KAV 6.0 PDM vs very_bad_rootkit
gmer
May 15th, 2006, 02:25 PM
Hi.
I have downloaded KAV 6.0 to check detection of rootkits.
{QUOTE->
3.2.3 Rootkit treatment
3.2.3.1 Hidden process detection
The Proactive Defense Module unconditionally detects any hidden process, which is useful in detecting malicious code without the need to maintain a signature database. The detection routine is never idle and is in effect regardless of, for instance, whether the end user chooses to allow process injections or not.
<-QUOTE}
The movie: http://www.gmer.net/kav6.wmv ( Windows Media Video 9 codec )
http://forum.kaspersky.com/index.php?showtopic=13895
Regards.
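The check the quoted KAV text describes is, in principle, a cross-view comparison: a process list obtained the normal way is compared against one built without consulting any list, and whatever appears only in the second view is a hidden-process candidate. The Python below is an added example of that technique on Linux; it is not KAV's code, not gmer's, and the rootkit shown in the video is not on this page. The /proc directory listing stands in for the high-level view and a kill(pid, 0) brute force for the low-level one. The function names (`scan`, `cross_view_diff`, `self_visible`), the two-pass intersection and the default `max_pid` of 4096 are choices made here for the example, not anything taken from the product.

```python
"""Cross-view hidden-process detection, Linux demo (added example).

A user-mode rootkit that filters getdents() on /proc, or a kernel rootkit
that unlinks a task from the lists ps/top walk, hides a process from the
high-level view.  A low-level view that never walks a list, probing every
possible PID with kill(pid, 0), still finds it.  Anything present in the
low-level view but absent from the high-level one is a hidden-process
candidate.
"""
import os

PROC = "/proc"


def listed_pids(max_pid):
    """High-level view: the PIDs a plain directory listing of /proc shows."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit() and int(n) <= max_pid}


def _is_process(pid):
    """kill(tid, 0) also succeeds for a non-leader thread ID, which would look
    like a hidden process.  Keep a PID only if /proc/<pid>/status says it is a
    thread-group leader (Tgid == Pid).  If status cannot be opened at all even
    though kill() said the PID exists, keep it: that mismatch is exactly what
    a rootkit hiding /proc/<pid> looks like."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
    except OSError:
        return True
    try:
        return int(fields["Tgid"]) == pid
    except (KeyError, ValueError):
        return True


def probed_pids(max_pid):
    """Low-level view: probe PIDs 1..max_pid one by one, no list involved."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check only, nothing delivered
        except ProcessLookupError:
            continue                 # ESRCH: no such process
        except PermissionError:
            pass                     # EPERM: exists, owned by someone else
        if _is_process(pid):
            found.add(pid)
    return found


def cross_view_diff(listed, probed):
    """Return (hidden, phantom): PIDs only the low-level view saw, and PIDs
    the listing showed that the probe could not confirm."""
    return probed - listed, listed - probed


def scan(max_pid=4096, passes=2):
    """Run both views `passes` times and report only PIDs hidden in every
    pass.  Processes that start or exit between the two views are the main
    false-positive source of cross-view checks; the intersection drops them."""
    hidden = None
    for _ in range(passes):
        h, _phantom = cross_view_diff(listed_pids(max_pid), probed_pids(max_pid))
        hidden = h if hidden is None else hidden & h
    return hidden


def self_visible():
    """Sanity check: this very process must show up in both views."""
    me = os.getpid()
    return me in listed_pids(me) and me in probed_pids(me)


if __name__ == "__main__":
    hidden = scan()
    print("hidden PID candidates:", sorted(hidden) if hidden else "none")
```

Two caveats that apply to any detector of this shape, KAV's included: it only catches a rootkit that hides from one view and not the other, so a rootkit hooking both the listing and the PID probe (or the signal path) is invisible to it, and it only reports what exists at the moment it runs, which is why the interval at which such a check is scheduled matters.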
Durad
May 15th, 2006, 05:25 PM
Can you upload it to VirusTotal so we can see how other software deals with it?
gmer
May 16th, 2006, 02:58 AM
{QUOTE-> Can you upload it to virustotal so we can see how other softwares deal with it? <-QUOTE}
STATUS: FINISHED
Complete scanning result of "very_bad_rootkit.zip", received in VirusTotal at 05.16.2006, 07:07:56 (CET).

Antivirus            Version          Update       Result
AntiVir              6.34.1.27        05.15.2006   no virus found
Avast                4.6.695.0        05.15.2006   no virus found
AVG                  386              05.15.2006   no virus found
BitDefender          7.2              05.16.2006   no virus found
CAT-QuickHeal        8.00             05.15.2006   no virus found
ClamAV               devel-20060426   05.15.2006   no virus found
DrWeb                4.33             05.16.2006   no virus found
eTrust-InoculateIT   23.72.9          05.16.2006   no virus found
eTrust-Vet           12.4.2209        05.15.2006   no virus found
Ewido                3.5              05.15.2006   no virus found
Fortinet             2.76.0.0         05.16.2006   no virus found
F-Prot               3.16c            05.15.2006   no virus found
Ikarus               0.2.65.0         05.15.2006   no virus found
Kaspersky            4.0.2.24         05.16.2006   no virus found
McAfee               4762             05.15.2006   no virus found
Microsoft            1.1372           05.16.2006   no virus found
NOD32v2              1.1539           05.15.2006   no virus found
Norman               5.90.17          05.15.2006   no virus found
Panda                9.0.0.4          05.15.2006   no virus found
Sophos               4.05.0           05.16.2006   no virus found
Symantec             8.0              05.16.2006   no virus found
TheHacker            5.9.7.143        05.15.2006   no virus found
UNA                  1.83             05.15.2006   no virus found
VBA32                3.11.0           05.15.2006   no virus found

Additional Information
File size: 1317 bytes
MD5:  f6bb3570fdab9b35d461c9bd7618fee3
SHA1: bae0cb076e6efdfbc8e443a38d49d89855978fd6
Regards
RejZoR
May 16th, 2006, 03:40 AM
VirusTotal will not be a good comparison at all.
You tested KAV6 locally and this one remotely through VT.
Panda could detect the rootkit with TruPrevent, but it can't here since it's not even active on VT (it must be on-access, not on-demand).
Just a thought.
Durad
May 16th, 2006, 02:28 PM
Gmer can you test that with NOD32, DrWeb and VBA32 the same way as you did with KAV?
Durad
May 16th, 2006, 02:35 PM
{QUOTE-> File size: 1317 bytes <-QUOTE}
?????
gmer
May 18th, 2006, 02:45 AM
{QUOTE-> Gmer can you test that with NOD32, DrWeb and VBA32 the same way as you did with KAV? <-QUOTE}
I will, probably. Does the trial version of NOD32 detect rootkits?
{QUOTE-> File size: 1317 bytes <-QUOTE}
As you saw, it was enough for KAV.
This rootkit is very simple.
Regards
Brian N
May 18th, 2006, 10:13 AM
{QUOTE-> I will probably. Does trial version of NOD32 detects rootkits ? <-QUOTE}
I think it does, retail has proactive rootkit detection.
You could download & install it, and tell us the version number (found under NOD32 System Tools > Information)
Brian N
May 18th, 2006, 10:59 AM
Oh, and the current retail version is 2.51.26
Marcos
May 18th, 2006, 01:10 PM
I think you should submit it to all AV vendors who do not detect it for analysis to make sure that the file should actually be detected.
Brian N
May 18th, 2006, 02:01 PM
{QUOTE-> I think you should submit it to all AV vendors who do not detect it for analysis to make sure that the file should actually be detected. <-QUOTE}
Indeed, that skull animation is something I used many many years ago.
Looking old here, but whatever.
gmer
May 18th, 2006, 05:12 PM
{QUOTE-> Indeed, that skull animation is something I used many many years ago.
Looking old here, but whatever. <-QUOTE}
It was just a simple test of how strong the new KAV + PDM is.
Now I know.
RejZoR
May 18th, 2006, 05:57 PM
Donno for sure, but to my knowledge, PDM Anti-Rootkit part module says it checks for rootkits every 20 minutes...
http://img352.imageshack.us/img352/7674/kavrootkit9jc.png
gmer
May 18th, 2006, 06:06 PM
{QUOTE-> Donno for sure, but to my knowledge, PDM Anti-Rootkit part module says it checks for rootkits every 20 minutes...
<-QUOTE}
Very nice period.
TNT
May 18th, 2006, 06:21 PM
{QUOTE-> Very nice period . <-QUOTE}Well, in a way, I agree... 20 minutes? What's the point? 20 seconds I understand, heck, even 2 minutes... but 20 minutes?
Antarctica
May 18th, 2006, 06:25 PM
{QUOTE-> Well, in a way, I agree... 20 minutes? What's the point? 20 seconds I understand, heck, even 2 minutes... but 20 minutes? <-QUOTE}
This is a beta version...;)
gmer
May 18th, 2006, 06:29 PM
{QUOTE-> This is a beta version...;) <-QUOTE}
The release version of KAV (6.0.0.299) has the same problem.
Mr Sobko (http://forum.kaspersky.com/index.php?showuser=259) is the product developer.
RejZoR
May 19th, 2006, 03:54 AM
Yes, but have you ever thought about the overhead of 20 second intervals?
Don Pelotas
May 19th, 2006, 08:55 AM
{QUOTE-> Release version of KAV ( 6.0.0.299 ) has the same problem .
Mr Sobko (http://forum.kaspersky.com/index.php?showuser=259) is product developer. <-QUOTE}
gmer, this is the first version of 6.0, it is at the start of its development and things will be added as it gets moving, new things will be added and the features already there will be improved. I'm at this point perhaps struggling a bit to see what you hope to gain by all these posts here, there and everywhere.
We have listened to you, sobko has responded to you in the thread (he's ill btw and not working 100% ATM), if you really want to help improve the rootkit detection of the PDM, then why not join the beta program instead of posting the same over & over again in different :)
gmer
May 19th, 2006, 01:45 PM
{QUOTE-> gmer, this is the first version of 6.0, it is at the start of its development and things will be added as it gets moving, new things will be added and the features already there will be improved. I'm at this point perhaps struggling a bit to see what you hope to gain by all these posts here, there and everywhere.
We have listened to you, sobko has responded to you in the thread (he's ill btw and not working 100% ATM), if you really want to help improve the rootkit detection of the PDM, then why not join the beta program instead of posting the same over & over again in different :) <-QUOTE}
I have made the test, that's all.
I wrote about this because I think it's better to know.
You can always write to the moderator to delete my post (in Poland it was called communism).
Don Pelotas
May 19th, 2006, 01:52 PM
{QUOTE-> I have made the test, that's all.
I wrote about this because I think it's better to know.
You can always write to the moderator to delete my post (in Poland it was called communism). <-QUOTE}
Why would I write to the moderator, that's silly. :)