Best Rootkit Protection
Pedro
November 7th, 2006, 12:12 PM
Well this is my first thread, and maybe the only one. It's about what most concerns me: Rootkits.:lurking:
1- What is, in your view, the best rootkit protection/prevention? Free and paid. You can name more than one of course. I use GeSWall + Prevx1 mainly, and playing with SSM free. Somehow I think it's missing something...:-\
And for detection, I use Rootkit Revealer and GMER. I have others, but mainly these. I really like GMER :thumb: , but no documentation exists, so I don't know how to use it, not really. I'm not an expert. I get concepts. Period. There are a lot of options in GMER, even for protection, it looks like a powerful tool.
2- So how about some of the experts here start a thread to write a manual? Starting with the basics and moving on? If he agrees with it. It would save him time to continue the development of the program. And many of us would appreciate the effort. As you go forward, send him the progress for correction.
Is it a bad idea????
aigle
November 7th, 2006, 01:19 PM
Protection- A sandbox &/or HIPS( GW and SSM)
Detection- BlackLight, Gmer and PWalker(Process Walker)
Removal- clean snapshot/ image or reformat
Marcos
November 7th, 2006, 01:22 PM
Don't forget about NOD32 2.7 which makes removal of active rootkits a piece of cake :)
lu_chin
November 7th, 2006, 02:26 PM
Hi Marcos, can you explain a little bit more on this new feature of NOD32 v2.7 (e.g. how to use it)? I am running it now but I cannot distinguish its new features from v2.5.
Thanks.
-{ Quote: "Don't forget about NOD32 2.7 which makes removal of active rootkits a piece of cake :)" }-
Pedro
November 7th, 2006, 03:10 PM
PWalker... don't know that one. Does it work on Windows or need cmd?
And what do you say of no.2? GMER manual?
Firefighter
November 7th, 2006, 03:11 PM
How about this Helios?
http://helios.miel-labs.com/2006/07/download-helios.html
Best regards,
Firefighter!
aigle
November 7th, 2006, 03:47 PM
-{ Quote: "PWalker... don't know that one. Does it work on Windows or need cmd?
And what do you say of no.2? GMER manual?" }-
PWalker runs on Windows, no need for commands. Looks nice (the only one to detect the latest rootkit phide.exe- there is a thread here)
Gmer I have used only a few times, it does tell you if your system is modified since the last scan. Don't know about a manual. I just used to do a scan, nothing else.
Very little play with rootkits so can't say much.
the Tester
November 7th, 2006, 04:02 PM
-{ Quote: "How about this Helios?
http://helios.miel-labs.com/2006/07/download-helios.html
Best regards,
Firefighter!" }-
It's an alpha and requires the Microsoft .NET Framework.
Otherwise I would try it.;)
Mele20
November 7th, 2006, 06:15 PM
-{ Quote: "Don't forget about NOD32 2.7 which makes removal of active rootkits a piece of cake :)" }-
That sounds impressive! Can you explain it a little more?
Marcos
November 7th, 2006, 06:54 PM
NOD32 2.7 provides a new method for detecting active rootkits which is called "Anti-Stealth technology". It is supported by AMON and the on-demand scanner. When enabled, NOD32 can see rootkits that are otherwise hidden from Windows API.
My 0.02$:
Using this option in the on-demand scanner, you can even discover any file that behaves like a rootkit and is undetected even by NOD32 - simply run 2 scans, one with Anti-Stealth enabled and the other one with AS disabled. If the total numbers of scanned files do not match (whilst using the very same settings), it's an indication of a rootkit-like file being active. Of course, it can also be a legit application that behaves this way.
lu_chin
November 7th, 2006, 08:29 PM
Thanks Marcos. Do I have to run what you had described in Windows Safe Mode in order to be effective?
-{ Quote: "NOD32 2.7 provides a new method for detecting active rootkits which is called "Anti-Stealth technology". It is supported by AMON and the on-demand scanner. When enabled, NOD32 can see rootkits that are otherwise hidden from Windows API.
My 0.02$:
Using this option in the on-demand scanner, you can even discover any file that behaves like a rootkit and is undetected even by NOD32 - simply run 2 scans, one with Anti-Stealth enabled and the other one with AS disabled. If the total numbers of scanned files do not match (whilst using the very same settings), it's an indication of a rootkit-like file being active. Of course, it can also be a legit application that behaves this way." }-
Atomas31
November 7th, 2006, 08:53 PM
-{ Quote: "Don't forget about NOD32 2.7 which makes removal of active rootkits a piece of cake :)" }-
I have version 2.5, where and how can I download version 2.7 in French (the paid version)???
Is version 2.7 a final release or is it still a beta version?
Thanks,
Atomas31
JerryM
November 8th, 2006, 12:25 AM
If I had to select an AV with a rootkit capability it would be F-Secure with its Blacklight.
I think a combination of F-Secure and the Bit Defender Rootkit Uncover would be a formidable defense. I also use UnHackMe and Snoopfree. I am not sure how the last two stack up.
Best,
Jerry
tansu
November 8th, 2006, 12:27 AM
There is recent research on detecting and removing rootkits..
-{ Quote: "In the study, which was commissioned by Symantec and conducted by veteran anti-virus expert Roger Thompson, 20 randomly chosen pieces of rootkit-laden malware files were pitted against the major anti-virus and anti-spyware vendors to rate detection and removal capabilities." }-
http://www.eweek.com/article2/0,1759,2051268,00.asp?kc=EWRSS03129TX1K0000614
solarpowered candle
November 8th, 2006, 12:54 AM
-{ Quote: "There is a recent research about detecting and removing rootkits..
Quote:
In the study, which was commissioned by Symantec
http://www.eweek.com/article2/0,1759,2051268,00.asp?kc=EWRSS03129TX1K0000614" }-
This is kind of funny, especially as the first thing you read is "Symantec Best at Removing Rootkits"
tansu
November 8th, 2006, 12:56 AM
-{ Quote: "This is kind of funny, especially as the first thing you read is "Symantec Best at Removing Rootkits"" }-
At least they are not hiding;D
Marcos
November 8th, 2006, 01:47 AM
-{ Quote: "Thanks Marcos. Do I have to run what you had described in Windows Safe Mode in order to be effective?" }-
It shouldn't matter; if a particular file is running, NOD32 should delete it the next time you start the computer.
john2g
November 8th, 2006, 02:45 AM
I believe that BOClean is the best application for
1. prevention of rootkit installation and
2. removal of rootkits from an already infected computer
BOClean was written originally to remove Back Orifice 10 years ago and I doubt that anyone has more knowledge, or understanding of rootkits than Kevin McAleavey.
aigle
November 8th, 2006, 03:00 AM
-{ Quote: "If I had to select an AV with a rootkit capability it would be F-Secure with its Blacklight.
I think a combination of F-Secure and the Bit Defender Rootkit Uncover would be a formidable defense. I also use UnHackMe and Snoopfree. I am not sure how the last two stack up.
Best,
Jerry" }-
SnoopFree is not for RootKits.
Peter2150
November 8th, 2006, 08:38 AM
-{ Quote: "How about this Helios?
http://helios.miel-labs.com/2006/07/download-helios.html
Best regards,
Firefighter!" }-
I gave it a whirl. Don't try this yet unless you have a good recovery option. While it looks interesting, it isn't even at the alpha stage in my opinion. It is proto code at this point. Doesn't like dual core processors, among other things.
Pete
Marcos
November 8th, 2006, 09:06 AM
A quote from their website:
Thus Helios uses a 'behavioural' analysis engine as opposed to signatures. The upside to this is that we can catch malware that is 'unknown' in the wild, or for which signature based products do not have a signature definition.
How do they ensure that Helios does not report many false positives? You can also use NOD32 to detect any file that behaves like a rootkit using the anti-stealth technology. However, NOD32 will hardly report any false positives as it uses advanced heuristics for code emulation as well as signatures for precise detection of known rootkit variants. If you wish, you can conduct 2 scans, one with the anti-stealth technology enabled and one with AS disabled. If the total numbers of scanned files do not match, you have a rootkit-like file active. However, always bear in mind that also legit commercial applications may use such files so it could be just a false indication.
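The two-scan count comparison Marcos describes here (and in his earlier post) is a cross-view check. What follows is an added example, not NOD32's code or anything posted in this thread, using constructed file listings in place of the two scans; it also shows why comparing the paths themselves is stronger than comparing totals.

```python
# Cross-view comparison of two file listings. Added example with constructed
# data; it does not call any scanner and does not model NOD32 internals.

# Constructed sample listings. STEALTH_VIEW stands in for a scan that reads
# the file system below any API hooks; API_VIEW for a scan that trusts the
# ordinary Windows file-enumeration API.
STEALTH_VIEW = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\example_hidden.sys",  # hidden from the API view
    r"C:\Users\pedro\notes.txt",
}
API_VIEW = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\pedro\notes.txt",
    r"C:\Users\pedro\tmp\download.part",  # created between the two scans
}


def count_mismatch(stealth_view, api_view):
    """The check from the thread: do the total scanned-file counts differ?"""
    return len(stealth_view) != len(api_view)


def cross_view_diff(stealth_view, api_view):
    """Per-path comparison of the two views.

    Returns (hidden, transient):
      hidden    - paths the low-level scan saw but the API scan did not
                  (rootkit-like, or a legitimate product that hides files)
      transient - paths only the API scan saw, usually files created or
                  renamed between the two scans rather than anything hidden
    """
    hidden = sorted(stealth_view - api_view)
    transient = sorted(api_view - stealth_view)
    return hidden, transient


if __name__ == "__main__":
    # Counts match here (3 vs 3) because a new file offset the hidden one,
    # so the count-only check reports nothing; the per-path diff still does.
    print("count mismatch:", count_mismatch(STEALTH_VIEW, API_VIEW))
    hidden, transient = cross_view_diff(STEALTH_VIEW, API_VIEW)
    print("hidden:", hidden)
    print("transient:", transient)
```

Anything in the hidden list still needs a second opinion, since, as Marcos notes, some legitimate commercial software hides its own files the same way.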
SystemJunkie
November 9th, 2006, 02:08 PM
Helios doesn't work with dual cores, so forget it.
Gmer has best chances to become awarded as best anti-rootkit, depends on how it will improve the next time.
I love to play the unhook game.
Concerning Symantec: They get the most resource hungry software award.
And the how-to-slow-down-your-computer-the-easiest-way award.
kdm31091
November 9th, 2006, 09:56 PM
Oh of course Symantec-sponsored tests will say Norton is the best. Utter junk.
btman
November 9th, 2006, 11:46 PM
According to PC World or something... Spyware Doctor is the best.
Pedro
November 13th, 2006, 07:41 PM
Since no.2 has been discarded, I just want to ask one thing: if I format a disk re-installing Windows, is it possible for a malware to remain? Maybe it's idiotic, but I want to ask anyway.:D
cheater87
November 13th, 2006, 07:54 PM
XD Spyware Doctor, that thing messed up my uncle's computer and it stopped working on mine
the insider
November 14th, 2006, 12:41 PM
I use Unhackme : simple and good ;)
SystemJunkie
November 15th, 2006, 04:48 AM
Do you think UnHackMe detects anything? It has lots of false positives.
I don't think it's max. reliable.
Spyware Doctor has good sides, but I think it could eat up some of your resources too, not as extremely bad as Spy Sweeper or even "Norton crazy hook fanatics".
JerryM
November 15th, 2006, 01:33 PM
-{ Quote: "Do you think UnHackMe detects anything? It has lots of false positives.
I don't think it's max. reliable.
Spyware Doctor has good sides, but I think it could eat up some of your resources too, not as extremely bad as Spy Sweeper or even "Norton crazy hook fanatics"." }-
I don't know how good it is, but I have had it at least a year, and have never had a FP.
Jerry
Pedro
November 15th, 2006, 01:42 PM
-{ Quote: "Since no.2 has been discarded, I just want to ask one thing: if I format a disk re-installing Windows, is it possible for a malware to remain? Maybe it's idiotic, but I want to ask anyway.:D" }-
Anyone?
SystemJunkie
November 15th, 2006, 04:02 PM
Yes, surely.
Zombini
January 18th, 2007, 11:43 PM
Nothing new here. Norton has detected rootkits (without a fancy "anti-stealthing" name) since NIS/NAV 2007. Under the covers it uses core APIs acquired from Veritas which (let's just say) know a little more about file systems than ESET ever will :-)