So after running a 'Threat Scan' with MBAM free, it flagged SYSTEM32\drivers\ntfs.sys as an unknown rootkit driver. This is on an XP SP3 PC. I further scanned said file with Zemana AntiMalware (6 engines), and the file showed clean, as did a scan with Qihoo 360 TSE.

Hi,

 

If the scanner sees a legitimate file as "Unknown.Rootkit.Driver", then this means there's probably indeed a rootkit present (as we have seen with certain 0access variants) where the files are "forged" by the rootkit. Meaning, reads through WinAPI differ from the contents read through low-level disk access. In such cases, Malwarebytes fixes this and restores it with a "clean" one.
It doesn't always mean that you were indeed dealing with a rootkit. We've seen some other cases as well causing files to be forged (by some legitimate software, e.g. Rollback Rx PC) or by a DDA driver failure.

Being this was detected with the rootkit engine, you might want to discuss this in the MBAR forum:
https://forums.malwarebytes.org/index.php?/forum/116-malwarebytes-anti-rootkit-beta-help/
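The staff reply above describes the cross-view principle behind the "Unknown.Rootkit.Driver" verdict: the bytes a file shows through the normal Windows API are compared with the bytes read straight off the disk, and a mismatch means something in the I/O path is forging the file. The example below is an added illustration written for this thread, not Malwarebytes' own detection code. It models the two views as byte strings (constructed sample data, since a real low-level disk read is platform-specific) and applies the same three-way reasoning the reply gives: views differ (forged, which may still be benign per the reply's Rollback Rx / DDA-driver caveat), views agree and match a known-good hash (clean), or views agree but the hash is not recognised (unknown, worth a second opinion). The known-good hash list and driver names are placeholders, not real Microsoft hashes.

```python
import hashlib
from typing import Dict, Iterable

# Verdicts mirror the reply: a forged file is one whose API view and raw
# disk view disagree; agreement plus a recognised hash is clean; agreement
# with an unrecognised hash is merely unknown (patched build, OEM variant...).
FORGED, CLEAN, UNKNOWN = "forged", "clean", "unknown"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte view; used so both views are compared by digest."""
    return hashlib.sha256(data).hexdigest()


def classify_cross_view(api_view: bytes, disk_view: bytes,
                        known_good: Iterable[str]) -> str:
    """Cross-view check for one file.

    api_view  - bytes obtained through the normal file API (what a user-mode
                scanner or the OS loader would see).
    disk_view - bytes obtained by reading the raw volume (what is really on
                disk). A rootkit hooking the I/O path can make these differ.
    known_good - hex SHA-256 digests of builds we trust (placeholder values).
    """
    api_hash = sha256_hex(api_view)
    disk_hash = sha256_hex(disk_view)
    if api_hash != disk_hash:
        # The two views disagree: something between the API and the disk is
        # rewriting the file. Per the reply this is usually a rootkit, but can
        # also be legitimate snapshot software or a failed raw-disk read.
        return FORGED
    if api_hash in set(known_good):
        return CLEAN
    return UNKNOWN


def cross_view_report(samples: Dict[str, Dict[str, bytes]],
                      known_good: Iterable[str]) -> Dict[str, str]:
    """Classify several drivers at once; returns {driver_name: verdict}."""
    good = set(known_good)
    return {
        name: classify_cross_view(views["api"], views["disk"], good)
        for name, views in samples.items()
    }


# --- constructed sample data (not real driver contents or hashes) ---------
GENUINE_DRIVER = b"MZ\x90\x00 genuine ntfs.sys image bytes (constructed)"
TROJANIZED_DRIVER = b"MZ\x90\x00 patched image with hook stub (constructed)"
UNLISTED_DRIVER = b"MZ\x90\x00 some other driver build (constructed)"

# Placeholder allow-list: only the constructed "genuine" image is trusted.
KNOWN_GOOD_HASHES = [sha256_hex(GENUINE_DRIVER)]

SAMPLE_DRIVERS = {
    # API view shows the genuine file, but the raw disk holds a patched one:
    # this is the forged pattern the reply describes.
    "ntfs.sys":   {"api": GENUINE_DRIVER,   "disk": TROJANIZED_DRIVER},
    # Both views agree and the digest is on the allow-list.
    "disk.sys":   {"api": GENUINE_DRIVER,   "disk": GENUINE_DRIVER},
    # Both views agree but the digest is not recognised: get a second opinion.
    "other.sys":  {"api": UNLISTED_DRIVER,  "disk": UNLISTED_DRIVER},
}

if __name__ == "__main__":
    for driver, verdict in cross_view_report(SAMPLE_DRIVERS, KNOWN_GOOD_HASHES).items():
        print(f"{driver:12s} -> {verdict}")
```

The point of keeping the three verdicts separate is the one the reply makes: a mismatch between views is strong evidence of tampering in the I/O path, but it is not proof of a rootkit on its own, so a real tool should confirm with a second scanner or a clean copy before replacing anything.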

Thanks for your reply. I re-posted at the link you provided.  
