[sergey ulasen]

No to both.

Ok.

So far this happened x2 after interrupting half way through file system scan.

Did you interrupt scanning in Low-Level Disk Access Tool or scanning in the main window ? Sorry, it was not very clear for me. Could you please give me more details ?

[Meriadoc]

Did you interrupt scanning in Low-Level Disk Access Tool or scanning in the main window ? Sorry, it was not very clear for me. Could you please give me more details ?

Scanning in the main window. Seems to be intermittent but only after using vba ark and so far only happening when interrupting - but I will see what happens after more tries.

I also notice after using the ark explorer gets really sluggish but all symptoms are gone after re-boot.

[STRELiTZIA]

Hi,
Vba32 Dedicated Desktop option, BSoD when I resize VMWare screen...

Flash movie attached.

[sergey ulasen]

Hi,
Vba32 Dedicated Desktop option, BSoD when I resize VMWare screen...

Flash movie attached.

STRELiTZIA, thanks for your interest!

This bug is connected with Vba32 Defender mode. It's a default mode on the dedicated desktop.
Vba32 Defender blocks driver's loading and process's launching. When you resize VMWare's screen antirootkit blocks video driver and it causes BSOD.

I think we was in a hurry when this mode was being set up on default... :?

[sergey ulasen]

2- It crashes after test machine infection (Trojan.Win32.VBKrypt).

Sorry for delay...

This sample hijacks functions NtTerminateThread and NtTerminateProcess in ntdll.dll. In addition, the malware doesn't clean stack (it uses c3 opcode instead of c2 opcode). It's a reason of fail. We don't want to realize now something like a workaround because we are going to develop good-quality solution in one of the next version.

Thanks!

[sergey ulasen]

Hiya!

Vba32 AntiRootkit 3.12.5.3 beta build 222:

Download link: http://anti-virus.by/en/beta.shtml
Change list:

+ Listing filesystem minifilters
+ Operations on filesystem minifilters ( Unload, Unregister )

FileSystem Minifilters window (and table in the report) has been added. User can find there information about filesystem drivers-minifilters. Also there are available two operations: Unload and Unregister. These operations are used to unload minifilter from memory. But Unregister is less safety and can cause to BSOD.

+ Listing kernel devices ( Kernel Device Stack )

Kernel Device Stack window (and table in the report) has been added. The window displays kernel device stacks. Because of this user can analyze what kind of stack malware uses.

devices.png (59.48 KiB) Viewed 679 times

There are no any operations with objects in Kernel Device Stack yet. It's planned on the future.

+ View/delete for FsRtlRegisterFileSystemFilterCallbacks notificators

It can be helpful.

+ Detection of DriverInit, DriverStartIo, DriverUnload hooks

It can be useful to detect some versions of TDL.

+ Detection and restoration of hooks in Object Functions ( ObjectType hooks )
+ Object type hijack detection for drivers and devices

Not very widespread type of hooking (in view of complexity) but looks like malware and some sort of security software use them.

+ Operation with opened handles ( CloseHandle )

Very useful function! It's available from the Process Manager window inside the Handles tab.

+ Terminating status in the time of Process Manager closing

Closing of the Process Manager window looks more clearly now.

* Fixed nonworking checkboxes in html-report ( in FireFox )

Sorry for FF users because we haven't supported you for 1.5 monthes. But now it's fixed.

* Focus from "YES" button was moved to "NO" button in the dedicated desktop request message

As I wrote early the antirootkit had some problems in the dedicated desktop mode. We have removed this mode by default. In the future, of course, the problem will be solved more radical way.

* Fixed GUI crash on infected with Trojan.Win32.VBKrypt machines
* Overall work robustness of antirootkit was improved

We have spent most of our developing time to increase stability of the application. We have fixed most known bugs that lead to BSODs or hangs.
Special thanks to STRELiTZIA for bug with Trojan.Win32.VBKrypt.

* Help in Russian was improved

Remind you our e-mail: arkit@anti-virus.by.

And thanks to everybody who sent us feature requests, errors and dumps. Your attention is very important to us!

[STRELiTZIA]

Hi,
Speed tests: Windows Xp SP3 (Updated)
1- BSoD:
(INVALID_KERNEL_HANDLE)
Process Manager... Select, Explorer.exe --> Handles -->> KEY : \REGISTRY\MACHINE --> Close handle.

2- System Hang:
2-1- performs registry attack:

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO]
"MaxObjectNumber"=dword:99999999

2-2- Try to launch Vba32arkit.exe

Edit:
3- System restarts:
Try to launch Vba32arkit.exe when Shadow Defender in Shadow Mode.

Regards.

[sergey ulasen]

To STRELiTZIA:

Sorry for delay. We are having a big holiday (4 days :roll: ) here now.

All your cases are reproduced.

I'll be able to answer in details some days later.

Thanks!

[sergey ulasen]

Hi,
Speed tests: Windows Xp SP3 (Updated)
1- BSoD:
(INVALID_KERNEL_HANDLE)
Process Manager... Select, Explorer.exe --> Handles -->> KEY : \REGISTRY\MACHINE --> Close handle.

This problem was fixed. Update will be in public with next beta version.

Thanks.

Other issues are being analyzed.

[sergey ulasen]

Hi,

2- System Hang:
2-1- performs registry attack:

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO]
"MaxObjectNumber"=dword:99999999

2-2- Try to launch Vba32arkit.exe.

It seems that this key/value has nothing to do with antirootkit's work.

But in theory it can be used by malware to block the antirootkit. Therefore it should be included to self-protection.

If you have more facts about this key/value, could you please share them with me.

Thanks!