
Sbav on Windows 8.1 loads but never runs

I have a Windows 8.1 64 bit HP laptop and am trying to run Sbav on it. I can get to where it loads the files onto the local drive and starts Slax. But after that the screen goes black and the program never runs.

Any thoughts would be appreciated.

Thanks



  • Hello ReggieB,

    first of all - what's the reason you want to run SBAV (the article is quite clear that it's an emergency solution)?

    Allow me a few remarks

    Windows 8.1 64 bit

    It's totally independent of the operating system installed (in fact it will boot even with no disk present). To be useful it needs a recognizable and unencrypted file system though.

    loads the files onto the local drive

    it doesn't load onto the local drive (what you think is the local drive is a RAM disk) and it doesn't write to the drive unless explicitly instructed from the Scan menu

    HP laptop

    Slax is (at the moment) stable (that's a euphemism for it hasn't been updated for some time). Though apparently it does boot so basically it should work. What HP laptop model is this? Do you boot from a CD/DVD or some other device?

    Christian     

  • Christian, 

    Thanks for the reply. The laptop is a HP Envy TS 17 notebook PC.

    I was running the sbav since the Sophos Endpoint would remove the virus but after reboot it would come back.

    I never got to the scan options. One thing I didn't check was for an unencrypted file system.

    The last thing on the screen was:  triggering udev events: /sbin/udevadm trigger –

    I traced it to the file, and it is associated with Generic PUA LM

    c:\windows\sysWOW64\BDL.dll.

    I could manually remove this but it always came back.

    Virus list:

    Solimba Installer

    Troj/Dldr-ir

    Airinstaller

    Apprider

    Conduit search protect

    TUTO4PC

  • Hello ReggieB,

    would remove the virus but after reboot it would come back

    in conjunction with the other detections this looks like some as yet undetected component. In that case SBAV is no more "powerful" than SESC. Did you submit the PUA to Labs? One common scenario is that a piece of malicious content from a web page slips through, installs itself (depending on the user's rights) in the user or system context, dropping "other stuff". This "other stuff" often triggers additional detections, most of it is blocked and potentially cleaned up or cleanable but as long as the original threat isn't detected and removed the "infection" will recur at boot or logon time.

    After Labs have analysed the sample and issued an IDE for it (which takes only a few hours normally) the threat will be detected and cleaned as we're used to.

    Christian

  • Christian,

    Unfortunately I had to delete the .dll in DOS so I don't have a sample to submit.

    After deleting it seems the laptop is clean.

    And I thought running sbav would give the program the ability to delete the .dll since it wasn't being used by the OS. When Windows was running I wasn't able to remove it, and SESC only placed it in quarantine with the option to authorize it.

    Thanks for your help.

    Reggie

  • Hello Reggie,

    Generic PUA LM [...] quarantine with the option to authorize it

    PUA is Potentially unwanted and for Generic there's usually no cleanup (as it isn't considered malicious). It's not a question whether the file is locked or not. SBAV using the same detection data would have come to the same conclusion (i.e. not malicious) - actually there's a better chance for SESC compared to SBAV to detect the malicious nature of such items when behavior monitoring is enabled.

    Christian
