avast! Antirootkit bypasses CFP's quarantine


It seems that avast! Antirootkit scanner bypasses CFP’s “lockdown” feature. I’ve quarantined a directory, but the scanner finds the malware samples in it. The log file says all the files (not just the infected ones) in that directory are hidden, which is reasonable.

CFP v.
avast! Antirootkit v.0.9.6
CPU 32 bit

Okay, maybe not a bug. Other rootkit scanner can find those files too.

What other rootkit scanners can do the same? Can you please provide links to those malware samples or PM those samples. Thanks.

Oh Oh. Isn’t the Avast! rootkit scanner used as part of the boot sequence? Does this mean that CFP3 is not protecting during the boot sequence as previously advertised, or something else?

I think the privilege to see those files was given to the scanner by cfp…
For instance I can shut down cfp from icesword. But only if I allow it to gain debug privilege, access the COM interface etc.…

Help file claims following:

Comodo Firewall Pro allows you to lock-down files and folders by completely [b]denying all access rights[/b] to them from other processes or users - effectively cutting it off from the rest of your system. If the file you quarantine is an executable then neither you nor anything else will be able to run that program. [b]Unlike files that are placed in 'My Protected Files', users cannot selectively allow any process access to a quarantined file[/b].

To my understanding “denying all access rights” means no read access also. If the scanner can report about malware samples and attributes of files (“hidden”) I guess it can at least read-access that quarantined folder.

As for the privilege to see those files, I marked the second phrase in red: to my understanding it means that even a trusted or whatever process must not succeed in accessing a quarantined object.
You can reproduce such behavior by doing the following: add any folder to quarantined objects, then use explorer.exe (I assume it has default privileges to modify any protected or whatever files) to access/delete that folder. Result: access is denied even though explorer.exe is a super-trusted app.

Thanks Yuriy for pointing that out. I was too lazy to read the manual.
Is the scanner able to clean/delete the files found in the quarantine, or can it only read the contents?

I wasn’t right in my first post, avast! Antirootkit couldn’t recognise the malware in the quarantined directory, it just recognised that the files were hidden. I’ve attached the avast log file (aswar.txt).
The other rootkit scanner I tried and which can also recognise the hidden files is McAfee Rootkit Detective. Link to its site:
Log file attached (RootkitDetectiveReport.txt)

Yuriy is right, we can’t open a quarantined folder. An error message comes when trying to open it.

Anyway, the folder contains my malware collection. :)


Very interesting…

F-Secure Blacklight & Trend Micro RootkitBuster detect nothing… GMER does, as Avast! AntiRootkit is based on it…

Regarding AVs, these are my findings… Avira Rootkit scan in Premium 8 detects nothing, but if it’s only one file quarantined and not the folder, at least it scans it, although of course it says it can’t open the file. The sad thing is that KIS 2009 will not even scan the quarantined file. No contextual menu for scan for CFP quarantined files (!), and if you add the file manually in the main GUI again, the report says ‘0 objects scanned’.

I know it’s a bit off-topic, but if someone with better English than me can explain that in the Kaspersky forums it will be fantastic, since that was my election until CAVS 3 is released! (I’m not using Avira for real time because in Vista SP1 it closes itself randomly).


I’ve even tried Avira AntiRootkit, F-Secure Blacklight, Panda Anti-Rootkit, Trend Micro Rootkit Buster, none of them could find those files.

I agree that GMER is a good one.


IceSword doesn’t need debug privileges, all it needs is to install its driver. CFP3 is chanceless if a driver is loaded, but luckily, CFP3 can prevent the loading/creation of the driver.


Thanks ragwing.
It was a long time ago. But I’m sure some sort of security app similar to icesword needed that too…
I know cfp can protect against it, I was the one who allowed the driver installation. The point I tried to make was that if the driver of the rootkit scanner was allowed to be installed, then the chances of cfp protecting the quarantine are lower. (Although in this regard the quote from the manual is confusing. Maybe I should try deleting files in the quarantine with icesword.)

So folks, what do you think?

Tempest in a teapot.

The point I tried to make was if the driver of the rootkit scanner was allowed to be installed then the chances of cfp are less to protect the quarantine

That’s the weak point of security software, even one as paranoid as CFP. Once you allow something to install a driver, if the driver is evil, it’s game over most of the time.

Moral of the story: don’t allow drivers to install unless you are 100% sure…