(anti-rootkit) Hidden Process Detection (50+ products compared)

Hidden Process Detection Test
http://www.ntinternals.org/process_detection_test.php
the linked page presents the results in a matrix, along with author's methodology notes

methods tested:
- PspNotifyRoutine - RECALLING
- PsActiveProcessLinks - DKOM
- ObjectTable (HANDLE_TABLE) - DKOM
- CSRSS ObjectTable (HANDLE_TABLE) - ERASING
- PspCidTable (HANDLE_TABLE) - ERASING
- SessionProcessLinks - DKOM
- WorkingSetExpansionLinks - DKOM
- ObjectTypeList - DKOM
- CSR_PROCESS/CSR_THREAD - DKOM
- PID & IMAGE NAME - CHANGING
- OBJECT & OBJECT_TYPES - MANIPULATION
- THREAD OBJECT - MANIPULATION

products tested:
ARK2007 1.0
ATool 1.0021
Avast! Antirootkit 1.0.0.1
AVG Anti-Rootkit 1.1.0.42
Avira AntiRootkit Tool 1.1.0.1
AVZ 4.32
BitDefender Rootkit Uncover 1.0
CMC CodeWalker 0.2.4.500
CsrWalker 1.0.0.600
DarkSpy Anti-Rootkit 1.0.5
DeepMonitor 1.8
DiamondCS Deep System Explorer 1.0.406
Dr.Web DwShark 1.0.0.11140
ESET SysInspector 1.2.021.0
F-Secure BlackLight 2.2.1092.0
GMER 1.0.15.15227
Helios 1.1
Helios Lite 1.0
Hidden Finder 1.5.6.7
IceSword 1.2.2
Kernel Detective 1.3.0
KLISTER 0.4
KsBinSword 1.0.0.1
kX-Ray 1.0.0.98
Malware Defender 2.4.4
McAfee Rootkit Detective 1.1.0.1
NhsScan 0.9.4
NIAP Rootkit Detect Tools 1.02
Panda Anti-Rootkit 1.08.00
PScanner++ 1.8.3.0
Process Hunter 1.0
Process Master 1.1
Process Walker (EP_X0FF & MP_ART) 1.0.8
ProcessWalker Express 5.4.1000.10
RootKit Hook Analyzer 3.02
Rootkit Unhooker LE 3.8.LE.383.585.SR1
RootRepeal 1.3.5
Safe'n'Sec Rootkit Detector 1.0.0.2
SafetyCheck 1.7
SanityCheck 2.00
SnipeSword 1.0.2.2
Sophos Anti-Rootkit 1.5.0
SpyDLLRemover 2.5
Spyware Process Detector 3.20
SysProt AntiRootkit 1.0.1.0
SysReveal 1.0.0.7
System Eyes & Ears Monitor 4.5
Trend Micro RootkitBuster 2.80.1077 Beta
USEC Radix 1.0.0.9
Vba32 AntiRootkit 3.12.4.0
Wsyscheck 1.68.33
XueTr 0.30
Yas Anti RootKit 1.223


page presenting related testing & results:
Hidden Dynamic-Link Library Detection Test
http://www.ntinternals.org/dll_detection_test.php

methods tested:
- InLoadOrderModuleList - DKOM
- InMemoryOrderModuleList - DKOM
- InInitializationOrderModuleList - DKOM
- HashLinks - DKOM
- ProcessObject - MANIPULATION
- Vad - ERASING

products tested:
ArcaVir Process Manager 2010.0.0.6
ATool 1.0021
Dr.Web DwShark 1.0.0.11140
GMER 1.0.15.15163
HookExplorer 1.0
HookShark BETA 0.6
IceSword 1.22
KernelDetective 1.3.0
kX-Ray 1.0.0.98
MalwareDefender 2.4.3
NhsScan 0.9.5
ProcessWalker Express 5.4.1000.10
RkU 3.8.382.584
RootRepeal 1.3.5
SEEM 4.5
SpyDllRemover 2.5
Spyware Process Detector 3.20
SysInspector 1.2.021.0
SysReveal 1.0.0.7
VMMap 2.4
XueTr 0.29

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

hey inka cool testing thanks

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

Also here - author is Alex NT Internals

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

RootRepeal 1.3.5 was on top and Gmer wasnt

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

thanks meriadoc for the links i love to play with this kind of tools

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

What are top ten?

 

Jmonge, if I understand, - it's Sunday - in the first table GMER is one of the best. Anyway, I always use GMER and RootRepeal too.

 

There is no one ark you should use when looking for rootkits.

 

Avast! Antirootkit (GMER technology) seems to work fine on Win 7 while GMER doesn't work flawlessly? Very interesting ...

 

Isn't Avast Antirootkit built into the main program now?

 

Thankfully, the author didn't presume to rank the tested apps.

Considering that his testing involved a limited (but realistic) number of methods & none of the apps were able to block all methods, "top10" here would amount to "the 10 with least degree of FAIL".

