How is AVG Anti Rootkit???

cheater87 · #1 April 11th, 2007, 03:58 PM

I like AVG anti spyware. How is their anti rootkit??

http://www.grisoft.com/doc/download-...otkit/us/crp/0

fcukdat · #2 April 11th, 2007, 06:11 PM

It has vastly improved on the last offerings

It detected 4/4 of unique samples i loaded onto my PC and effectively removed 3/4

Samples being>>>
Haxdoor(Poof) Ntio256.sys and Protector.exe(Hidden from WinAPI)
Rustock B (Lzx32.sys)
Wincom32....dropped by the *storms* worm
Trojan injector aka all-in-one

It choked on Rustock B,it could see the ADS loaded driver but failed to remove it after 5 attempts(detect and reboot to clean).This is still ahuge improvement on its previous incarnation

Attached are screenshots of test with RKU used as benchmarking

lu_chin · #3 April 11th, 2007, 07:09 PM

Thanks fcukdat for the test results. Does it make any difference in terms of detection and removal when the user selects "Perform in-depth search"?

ErikAlbert · #4 April 11th, 2007, 07:30 PM

I also tried "AVG Anti Rootkit" and here is my detailed report.

I ran "Search for rootkits" and it reported only one rootkit : C:\$ISR\0\ISRService.exe
This file belongs to FirstDefense-ISR.

Then I ran "Perform in-depth search" on both harddisks (system and data partition) and it reported again
one rootkit : C:\$ISR\0\ISRService.exe
This file belongs AGAIN to FirstDefense-ISR

It's very depressing to see your very best software, reported as a rootkit.

Well, AVG Anti-Rootkit couldn't find anything, which is normal, because my frozen snapshot removes all rootkits, except the rootkit C:\$ISR\0\ISRService.exe of course

In other words : R.I.P.S. works

lu_chin · #5 April 11th, 2007, 07:43 PM

Now I am beginning to see an "user-friendly" anti-rootkit program with reasonable detection capability. Hopefully, similar improvements will be made to other end-user oriented AR programs by different companies too.

Firecat · #6 April 11th, 2007, 07:59 PM

Anyone noticed how nice the interface of the new AVG product is? It is in sharp contrast to the old looking interface found on the AVG 7.5 products. I guess Grisoft let Ewido design the interface this time....This means great things for the upcoming AVG 8.0

cheater87 · #7 April 11th, 2007, 10:57 PM

Yay I'm clean

JerryM · #8 April 11th, 2007, 11:24 PM

I may have to try it. Right now I have BD Rootkit Uncover, FS Blacklight, and today I downloaded and installed AVira anti-rootkit. All run well, and I have no way to determine which is best, as there have been no rootkits uncovered.

Is AVG AR intended to remain free and stand-alone?

Regards,
Jerry

fcukdat · #9 April 12th, 2007, 02:20 AM

FWIW Jerry

SAS will detect and remove more genre of malware rootkits then any of the ARK tools you have listed.So you have your bases covered to some degree

ErikAlbert · #10 April 12th, 2007, 04:59 AM

Quote:

Originally Posted by lu_chin

Now I am beginning to see an "user-friendly" anti-rootkit program with reasonable detection capability. Hopefully, similar improvements will be made to other end-user oriented AR programs by different companies too.

AVG Anti-Rootkit wasn't very "user-friendly" to me, because it reported a false/positive.
C:\$ISR\0\ISRService.exe is NOT a rootkit, it's a legitimate file.

A less-knowledgeable user or even worse would have deleted this false/positive and that would have caused problems in FirstDefense-ISR. So I ditched the freeware and classified it as a 'dangerous' security software for users of a lesser God.

Pedro · #11 April 12th, 2007, 09:32 AM

Quote:

Originally Posted by ErikAlbert

AVG Anti-Rootkit wasn't very "user-friendly" to me, because it reported a false/positive.
C:\$ISR\0\ISRService.exe is NOT a rootkit, it's a legitimate file.

A less-knowledgeable user or even worse would have deleted this false/positive and that would have caused problems in FirstDefense-ISR. So I ditched the freeware and classified it as a 'dangerous' security software for users of a lesser God.

It doesn't detect anything for me. And if you consider what GMER or RKU will throw at you, this is very good. Not as good as the other two, ok, but usable by anyone. Just google your 1/2 results. Very simple.
I have this AVG-AR for some time now, and i'll be keeping it. It gets better every edition it seems.

