Does Runscanner show any Keylogger etc?


truthseeker
August 30th, 2008, 08:17 PM
When I run a program called RunScanner, it shows all running processes.

If I was infected with a keylogger etc, would it show up on RunScanner?

RunScanner
August 31st, 2008, 10:58 AM
Most likely yes, except if it was an undetectable rootkit

Longboard
August 31st, 2008, 11:27 AM
-{ Quote: "Most likely yes, except if it was an undetectable rootkit" }-
No offence intended ( I like RS :) )
Ow: heh : my brain hurts >> is that a logic bomb or just an inverted tautology ;)

On a more serious note: I had thought that RS was good at ferreting out hidden processes ??

truthseeker
September 1st, 2008, 06:36 AM
-{ Quote: "Most likely yes, except if it was an undetectable rootkit" }-

So "undetectable rootkits" don't run in RAM? If not, then how can they do anything if they aren't running in memory?

truthseeker
September 1st, 2008, 06:37 AM
-{ Quote: "No offence intended ( I like RS :) )
Ow: heh : my brain hurts >> is that a logic bomb or just an inverted tautology ;)

On a more serious note: I had thought that RS was good at ferreting out hidden processes ??" }-

What's RS?

Antarctica
September 1st, 2008, 06:48 AM
-{ Quote: "What's RS?" }-

I guess RunScanner.:)

BlueZannetti
September 1st, 2008, 06:52 AM
-{ Quote: "So "undetectable rootkits" don't run in RAM? If not, then how can they do anything if they aren't running in memory?" }-

They are running in RAM. The typical scenario: the information provided to you by the OS (say via Task Manager) has been filtered by the rootkit to eliminate references to itself.

Blue

truthseeker
September 1st, 2008, 06:56 AM
-{ Quote: "I guess RunScanner.:)" }-

Yeah, I thought that too, but the way he used RS in that context sounded like he was disagreeing with RunScanner.

truthseeker
September 1st, 2008, 06:57 AM
-{ Quote: "They are running in RAM. The typical scenario: the information provided to you by the OS (say via Task Manager) has been filtered by the rootkit to eliminate references to itself.

Blue" }-

Can you please elaborate? Do you mean if I run RunScanner, it won't show as it somehow has made itself "invisible" in RAM?

BlueZannetti
September 1st, 2008, 07:15 AM
-{ Quote: "Can you please elaborate? Do you mean if I run RunScanner, it won't show as it somehow has made itself "invisible" in RAM?" }-

First of all, take the time to read and understand what I wrote instead of popping off a few one-liner questions without first digging deeper yourself.

My response was to your comment on "undetectable rootkits", not Runscanner. You had initially asked:

-{ Quote: "When I run a program called RunScanner, it shows all running processes.

If I was infected with a keylogger etc, would it show up on RunScanner?" }-

The initial response given was:

-{ Quote: "Most likely yes, except if it was an undetectable rootkit" }-

Which is a correct answer. If you are infected with a keylogger and said keylogger is a part of an "undetectable rootkit", RunScanner may not be able to provide a completely reliable reading of the processes running on your system. Rootkits hook into the OS system calls and will typically filter out self-referential information. In a nutshell, that's how they hide.

Think of it this way - consider a simple operation, say a directory listing. Getting that directory listing generally involves calling the OS and information is passed back to you from the OS. If a process is inserted between you and the base OS, it can filter/alter the information that is provided back to you. Clear enough?

Blue
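
The filtering described in the post above is what a cross-view check looks for: take the process list the OS API reports, take a second list from a lower-level source, and report what only the second one contains. This is an added example, not part of the thread and not RunScanner's code; it generalizes the idea to several snapshots so that a process starting between two reads is not misreported. The names `Proc`, `hidden_candidates` and `confirmed_hidden` and all sample data are constructed, and how the low-level list is obtained is assumed to be handled elsewhere.

```python
from collections import namedtuple

# start_time distinguishes a reused PID from the original process
Proc = namedtuple("Proc", "pid start_time name")

def hidden_candidates(api_view, raw_view):
    """Entries the low-level view has that the OS API view lacks."""
    reported = {(p.pid, p.start_time) for p in api_view}
    return {(p.pid, p.start_time): p for p in raw_view
            if (p.pid, p.start_time) not in reported}

def confirmed_hidden(snapshots):
    """snapshots: list of (api_view, raw_view) pairs taken moments apart.

    The two views of one snapshot are never read at the same instant, so a
    process that starts in between looks hidden once. Only entries missing
    from the API view in every snapshot are reported.
    """
    persistent = None
    for api_view, raw_view in snapshots:
        found = hidden_candidates(api_view, raw_view)
        if persistent is None:
            persistent = found
        else:
            persistent = {k: p for k, p in persistent.items() if k in found}
    return sorted(persistent.values()) if persistent else []

# Constructed sample data (hypothetical PIDs, start times and names)
EXPLORER = Proc(100, 1000, "explorer.exe")
SVCHOST = Proc(200, 1005, "svchost.exe")
NOTEPAD = Proc(400, 1300, "notepad.exe")       # starts between the two reads
SAMPLE = Proc(300, 1220, "sample_hidden.exe")  # filtered out of the API view
SNAPSHOTS = [
    ([EXPLORER, SVCHOST], [EXPLORER, SVCHOST, SAMPLE, NOTEPAD]),
    ([EXPLORER, SVCHOST, NOTEPAD], [EXPLORER, SVCHOST, SAMPLE, NOTEPAD]),
]

if __name__ == "__main__":
    for proc in confirmed_hidden(SNAPSHOTS):
        print("in low-level view only:", proc)
```

A check like this is only as trustworthy as its low-level source: if that source is read through the same hooked calls, both views are filtered alike and the difference is empty.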