Wilders Security Forums  

#1
September 14th, 2009, 05:30 AM
sergey ulasen (AV Expert)
Vba32 AntiRootkit 3.12.* beta

VirusBlokAda Ltd. is glad to offer you a new version of Vba32 AntiRootkit and invites you to participate in beta testing of our product.
Links to download:

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

The following techniques of kernel-mode rootkit detection are implemented in Vba32 AntiRootkit:
  • searching for SYSENTER hooks;
  • searching for hooks made by replacing addresses in the SSDT table;
  • searching for hooks made by replacing addresses in the Shadow SSDT table;
  • searching for hooks made by modifying the IDT table;
  • searching for export table modifications of the main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
  • searching for hooks made by modifying machine code (splicing);
  • searching for hooks made by replacing addresses of IRP packet handlers;
  • searching for hooks made by replacing addresses of FastIO request handlers;
  • searching for kernel modules hidden in memory. If an object is considered hidden, it will be marked as Hidden in memory;
  • searching for processes hidden in memory. If an object is considered hidden, it will be marked as Hidden in memory;
  • searching for kernel modules whose image on the hard drive doesn't correspond to the image in memory. Such objects will be marked as Modified image;
  • searching for installed kernel mode notificators.

Moreover, the following additional techniques are implemented:
  • scanning autoruns;
  • scanning drivers and services specified in the registry;
  • scanning all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
  • checking the digital signature of all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
  • displaying additional information retrieved from file resources.

The following features are designed for neutralizing rootkits:
  • restoring hooks in SSDT table;
  • restoring hooks in Shadow SSDT table;
  • restoring hooks in IDT table;
  • restoring hooks in main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
  • restoring hooks made by machine code modifications;
  • restoring SYSENTER hooks;
  • removing specified objects from autoruns;
  • enabling/disabling drivers/services specified in the registry;
  • copying specified files to the quarantine early in the system boot;
  • deleting specified files early in the system boot;
  • scanning and deleting autorun.inf files;
  • removing installed kernel mode notificators.

Vba32 AntiRootkit allows the user to collect information which may help in solving problems on the user's computer.

Vba32 AntiRootkit has English help (Vba32ArkitEN.chm file).

You can send your feedback to beta[at]anti-virus.by or post it here.

Last edited by sergey ulasen : September 14th, 2009 at 12:54 PM.
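The two steps "scanning drivers and services specified in the registry" and "checking digital signature of all obtained objects" can be reproduced in a read-only way with standard PowerShell cmdlets. The script below is an added example, not code from VirusBlokAda or from Vba32 AntiRootkit; it assumes an elevated prompt and uses only the Services registry key, Get-AuthenticodeSignature and the ImagePath conventions the service control manager accepts.

```powershell
# Added example (not VirusBlokAda code): enumerate kernel/file-system drivers
# registered under HKLM\SYSTEM\CurrentControlSet\Services, resolve ImagePath
# to a real file and report its Authenticode status. Read-only; run elevated.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    # Strip the NT-style prefixes the service control manager understands
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"  # system32\... (case-insensitive)
    # Anything still relative is taken relative to the Windows directory
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver; user-mode services are skipped
        if ($null -eq $props.Type -or $props.Type -notin @(1, 2)) { continue }
        $file = Resolve-DriverImagePath $props.ImagePath
        if ($null -eq $file) { $status = 'NoImagePath' }
        elseif (-not (Test-Path -LiteralPath $file)) { $status = 'FileMissing' }
        else { $status = (Get-AuthenticodeSignature -LiteralPath $file).Status }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            Image     = $file
            Signature = $status        # Valid, NotSigned, HashMismatch, FileMissing, ...
        }
    }
}

# Show only the rows worth a second look: unsigned, tampered or missing images
Get-DriverSignatureReport |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Start, Service |
    Format-Table -AutoSize
```

A HashMismatch or FileMissing row for a boot- or system-start driver is the registry-side counterpart of the "Modified image" and hidden-module checks listed above; it does not by itself prove a rootkit, but it is exactly the object an ARK would scan next.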
#2
September 14th, 2009, 07:03 AM
Saraceno (Very Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

This is the English site for the company, for those interested:

http://www.anti-virus.by/en/
__________________
Fine Art Landscape Photography
#3
September 14th, 2009, 08:23 AM
Meriadoc (Very Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

A much more serious ARK than those from other antivirus houses; trying it out now, but the first impression is a good one.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
#4
September 14th, 2009, 09:04 AM
PROROOTECT (Very Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Saraceno, your link is only for antivirus, not for antirootkit.

The link for the antirootkit also comes from Post #17 (with a VBA forum link, by Sergey Ulasen, for this antirootkit software) in the thread 'ANTI-ROOTKITS: Good, Safe ...' here: http://www.wilderssecurity.com/showp...6&postcount=17

Very good tool.

Thank you Sergey!


PROROOTECT
#5
September 14th, 2009, 09:26 AM
Keyboard_Commando (Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Worked fine on XP SP3. Haven't tried installing the driver at boot yet.

[Attached screenshots: ark1.JPG, ark2.JPG]
#6
September 14th, 2009, 12:00 PM
StevieO (Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

sergey ulasen

Thanks

Your 4th link doesn't work; the f in front of ftp doesn't get resolved?
#7
September 14th, 2009, 12:53 PM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by PROROOTECT
Link for antirootkit - come also from this Post #17 (with VBA forum link - by Sergey Ulasen - for this antirootkit software) from the thread: 'ANTI-ROOTKITS: Good, Safe ...' here: http://www.wilderssecurity.com/showp...6&postcount=17

Very good tool.

Thank you Sergey!

Thanks for your post there (http://www.wilderssecurity.com/showpost.php?p=1540086&postcount=17).

Until now we have been discussing only on http://virusinfo.info/showthread.php?t=41137 in Russian. From now on we will bring the English-speaking audience into testing Vba32 AntiRootkit.

The product is constantly evolving. We have had four beta iterations (3.12.3.0, 3.12.3.1, 3.12.3.2, 3.12.3.3) over 7 months. You can see it in readme.en.

Now we are working on low-level disk access.
#8
September 14th, 2009, 12:56 PM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by StevieO
Your 4th link doesn't work, the f in front of ftp doesn't get resolved ?

Thanks
#9
September 14th, 2009, 08:22 PM
Tarnak (Very Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

No problems on XP Pro SP2.
[Attached screenshot: ScreenShot_RootKit_13.gif]
#10
October 7th, 2009, 09:46 AM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Vba32 AntiRootKit 3.12.3.3 beta:

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

+ Added support for Windows 7

I think it's the last major change in the present branch. In the near future (within the month) we are planning to release the public version, Vba32 AntiRootkit 3.12.4.0.

Thank you.
__________________
Sergey Ulasen
#11
October 7th, 2009, 11:08 AM
Tarnak (Very Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Just tried to run this latest version, but it says "couldn't install driver".
However, I can still run the earlier version with no problem.
See screenshot attached.
[Attached screenshot: ScreenShot_RootKit_17.gif]

#12
October 7th, 2009, 12:44 PM
markusg (Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Can you add keyboard support? I cannot navigate with Tab and cannot select the options.
#13
October 7th, 2009, 12:50 PM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by Tarnak
Just tried to run this latest version, but it says - " couldn't install driver"
However, I can still run the earlier version with no problem.
See screenshot attached.

Maybe the problem is connected with DefenseWall. Please add vba32arkit.exe to the "white list" and try again.
__________________
Sergey Ulasen
#14
October 7th, 2009, 04:44 PM
Ilya Rabinovich (Developer)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by Tarnak
Just tried to run this latest version, but it says - " couldn't install driver"
Because you tried to install it as untrusted. Run the installation file as trusted.
__________________
DefenseWall HIPS developer. www.softsphere.com
#15
October 7th, 2009, 07:20 PM
Tarnak (Very Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by sergey ulasen
May be problem is connected with DefenseWall. Please, add vba32arkit.exe in "white list" and try again.

I tried this, but it didn't work.

Quote:
Originally Posted by Ilya Rabinovich
Because you tried to install as untrusted. Run installation file as trusted.

I don't know why I had so much trouble this time around, but I deleted everything and started over.

I extracted the rar file to the unzipped folder as trusted, and this time it worked.

See a copy of the DW_log.txt for informational purposes, showing the unsuccessful attempts.
[Attached file: DW_log.txt]
#16
October 8th, 2009, 05:46 AM
Ilya Rabinovich (Developer)
Re: Vba32 AntiRootkit 3.12.3 beta

"module C:\unzipped\vba\Vba32arkit.exe, Loading untrusted/untrusted created module C:\unzipped\vba\Vba32ar.dll. Process is untrusted now". That's the reason for the issue.

Just totally remove the "vba" folder and unrar as trusted. Or, another solution: select the "vba" folder and run "change status to trusted".
__________________
DefenseWall HIPS developer. www.softsphere.com
#17
October 8th, 2009, 08:54 AM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Thanks to Ilya Rabinovich

Quote:
Originally Posted by markusg
can you ad keyboard support? i can not navigate whith tab and can not select the options.

We know about the problem. But I can't promise that we'll fix it in the near future.
__________________
Sergey Ulasen
#18
November 17th, 2009, 04:23 AM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Vba32 AntiRootkit 3.12.4.0 release:

http://anti-virus.by/en/vba32arkit.html

Vba32 AntiRootkit advantages:
  • Does not require installation
  • Can be used with any antivirus software installed on your computer
  • Uses a unique feature of the detection of "clean" files
  • Can be used in several modes
  • Supports the maintenance of a system status report in html format
  • Treatment of the system may be done using a scripting language
  • Supports Windows 7
  • Help files in Russian and English languages
__________________
Sergey Ulasen
#19
November 18th, 2009, 11:59 AM
Durad (Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Can you give some more information on how this works:

Quote:
Treatment of the system may be done using a scripting language

thanks
__________________
Webroot Secure Anywhere - Norton DNS - MalwareBytes - A bit of luck
#20
November 18th, 2009, 01:29 PM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by Durad
Can you give some more informations of how this works:

The following operations are available: deleting files, copying files to the quarantine. To do this, select the File - Run Script menu item.

Example:

Code:
Brs_Start(); Brs_QtnFile("c:\x.exe"); Brs_DelFile("c:\x.exe"); RebootSystem();

All information about scripts is available in Vba32arkitEn.chm file in Additional Features/Running Scripts chapter.
__________________
Sergey Ulasen
#21
November 19th, 2009, 08:49 PM
Durad (Frequent Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Does it have OnBootClean like AVZ?
__________________
Webroot Secure Anywhere - Norton DNS - MalwareBytes - A bit of luck
#22
November 20th, 2009, 12:49 PM
sergey ulasen (AV Expert)
Re: Vba32 AntiRootkit 3.12.3 beta

Quote:
Originally Posted by Durad
Does it have OnBootClean like AVZ?

Yes, it does.
__________________
Sergey Ulasen
#23
February 23rd, 2010, 03:51 AM
sergey ulasen (AV Expert)
Vba32 AntiRootkit 3.12.5.0 beta

Vba32 AntiRootKit 3.12.5.0 beta:

ftp://anti-virus.by/beta/Vba32arkit_beta.rar

ftp://anti-virus.by/beta/Vba32arkit_beta.zip

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

+ Added direct disk access mechanism. NTFS and FAT 12/16/32 are supported. Low-level file verification is performed in all existing windows / checks

+ Added Low-Level Disk Access Tool window. View, Copy, Delete and Wipe (with purging from the Windows file cache) operations were implemented at a low level. Hidden, locked and forged files can optionally be highlighted. NTFS Alternate Data Streams and symbolic links are also supported

+ Vba32 Defender prevents executable file startup and driver loading while the antirootkit is running

+ Search for hidden drivers was improved; Windows driver stack analysis was added

+ Search for hidden processes was improved (handle search in csrss.exe, PspCidTable parsing, etc. were added)

+ Section attribute verification for all kernel-mode modules was added

+ Search for hidden IRP handlers was added

* Possibility to exclude user-mode images in the kernel modules window was added

* Process window was improved; EPROCESS address and short name were added to the user view

* Interaction between the GUI and the antirootkit driver was improved

* Hook detection mechanism was revised. Checking of the EAT and code sections of all kernel-mode modules was implemented

* Help in Russian was improved
__________________
Sergey Ulasen
#24
February 23rd, 2010, 07:18 AM
CloneRanger (Massive Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

Thank you
#25
February 23rd, 2010, 07:54 AM
jmonge (Incredibly Massive Poster)
Re: Vba32 AntiRootkit 3.12.3 beta

I am trying this one now
__________________
Emsisoft Anti-Malware 7.0