 

just cause they use the GMER technology, doesnt mean they dont do their own developing on top as well and updating it.

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

How is it that Root Repeal is in the top of detectors?

Root Repeal 1.3.5 does well in this area.

Based on these two tests, the only one who tops both tests is Dr. Web DW Shark.

Unfortunately though, DW Shark

 

DwShark was DrWeb unofficial tool. I made a few screens, part1...

 

part2
saving the xml report and then Interactive mode screens...

 

part3

 

hmm interesting MD found none, seen how MD found none would this also mean that MD wouldn't be able to intercept these rootkits from running/installing?

Also too how come no products detects [-12-] ?

 

Re: (anit-rootkit) Hidden Process Detection (50+ products compared)

DWShark is not dead it's in development stage now. only for private use. version in this test very very old, first private alpha. i hope public beta released in next year with powerful script language engine and more features.

 

I would like to know the answer to this too.

 

I'm struggling to understand the 'big picture', but the test author seems to be emphasizing that the apps (both antirootkit and HIPS) fail to deal with the newer type(s) of rootkit techniques, e.g.
http://www.openrce.org/articles/full_view/19
Instead, they are apparently (apparent, via the test results) myopically targeting 'old hat' malware techniques & are breeding a false sense of security among users.

I had found the announcement of the test results in a message posted to the sysinternals malware forum
"Favorite/Custom Rootkit, ARK, HIPS, HIDS Tool(s)" thread:
http://forum.sysinternals.com/forum_posts.asp?TID=17648
(explains test author's motivation/rationale for adding MalwareDefender to the test group)

Someone in that thread (not the ntinternals author) criticized the misdirected efforts of many 'ark' authors:

As I said above, I'm struggling to understand. From reading (poorly translated) Chinese support forum discussions regarding Malware Defender, the quoted criticism might be well-placed. Like so many other vendor sites, the torchsoft site hypes xyz features. Although MD is touted as offering "low level (keyboard, disk) protection... while trialing MD, I found that it didn't seem to protect against clipboard access. The dev replied "no, it does not". At the moment, providing such protection isn't important to him? Per the Chinese forum threads, he's busy keeping step with another hacker/developer. That competition is steering his agenda? What exactly is the hyped "low level" protection? From the position of the ntinternals author & others critically posting to the sysinternals forum -- doesn't matter what the protection is, what matters is that the protection is incomplete & that the practice of selling (and buying into) a false sense of security based on incomplete and poorly-implemented (or outdated / moot) protections is the current norm.

Anyhow, I contacted the ntinternals author via email to suggest that MalwareDefender is a policy-based HIPS, not a rootkit. In reply, he linked to the following post, noting "it should clarify my attitude in this case".

"Actual 2009 Antirootkits" thread:
http://forum.sysinternals.com/forum_posts.asp?TID=20007

 

Low level keyboard access is not the same as clipboard protection. Run the AKLT tests and you'll see the difference. MD has not misrepresented itself.

MD is a classical HIPS. Defensewall, for example, is a policy based HIPS.

imho, it was right to include MD within these tests, but I do think Xiaolin should either improve the anti-rootkit capabilities of MD or think again about how it is promoted. To me, the features of MD are valuable without being labelled as 'anti-rootkit'.

 

I use MD as an hips, not as an antirootkit tool (I prefear using Gmer, Rootrepeal and Rootkit Unhooker to do that).

I did not read all that article, i had no time...
But imho if MD was able to alert about driver loading, files creation/execution, and other process comunication... than the test is passed.
First of all please remember MD is a prevention software, not a removal tool.

If you want you can test even MD firewall, but i'm simply not interested on it

BTW maybe i'm misunderstanding the means of this test, in this case i'm sorry...as i said before unfortunately i had no time

Regards

 

Its not just whether or not MD can intercept these rootkits from running/installing its other HIPS products as well. Personally I"m not to worried
because firstly the said rootkit would have to get passed sandboxie secondly I have file and folder rules in place by MD, for a rootkit to run and install it first has to have its files created on the OS. with my file and folder rules the creation of new files is denied. But I still would like to know if MD can intercept
such rootkits from running/installing.??

some one introduce xiaolin to this thread.

 

I think you people are just confusing it. They tested the ability to detect hidden processes. The process explorer of MD failed to detect any hidden process. That,s my understanding.

CFP, SSM and EQS all have a ProcessExplorer tab for running processes and as far as I remember EQS probably shows hidden processes in red. I will be interesting if any one can test them in this regard.

Personally i think the process explorer of all these HIPS are too weak to detect rootkit hidden processes. Their developers must implement such a feature.

KAV detects hidden processes and so does TF but I am not sure if they are really good in this regard or not.

 

the main idea of a hips program is not to detect but prevent in the first place and all the hips properlly configure and properly read and respond to the pop up before click yes/no are able to prevent the installation of any rootkits