit scanner doesn't work now. I just haven't gotten around to uninstalling as it was just a few days ago that I learned it doesn't work anymore. If the scanner will not honor a password and insists on listing the contents of the private folder in the Reports section of the main Avira GUI then I will not use Avira's rootkit scanner.

Aloha kevin,

This really surprises me and I agree fully with your assessment that if rootkit scanners are able to mess with protected folders then no one would buy locking software. I got Microsoft's Private folder right before they withdrew it. If I hadn't been able to get it, I would have bought some kind of locking software and I would be even more upset if this had happened in spite of a program I purchased that was designed to hide and protect a folder.

Radu,

I add my request to kevin's that you inquire if Avira can make this exclusion for legitimate privacy/locking software and quickly if possible. What changed with the rootkit scanner as it didn't used to enter MyPrivate folder? It used to simply list the folder as a hidden object, and thus suspicious, but did not list the contents of the folder item by item nor did it used to want to quarantine anything from the folder or quarantine the folder itself. I don't do rootkit scans on a regular basis so I don't know when this change was made but it is a big change for the worse. No one who has private, locked folders will want to use Avira rootkit scanner once they know about this. There are other rootkit scanners and I haven't encountered another one that acted this way but I have not used others very recently so it is possible some may act like Avira now but I'm sure I can find one or more that doesn't if I need to do a rootkit scan. I'd rather use Avira's though because it is really good so I hope this can be fixed soon.

5

Tuesday, November 25th 2008, 1:05pm

I forgot this earlier...what is "avirarkd.exe"? That is the rootkit scanner isn't it? I had to reboot my computer several hours ago because explorer.exe was using all the CPU and when I looked at Task Manager the first entry was "avirarkd.exe" and it was using 52k memory. I had NOT done the rootkit scan that is the subject of this thread (I did it AFTER I rebooted). The computer had been running 7-8 days when I had to reboot but I don't recall any rootkit scan during that time. Could that have been from my trying the stand alone scanner about a week ago after I read here that it doesn't work any longer? I do recall trying it after I read that here and it didn't scan but I guess it started the "avirarkd.exe" process and left it running all this time?

kevin009

6

Tuesday, November 25th 2008, 1:07pm

Hello Mele,

I agree with you fully that Avira should honor a password from legitimate locking software even before displaying its contents in the reports. But the last time I checked, I found that AntiVir Personal's Rootkit scanner listed the hidden data (hidden by Lock Folder XP). Although it was able to quarantine the data, it was not able to delete the hidden data. That was a bit long ago and I haven't checked so far with the updated Avira personal's rootkit scanner, so don't know what it does with the hidden data.

BTW: If anyone has information what other antivirus programs' rootkit scanners do with data hidden by legitimate software, please post here. I'd like to hear them.

Radu Gheorghe

7

Tuesday, November 25th 2008, 2:01pm

Hello,

@Mele20: the fact that avirarkd.exe remains loaded is because of the incompatibility with AntiVir 8. You need to uninstall the standalone rootkit tool, then restore your rootkit protection from AV8. If you need assistance with this, we are here to help.

What My Private Folder and other similar programs do is to install a driver that doesn't allow you to access the folder, unless you enter a password. This is a method that is sometimes used by rootkits (using a driver to hide something). Adding exceptions is not a solution, because exceptions can be removed. I think a much better way to secure your private data is to encrypt it. In Windows XP you have data encryption transparently available through NTFS.
Radu Gheorghe
Avira Operations GmbH & Co. KG

8

Tuesday, November 25th 2008, 2:14pm

I don't understand why you claim there is a conflict with using rootkit scanner in Avira 8 if you have the stand alone scanner still installed. The stand alone scanner doesn't work now which is a shame because a rootkit scanner should be completely separate from the AV scanner I think. Anyhow, the rootkit scanner in Avira 8 works fine even though I have not uninstalled the stand alone scanner.

As for encrypting NO WAY! This really irritates me. We bring you a problem and you skirt the issue. Is Avira going to fix this or not? I'll find another AV if necessary. I want to use MyPrivate folder or locking paid software like kevin is using and if Avira is going to make that impossible then I will have to get another antivirus. The solution is simple. Have the scanner detect the folder as a hidden object. Do NOT allow the scanner to break the password. That is so objectionable that it makes me actually sick to my stomach that you and Avira could for one minute think this is acceptable behavior! To violate my private folder that is password protected is outrageous. You are making me question Avira's integrity. X( :thumbdown:

Radu Gheorghe

9

Tuesday, November 25th 2008, 3:24pm

Quoted

I don't understand why you claim there is a conflict with using rootkit scanner in Avira 8 if you have the stand alone scanner still installed.

That's because of the way the two applications were designed. They use the same driver and conflicts will arise, as you already noted.

As for the encryption solution, I'm sorry that I irritated you, it was not my intention. I was just giving you alternatives, it's your choice to use whatever software you like.

Back to the MyPrivate Folder issue: Avira Rootkit detection doesn't break your password or violate your security. It just searches for hidden objects, and can't say on its own if these hidden objects are legitimate or not, as we say on our website:

Quoted

Avira AntiVir Rootkit Protection recognizes active rootkits. However, there also exist rootkits, which are used legally in programs. Avira AntiVir Rootkit Protection also detects those. Please note that using reported rootkits is at your own risk and it can cause program errors.

Since the files in your private folder are hidden objects, it prompts you to quarantine or ignore these objects, and again it's your decision what to do.

We are aware of this feature suggestion, to add exceptions for the rootkit search module, but we decided not to do that at the moment, because there's a security risk. We may add this for future versions, as we are aware that some customers need it.
Radu Gheorghe
Avira Operations GmbH & Co. KG

NiteHawk

10

Wednesday, November 26th 2008, 10:57am

Hi Kevin!

BTW: If anyone has information what other antivirus programs' rootkit scanners do with data hidden by legitimate software, please post here. I'd like to hear them.

Check it out yourself, e.g. with F-Secure's Blacklight. I'm quite convinced it will report the hidden objects, too.

Regards, NiteHawk

kevin009

11

Wednesday, November 26th 2008, 1:01pm

Hello,

@Radu

Quoted

Adding exceptions is not a solution, because exceptions can be removed
But exceptions can be removed in the paid versions only after entering the password.

Quoted

Avira Rootkit detection doesn't break your password or violate your security
Breaking the password - What I meant here, is not that Avira removes the Lock Folder XP password, it is capable of quarantining the hidden files without entering the password. Then an unauthorized user can release the private data from the quarantine to any folder and access the file. This is what I meant by breaking the password.

Quoted

Since the files in your private folder are hidden objects, it prompts you to quarantine or ignore these objects, and again it's your decision what to do
Yes, before quarantining these objects (in the detection window and in the reports), it should ask the user to enter the password (in a user account); if the scan is run as an Administrator, then it can quarantine the hidden objects without the password. This is my suggestion.

@NiteHawk,

Quoted

Check it out yourself, e.g. with F-Secure's Blacklight. I'm quite convinced it will report the hidden objects, too
Thanks, but I did not check it out. I only meant to ask if it is able to Quarantine these hidden objects like AntiVir did.


NiteHawk

12

Wednesday, November 26th 2008, 1:27pm

Hi Kevin!

Quoted

Breaking the password - What I meant here, is not that Avira removes the Lock Folder XP password, it is capable of quarantining the hidden files without entering the password. Then an unauthorized user can release the private data from the quarantine to any folder and access the file. This is what I meant by breaking the password.

Are you saying the files 'secured' by Folder Lock are not encrypted? Personally, I wouldn't trust (or at least examine closely) a protection solution that relies on 'dirty tricks' (rootkit techniques) to hide confidential data. "Security by obscurity" is a concept known to have limits. When using the HDD under a different OS (e.g. booting with BartPE or a Linux 'Live' CD) these folders/files will likely be visible / accessible. The only reliable protection is industrial-strength encryption of the data in question. And if that works, there's no need to play "hide-and-seek"...

Regards, NiteHawk

13

Wednesday, November 26th 2008, 2:06pm

Quoted

As for the encryption solution, I'm sorry that I irritated you, it was not my intention. I was just giving you alternatives, it's your choice to use whatever software you like.

Back to the MyPrivate Folder issue: Avira Rootkit detection doesn't break your password or violate your security. It just searches for hidden objects, and can't say on its own if these hidden objects are legitimate or not, as we say on our website:

Quoted

Avira AntiVir Rootkit Protection recognizes active rootkits. However, there also exist rootkits, which are used legally in programs. Avira AntiVir Rootkit Protection also detects those. Please note that using reported rootkits is at your own risk and it can cause program errors.

Since the files in your private folder are hidden objects, it prompts you to quarantine or ignore these objects, and again it's your decision what to do.

We are aware of this feature suggestion, to add exceptions for the rootkit search module, but we decided not to do that at the moment, because there's a security risk. We may add this for future versions, as we are aware that some customers need it.


I uninstalled the rootkit scanner module. It may not have violated my security..no...it violated my privacy and that is more important to me than anything else. It had no business entering a password protected folder. It should have done what it used to do which is list that folder as a hidden object. Nothing more. Leave the rest to me. The only reason I ran the rootkit module was to see if it worked since I have the standalone one installed (and I intend to uninstall it too in just a moment).

I started a thread on this issue at dslreports and someone just stated that I violated my own privacy by willingly running the rootkit scanner. That is not true because I've had the standalone one since it was in beta and I have run it a few times. Each time it simply listed MyPrivate folder as a hidden object. That is all it did. How was I to know that Avira changed it since the last time I ran either one? You didn't make any announcement about it in the forum as I'm here enough that I think I would have seen it. I wouldn't have run it if I had known that it was changed and would enter that folder and list the contents and want to quarantine them. Besides, I only ran it because you said it wouldn't work because I had the standalone one installed also and I wanted to see if that was true. Anyhow, I would have felt a lot better about this if Avira had the foresight to let us know that the scanner would do these things now. I looked at Folder Lock website and they claim complete, total privacy and protection of the folders which is obviously not true.

We really need to be able to place these folders into an exception area where they cannot be moved out of the exception area except by providing the password to folders. I will not use the rootkit scanner again until we have this feature. But the most important reason for Avira giving us this feature ASAP is that if someone else has access to your computer they can run the rootkit scanner and let it put the files in quarantine and then they can restore those files to anywhere and have access to your private files.

kevin009

14

Thursday, November 27th 2008, 5:59am

Hello Mele,

NiteHawk has suggested this: The only reliable protection is industrial-strength encryption of the data in question. I think, as there is no other workaround currently available to avoid our problem, that data encryption is the best solution. But now may I ask one question: What is your reason that you hate to encrypt your data as per Radu and NiteHawk's suggestion?

BTW, although I still think that Avira should add Rootkit exceptions also, why not make vendors of locking software like Lock Folder XP and Folder Lock aware of this problem? I think they can work up a new version to work around this rootkit detection module (unfortunately malware authors are trying to improve their malicious rootkits in the same way :( ). It is a tug-of-war between users' demands and malware authors with the security vendor as a rope!

15

Thursday, November 27th 2008, 8:28am

I don't know a lot about encryption but in XP you cannot encrypt a compressed file. (Radu said use the facilities in XP but I don't know what he means). Some are compressed files so they have a second password besides the one to MyPrivate Folder. Secondly, I don't understand how encrypting would help. Anyone with access to the computer can unencrypt the files so how is encrypting useful?

With a locking program someone at your computer has to figure out the password to get at your files...until now that Avira's rootkit tool can do it. Talk about a two-edged sword! That is what Avira's rootkit scanner is and for those of us unlikely to get malicious rootkits the dark side of Avira's tool is most disturbing.

I don't know what "industrial strength encryption" is.

16

Saturday, November 29th 2008, 10:42am

Quoted

Hi Kevin!

BTW: If anyone has information what other antivirus programs' rootkit scanners do with data hidden by legitimate software, please post here. I'd like to hear them.

Check it out yourself, e.g. with F-Secure's Blacklight. I'm quite convinced it will report the hidden objects, too.

Regards, NiteHawk


I didn't see anything about a rootkit scanner at FSecure's site. Site is awful looking now what with being all scrunched up in a small area on the left side of the screen. It used to be a really nice site. I looked at all downloads, products, etc. and couldn't find any rootkit scanner.

NiteHawk

17

Saturday, November 29th 2008, 10:52am

Hi Mele20!

The download link is near the bottom of the page:

Quoted

Downloads
BlackLight – Rootkit Detection and Elimination Tool

Regards, NiteHawk

18

Saturday, November 29th 2008, 11:38am

Never mind for the moment.

19

Saturday, November 29th 2008, 12:51pm

I can't speak for Kevin and his locked files, but Blacklight did NOT consider Microsoft's My Private Folder to be a rootkit.

That is a really nice scanner with a lovely GUI. Plus, it had a lot of FAQ which were great information. I like how it showed each file name and location as it scanned it. I watched for it to get to My Private Folder which is shown in Explorer under Recycle Bin and Desktop Explorer. When it got to it the scanner just passed right over it. :thumbsup:

I really don't understand how Avira's scanner can misconstrue that Private folder as a hidden object. The folder is NOT EVEN HIDDEN. It sits right there on the C drive and is easy to see if using tree view in Explorer. The only thing a bit odd about it is that it is a password protected folder. Anyhow, if I need to do a rootkit scan in the future I will use FSecure's not Avira's. I already uninstalled the Avira rootkit detector module. Thank you for pointing me to FSecure's Blacklight. I don't like FSecure antivirus but I sure like their rootkit scanner.

NiteHawk

20

Saturday, November 29th 2008, 1:46pm

Hi Mele20!

That's strange. It's been a while since I last heard about MS "Private Folder", but IIRC AntiVir's rootkit scan reported [...]\my private folder\prvflder.dat to be 'invisible'. Invisible here does not refer to file attributes ('hidden'), but instead means there is a discrepancy between the file system / storage and the Windows API not listing / allowing the file at all (so 'invisible' means 'unreachable'). This is exactly the sort of thing that I would expect to show up in Blacklight too, so I'm puzzled why this is not the case here. Guess I'll have to play around with that in my VMware a bit, if I find the time...

Regards, NiteHawk
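The hide-versus-encrypt argument NiteHawk makes in post 12 and his definition of an 'invisible' object in post 20, as an added Python model that is not part of this thread or of any Avira, Microsoft or Folder Lock product: a constructed in-memory "disk", a lock-driver model that only filters listings, a cross-view check that flags the resulting discrepancy, and password-based encryption of the same secret. The paths, the sample secret and the toy cipher are assumptions for illustration only.

```python
import hashlib
import hmac
import os

# Constructed sample secret for this example, not data from anyone's machine.
SECRET = b"bank login: example-user / hunter2"
ITER = 100_000  # PBKDF2 iterations

# "disk" below is the raw storage view, a dict path -> bytes: what a live CD
# (or a restore-from-quarantine) can read regardless of any Windows driver.

def api_view(disk, locked_folder, unlocked=False):
    """Model of a folder-locking driver: it leaves the bytes on disk untouched and
    merely filters the locked folder out of the listing until the password is given."""
    if unlocked:
        return set(disk)
    return {p for p in disk if not p.startswith(locked_folder + "/")}

def cross_view_scan(disk, api_listing):
    """Rootkit-scanner style check: objects present in storage but absent from the
    API listing are 'invisible'; the scan cannot tell a lock driver from malware."""
    return set(disk) - api_listing

def _keys(password, salt):
    km = hashlib.pbkdf2_hmac("sha256", password, salt, ITER, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key

def _keystream(key, nonce, length):
    blocks = (hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(password, plaintext):
    """Encrypt-then-MAC with an HMAC-SHA256 keystream (a teaching construction; use
    AES-GCM or the OS's own EFS/BitLocker for real data). Blob = salt|nonce|ct|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return salt + nonce + ct + hmac.digest(mk, nonce + ct, "sha256")

def decrypt(password, blob):
    """Verify the tag first, then decrypt; a wrong password is rejected, not guessed."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = _keys(password, salt)
    if not hmac.compare_digest(hmac.digest(mk, nonce + ct, "sha256"), tag):
        raise ValueError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def demo(password=b"correct horse"):
    """Same secret protected both ways; reports what each offline view yields."""
    disk = {
        "C:/Docs/readme.txt": b"public",
        "C:/MyPrivate/notes.txt": SECRET,                  # locked, stored in clear
        "C:/Vault/notes.bin": encrypt(password, SECRET),   # encrypted, not hidden
    }
    vault_raw = disk["C:/Vault/notes.bin"]
    try:
        decrypt(b"wrong guess", vault_raw)
        wrong_reads = True
    except ValueError:
        wrong_reads = False
    return {
        "flagged": cross_view_scan(disk, api_view(disk, "C:/MyPrivate")),
        "hidden_is_plaintext": disk["C:/MyPrivate/notes.txt"] == SECRET,
        "vault_is_plaintext": SECRET in vault_raw,
        "wrong_password_reads": wrong_reads,
        "right_password_reads": decrypt(password, vault_raw) == SECRET,
    }
```

The locked folder is the only object the cross-view scan flags, and its bytes are readable without any password once the filter is bypassed; the encrypted file is never hidden, so it is not flagged, and without the password it yields nothing usable.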