How good is Ewido at detecting rootkits?

Discussion in 'other anti-trojan software' started by serioussam, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    From what Nautilus has written, it can do that. I think he states the Ewido guard can stop it. Just from the little reading that I have done, I think it may be possible that both Ewido and BoClean might be able to stop many rootkits before they activate.



    Starrob
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    If it is processing within memory, it has passed the gate. To be sure, the moment it enters the computer, it has passed the outer gates (the hardware router firewall), but we are given a second chance, an inner gate if you will. It would be nice if MS would close the gates for us, but since they are too busy to take notice, I think we will have to close them for ourselves - if we choose to.

    Rich
     
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I am not so certain about the "if it is processing in memory it is too late" part. People have done tests that have actually stopped malware as it enters memory. I have yet to see any tests that prove in-memory scanning is not an adequate feature.

    I do find it interesting that Kevin of BoClean has said that memory scanning techniques might not be as effective in the future. I think the Shadow Walker concept shows why that might be true.

    However, there are brilliant coders at Ewido, BoClean and many AV's. They may come up with a solution or solutions for concepts such as Shadow Walker.

    If the Memory scanning method was totally invalid, I doubt major corporations or governments would pay BoClean for that type of service but that is neither here nor there.

    What I do believe is that different people have different philosophies on security. Some use an AT, some use "HIPS", some use both, some use neither. It doesn't make any one way right or wrong. It just may be the best solution for a person at a certain point in time. There are weaknesses in all products just as there are strengths. What a person decides to use is an individual decision... everyone should decide for themselves because not everything that is written on Wilders is necessarily right.

    Sometimes, even information from the most knowledgeable can be incorrect. That is why I like looking for information both pro and con. If there is any information showing how ineffective in-memory scanning is then I would like to see it.



    Starrob
     
    Last edited: Aug 29, 2005
  4. triplex

    triplex Guest


    This is true in every area of life, and has been shown to be so over and over again. All so-called experts, in every field, have their limits, and areas they have not thought of or discovered yet.

    Anything any so-called experts claim should be viewed cautiously, until it is proven through tests. And even MORE so if the so-called experts insist they are correct above others. The more someone gives you a one-sided view on something, trying to convince you they are correct above all others, the more sceptical you should be about what that person is telling you.

    Sadly most people seem to not be aware of this and go right on their merry little way, believing everything the so-called experts tell them to be fact. Not even aware in many cases the so-called experts have been proven wrong. The smartest people in the world are amazingly dumb. ;)
     
  5. uiuiuiu

    uiuiuiu Guest

    This is not to say that mem scanning is ineffective. But we should bear in mind that mem scanning is generally still based on signatures. Therefore, you can create a modified malware sample which is not detected by such sigs. (In particular, scanners using weak signatures are affected by such modifications.)
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Ewido claims to use strong signatures. It would be interesting to know exactly how effective their use of strong signatures is in a memory scan. I know that type of test would probably be very time consuming (most especially if it included spyware also).



    Starrob
     
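As an added illustration of the weak-versus-strong signature point raised in the two posts above: the toy scanner below is example code written for this thread, not Ewido's, BoClean's or any real product's detection logic, and the byte buffers it scans are constructed stand-ins for memory regions rather than real malware. A "weak" signature here is a single fixed string; a "strong" one requires several independent fragments to be present together, so a cosmetic change to one of them (a version string, in the constructed variant) does not defeat the match, while a benign buffer that shares only one fragment is not flagged.

```python
"""Toy in-memory scan: weak (single-string) vs. strong (multi-fragment) signatures.

Example code for this thread; the buffers and signatures are constructed and
do not correspond to any real sample or any product's signature format.
"""
from dataclasses import dataclass
from typing import List

# --- constructed "memory regions" (harmless bytes standing in for process memory) ---
ORIGINAL = (
    b"\x00" * 16
    + b"EVILTOOL v1.0 greets"        # hypothetical banner string
    + b"\x90\x90"                    # a short filler pattern
    + b"cmd.exe /c del"              # a command fragment
    + b"\x00" * 8
)
# Trivially modified variant: only the version string differs.
VARIANT = ORIGINAL.replace(b"v1.0", b"v1.1")
# Benign region that happens to share one fragment with the sample.
BENIGN = b"notepad.exe cmd.exe /c del temp.txt"


@dataclass
class Signature:
    """A signature is a set of byte fragments and a threshold of how many must hit."""
    name: str
    fragments: List[bytes]
    min_fragments: int


def matches(sig: Signature, region: bytes) -> bool:
    """True when at least `min_fragments` of the signature's fragments occur in the region."""
    hits = sum(1 for frag in sig.fragments if frag in region)
    return hits >= sig.min_fragments


# Weak: one fixed string, including the volatile version number.
WEAK = Signature("weak", [b"EVILTOOL v1.0"], min_fragments=1)
# Strong: three independent fragments, all required.
STRONG = Signature("strong", [b"EVILTOOL", b"\x90\x90", b"cmd.exe /c del"], min_fragments=3)


def scan(region: bytes, sigs: List[Signature]) -> List[str]:
    """Return the names of all signatures that match the given memory region."""
    return [s.name for s in sigs if matches(s, region)]


if __name__ == "__main__":
    for label, region in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:9s}: {scan(region, [WEAK, STRONG])}")
```

The point of the comparison is the trade-off a signature author faces: a single long string is easy to write but breaks on any edit to it, while a multi-fragment signature survives cosmetic changes and, because every fragment must co-occur, is less likely to fire on unrelated memory that contains just one of them. Real scanners combine this with other techniques; the posts above only discuss the signature side.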
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Even Edison was proven "wrong" by Nikola Tesla. Edison said power distribution should be using DC current. Tesla said AC current. A majority of the world today uses AC current. It was proven DC current was too inefficient for widespread use.


    Starrob
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I guess another question I could ask is if Ewido uses heuristics in its memory scan to detect things like rootkits?



    Starrob
     
  9. ---

    --- Guest

    Agreed. Choose not to install/run software from dubious sources. That is the only way to be sure against trojans. If you do trip up, and your AV/AT fails to ID it, you are dead, no matter what you run. All the HIPS in the world can't save you.
     