Rollback Rx is a rootkit?

Why does HMP report Rollback Rx as a rootkit? I have a fresh installation, so its impossible for me to have rootkit.

 

This has been discussed before. Take a look here.

Rollback Rx does modify the system very similar to MBR boot/rootkits hence its detection by vendors such as HMP. I believe other dedicated rootkit scanners do report this as well. Someone said GMER does this too. It doesn't mean Rollback Rx is a rootkit and is therefore bad; it means the technologies used are similar, and is why some anti-malware programs alert on it.

 

You'll need to set HMP disk access to Compatible Disk Access instead of Direct Disk Access.

 

what's the difference?

 

Thank you,,, can I trouble you to explain what the difference is and what it means for the scans?

 

Hitman's Compatible Disk Access mode uses Windows' API to access the disk (instead of its normal direct disk access) so that it works within Rx's environment. Rx protect's the MBR from programs (safe or malicious) which use Windows' API for disk access, but is vulnerable to programs (especially malware) which use direct disk access. But using Hitman's CDA mode is a two-edge sword because when doing so you also reduce Hitman's ability to detect malicious rootkits!

Scott

 

thanks for explanation!

 

Very well said Scott! Especially, "But using Hitman's CDA mode is a two-edge sword because when doing so you also reduce Hitman's ability to detect malicious rootkits!"

Best regards,

 

Thank you Scott.

So would this imply that programs such as Malwarebytes or the AV/AM suite I use as my first line of defence (ESET) are monitoring via normal disk and thus are lax in detecting rootkits? They do not see the RX function as a rootkit. Or is Hitman just more aggressive? In other words is it like setting protection from normal to extreme or from poor to OK?

 

I suspect that those AV programs do not use Direct Disk Access reads along with its Windows 'API reads', but I really don't know that for certain. For sure though, Hitman is very aggressive in using Direct Disk Access mode in concert with Windows API mode.

In order to help you better understand what's going on, Rx hides its MBR entry much like a malicious rootkit (it is 'invisible' when reading the MBR via Windows API). So when Hitman sees that an MBR read via Direct Disk Access differs from an MBR read via Windows API it issues a heuristic alert of a likely MBR rootkit, which is precisely what it should do. When opting to use Hitman's CDA mode (i.e., using Windows API only) all appears well to Hitman in that it doesn't see Rx's non-malicious bootkit, but the likelihood of Hitman detecting a malicious rootkit (in CDA mode) is also diminished.

Scott

 

Perhaps,although more likely they've just whitelisted the likes of RollbackRX

 

Thanks for the info

 

I thought that was likely and wonder why Hitman does not do this too. Supposedly "suspicious" files are uploaded for analysis,,,,I would have thought this would have dealt with the issue by now.

 

Why the onus is on Hitman, why not on HDS the maker of Rollback Rx advising their customer to whitelist their rootkit from the AV and/or Rootkit programs?

 

From my experience with HMP,much as I like it,they're very slow to deal with FPs,often you need to report it a few times to get a result.
Also once they have dealt with it you can guarantee it'll reappear when the application in question is updated.

 

In a perfect world I guess the onus would be on both parties but that still does not explain why any of the programs other than Hitman that I have used do not see the code as malicious. Also, there is no way to whitelist anything in Zemana AntiMalware that I was able to find. So now Zemana is in the mix as well making things that much more complicated.

As an aside,,,,,is anyone using a program other than Hitman that is picking up the code as malicious? It would be good to compile a list for reference.

 

Thanks for the info, much appreciated.

 

HitmanPro uses several scanners: Emisoft, Bitdefender, Dr.Web, G Data, and Ikarus.
Emisoft, I tested it myself, is the one that won't accept Rollback Rx as a FP because the same device is used by malware, I suspect Ikarus might as well but I'm not sure. HitmanPro won't change simply because Emisoft won't change.

I can't see what is the big deal about it, when I tested Emisoft it was clear that its detection was a FP and ignored it, same with Hitman Pro.

 

Its not a big deal if you have the knowledge to understand (or find out) that its an FP but it can be a bit of an issue if you just go ahead and tell the program to "fix it" because it said you should. Sure you should check first but not everyone knows enough to do this.

 

In principle Rollback should notify users about it and Emisoft shouldn't really flag it as malware. I figure that if someone goes to the trouble of buying and understanding a software like Rollback and then installing HitmanPro (which is really still a tool for people interested in security) one would expect such a user to know of the possibilities of FPs. All AVs can produce FPs, the danger is always there if one doesn't pay attention.

 

Good point Osaban, you are 100% correct.