Wilders Security Forums  

#1
January 2nd, 2008, 09:03 AM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
OneCare 2.0 & rootkits

Does OneCare detect rootkits? Playing with it on Vista and, hate to say, I kinda like it.... Has anyone run ThreatFire alongside it as well?
Thanks!!
__________________
http://www.vipreantivirus.com/
#2
January 2nd, 2008, 09:15 AM
C.S.J
Massive Poster
Join Date: Oct 2006
Posts: 5,029
Re: OneCare 2.0 & rootkits

I'm not sure,

but their client security does, so does this mean onecare should?

http://www.microsoft.com/forefront/c...y/default.mspx
#3
January 2nd, 2008, 01:53 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

Though it does not specifically say on OneCare's website, I am led to believe that it does.

Quote:
This blog provides information about what's happening in the anti-malware technology team at Microsoft. We're the team that builds the core antivirus, antispyware, anti-rootkit, and related technology, which is then used across a number of Microsoft products and technologies.

MS AntiMalware Team Blog
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#4
January 2nd, 2008, 05:11 PM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
Re: OneCare 2.0 & rootkits

Quote:
Originally Posted by midway40
Though it does not specifically say on OneCare's website, I am led to believe that it does.
Yep, I too cannot find a direct statement whether or not it does; they seem to beat around the bush....
__________________
http://www.vipreantivirus.com/

Last edited by Bubba : January 2nd, 2008 at 07:19 PM. Reason: added appropriate closing quote tags
#5
January 2nd, 2008, 05:23 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

Oh, I forgot to mention that I did run Threatfire once with OC. It seemed to interfere with OC's automatic scanning.

Since we are in doubt about OC's rootkit detection, maybe it is better to just download a free rootkit cleaner like F-Secure's BlackLight or such to be safe.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#6
January 2nd, 2008, 05:43 PM
s4u
Frequent Poster
Join Date: Oct 2007
Posts: 441
Re: OneCare 2.0 & rootkits

Well, I guess it should, but I really can't find proof.
__________________
ESS 5 beta, Hitman Pro + .....
#7
January 2nd, 2008, 05:46 PM
C.S.J
Massive Poster
Join Date: Oct 2006
Posts: 5,029
Re: OneCare 2.0 & rootkits

Quote:
Originally Posted by midway40
Oh, I forgot to mention that I did run Threatfire once with OC. It seemed to interfere with OC's automatic scanning.

Since we are in doubt about OC's rootkit detection, maybe it is better to just download a free rootkit cleaner like F-Secure's BlackLight or such to be safe.
Dr.Web's CureIt.

Or Prevx does a free scan; I ain't sure if it has removal, but it can still tell you if you have any in as quickly as a minute or so.

http://www.antirootkit.com/blog/2007...its-has-begun/
#8
January 2nd, 2008, 07:08 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

I do use BlackLight myself, but I added "and such" so I wouldn't appear too biased.

AVG has one as well but the Vista version isn't out yet. I will probably use it when it does to keep it "all in the family", lol.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#9
January 2nd, 2008, 08:11 PM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
Re: OneCare 2.0 & rootkits

How about Norton AntiBot, since TF has issues with OC? BlackLight may also come in handy.
Thanks!!
__________________
http://www.vipreantivirus.com/
#10
January 2nd, 2008, 08:26 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

AntiBot ran well with OC on my 'puter.

I installed ThreatFire one evening and had an OC scan set up for later in the early morning. When I got up later that morning and checked the computer, the scan had frozen. I took TF off and it never happened again. It may just be hardware related, but I'm not sure.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#11
January 2nd, 2008, 08:32 PM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
Re: OneCare 2.0 & rootkits

Quote:
Originally Posted by midway40
AntiBot ran well with OC on my 'puter.

I installed ThreatFire one evening and had an OC scan set up for later in the early morning. When I got up later that morning and checked the computer, the scan had frozen. I took TF off and it never happened again. It may just be hardware related, but I'm not sure.

That is good to know. I'll try anti-bot and blacklight for giggles.
Thanks!!
__________________
http://www.vipreantivirus.com/
#12
January 2nd, 2008, 08:46 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

You're welcome

Since you got my curiosity up, I have inquired about whether OC scans for rootkits in the *vista.security newsgroup. I will see what the MVPs have to say and report back.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#13
January 2nd, 2008, 08:52 PM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
Re: OneCare 2.0 & rootkits

Quote:
Originally Posted by midway40
You're welcome

Since you got my curiosity up, I have inquired about whether OC scans for rootkits in the *vista.security newsgroup. I will see what the MVPs have to say and report back.

Then let me thank you in advance!!
__________________
http://www.vipreantivirus.com/
#14
January 2nd, 2008, 09:08 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,204
Re: OneCare 2.0 & rootkits

Here's a post. Re: WLOC and RootKits detection
#15
January 2nd, 2008, 09:19 PM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
Re: OneCare 2.0 & rootkits

Quote:
Originally Posted by ronjor

Again some clever wording... potentially detect rootkits; However, it does make me feel better...
Thanks!!
__________________
http://www.vipreantivirus.com/
#16
January 2nd, 2008, 09:20 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

Thanks Ron, I was just on Microsoft's support site looking around and the OC board was next on my list.

It is strange, though: I have yet to see anything official about rootkit detection in OC, yet when you go to the Forefront Client Security page it is all in your face, lol.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#17
January 3rd, 2008, 09:26 AM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

I got an answer from an MVP (actually the same person who replied in that forum post) in the Vista security newsgroup:

Quote:
Technically, you can't scan for root kits, though programs like Root Kit Revealer can detect the possible presence of a Root Kit by comparing memory to the registry on disk.
So, no, OneCare does not look for Root Kits in this manner.

This time he was a little more clear.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2
#18
January 3rd, 2008, 09:36 AM
solcroft
Very Frequent Poster
Join Date: Jun 2006
Posts: 1,639
Re: OneCare 2.0 & rootkits

OneCare DOES detect rootkits - when they're not loaded into memory. Microsoft detection pops up moderately often for me when comparing rootkit driver files on VirusTotal. In fact, it'd be a very high claim to say that any major vendor today does not detect rootkits when they're in their inactive form.

The more valid question would be whether OneCare includes any mechanism for detecting the rootkits after they've loaded themselves into memory and stealthed themselves from the OS.
#19
January 3rd, 2008, 10:11 AM
Hangetsu
Frequent Poster
Join Date: Jan 2006
Posts: 259
Re: OneCare 2.0 & rootkits

While it was with the 1x version of the product, Consumer Reports listed OneCare as *not* detecting rootkits. That's a scary thought.
__________________
Vista 64 Running Windows Firewall, Windows Defender, and Eset NOD32 v3; Firewall Router w/ NAT and SPI
#20
January 3rd, 2008, 03:43 PM
Hangetsu
Frequent Poster
Join Date: Jan 2006
Posts: 259
Re: OneCare 2.0 & rootkits

Ugh, not too sure I'm real happy with the response, considering I have a machine running OneCare...

Quote:
No, OneCare cannot detect a root kit that has invaded a system - and neither can any other a/v protection. Products that scan for root kits typically do so by comparing memory to the registry hive and suggesting that you might be infected or you might not based on that analysis.

The key to protection from root kits is in preventing them from infecting the system to begin with, and it would be the delivery mechanism that needs to be protected against. I would suggest that OneCare can do this as can other a/v products, but, as I've stated in the past, no product is 100% effective. The multi-faceted approach that OneCare takes in protecting the system should be better at preventing the intrusion of a root kit than a simple antivirus-only product.
__________________
Vista 64 Running Windows Firewall, Windows Defender, and Eset NOD32 v3; Firewall Router w/ NAT and SPI
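The two quoted MVP replies (post #17 and the one above) describe the "cross-view" approach that tools like RootkitRevealer and BlackLight use: compare what the OS reports through its normal APIs against an independent low-level read of the registry hive or disk, and treat anything present only in the low-level view as hidden. solcroft's post #18 adds the other half of the picture: a rootkit driver that is merely sitting on disk, not loaded, is caught by ordinary file signatures like any other malware. The following is an added example written for this thread, not code from the forum, from Microsoft, F-Secure or any other product named here. It models both ideas on constructed data (the service key names, the driver bytes and the "known bad" hash set are all made up for the demonstration; a real engine uses richer signatures than a whole-file hash).

```python
"""
Cross-view rootkit detection on constructed data (added example).

Two checks are modelled:
  1. A static signature scan, which catches an *inactive* driver file on disk.
  2. A cross-view diff, which catches a *loaded* rootkit by comparing the
     API-reported view of the registry with an independent raw-hive view.
"""
import hashlib
from typing import Dict, Iterable, List, Set

# ---- 1. Static detection of an inactive (on-disk) driver file ----

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (stand-in for an AV file signature)."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample driver contents; not a real malware sample.
SAMPLE_DRIVER_BYTES = b"MZ\x90\x00constructed-example-driver-image"

# Constructed "known bad" signature set. Real engines use richer signatures
# than a whole-file hash, but the principle (match bytes on disk) is the same.
KNOWN_BAD_SHA256: Set[str] = {sha256_hex(SAMPLE_DRIVER_BYTES)}

def file_is_known_bad(file_bytes: bytes, known_bad: Set[str] = KNOWN_BAD_SHA256) -> bool:
    """Signature scan: works whether or not the driver is loaded, because it reads the file."""
    return sha256_hex(file_bytes) in known_bad

# ---- 2. Cross-view detection of a loaded, stealthed rootkit ----

# Constructed low-level view: service keys as read straight from the raw hive.
# "ExampleHiddenSvc" is a made-up name for the demonstration.
RAW_HIVE_SERVICES: Set[str] = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
    r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleHiddenSvc",
}

def hooked_api_view(raw_view: Iterable[str], suppressed: Set[str]) -> Set[str]:
    """
    Model of what a hooked registry API returns once a rootkit is active:
    the same data minus the entries it suppresses. This only simulates the
    observable effect so the detector below has something to compare; it
    is not a hooking implementation.
    """
    return {key for key in raw_view if key not in suppressed}

def cross_view_diff(high_level: Set[str], low_level: Set[str]) -> Dict[str, List[str]]:
    """
    Compare the API-reported view with the independent low-level view.
      'hidden'  = present in raw data but absent from the API view (classic stealth)
      'phantom' = reported by the API but absent from raw data (stale or spoofed)
    An empty result is not proof of a clean system; it only means the two
    views agree, which is exactly the caveat the quoted MVP makes.
    """
    return {
        "hidden": sorted(low_level - high_level),
        "phantom": sorted(high_level - low_level),
    }

def run_demo() -> Dict[str, object]:
    """Run both checks on the constructed data and return the findings."""
    suppressed = {r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleHiddenSvc"}
    api_view = hooked_api_view(RAW_HIVE_SERVICES, suppressed)
    return {
        "inactive_file_detected": file_is_known_bad(SAMPLE_DRIVER_BYTES),
        "cross_view": cross_view_diff(api_view, RAW_HIVE_SERVICES),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the same split the thread circles around: the signature check flags the driver file by its bytes regardless of whether it is loaded, while the cross-view diff only has something to report once the API view and the raw view disagree. That is why a product can honestly "detect rootkits" on disk and still need a separate cross-view scanner for an active one.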
#21
January 3rd, 2008, 04:04 PM
larryb52
Very Frequent Poster
Join Date: Feb 2006
Posts: 1,109
Re: OneCare 2.0 & rootkits

Sounds interesting. I was looking at BlackLight (F-Secure's technology); are you saying it does essentially the same thing and is not new technology?
__________________
Larry
#22
January 3rd, 2008, 06:01 PM
computer geek
Frequent Poster
Join Date: Oct 2007
Posts: 776
Re: OneCare 2.0 & rootkits

Quote:
Originally Posted by 337
How about Norton AntiBot, since TF has issues with OC? BlackLight may also come in handy.
Thanks!!
According to a test (by some lab mentioned by PC Tools), ThreatFire did better.
#23
January 3rd, 2008, 07:15 PM
C.S.J
Massive Poster
Join Date: Oct 2006
Posts: 5,029
Re: OneCare 2.0 & rootkits

I find OneCare's reply quite confusing; to say they can't protect against rootkits and basically nobody can is just stupid.

I feel extremely confident that my Dr.Web can easily detect and clean a rootkit, without Microsoft spreading this rubbish to its customers.

Note: Dr.Web was the ONLY antivirus to successfully clean the rootkit in the removal test at anti-malware.ru (which is really quite alarming). The new Dr.Web Shield technology was specifically created for rootkit detection, and it works a treat!

Quote:
Dr.Web Shield™ — counteraction to rootkits
The so-called rootkits which actively protect themselves from detection by the anti-virus programs become the main trend in the development of viral codes. An anti-virus program without anti-rootkit technology makes the program a useless and defenseless computer toy, very often a very expensive one. Developers of new Dr.Web version have designed a special component for Dr.Web GUI scanner to counteract rootkits - Dr.Web Shield™. Designed as the driver, it secures access to virus objects hiding in the operating system.

well well.....
#24
January 3rd, 2008, 07:24 PM
midway40
Very Frequent Poster
Join Date: Jul 2006
Location: SW MS, USA
Posts: 1,255
Re: OneCare 2.0 & rootkits

I find that hard to swallow as well, Chris. Norton has rootkit detection, F-Secure has it through BlackLight, and I am sure others have it as well.

AVG doesn't have it, so I have to use a separate scanner.

EDIT: At least AVG tells you up front that it doesn't have it unlike MS's "circular" talk, lol.
__________________
[Desktop] Acer Aspire M5620| W7 HP 64 SP1
[Laptop] Dell Inspiron 17r| W7 Pro 64 SP1/Ubuntu 11.10
[HTPC] Foxconn 45CSX ITX Mobo | W7 HP 64 SP1
[Tablet] Toshiba Thrive AT100| Android HC 3.2

Last edited by midway40 : January 3rd, 2008 at 07:36 PM.
#25
January 3rd, 2008, 08:55 PM
337
Frequent Poster
Join Date: Nov 2006
Location: Georgia, USA
Posts: 229
Re: OneCare 2.0 & rootkits

Looks like I need to install KIS again... or Dr.Web. How is the Doctor on Vista?
__________________
http://www.vipreantivirus.com/
 
