Full Version: How about a special boot scan feature?
Kaspersky Lab Forum > English User Forum > Suggestions for current and future versions of KL products
ultragunnerdcl
Other antispyware products have a special boot scan feature that can be run before Windows starts. It kills spyware deeply embedded in memory, the registry and files before Windows starts. Maybe you can implement it in version 8.0? Maybe you can add this new feature; I don't think any antivirus has this feature, so this could be a first for Kaspersky. It would give you an edge over the competition.
p2u
QUOTE(ultragunnerdcl @ 28.10.2007 08:38)
a special boot scan feature that can be run before Windows starts.

Avast has this, yes. I've been pleading for this since a long, long time ago...

Paul
Lucian Bara
First of all, it can't be before Windows "starts"; it still depends on the Windows kernel, so things might still be undeletable if they have a way to get a low start (maybe even patch the kernel). IMO, if your system is that badly infected, create a rescue disk, which can remove embedded malware better.
Richard_K
KAVDOS32.exe (free download from KAV) has a boot sector scan. In fact, I've been rummaging around in these KAV forums to try and find the best place to post and get some clarity on the kavdos32.exe CLS switches! It's all a bit manual, though.

regards, Richard
fredbi
QUOTE(Lucian Bara @ 28.10.2007 08:43)
first of all it can't be before Windows "starts", it still depends on the Windows kernel

No, Lucian, I think our friend is talking about a standalone boot which could safely scan Windows before it starts operating. In other words, a rootkit to chase rootkits...

Sounds pretty hairy to set up such a feature for the immediate benefits we can get... (just imagine the compatibility issues with VMware, multi-boot, ...). I think the idea is not bad, but I would prefer the anti-rootkit effort to be pushed forward on detection.

I may have misunderstood the point - still open to discussing it...
Whizard
That version of KAV is no longer supported, and signatures might be incompatible with it.
TonyW
QUOTE(Lucian Bara @ 28.10.2007 07:43)
first of all it can't be before Windows "starts"

According to p2u, Avast has this; the question is, how can they do it then?
Lucian Bara
I don't think Avast's boot scan is different from your usual "chkdsk runs at start" option.
Edit: and it isn't, actually. The Avast boot scan just adds an entry for itself under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, BootExecute value: aswBoot.exe /A:"*" /L:"English" (in the default, just-click-OK case).
TonyW
QUOTE(Lucian Bara @ 22.11.2007 09:04)
I don't think Avast's boot scan is different from your usual "chkdsk runs at start" option.
Edit: and it isn't, actually. The Avast boot scan just adds an entry for itself under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, BootExecute value: aswBoot.exe /A:"*" /L:"English" (in the default, just-click-OK case).

Therefore it could be argued that KAV/KIS could add a similar entry to the Registry for a boot scan.
Lucian Bara
Theoretically yes, practically no. You need to make a special exe which can call that console and use it. This application also has to be able to remove and add that entry at will.

Try it: if you add the usual command-line scan to that registry entry you should get an on-demand scan (make sure that your PC will not get any detection, because loading of Windows may pause at an invisible prompt waiting for action on malware). I advise doing it on VMware; if your full scan takes a couple of hours, it's going to be annoying watching the blue worm move from side to side for three hours.
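The BootExecute mechanism Lucian describes is also a classic persistence location, so a defender will want to audit it. The following is an added example (not code from the thread or from any vendor) that decodes the REG_MULTI_SZ value and flags any entry beyond the default autochk one; the baseline set and the sample bytes are assumptions constructed here.

```python
"""Audit the Session Manager BootExecute value (REG_MULTI_SZ) for unexpected
native-mode programs. smss.exe runs each entry before the Win32 subsystem exists,
which is why avast's aswBoot.exe is registered here."""
import sys

BOOTEXEC_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
# Assumption: only entry present on a default Windows install (golden images may add more).
BASELINE = {"autocheck autochk *"}

# Constructed sample: the default autochk entry followed by the avast entry quoted in the thread,
# stored the way the hive does it: UTF-16LE, each string NUL-terminated, list closed by an extra NUL.
SAMPLE_RAW = (
    "autocheck autochk *\x00" 'aswBoot.exe /A:"*" /L:"English"\x00' "\x00"
).encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> list[str]:
    """Decode raw REG_MULTI_SZ bytes into a list of strings.
    Empty fragments (the double-NUL terminator, or a missing one) are dropped."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def audit_bootexecute(entries: list[str], baseline=BASELINE) -> list[str]:
    """Return every BootExecute entry not in the baseline, normalising whitespace
    and case so 'AutoCheck  autochk *' is not reported as a false positive."""
    norm = {" ".join(b.split()).lower() for b in baseline}
    return [e for e in entries if " ".join(e.split()).lower() not in norm]


def read_bootexecute() -> list[str]:
    """On Windows read the live value via winreg; elsewhere fall back to the sample."""
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOTEXEC_KEY) as key:
            value, kind = winreg.QueryValueEx(key, "BootExecute")
        if kind != winreg.REG_MULTI_SZ:
            raise TypeError(f"BootExecute has unexpected type {kind}")
        return list(value)  # winreg already returns a list of str
    return decode_multi_sz(SAMPLE_RAW)


if __name__ == "__main__":
    for entry in audit_bootexecute(read_bootexecute()):
        print("unexpected BootExecute entry:", entry)
```

Run it from an elevated prompt on the machine under review; on the constructed sample it reports only the aswBoot.exe entry.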
fredbi
I may be completely out of fashion here, but methinks this registry hook for special boot exec is not bringing much... When scanning at that time, one should search for specific things (kernel, registry, loaded modules) and not perform a full scan.

I have a suggestion. Since BartPE may be complemented with add-ins (Firefox, for instance), do you think it possible to get KAV plugged into a BartPE standalone Windows, possibly with signature databases fetched from an external device such as a floppy or USB?

This way, booting the CD would make it possible from time to time to perform a scan from the outside, most likely with the "extended rootkit detection" feature enabled.

How about that? Does it sound sensible or completely out of reach?

EDIT: spelling
Lucian Bara
That sounds already implemented. In v7 it's under the scan menu: create rescue disk.
fredbi
I know it is possible to create a BartPE from Kaspersky (had one already at hand at KIS install time...).
Are you sure KAV/KIS is then bundled with the PE? I could see nothing written about that.

I doubt you can bundle KAV so easily in the PE. From BartPE's site, a number of contributors added tools or third-party software as PE add-ins. So you are telling me this is already the case for KIS? How about refreshing the database then (that's why I considered using external storage for it)?

EDIT: just to recall the topic - I am not after getting a rescue disk, but a standalone boot which could scan Windows on the HD without being fooled by possible rootkits.
Lucian Bara
Due to legal reasons, BartPE is only distributed in the form of a link.
But the plugin is available as a standalone version (the zip archive rescuecd.zip: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ )
fredbi
Sounds great. Didn't know about the plugin. I'll get that CD burned, yes ...

I'll try that to perform in-depth but focused inspection of my PCs from time to time... The only way someone could fool that beforehand would be to dig into the BIOS, so I hope it's a good solution for a semi-paranoid like me.

I really prefer that one to a "registry-based" boot solution.

You're of invaluable help, Lucian. Thanks.


[got to jump headlong in the MONSTROUS traffic jams outside now - talk to you later guys]

Fred


gerhardus
QUOTE(fredbi @ 22.11.2007 22:22)
Sounds great. Didn't know about the plugin. I'll get that CD burned, yes ...

I'll try that to perform in-depth but focused inspection of my PCs from time to time... The only way someone could fool that beforehand would be to dig into the BIOS, so I hope it's a good solution for a semi-paranoid like me.

I really prefer that one to a "registry-based" boot solution.

You're of invaluable help, Lucian. Thanks.
[got to jump headlong in the MONSTROUS traffic jams outside now - talk to you later guys]

Fred


Hi Fred, as far as I understood this thread correctly - I am a PC idiot - it is possible to use the rescue zip file, burned on a CD, as a boot scan possibility. If this assumption is correct, do I just have to unzip the rescue file and burn this on the CD?

tnx a lot
gerhard
Lucian Bara
Hello,
use the Linux-based one: download the ISO from within KAV/KIS 2010 (in Security+) and burn it. In 2009 you have the possibility to make the BartPE disk from the Anti-Malware tab > Rescue Disk.