JerryM · #12 April 12th, 2007, 10:43 AM

Quote:

Originally Posted by fcukdat

FWIW Jerry

SAS will detect and remove more genre of malware rootkits then any of the ARK tools you have listed.So you have your bases covered to some degree

Thanks for the reply.
Although I have several good programs, including SAS, I don't really know how to evaluate their effectivness. None ever finds anything.
How did you determine that SAS is better than the ones I mentioned? I don't doubt it as such, but unless one is doing tests or cleaning machines there isn't much data.

Regards,
Jerry

ErikAlbert · #13 April 12th, 2007, 11:41 AM

Quote:

Originally Posted by Pedro

It doesn't detect anything for me. And if you consider what GMER or RKU will throw at you, this is very good. Not as good as the other two, ok, but usable by anyone. Just google your 1/2 results. Very simple.
I have this AVG-AR for some time now, and i'll be keeping it. It gets better every edition it seems.

Any malware causes a change on your harddisk, including rootkits.
My frozen snapshot removes those changes during reboot in less than 2 minutes and without false/positives and without running any AV/AS/AT/AK/AR-scanners.
Other users have at least 5 main scanners and another minimum of 5 scanners on demand, that makes 10 scanners to run each day and is your computer really clean after that ? Maybe until you run a new scanner, that finds malware on your computer, which was never detected by your other scanners. That's not my idea of security.

I simply don't have the time to run all these security applications, so I looked for another solution.
After trying AVG AR, I didn't even have to uninstall it, it was gone when I rebooted the next morning.

lucas1985 · #14 April 12th, 2007, 01:19 PM

Quote:

Originally Posted by ErikAlbert

AVG Anti-Rootkit wasn't very "user-friendly" to me, because it reported a false/positive.
C:\$ISR\0\ISRService.exe is NOT a rootkit, it's a legitimate file.

A less-knowledgeable user or even worse would have deleted this false/positive and that would have caused problems in FirstDefense-ISR. So I ditched the freeware and classified it as a 'dangerous' security software for users of a lesser God.

Erik,
Remember that rootkits aren't malware per se. They are tools designed to hide files/services/reg keys in Windows-based systems. A good amount of legitimate software use rootkit-like techniques, FirstDefense-ISR being one of them.
Rootkit scanners are forensic tools (like Hijackthis) . They report their finds and it's up to the user to decide what to do with the findings. Run RkR (Rootkit Revealer), GMER, IceSword and RkU(Rootkit Unhooker) and you'll see why AVG Antirootkit is labeled "user-friendly".

Quote:

Originally Posted by JerryM

How did you determine that SAS is better than the ones I mentioned? I don't doubt it as such, but unless one is doing tests or cleaning machines there isn't much data.

fcukdat has tested SAS against the nastiest malware (CWS, Vundo, Gromzon, Rustock, etc) with great success. He used RkU as a reference.

fcukdat · #15 April 12th, 2007, 01:49 PM

Quote:

Originally Posted by lu_chin

Thanks fcukdat for the test results. Does it make any difference in terms of detection and removal when the user selects "Perform in-depth search"?

Hi lu_chin

I used deepscan only,its a bit confusing why there is option for 2 tier scan and what the lesser of the 2 purpose is

IMO Only the one option should be there and it being the full scan period

jawadde · #16 April 12th, 2007, 01:59 PM

panda has also a new one (no beta). And you dont have to install the program, i like that

fcukdat · #17 April 12th, 2007, 02:16 PM

Quote:

Originally Posted by JerryM

Thanks for the reply.
Although I have several good programs, including SAS, I don't really know how to evaluate their effectivness. None ever finds anything.
How did you determine that SAS is better than the ones I mentioned? I don't doubt it as such, but unless one is doing tests or cleaning machines there isn't much data.

Regards,
Jerry

Quite streight forward Jerry

I collect malware and hunt new emerging threats out in the wild of WWW daily(total addict

).
As such i have daily wrestling match's removing malware from my system for recovery and submission with which i have encountered a large percentage of malwares out there.
SAS free is my principal malware killing tool after i have recovered malicious files for distribution so i know what it is capable of seeing&removing when it comes down to rootkit malware.
FWIW not one of the paid big 3(CS,SD,SS) or any other free ASW can hold a candle to its raw disk reading of data and subsequent detection and removal of rootkit trojans.
C'mon to think of it Nod32,Kaspersky and BOC are in current builds incapable of seeing loaded Rustock driver to remove it

fcukdat · #18 April 12th, 2007, 02:21 PM

Quote:

Originally Posted by ErikAlbert

AVG Anti-Rootkit wasn't very "user-friendly" to me, because it reported a false/positive.
C:\$ISR\0\ISRService.exe is NOT a rootkit, it's a legitimate file.

