OneCare 2.0 & rootkits

Discussion in 'other anti-virus software' started by 337, Jan 2, 2008.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The thing to remember about rootkits is that once it's active and running, the compromised machine cannot be trusted anymore. No tool is completely reliable against active rootkits, even though they may be able to detect the rootkit in its inactive form - not DrWeb, not Blacklight, IceSword, GMER or anything else. At some point or other the anti-rootkit tool needs to obtain information from the OS in order to work. Most anti-rootkit scanners will try to request information from the lowest level of the OS as they can in an attempt to obtain data that has not been modified by the rootkit, but the trouble is that you do not know what parts of the OS the rootkit has compromised.

    Kind of like espionage within an intelligence agency; once you know there's a mole in there somewhere, you don't know who to trust anymore.

    The only reliable method to be sure an active rootkit has been purged is to reformat, and the only reliable defense against them is to prevent the rootkit driver from loading in the first place; i.e. the scanner should be able to detect the rootkit driver before it gains ring0 privileges, or you have some behavioral-based software to prevent unauthorized device drivers or such similar low-level system access. Any antivirus scanners that advertise to be able to detect active rootkits may provide you with peace of mind - they may be really able to detect some older, more primitive rootkits - but not necessarily any actual defense against today's sophisticated ones once they're loaded and active.
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Microsoft isn't lying. Detecting "inactive" (i.e. file samples) or "about to install" rootkits is rather easy, provided that you have the signature for it. Detecting active/loaded/live rootkits is a completely different thing.
    Norton has some technology from Veritas, which is somewhat advanced compared to the "average" AV. But it isn't enough against the advanced rootkits of today. AFAIK, the most advanced scanner (i.e. the one that dives deepest into the OS) is SAS.
     
  3. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Well, I don't think it matters anymore personally. I managed to give KIS another go on my machine, ObjectID stuff notwithstanding. Once 8 comes out, I'll reformat which will resolve the problem (as the objectID stuff doesn't follow on a DVD).

    It's really the only thing that's ever made me feel "safe", and there's something to be said for that, great test results or no.
     
  4. 337

    337 Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    232
    Location:
    Georgia, USA
    I wound up with KAV. Best Buy had it for 20 bucks, so out with OneCare...
    :D
     