#1
GMER - our Real-Time Protection against rootkits; also detection and removal of MBR rootkits.
The latest version, 1.0.14, is here: http://www.gmer.net/index.php Click on the gmer.zip or 1.0.14 links.

All settings (tick all boxes):

System protection and tracing
  Processes
    Save created processes to the log
  Drivers
    Save loaded drivers to the log
User's application protection and tracing
  Processes
    Save created processes to the log
  Libraries
  Drivers
    Prompt before loading drivers
    Save loading drivers to the log
  Files and folders
    Prompt before creating executable files in the system folders
  Registry
    Prompt before modification of autorun-like keys
  Network
    Prompt before unauthorized connection attempts
    Save connections to the log
  Internet Explorer
    Browser
      Allow default IE connections only
      Prompt before creating new processes
      Prompt before creating executable file
  Microsoft Outlook and Outlook Express
    Allow default mail connections only
    Prompt before creating new processes
    Prompt before creating executable file
... and more ...

... Log ... AV Scanner ... and, above all, if you search for it: Real-Time Protection ...

Look also: http://www.wilderssecurity.com/showt...highlight=GMER Your System

PROROOTECT
... and more
__________________
W.XPSP2,1GBRAM,13proc,17svc;IE8s *** On-DemandPowerTool XueTr NVT Ga S RFS Preventive+FW!! S.Mon. TinyW. JS SettingsX NoDs . = URL checkZ Q W T U urlQ W IPduh DNS-info Sleuth R W WPT BC WS M BShotSu C $ Rev IP NoAV,Java JRE-Why Why|VOP MalwareTips-Turin Shroud PSus **READs!!! CATS!
#2
Wow, I never knew GMER was real-time.
But then again I never paid much attention to it; I just know that Avast! uses GMER anti-rootkit.
#3
This is a well-known tool. Some rootkits even block the GMER homepage.
Funny, however, that it detected the following as malware:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-17 17:18:31
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.14 ----

On the other hand, it would be interesting to see if such tools are able to detect Hypervisor Mode Rootkits. Regards
__________________
-- Main security: Common Sense
#4
Hi Demonon,
No, Demonon, Avast has only a little rootkit detector: catchme.exe ... ONLY. Yes, its developer is the same Mr Gmerek.
PS. To detect/remove an MBR rootkit, use GMER or the very tiny mbr.exe, at the bottom of this page: http://www2.gmer.net/mbr/
PROROOTECT
#5
I used GMER regularly on my previous laptop, and I found it great. Unfortunately, it keeps crashing on my new one.
__________________
NAT Router Outpost Firewall Pro + Defensewall + EAM Opera + Sandboxie pro On demand : MBAM
#6
Quote:
Please refrain from commenting on things you don't know. What you said is not true. Thanks, Vlk
#7
Hi Vlk,
Avast anti-rootkit is 'based on GMER technology' - but this is NOT GMER itself, of course. For technical details, ask the developer.
PS. catchme - it is also based ...
Sleep tight. PROROOTECT
#8
Quote:
Did GMER report those in red color? If not, then it is just letting you know there are hidden objects. Not exactly malware. Regards
#9
Quote:
__________________
The GNU Operating System - The GNU Project / Linux Kernel - Linux Foundation / Debian GNU/Linux Electronic Frontier Foundation (EFF) / The Free Software Foundation (FSF) / Creative Commons (CC) / Foundation for a Free Information Infrastructure (FFII) / Free Software Magazine
#10
Quote:
No, it wasn't in red; however, it was under the Rootkit/Malware tab. Of course, I know it's not malware. Anyway, thanks for your comment. Best regards.
#11
Quote:
#12
How long has it been since GMER was updated?
Anyone hold an accurate timeline or review on that? EASTER
__________________
★AX 64 Time Machine★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#13
Quote:
I would rather be more worried about kernel mode rootkits, which are the real threat, and most of them easily bypass all major anti-rootkit software.
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes. Check your PC in about a minute
#14
Quote:
Agreed, there is stuff currently in the wild that flattens GMER... fake the SSDT and it's bypassed. As we know, any ARK, to stay effective, needs to be updated to counter newly emerging PoCs or later-appearing ITW RKs utilizing those tricks. The arms race goes on...
__________________
Ade Gill Malwarebytes Researcher
#15
That line of replies answered my question, thanks.
EASTER
#16
Quote:
The same here. Previous versions worked on Vista, but the last two just crash.
#17
Can someone who knows how to use GMER help me understand it? Am I looking only for red entries? I understand that if the entries are not red then they are hidden... not necessarily malware. Does it NEED to be red in order for it to be malware?
I'm confused. Also, on the first page of this thread it says GMER protects in real-time... how so? Does this mean it actively prevents rootkits? Sorry for the dumb questions... I've just always wanted to know how this program works. Thanks, Toby
#18
Yes, the red ones are malware. Make sure you scan with no other programs open, because it can have disastrous results; it said Firefox was a bad rootkit, and at the time I didn't know I had to close everything.
__________________
The best protection a computer could ever have, proven by experts and professionals is Safe-Hex. Guaranteed!
#19
Toby75
Actually, RED ones "might" be malware. Not absolutely 100% RKs or malware, but could be. Lots of legitimate apps hook the kernel, such as HIPS etc. For example, Online Armor shows quite a number of RED entries. If you delete etc. any RED entries that are safe, you may end up in serious doo doo.
If you don't immediately recognise entries, RED or otherwise, then use a search engine to research further on them. If you're not certain what you're doing, it's probably best not to tinker. You could also cross reference with other ARKs. Here's a short list of some of the better ones: Rootkit Unhooker, Radix, kx-Ray, RootRepeal, IceSword.
Also it might be a good idea to have a look on here http://forum.sysinternals.com and ask there for advice too.
Real-time protection has been removed from the later version of GMER.
#20
Quote:
This is an excellent site for ARKs: http://www.antirootkit.com/software/index.htm
#21
Quote:
#22
Quote:
Thanks, man. I have no RED entries... so this means I have no rootkits, right?
#23
Toby75
"I have no RED entries... so this means I have no rootkits, right?" Not necessarily! GMER is a very useful tool, but some of the others I listed earlier can show more info. Also, each ARK analyses the system in slightly different ways, and some are capable of more in-depth probing etc. That's why, as I suggested previously, it would be a good idea to use those other ARKs too, and cross reference any results/discrepancies etc.
As a point of interest, do you think you might have an RK in your PC, or are you just experimenting?
http://www.antirootkit.com/software/index.htm hasn't been updated for quite some time, but it's still very useful as a reference, as is http://forum.sysinternals.com/forum_posts.asp?TID=962
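The workflow described in this thread (read GMER's Devices section, don't treat every hooking driver as malware, and cross-reference against a second ARK before touching anything) can be scripted. The following Python is an added example, not code from the thread, from GMER or from any of the ARKs mentioned. It parses the log layout quoted in post #3 and then applies the triage advice from posts #19 and #23. The sample log is constructed: its six AttachedDevice lines are the ones from post #3, while examplefilt.sys, solofilt.sys and otherfilt.sys are placeholder names made up for the demo. The allowlist and the second ARK's driver list are likewise assumptions, keyed on file name only; a real check would also verify the on-disk file's hash or signature.

```python
import re
from collections import defaultdict

# Constructed sample log. The six AttachedDevice lines are the ones quoted in
# post #3; examplefilt.sys and solofilt.sys are made-up placeholders (not real
# drivers) added to exercise the "unknown driver" paths below.
SAMPLE_GMER_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-17 17:18:31
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp examplefilt.sys (Example Filter/Constructed Vendor)
AttachedDevice \FileSystem\Ntfs \Ntfs solofilt.sys

---- EOF - GMER 1.0.14 ----
"""

# Section headers look like "---- Devices - GMER 1.0.14 ----"; "EOF" closes the log.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# One Devices entry: kind, driver object, device object, driver file, optional "(description)".
ENTRY_RE = re.compile(
    r"^(?P<kind>\w+)\s+(?P<obj>\\\S+)\s+(?P<dev>\\\S+)\s+(?P<drv>\S+\.sys)"
    r"(?:\s+\((?P<desc>[^)]*)\))?$",
    re.IGNORECASE,
)


def parse_gmer_log(text):
    """Return {section_name: [entry dicts]}. Lines inside a section that the
    entry pattern does not recognise are kept verbatim under 'unparsed'."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = None if m.group("name") == "EOF" else m.group("name")
            continue
        if current is None:
            continue  # scan header before the first section, or text after EOF
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["drv"] = entry["drv"].lower()  # normalise for cross-referencing
            sections[current].append(entry)
        else:
            sections["unparsed"].append(line)
    return dict(sections)


# Assumed allowlist of legitimate kernel-hooking products (the thread names
# ThreatFire and COMODO as the owners of the drivers in post #3). Keyed by file
# name only; a production check would also verify the file's hash/signature.
KNOWN_DRIVERS = {
    "tffsmon.sys": "ThreatFire (PC Tools)",
    "cmdhlp.sys": "COMODO Internet Security",
}

# Constructed: driver names a second ARK reported as attached on the same
# machine, standing in for the cross-reference that post #23 recommends.
SECOND_ARK_DRIVERS = {"tffsmon.sys", "cmdhlp.sys", "examplefilt.sys", "otherfilt.sys"}


def cross_reference(sections, known=KNOWN_DRIVERS, other_ark=SECOND_ARK_DRIVERS):
    """Group GMER's AttachedDevice entries by driver and classify each as
    'known' (allowlisted), 'corroborated' (unknown, but the other ARK lists it
    too) or 'gmer-only' (unknown and seen by GMER alone: a discrepancy to
    research before acting). Drivers only the other ARK reports are listed
    under 'other-ark-only'."""
    by_driver = defaultdict(list)
    for e in sections.get("Devices", []):
        if e["kind"].lower() == "attacheddevice":
            by_driver[e["drv"]].append(e["dev"])
    report = {"known": {}, "corroborated": {}, "gmer-only": {},
              "other-ark-only": sorted(other_ark - set(by_driver))}
    for drv, devs in by_driver.items():
        if drv in known:
            report["known"][drv] = (known[drv], devs)
        elif drv in other_ark:
            report["corroborated"][drv] = devs
        else:
            report["gmer-only"][drv] = devs
    return report


def summarise(report):
    """Render the report as one plain-text line per driver."""
    lines = []
    for drv, (vendor, devs) in sorted(report["known"].items()):
        lines.append(f"known          {drv:16} {vendor}; attached to {', '.join(devs)}")
    for drv, devs in sorted(report["corroborated"].items()):
        lines.append(f"corroborated   {drv:16} also listed by the other ARK; research before acting")
    for drv, devs in sorted(report["gmer-only"].items()):
        lines.append(f"GMER-only      {drv:16} attached to {', '.join(devs)}; not seen by the other ARK, research first")
    for drv in report["other-ark-only"]:
        lines.append(f"other-ARK-only {drv:16} reported by the other ARK but absent from GMER's list")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(cross_reference(parse_gmer_log(SAMPLE_GMER_LOG)))))
```

Nothing here decides that a driver is malicious; the script only sorts GMER's entries into "recognised", "seen by both tools" and "seen by one tool only", which is the order in which the posters above suggest investigating them.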
#24
Quote:
Thanks for the info. Yes, I should have mentioned that I am just playing around with different ARKs. I'll try out the ones you mentioned above. Thanks again, Toby
#25
I like the look of these features.
I'm looking for something to replace ThreatFire, as it used to crash occasionally, and Outpost didn't install properly. Looks good.
EDIT: Where are these settings in the GMER GUI? I can't see them.
__________________
The Wilders Paradox : "If you visit wilders , you don't need to" My Setup I recommend this as a "must read" thread
Last edited by Joeythedude : August 7th, 2009 at 10:27 AM.