Rootkit Detection
Diver
May 15th, 2008, 09:39 AM
PDF:
http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf
Article:
http://www.darkreading.com/document.asp?doc_id=153760&WT.svl=news1_2
Web scanners did poorly, dedicated rootkit detection programs did best.
Enjoy
tesk
May 15th, 2008, 10:21 AM
This is a very interesting test!
But how can BitDefender and BullGuard get different results? BullGuard uses the BitDefender engine?
kinwolf
May 15th, 2008, 10:42 AM
-{ Quote: "This is a very interesting test!
But how can BitDefender and BullGuard get different results? BullGuard uses the BitDefender engine?" }-
Yes but the driver is important here, not just the engine. Bullguard licensed the engine but have to develop their own driver.
harlan4096
May 15th, 2008, 12:47 PM
-{ Quote: "PDF:
http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf
Article:
http://www.darkreading.com/document.asp?doc_id=153760&WT.svl=news1_2
Web scanners did poorly, dedicated rootkit detection programs did best.
Enjoy" }-
Which KIND OF TEST is that ????? >:( KASPERSKY 7.0.0.119???? :wacko: That version is from last year and it was, I think, a beta or alpha, not a release version!!!!!! ... The final version was 7.0.0.125 and after that came 7.0.1.325 MP1 ...
kinwolf
May 15th, 2008, 12:51 PM
-{ Quote: "Which KIND OF TEST is that ????? >:( KASPERSKY 7.0.0.119???? :wacko: That version is from last year and it was, I think, a beta or alpha, not a release version!!!!!! ... The final version was 7.0.0.125 and after that came 7.0.1.325 MP1 ..." }-
If you'd read the paper and not just looked at the table, you'd know that the first part of the test was done for a German magazine in Oct. 2007. The text also explains why they wrote the paper with that data.
harlan4096
May 15th, 2008, 12:56 PM
-{ Quote: "If you'd read the paper and not just looked at the table, you'd know that the first part of the test was done for a German magazine in Oct. 2007. The text also explains why they wrote the paper with that data." }-
And??? I know it! But you can't publish that test now, after almost 7 months, with obsolete info, I think ...
Regards.
kinwolf
May 15th, 2008, 01:10 PM
-{ Quote: "But you can't publish that test now, after almost 7 months, with obsolete info, I think ...
Regards." }-
Again, the reason why they published that info now is explained in the report itself.
Ximi
May 15th, 2008, 03:37 PM
Avira + BitDefender seem to do a very good job, and those 2 anti-virus products seem to be the best in this test.
aigle
May 16th, 2008, 02:13 AM
Avira's cleaning is poor, at least in this test.
Longboard
May 16th, 2008, 02:19 AM
A step in the right direction could be to focus on providing bootable rescue media, too: this might be the product installation CD or a CD or disk that a user can create and update himself. When the system is started from this media, the rootkit cannot be activated on the system, so a scanner would be able to see all files and registry entries which would usually be hidden. This way, the scanner could detect and delete all rootkit and malware components as long as the signature database is up to date and comprehensive.
That might be the crux of this review
AVG antirootkit now incorporated into commercial release
Trend Micro tool still available (fast scanner)
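The paper passage quoted above describes why offline scanning works: with the rootkit inactive, the scanner sees the files the rootkit would otherwise filter out of directory listings. The same idea underlies the "cross-view" check that dedicated anti-rootkit tools perform, comparing what the running system reports against an independent view of the disk. The following is an added example written for this thread, not code from the AV-Test paper or from any of the products discussed; the two listings are constructed sample data and the file names in them (including `hidden_rk.sys`) are placeholders.

```python
"""Cross-view comparison of a live file listing against an offline listing.

The 'live' view is what the running OS reports (a rootkit, if active, may
filter it).  The 'offline' view is the same volume enumerated after booting
from clean rescue media, where no rootkit code runs.  Paths present offline
but missing live are the classic sign of a file-hiding rootkit.
Added example for this thread; all data below is constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # full path as reported by the enumerating view
    size: int   # size in bytes as reported by that view


# Constructed: what the running system's file API returned (rootkit active).
LIVE_VIEW = {
    Entry(r"C:\Windows\System32\ntoskrnl.exe", 2_180_000),
    Entry(r"C:\Windows\System32\drivers\tcpip.sys", 360_000),
    Entry(r"C:\Windows\System32\drivers\etc\hosts", 824),
    Entry(r"C:\Users\alice\report.docx", 45_000),
    Entry(r"C:\Users\alice\~WRL0001.tmp", 4_096),   # editor temp file, gone after shutdown
}

# Constructed: the same volume enumerated from rescue media (rootkit inactive).
OFFLINE_VIEW = {
    Entry(r"C:\Windows\System32\ntoskrnl.exe", 2_180_000),
    Entry(r"C:\Windows\System32\drivers\tcpip.sys", 360_000),
    Entry(r"C:\Windows\System32\drivers\hidden_rk.sys", 12_288),   # placeholder name
    Entry(r"C:\Windows\System32\drivers\etc\hosts", 1_310),        # live view shows fewer bytes
    Entry(r"C:\Users\alice\report.docx", 45_000),
}


def cross_view_diff(live, offline):
    """Compare two views of one volume.

    Returns (hidden, size_mismatch, live_only):
      hidden        - paths the offline view has but the live view does not
      size_mismatch - paths in both views whose reported sizes differ
      live_only     - paths only the live view has (usually files removed
                      between the two snapshots; worth reviewing, not alarming)
    Windows paths are compared case-insensitively.
    """
    live_by_path = {e.path.lower(): e for e in live}
    offline_by_path = {e.path.lower(): e for e in offline}

    hidden = sorted(e.path for key, e in offline_by_path.items()
                    if key not in live_by_path)
    live_only = sorted(e.path for key, e in live_by_path.items()
                       if key not in offline_by_path)
    size_mismatch = sorted(e.path for key, e in live_by_path.items()
                           if key in offline_by_path
                           and e.size != offline_by_path[key].size)
    return hidden, size_mismatch, live_only


def report(live, offline):
    """Human-readable summary of the comparison, one finding per line."""
    hidden, size_mismatch, live_only = cross_view_diff(live, offline)
    lines = [f"HIDDEN (offline only, possible rootkit): {p}" for p in hidden]
    lines += [f"SIZE MISMATCH (live view under-reports): {p}" for p in size_mismatch]
    lines += [f"LIVE ONLY (review, likely transient): {p}" for p in live_only]
    return lines or ["no discrepancies between views"]


if __name__ == "__main__":
    for line in report(LIVE_VIEW, OFFLINE_VIEW):
        print(line)
```

The check is only as good as the independence of the two views: if the "offline" listing is itself taken through the infected operating system's API, a kernel-mode rootkit can filter both and the diff is empty. That is exactly why the paper recommends booting from rescue media rather than relying on a scan from inside the running system.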
EASTER
May 16th, 2008, 03:11 AM
-{ Quote: "A step in the right direction could be to focus on providing bootable rescue media, too: this might be the product installation CD or a CD or disk that a user can create and update himself. When the system is started from this media, the rootkit cannot be activated on the system, so a scanner would be able to see all files and registry entries which would usually be hidden. This way, the scanner could detect and delete all rootkit and malware components as long as the signature database is up to date and comprehensive.
That might be the crux of this review
AVG antirootkit now incorporated into commercial release
Trend Micro tool still available (fast scanner)" }-
If my sworn-to-secrecy private ARKD builds can't cut it, I use ERD Commander, load the affected O/S system into it for in-depth search and reviews as well as removals.
I really don't know any other way to penetrate a deeply affected system other than this method.
EASTER
pykko
May 16th, 2008, 05:15 AM
-{ Quote: "Avira's cleaning is poor, at least in this test." }-
Just because the tester didn't do it properly. ;)
See that the stand-alone Avira rootkit detector BETA has very good cleaning capacities.
Avira v7 and v8 use the same engine as in that stand-alone app.
In AntiVir there is also the option to do a quick search before a normal scan, and also to do the Full search from the scanner page (tab as it was in v7).
Here's a quote from Avira Help file:
-{ Quote: "Search for Rootkits before scan
If this option is enabled and a scan is started, Scanner scans the Windows system directory for active rootkits in a so-called shortcut. This process does not scan your computer for active rootkits as comprehensively as the scan profile Scan for rootkits, but it is significantly quicker to perform." }-
So, obviously the tester used only the quick search option instead of the full rootkit scanning profile and that is why they got this result.
Maybe if Andreas Marx can be contacted or reads this forum, he will correct the test.
aigle
May 16th, 2008, 06:29 AM
To me it appears as a minimal rootkit scan before any on-demand scan (even for a file or a few files). How can he use this option? He must have used a complete system scan/rootkit scan.
pykko
May 16th, 2008, 07:29 AM
Then how do you explain it? ??? The same engine is used in Avira 7 or 8 and in the Avira rootkit detector also.
aigle
May 16th, 2008, 09:21 AM
I don't know really. But no way can I think that he did not use a complete scan or rootkit scan. So obvious, even a beginner will not do it like that.
In fact I don't understand your mini rootkit scan at all, how can one do it. To me this option means that a minimal rootkit scan will be done before any on-demand scan, for a file/files. Obviously no such scan can be used for active rootkits.
emperordarius
May 16th, 2008, 02:48 PM
Looks like they were using the technical release of Kaspersky.
Have you seen these other, more recent tests? http://www.anti-malware-test.com/?q=taxonomy/term/7
lodore
May 16th, 2008, 02:52 PM
-{ Quote: "Looks like they were using the technical release of Kaspersky.
Have you seen these other, more recent tests? http://www.anti-malware-test.com/?q=taxonomy/term/7" }-
Actually it says they used KIS 7.0 build 119.
kareldjag
May 17th, 2008, 10:57 AM
Here's another test done by students of Epitech, a French engineering school: in English (http://www.securitynewsletter.com/news/studies/lab-reviews-anti-rootkits) and in French (http://www.silicon.fr/fr/news/2008/03/26/test_anti_rootkit___les_solutions_sont_loin_d_etre_parfaites___).
The main limit of these tests is the restricted number of samples and ARK tested.
NB: GData provides rootkit detection via a boot CD.
Regarding rootkits, antivirus can't be trusted.
Rootkits have existed for 20 years on Unix systems, and officially since 2000 (NTRootkit by Hoglund) on Windows.
And since 2006, there's been an escalation of rootkit literature and tools from AV companies.
Bravo! great! super! fantastico!
But seriously, just a question: what have they done before?
One of the keys to security is reactivity: 6 years, isn't that a strange approach to reactivity?
Unprofessional? Business strategy (less R&D = more cash flow), or a sign of conspiracy (a law enforcement door for security agencies like the NSA)?
The silence and taboo related to this question is already an avowal of guilt.
The discovery of the spambot Rustock C and its related botnet is proof of AV inefficiency against rootkits.
And by experience I'm often quite sceptical about AV marketing speech: I've verified myself the inefficiency of KAV 6 against Rustock B.
Moreover, there are still many rootkits unknown (no pattern file) to AV labs (I have for instance 2 Russian rootkits not detected by Dr.Web and KAV).
The key against rootkits is prevention (always better than cure): like some people, I've made some efforts in this area to promote the need for HIPS: products like Process Guard, Viguard, Abtrusion Protector, SSM have provided rootkit protection since 2003/2004.
Detection of rootkits is a large subject, but as often the song is the same: more knowledge and experience = less AV dependency.
regards
Macstorm
May 17th, 2008, 07:19 PM
-{ Quote: "Here's another test done by students of Epitech, a French engineering school: in English (http://www.securitynewsletter.com/news/studies/lab-reviews-anti-rootkits) and in French (http://www.silicon.fr/fr/news/2008/03/26/test_anti_rootkit___les_solutions_sont_loin_d_etre_parfaites___)." }-
GMER & SafetyCheck passed the tests successfully :thumb:
lodore
May 17th, 2008, 08:26 PM
hi kareldjag,
have you sent the samples to all major vendors?
Dwarden
May 19th, 2008, 01:13 PM
I would like to see a rootkit test including the latest Avast! and the Alwil anti-rootkit (though it uses GMER as a base, it sometimes does a bit better).
MrBrian
July 11th, 2008, 07:28 PM
This link (http://shmalware.blogspot.com/2007/04/modern-arks-illusion-of-detection.html) purports to give the opinion of the author of Rootkit Unhooker LE regarding the merits of other anti-rootkit software, as of several years ago. The word 'useless' is mentioned often. Rootkit Unhooker LE was the only program that had perfect detection rates in the XP tests mentioned in post #1.
dw2108
July 12th, 2008, 07:12 PM
To prevent the NTFS and FAT 32 rootkits, I did this. Using DOS FDISK, I split a drive, with a FAT 16 on each partition. Next, I loaded Win 98 SE on a partition, and then I loaded Win XP SP3 as a separate, clean install on the SAME partition containing the 98 SE, choosing the option to leave the FAT 16 unchanged as well as keeping the 98 SE OS intact so as to have a dual-boot system on the same partition. Most of the 98 SE works, and XP also works. While using a rootkit test file, the test file stopped responding.
Dave
Someone
July 13th, 2008, 12:29 AM
-{ Quote: "This link (http://shmalware.blogspot.com/2007/04/modern-arks-illusion-of-detection.html) purports to give the opinion of the author of Rootkit Unhooker LE regarding the merits of other anti-rootkit software, as of several years ago. The word 'useless' is mentioned often. Rootkit Unhooker LE was the only program that had perfect detection rates in the XP tests mentioned in post #1." }-
Hi
I thought it was Sunday, April 8, 2007, so wouldn't it be one year?
But the writer seemed to think that every single anti-rootkit was bad, saying "However, all (without exception) can be avoided."
So according to him anti-rootkits are useless?
Thanks
EASTER
July 13th, 2008, 12:38 AM
-{ Quote: "Detection of rootkits is a large subject, but as often the song is the same: more knowledge and experience = less AV dependency.
regards" }-
Well said.
Rooters & hiders have to go deep for maximum concealment, and the same is required of their nemesis patrollers too. AVs already have a full plate with blacklists, and adding to their bulk just to examine some of these deep-sea divers.
BTW, any thoughts on static hardening apps that attempt to position themselves in a chain from the SSDT table to other entry zones?
Regards as always
EASTER
Arup
July 13th, 2008, 11:51 AM
How about x64-bit OS with their PatchGuard? Are they immune from rootkits, as they say in this link? http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1302397,00.html
MrBrian
July 13th, 2008, 02:13 PM
-{ Quote: "I thought it was Sunday, April 8, 2007, so wouldn't it be one year?
But the writer seemed to think that every single anti-rootkit was bad, saying "However, all (without exception) can be avoided."
So according to him anti-rootkits are useless?
" }-
You're correct that that's the day of the blog entry. However, the blog writer isn't the same person who wrote or translated those comments, which were originally written in Russian, apparently.
The author does seem to take a critical view of others' work. I think the author was trying to convey the idea that, in the author's opinion, most of the other anti-rootkits are easily bypassed if a rootkit writer has the knowledge and willingness to do so. By the way, I've seen elsewhere that the author now works for Microsoft.
Someone
July 15th, 2008, 07:28 AM
-{ Quote: "You're correct that that's the day of the blog entry. However, the blog writer isn't the same person who wrote or translated those comments, which were originally written in Russian, apparently.
The author does seem to take a critical view of others' work. I think the author was trying to convey the idea that, in the author's opinion, most of the other anti-rootkits are easily bypassed if a rootkit writer has the knowledge and willingness to do so. By the way, I've seen elsewhere that the author now works for Microsoft." }-
Hi
Well one thing I'm confused about is, if all anti-rootkits are really so worthless, why are they so popular?
Thanks
cruelsister
July 15th, 2008, 09:11 AM
They're popular for the same reason that users of Firefox/MacOS/Linux feel they have nothing to worry about.
Someone
July 15th, 2008, 09:13 AM
-{ Quote: "They're popular for the same reason that users of Firefox/MacOS/Linux feel they have nothing to worry about." }-
Ah... I see. But Firefox really is much better than IE.
MrBrian
July 15th, 2008, 07:44 PM
-{ Quote: "Well one thing I'm confused about is, if all anti-rootkits are really so worthless, why are they so popular?" }-
From looking at the results of the anti-rootkit programs from post #1, I wouldn't agree that they're worthless. The alleged author of those comments also made a rootkit that his/her own RootKit Unhooker LE v3.7 can detect but cannot remove, so does that make even his/her own anti-rootkit program 'useless' too because it's not perfect? (See http://forum.sysinternals.com/forum_posts.asp?TID=13773&PN=2)
Copyright ©2002 - 2012, Wilders Security Forums