Anti Stealth - Am I understanding correctly.......

Hi

Can someone clarify this for me ?

To determine whether potential rootkit activity is present, I run an on-demand scan with AS off and then another scan with AS on and then see if there is a discrepancy of the number of files scanned. Is that right ?

If so, scan A shows 133,814 files scanned, Scan B 133815. How can I find the file that is 'hidden' from Scan A - sounds to me like finding a needle in a haystack unless I'm missing something a bit more scientific here

Sophos AntiRootkit finds no hidden files and Rootkit Revealer displays one Prefetch file as 'hidden'.

Said Prefetch file shows up in both NOD scans- so thats not the discrepancy.

Any thoughts anyone ?

 

Enable "List all files" and then compare both logs.

 

Hi Marcos

Sorry, I didn't make myself clear. I had read that advice previously from your good self but are you really saying the only way is to manually compare two logs both with 133,000 plus files in order to find the discrepancy ?

Hence my comment ' like finding a needle in haystack'

 

I was talking about a trick how to identify a rootkit-like file. It does not mean you have to do this, it's just a kind of assurance for very advanced users.

 

anti-stealth is to find active rootkits (rootkits that were detected while inactive now can also be detected when they are active [and hidding themself]).

 

If you are needing to compare two files or folders, Beyond Compare from Scooter Software makes it a breeze.

Cheers

 

I guess your answer is 'yes' then.

So if I have a discrepancy in files scanned, I have possible rookit-like activity.

I'm not worried for myself as I don't believe I have a rootkit and in my limited experience rootkit tools are notorious for FP's.

Imagine a new customer who latched on to this method via here or your website- found a discrepancy in the 2 scans, got scared witless and THEN found he had to go through 2 logs of 100,000 files to find the discrepancy, and THEN only to find it was a false alarm.

 

Thanks for the assist NOD32 user.

However, I don't plan on spending money to check a couple of logs that I don't think warrant checking but I appreciate your help anyway.

 

windows 2K & XP (all flavors) have a command line utility (comp) that will compare 2 files and log the differences. google windows command comp and the first result is the docs for comp. If it were me, I would copy both log files into a temp folder and use comp to find the differences. note the /a option that will log the differences as text. Good luck if you decide to play.
Jerry

 

Thanks Jerry - good info.

I'll play, I'll play