Endpoint Protection

  • 1.  Symantec Power Eraser and BitLocker

    Posted Jun 06, 2011 02:52 PM

    I recently needed to run Power Eraser on a Windows 7 (32-bit) machine. I selected the option for rootkit/bootlog analysis, as I suspected a possible rootkit infection.

    Upon rebooting the computer for Power Eraser to start, BitLocker complained and required recovery keys to gain access to the drive. Of course, this led to a complete decrypt/re-encrypt sequence after Power Eraser ran.

    Is this a normal occurrence? Is there a way to use Power Eraser to check for rootkits without "breaking" BitLocker?

    The scan came back clean, by the way, and I also ran some additional tools to be sure there was no infection.

    Thanks in advance.



  • 2.  RE: Symantec Power Eraser and BitLocker

    Posted Jun 06, 2011 03:44 PM

    I am not finding any mention of this issue in the forums. I am betting you will need to decrypt before running the Power Eraser tool.



  • 3.  RE: Symantec Power Eraser and BitLocker

    Trusted Advisor
    Posted Jun 07, 2011 10:36 AM

    Hello,

    I agree with Thomas on his statement above.

    It is very important to decrypt the drive before running the Power Eraser tool.

    The Symantec Power Eraser tool is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:

      • New variants of existing threats for which there is no coverage by the current definition sets
      • Fake antivirus applications, and other rogueware
      • Rootkits
      • System settings that have been tampered with maliciously


    Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal.

    Whereas, encryption is the process of transforming information using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext).

    In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).

    So, how would Symantec Power Eraser find the right threat if the drive is already encrypted?

    That's why it is very important to decrypt the drive before running the Power Eraser tool.

    Again, we recommend using standard antivirus applications and troubleshooting techniques first; if they do not remove all of the threats, use Symantec Power Eraser.



  • 4.  RE: Symantec Power Eraser and BitLocker

    Posted Jun 07, 2011 07:03 PM

    Let me clarify. Power Eraser runs fine on a BitLocker-encrypted drive, as long as you don't select the rootkit/bootlog analysis option. Power Eraser should have no problem finding threats on the drive, since BitLocker runs underneath the OS and is transparent to file scanners.

    The issue at hand is with the rootkit analysis option. At this point, Power Eraser should be 'analyzing' the drive, not making changes to it; however, it seems that, unlike other rootkit scanners, Power Eraser is making changes that BitLocker 'sees' (possibly to the MBR or other pre-boot areas of the drive?), and so the BitLocker tamper protection kicks in.

    I'm looking for suggestions on how to clean up TDSS rootkit infections (TDL3, TDL4) with Symantec products in an environment that uses BitLocker. There are several scanners/cleaners out there from other companies that seem to have addressed this issue.

    It seems we are seeing quite a bit of these types of infections lately, mostly infecting basic disk and system drivers to load with the OS.
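
A practical way around the problem described in this post, added here as an example and not taken from the thread or from Symantec: suspend the BitLocker protectors before a scan that rewrites pre-boot areas, run the scan (reboot included), and re-enable the protectors once back in Windows. Re-enabling re-seals the key against the boot environment as it then is, so the scanner's changes stop looking like tampering, and the volume never has to be decrypted. The script wraps manage-bde.exe because the Suspend-BitLocker/Resume-BitLocker cmdlets only exist from Windows 8 onward; it assumes an elevated PowerShell prompt, an OS volume of C:, and that the recovery key has been escrowed (AD, a printout) before you start, in case something still goes wrong. The script name and the `-Action` parameter are this example's own conventions, not anything Symantec or Microsoft ships.

```powershell
<#
 Added example, not from this thread or from Symantec. Wraps manage-bde.exe
 so that a scan which rewrites pre-boot areas (MBR, boot sector, boot files)
 does not land the machine in BitLocker recovery on the next boot.

 Assumptions: elevated PowerShell on Windows 7 or later, OS volume C:,
 manage-bde.exe reachable on PATH (it lives in System32). The cmdlets
 Suspend-BitLocker/Resume-BitLocker exist only from Windows 8, so manage-bde
 is used instead.

 Usage (script name and -Action values are this example's own):
   .\bde-scan-window.ps1 -Action Suspend   # before starting the scan
   ... run the scanner, let it reboot and finish ...
   .\bde-scan-window.ps1 -Action Resume    # once back in Windows
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Status', 'Suspend', 'Resume')]
    [string]$Action,
    [string]$Volume = 'C:'
)

$ErrorActionPreference = 'Stop'

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # Capture stdout+stderr as one string and fail loudly on a non-zero exit.
    $out = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed:`n$out"
    }
    $out
}

function Get-BdeStatus {
    param([string]$Vol)
    # manage-bde -status is text-only; pull out the two fields we act on.
    $out  = Invoke-ManageBde @('-status', $Vol)
    $conv = if ($out -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    $prot = if ($out -match 'Protection Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    [pscustomobject]@{ Volume = $Vol; Conversion = $conv; Protection = $prot }
}

$s = Get-BdeStatus $Volume
Write-Host ("{0}  conversion='{1}'  protection='{2}'" -f $s.Volume, $s.Conversion, $s.Protection)

switch ($Action) {
    'Status' { }

    'Suspend' {
        if ($s.Protection -notmatch 'Protection On') {
            Write-Host "Protection is already off on $Volume; nothing to suspend."
            break
        }
        if ($s.Conversion -notmatch 'Fully Encrypted') {
            # A volume still converting plus a boot-area rewrite is the worst case; wait it out.
            throw "Volume $Volume is '$($s.Conversion)'; let conversion finish first."
        }
        # The volume stays encrypted, but the volume master key is stored in the
        # clear on disk so the TPM measurement check is bypassed on the next boot.
        # Anyone holding the disk can read it until Resume runs: keep the window short.
        Invoke-ManageBde @('-protectors', '-disable', $Volume) | Out-Null
        Write-Host "Protectors suspended on $Volume. Run the scan (including its reboot), then -Action Resume."
    }

    'Resume' {
        if ($s.Protection -match 'Protection On') {
            Write-Host "Protection is already on for $Volume."
            break
        }
        # Re-enabling re-seals the key against the boot environment as it is NOW,
        # i.e. including whatever the scanner changed, so those changes no longer
        # look like tampering. No decrypt/re-encrypt cycle is needed.
        Invoke-ManageBde @('-protectors', '-enable', $Volume) | Out-Null
        $after = Get-BdeStatus $Volume
        if ($after.Protection -notmatch 'Protection On') {
            throw "Protection did not come back on for $Volume; check: manage-bde -protectors -get $Volume"
        }
        Write-Host "Protectors re-enabled on $Volume."
    }
}
```

While suspended, the volume master key sits on disk in the clear, so the window between Suspend and Resume should be as short as the scan allows and the machine should not leave your hands in that state. Resume only after the boot-time part of the scan has completed: re-enabling protectors before the reboot would seal against an environment the scanner is about to change again, which is exactly the recovery prompt this is meant to avoid.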



  • 5.  RE: Symantec Power Eraser and BitLocker

    Posted Jun 08, 2011 01:16 PM

    Have you tried this removal tool (FixTDSS.exe)?

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99
    Please let me know the outcome.
    Best,

    Thomas