Best Rootkit Protection

Discussion in 'other anti-malware software' started by Pedro, Nov 7, 2006.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Well this is my first thread, and maybe the only one. It's about what most concerns me: Rootkits. :ninja:
    1- What is, in your view, the best rootkit protection/prevention? Free and paid. You can name more than one of course. I use GeSWall + Prevx1 mainly, and am playing with SSM free. Somehow I think it's missing something... :doubt:

    And for detection, I use Rootkit Revealer and GMER. I have others, but mainly these. I really like GMER :thumb:, but no documentation exists, so I don't know how to use it, not really. I'm not an expert. I get concepts. Period. There are a lot of options in GMER, even for protection; it looks like a powerful tool.
    2- So how about some of the experts here start a thread to write a manual? Starting with the basics and moving on? If he agrees with it. It would save him time to continue the development of the program. And many of us would appreciate the effort. As you go forward, send him the progress for correction.
    Is it a bad idea? o_O
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Protection - A sandbox and/or HIPS (GW and SSM)
    Detection - BlackLight, Gmer and PWalker (Process Walker)
    Removal - clean snapshot/image or reformat
     
    Last edited: Nov 7, 2006
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Don't forget about NOD32 2.7 which makes removal of active rootkits a piece of cake :)
     
  4. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Hi Marcos, can you explain a little bit more on this new feature of NOD32 v2.7 (e.g. how to use it)? I am running it now but I cannot distinguish its new features from v2.5.

    Thanks.

     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    PWalker... don't know that one. Does it work on Windows or does it need cmd?
    And what do you say of no. 2? GMER manual?
     
  6. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    PWalker runs on Windows, no need for commands. Looks nice (the only one to detect the latest rootkit phide.exe - there is a thread here).
    Gmer I have used only a few times; it does tell u if ur system is modified since the last scan. Don't know about a manual. I just used to do a scan, nothing else.
    Very little play with rootkits so can't say much.
     
  8. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
  9. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That sounds impressive! Can you explain it a little more?
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    NOD32 2.7 provides a new method for detecting active rootkits which is called "Anti-Stealth technology". It is supported by AMON and the on-demand scanner. When enabled, NOD32 can see rootkits that are otherwise hidden from the Windows API.

    My $0.02:
    Using this option in the on-demand scanner, you can even discover any file that behaves like a rootkit and is undetected even by NOD32 - simply run 2 scans, one with Anti-Stealth enabled and the other one with AS disabled. If the total numbers of scanned files do not match (whilst using the very same settings), it's an indication of a rootkit-like file being active. Of course, it can also be a legit application that behaves this way.
     
  11. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Thanks Marcos. Do I have to run what you had described in Windows Safe Mode in order to be effective?

     
  12. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    I have version 2.5. Where and how can I download version 2.7 in French (the paid version)? o_O
    Is version 2.7 a final release or is it still a beta version?

    Thanks,
    Atomas31
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    If I had to select an AV with a rootkit capability it would be F-Secure with its Blacklight.

    I think a combination of F-Secure and the Bit Defender Rootkit Uncover would be a formidable defense. I also use UnHackMe and Snoopfree. I am not sure how the last two stack up.

    Best,
    Jerry
     
  14. tansu

    tansu Registered Member

    Joined:
    Sep 13, 2005
    Posts:
    210
    There is a recent research about detecting and removing rootkits..
    http://www.eweek.com/article2/0,1759,2051268,00.asp?kc=EWRSS03129TX1K0000614
     
  15. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
  16. tansu

    tansu Registered Member

    Joined:
    Sep 13, 2005
    Posts:
    210
    At least they are not hiding:D
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It shouldn't matter; if a particular file is running, NOD32 should delete it the next time you start the computer.
     
  18. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I believe that BOClean is the best application for
    1. prevention of rootkit installation and
    2. removal of rootkits from an already infected computer

    BOClean was written originally to remove Back Orifice 10 years ago and I doubt that anyone has more knowledge, or understanding of rootkits than Kevin McAleavey.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    SnoopFree is not for RootKits.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I gave it a whirl. Don't try this yet unless you have a good recovery option. While it looks interesting, it isn't even at the alpha stage in my opinion. It is proto code at this point. Doesn't like dual core processors, among other things.

    Pete
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    A quote from their website:

    Thus Helios uses a 'behavioural' analysis engine as opposed to signatures. The upside to this is that we can catch malware that is 'unknown' in the wild, or for which signature based products do not have a signature definition.

    How do they ensure that Helios does not report many false positives? You can also use NOD32 to detect any file that behaves like a rootkit using the anti-stealth technology. However, NOD32 will hardly report any false positives as it uses advanced heuristics for code emulation as well as signatures for precise detection of known rootkit variants. If you wish, you can conduct 2 scans, one with the anti-stealth technology enabled and one with AS disabled. If the total numbers of scanned files do not match, you have a rootkit-like file active. However, always bear in mind that legit commercial applications may also use such files, so it could be just a false indication.
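The two-scan comparison Marcos describes in posts 10 and 21 is a cross-view check: enumerate the same files once through the normal Windows file-listing API (which a rootkit that hooks that API can filter) and once through a view it cannot filter, then compare. The following is an added example, not code from the thread or from any product named in it. It goes a step beyond the posts: rather than comparing only the totals, it reports which paths differ and in which direction, and it repeats the pair of scans so that a temp file that came and went between the two passes is not mistaken for hiding. Both listings are constructed by hand so the example runs offline; the paths, including `hidden_example.sys` and `scan_0001.tmp`, are made up.

```python
"""Cross-view detection of hidden files.

Added example, not code from any product in the thread. It models the
two-scan comparison described there: enumerate the same tree once through
the operating system's normal file-listing API (which a rootkit that hooks
that API can filter) and once through an independent "raw" view (e.g. by
parsing the file system directly), then compare. The listings below are
constructed by hand so the example runs offline; the paths are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Discrepancy:
    path: str
    kind: str  # "hidden": in raw view only; "phantom": in API view only


def count_mismatch(api_view, raw_view):
    """The coarse check from the thread: did both scans see the same number
    of files?  Cheap, but one hidden file plus one transient temp file
    cancel out and give equal counts (see the RUN1 data below)."""
    return len(set(api_view)) != len(set(raw_view))


def cross_view_diff(api_view, raw_view):
    """Per-path comparison.  A path the raw view sees but the API view does
    not is the signature of API-level hiding; the reverse usually means a
    file that existed during one enumeration and not the other."""
    api, raw = set(api_view), set(raw_view)
    hidden = [Discrepancy(p, "hidden") for p in sorted(raw - api)]
    phantom = [Discrepancy(p, "phantom") for p in sorted(api - raw)]
    return hidden + phantom


def stable_discrepancies(runs):
    """Repeat the pair of scans and keep only discrepancies present in every
    run.  Transient files drop out; something persistently hidden stays."""
    per_run = [set(cross_view_diff(api, raw)) for api, raw in runs]
    if not per_run:
        return []
    return sorted(set.intersection(*per_run))


# --- constructed sample data (hypothetical paths) -------------------------
HIDDEN_PATH = r"C:\Windows\System32\drivers\hidden_example.sys"
TMP_PATH = r"C:\Windows\Temp\scan_0001.tmp"

COMMON = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\ndis.sys",
    r"C:\Users\pedro\Documents\notes.txt",
]

# Run 1: a temp file existed during the API pass and was gone by the raw pass,
# so both views report four files and the count check says "no difference".
API_RUN1 = COMMON + [TMP_PATH]
RAW_RUN1 = COMMON + [HIDDEN_PATH]

# Run 2: no transient file this time; counts differ (3 vs 4).
API_RUN2 = list(COMMON)
RAW_RUN2 = COMMON + [HIDDEN_PATH]


if __name__ == "__main__":
    for label, api, raw in (("run 1", API_RUN1, RAW_RUN1), ("run 2", API_RUN2, RAW_RUN2)):
        print(f"{label}: count mismatch = {count_mismatch(api, raw)}")
        for d in cross_view_diff(api, raw):
            print(f"  {d.kind:8} {d.path}")
    print("stable across runs:")
    for d in stable_discrepancies([(API_RUN1, RAW_RUN1), (API_RUN2, RAW_RUN2)]):
        print(f"  {d.kind:8} {d.path}")
```

Run 1 shows why the totals alone are a weak signal: one hidden file and one transient file leave the counts equal, yet the per-path diff still exposes both. Intersecting the discrepancies across repeated runs keeps the persistently hidden path and drops the temp file, which is the same reasoning the posts apply when they caution that a legitimate application can also produce a mismatch: the answer is to look at which files differ, not just how many.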
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Helios doesn't work with dual cores, so forget it.

    Gmer has the best chance of being awarded best anti-rootkit; it depends on how it improves next time.

    I love to play the unhook game.

    Concerning Symantec: They get the most resource hungry software award.

    And the how-to-slow-down-your-computer-the-easiest-way award.
     
  23. kdm31091

    kdm31091 Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    365
    Oh of course Symantec-sponsored tests will say Norton is the best. Utter junk.
     
  24. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    According to PC World or something... Spyware Doctor is the best.
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Since no. 2 has been discarded, I just want to ask one thing: if I format a disk and re-install Windows, is it possible for malware to remain? Maybe it's idiotic, but I want to ask anyway. :D
     