Vba32 AntiRootkit 3.12.* beta

Discussion in 'other anti-malware software' started by sergey ulasen, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. sergey ulasen

    sergey ulasen AV Expert

    VirusBlokAda Ltd. is glad to offer you a new version of Vba32 AntiRootkit and invites you to participate in beta testing of our product.
    Links to download:

    ftp://anti-virus.by/beta/Vba32arkit_beta.rar

    ftp://anti-virus.by/beta/Vba32arkit_beta.zip

    ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

    ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

    The following techniques of kernel-mode rootkit detection are implemented in Vba32 AntiRootkit:
    • searching for SYSENTER hooks;
    • searching for hooks by replacing addresses in SSDT table;
    • searching for hooks by replacing addresses in Shadow SSDT table;
    • searching for hooks by modifying IDT table;
    • searching for export table modifications of main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
    • searching for hooks by modifying machine code (splicing);
    • searching for hooks by replacing addresses of IRP packet handlers;
    • searching for hooks by replacing addresses of FastIO request handlers;
    • searching for kernel modules hidden in the memory. If an object is considered as hidden, it'll be marked as Hidden in memory;
    • searching for processes hidden in memory. If an object is considered as hidden, it'll be marked as Hidden in memory;
    • searching for kernel modules whose image on the hard drive doesn't correspond to the image in memory. Such objects will be marked as Modified image;
    • searching for installed kernel mode notificators.

    Moreover the following additional techniques are implemented:
    • scanning autoruns;
    • scanning drivers and services specified in the registry;
    • scanning all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
    • checking digital signature of all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
    • displaying additional information retrieved from file resources.

    The following features are designed for neutralizing rootkits:
    • restoring hooks in SSDT table;
    • restoring hooks in Shadow SSDT table;
    • restoring hooks in IDT table;
    • restoring hooks in main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
    • restoring hooks made by machine code modifications;
    • restoring SYSENTER hooks;
    • removing specified objects from autoruns;
    • enabling/disabling drivers/services specified in the registry;
    • copying specified files to the quarantine early in the system boot;
    • deleting specified files early in the system boot;
    • scanning and deleting autorun.inf files;
    • removing installed kernel mode notificators.

    Vba32 AntiRootkit allows the user to collect information that may help in solving problems on the user's computer.

    Vba32 AntiRootkit has English help (Vba32ArkitEN.chm file).

    You can send your feedback to beta[at]anti-virus.by or post it here.
    Last edited: Sep 14, 2009
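    Two of the kernel-mode checks listed above (replaced SSDT addresses and splicing), reduced to user-mode logic over constructed data. This is an added illustration, not VirusBlokAda's code; the kernel image range, SSDT addresses and prologue bytes are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t base; uint32_t size; } image_range_t;

/* Check 1: an SSDT entry whose target lies outside the kernel image
 * (ntoskrnl.exe here) has been replaced. Stores the indices of such
 * entries in out (at most max) and returns how many were found. */
size_t find_ssdt_hooks(const uint32_t *ssdt, size_t n, image_range_t kernel,
                       size_t *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int inside = ssdt[i] >= kernel.base && ssdt[i] < kernel.base + kernel.size;
        if (!inside) { if (found < max) out[found] = i; found++; }
    }
    return found;
}

/* Check 2 (splicing): compare a function prologue as loaded in memory with
 * the same bytes from the image on disk. Returns 0 if identical, 1 if
 * modified, 2 if modified and starting with a relative JMP (E9 rel32);
 * for 2, *target receives the JMP destination, i.e. the hook handler. */
int check_splice(const uint8_t *mem, const uint8_t *disk, size_t len,
                 uint32_t func_va, uint32_t *target) {
    if (memcmp(mem, disk, len) == 0) return 0;
    if (len >= 5 && mem[0] == 0xE9) {
        uint32_t rel = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                       ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
        *target = func_va + 5 + rel;   /* rel32 is relative to the next instruction */
        return 2;
    }
    return 1;
}

/* Constructed sample data (not taken from a real system). */
static const image_range_t KERNEL = { 0x80400000u, 0x00200000u };
static const uint32_t SAMPLE_SSDT[3] = { 0x80501000u, 0x80502000u, 0xF7A01000u };
static const uint8_t DISK_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t MEM_PROLOGUE[5]  = { 0xE9, 0xFB, 0xFF, 0x4F, 0x77 }; /* jmp 0xF7A01000 from 0x80501000 */

/* Index of the single hooked SSDT entry in the sample, or (size_t)-1. */
size_t demo_ssdt_hook_index(void) {
    size_t idx[3];
    size_t n = find_ssdt_hooks(SAMPLE_SSDT, 3, KERNEL, idx, 3);
    return n == 1 ? idx[0] : (size_t)-1;
}
/* Destination of the splice found in the sample prologue, or 0 if none. */
uint32_t demo_splice_target(void) {
    uint32_t t = 0;
    return check_splice(MEM_PROLOGUE, DISK_PROLOGUE, 5, 0x80501000u, &t) == 2 ? t : 0;
}
```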
  2. Saraceno

    Saraceno Registered Member

  3. Meriadoc

    Meriadoc Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Much more serious ark than those from other antivirus houses; trying it out now, but the first impression is a good one.
  4. PROROOTECT

    PROROOTECT Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Saraceno, your link is only for antivirus, not for antirootkit.

    The link for the antirootkit also comes from Post #17 (with the VBA forum link, by Sergey Ulasen, for this antirootkit software) in the thread 'ANTI-ROOTKITS: Good, Safe ...' here: http://www.wilderssecurity.com/showpost.php?p=1540086&postcount=17

    Very good tool.

    Thank you Sergey!


    PROROOTECT
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Worked fine on XP SP3. Haven't tried installing the driver at boot yet.

  6. StevieO

    StevieO Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    sergey ulasen

    Thanx

    Your 4th link doesn't work; the f in front of ftp doesn't get resolved?
  7. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks for your post there (http://www.wilderssecurity.com/showpost.php?p=1540086&postcount=17).

    Until now we have been discussing it only on http://virusinfo.info/showthread.php?t=41137 in Russian. From now on we will bring an English-speaking audience to testing Vba32 AntiRootkit.

    The product is constantly evolving. We have had four beta iterations (3.12.3.0, 3.12.3.1, 3.12.3.2, 3.12.3.3) over 7 months. You can see it in readme.en.

    Now we are working on low-level disk access.
  8. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks :)
  9. Tarnak

    Tarnak Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    No problems on XP Pro SP2.

  10. sergey ulasen

    sergey ulasen AV Expert

  11. Tarnak

    Tarnak Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Just tried to run this latest version, but it says "couldn't install driver".
    However, I can still run the earlier version with no problem.
    See screenshot attached.

  12. markusg

    markusg Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Can you add keyboard support? I cannot navigate with Tab and cannot select the options.
  13. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    Maybe the problem is connected with DefenseWall. Please add vba32arkit.exe to the "white list" and try again.
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Re: Vba32 AntiRootkit 3.12.3 beta

    Because you tried to install it as untrusted. Run the installation file as trusted.
  15. Tarnak

    Tarnak Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    I tried this, but it didn't work.

    I don't know why I had so much trouble this time around, but I deleted everything and started over.

    I extracted the rar file to the unzipped folder as trusted, and this time it worked.

    See a copy of the Dw_log.txt for informational purposes, showing the unsuccessful attempts.

  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Re: Vba32 AntiRootkit 3.12.3 beta

    "module C:\unzipped\vba\Vba32arkit.exe, Loading untrusted/untrusted created module C:\unzipped\vba\Vba32ar.dll. Process is untrusted now". That's the reason for the issue.

    Just totally remove the "vba" folder and unrar as trusted. Or, another solution: select the "vba" folder and run "change status to trusted".
  17. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks to Ilya Rabinovich.

    We know about the problem, but I can't promise that we'll fix it in the near future.
  18. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    Vba32 AntiRootkit 3.12.4.0 release:

    http://anti-virus.by/en/vba32arkit.html

    Vba32 AntiRootkit advantages:
    • Does not require installation
    • Can be used with any antivirus software installed on your computer
    • Uses a unique feature of the detection of "clean" files
    • Can be used in several modes
    • Supports the maintenance of a system status report in html format
    • Treatment of the system may be done using a scripting language
    • Supports Windows 7
    • Help files in Russian and English languages
  19. Durad

    Durad Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Can you give some more information on how this works:


    thanks
  20. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    The following operations are available: deleting files and copying files to the quarantine. To do this, select the File - Run Script menu item.

    Example:

    Code:
    Brs_Start();
    Brs_QtnFile("c:\x.exe");
    Brs_DelFile("c:\x.exe");
    RebootSystem();
    All information about scripts is available in the Vba32arkitEn.chm file, in the Additional Features/Running Scripts chapter.
  21. Durad

    Durad Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Does it have OnBootClean like AVZ?
  22. sergey ulasen

    sergey ulasen AV Expert

    Re: Vba32 AntiRootkit 3.12.3 beta

    Yes, it does.
  23. sergey ulasen

    sergey ulasen AV Expert

    Vba32 AntiRootkit 3.12.5.0 beta

    Vba32 AntiRootKit 3.12.5.0 beta:

    ftp://anti-virus.by/beta/Vba32arkit_beta.rar

    ftp://anti-virus.by/beta/Vba32arkit_beta.zip

    ftp://vba.ok.by/vba/beta/Vba32arkit_beta.rar

    ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip

    + Added direct disk access mechanism. NTFS and FAT 12/16/32 are supported. Low-level file verification is performed in all existing windows / checks

    + Added Low-Level Disk Access Tool windows. View, Copy, Delete and Wipe (with purging from windows file cache) operations were implemented at a low level. Hidden, locked and forged files can be optionally highlighted. NTFS Alternate Data Streams and symbolic links are also supported

    + Vba32 Defender prevents executable file startup and driver loading while the antirootkit is operating

    + Search for hidden drivers was improved, Windows driver stack analysis was added

    + Search for hidden processes was improved (handle search in csrss.exe, PspCidTable parsing, etc. were added)

    + Section attributes verification for all kernel-mode modules was added

    + Search of hidden IRP handlers was added

    * The possibility to exclude user-mode images in the kernel modules window was added

    * Process window was improved, EPROCESS address and short name were added to the user view

    * Interaction between GUI and antirootkit driver was improved

    * Hook detection mechanism was revised. Checking of EAT and code sections of all kernel mode modules was implemented

    * Help in Russian was improved
  24. CloneRanger

    CloneRanger Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    Thank you :thumb:
  25. jmonge

    jmonge Registered Member

    Re: Vba32 AntiRootkit 3.12.3 beta

    I am trying this one now ;)