View Full Version : nod32 vs kernel mode RK
November 14th, 2006, 08:46 AM
hi i'm big fan of nod32 , but how is he dealing with kernel mode rootkits ? i know he detects user mode rootkits , but with the last beta version he is unable to detect rustock.b, a kernel mode rootkit.???
November 14th, 2006, 09:04 AM
(Symantec: ) Backdoor.Rustock.B (http://www.symantec.com/avcenter/venc/data/backdoor.rustock.b.html)
(Kaspersky: ) Trojan-Clicker.Win32.Costrat.h (http://www.viruslist.com/en/viruses/encyclopedia?virusid=130792)
(Sophos: ) Troj/Mailbot-AX (http://www.sophos.com/security/analyses/trojmailbotax.html)
(McAfee: ) Spam-Mailbot.c (http://vil.nai.com/vil/content/v_140181.htm)
This threat is rated as a "low"/"very low" risk by the AV vendors, so could be that ESET just "ignores" this threat and prioritize other more high risk threats instead.
November 14th, 2006, 09:18 AM
it s a well known rootkit ( pe286) for using advanced stealth tricks, i'm just asking how eset is dealing with that sort of rootkits, when they are allready installed on the computer, has they claim to detect and cleaning installed rootkits ( kernel rk ?).
i know its just a beta for the moment , but are they working on this for the future ?
November 14th, 2006, 09:27 AM
You can conduct two scans - one with Anti-Stealth disabled and one with AS enabled. If the total numbers of scanned files do not match, you have a rootkit-like process active. If you set NOD32 to scan all files and compare the logs, you will find such files easily even if NOD32 does not detect that rootkit.
November 14th, 2006, 09:57 AM
ok thanks marcos for the easy way, it would be great if nod32 could deal with kernel rk in the future , just 2 ou 3 tools can do for the moment ( rkunhooker for example ) and absolutely no av can face effectively for the moment to that kind of rk.
vBulletin® Copyright ©2000-2014, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2014, Wilders Security Forums