Its still's a file hidden in an ADS stream,the software is correct in reporting it.Lucky enough it dose'nt auto-clean and you have to check box's and select cleanup before it would exorcise the *hidden* file

eBBox · #19 April 12th, 2007, 02:37 PM

Quote:

Originally Posted by Firecat

Anyone noticed how nice the interface of the new AVG product is? It is in sharp contrast to the old looking interface found on the AVG 7.5 products. I guess Grisoft let Ewido design the interface this time....This means great things for the upcoming AVG 8.0

Any screens?! Ive been looking forward for ages for a new avg interface

JerryM · #20 April 12th, 2007, 02:51 PM

Quote:

Originally Posted by fcukdat

Quite streight forward Jerry

I collect malware and hunt new emerging threats out in the wild of WWW daily(total addict

).
As such i have daily wrestling match's removing malware from my system for recovery and submission with which i have encountered a large percentage of malwares out there.
SAS free is my principal malware killing tool after i have recovered malicious files for distribution so i know what it is capable of seeing&removing when it comes down to rootkit malware.
FWIW not one of the paid big 3(CS,SD,SS) or any other free ASW can hold a candle to its raw disk reading of data and subsequent detection and removal of rootkit trojans.
C'mon to think of it Nod32,Kaspersky and BOC are in current builds incapable of seeing loaded Rustock driver to remove it

Thanks, and that seems to be as well as one can do at this time.

I have read several times that a rootkit cannot be removes except to reformat. Have you found that to be the case/

Regards,
Jerry

lu_chin · #21 April 12th, 2007, 03:04 PM

I agree with what lucas1985 had said. Also, as some experts on this forum had voiced before, anti-rootkit programs would have false positives just like other security programs. And due to the nature of what their scanners did, they would tend to yield more "findings" that were left to the user to decide.

Quote:

Originally Posted by lucas1985

Erik,
Remember that rootkits aren't malware per se. They are tools designed to hide files/services/reg keys in Windows-based systems. A good amount of legitimate software use rootkit-like techniques, FirstDefense-ISR being one of them.
Rootkit scanners are forensic tools (like Hijackthis) . They report their finds and it's up to the user to decide what to do with the findings. Run RkR (Rootkit Revealer), GMER, IceSword and RkU(Rootkit Unhooker) and you'll see why AVG Antirootkit is labeled "user-friendly".

fcukdat has tested SAS against the nastiest malware (CWS, Vundo, Gromzon, Rustock, etc) with great success. He used RkU as a reference.

lu_chin · #22 April 12th, 2007, 03:07 PM

Some folks will probably choose to do a full disk image or snapshot restore instead of a format to get rid of a root-kit. I think FD-ISR, Shadow Protect, Acronis & Paragon's backup programs can do the job too.

Quote:

Originally Posted by JerryM

Thanks, and that seems to be as well as one can do at this time.

I have read several times that a rootkit cannot be removes except to reformat. Have you found that to be the case/

Regards,
Jerry

yeow · #23 April 12th, 2007, 03:10 PM

Quote:

Originally Posted by lucas1985

fcukdat has tested SAS against the nastiest malware (CWS, Vundo, Gromzon, Rustock, etc) with great success. He used RkU as a reference.

Sorry to interrupt but I'd like to ask:

Recently my uncle's PC was infected with Rustock.B (and many other malware), which caused PC to restart 1-2 minutes after loading to desktop, so couldn't run scans in Normal Mode.

Ran SAS Free (& others) at max scanner setting in Safe Mode, but Rustock.B was not detected. Is it because Rustock.B processes are not loaded in Safe Mode?

[Luckily the PC restart symptom during Normal Mode gave away the presence of lzx32.sys driver when I disabled Auto Restart, or I wouldn't know to look for it]

Thanks,
yeow

Pedro · #24 April 12th, 2007, 03:17 PM

One tinny sugestion: check the version number, and signatures version too.
Somehow, it fails to update for me. I wonder if the free version doesn't even manually update.
http://www.superantispyware.com/definitions.html

yeow · #25 April 12th, 2007, 03:32 PM

Oh, I forgot to clarify that was about 1 month ago. When I installed SAS on my uncle's PC in Safe Mode, it did update successfully to same engine & signature version as what I had on my own PC -> so it was current at that time. I eventually removed Rustock using RegRun's reanimator.exe.

Edit: Wait, can't recall now if I installed in Normal or Safe Mode, but I did update to current. Scanning could only be completed in Safe Mode.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search