What program do you all consider to be the best anti-rootkit?

Discussion in 'other anti-malware software' started by WilliamP, Dec 3, 2006.

Thread Status:
Not open for further replies.
  1. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    But it is not available for us, Gmer. So it is a pure proof-of-concept movie without real facts; attaching to devices and doing filtering - probably you used this technology, so it is out of date. More reliable "file stealthing"
     
    Last edited: Dec 8, 2006
  2. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @EP_X0FF

    It's only a test - nothing else.
    I hope that you understand why it's not publicly available?

    If it's "out of date" then our detectors are also out of date. The only fact that I can see here is that we have work to do (as always), but believe me, I really think that your ARK is very good and you will improve it.
    Don't waste your time on unnecessary fights.

    The test part two:
    http://www.gmer.net/test2.wmv

    Regards
     
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    @Gmer

    Nice to see that you are visiting this place more often than Sysinternals. I think that any kind of test rootkit should be available to the public. I see no reason to hide it from everyone except AV vendors. But I think that the sources of these test rootkits should be unavailable to the public. Without an available rootkit sample we can't approve or deny its work.

    We are not wasting time on the conflict anymore; since we got the SSM scalp we have nothing more to reach.

    So keep up your good work, and please continue improving your ARK as well.

    Kind Regards.
     
  4. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    EP_X0FF, for you and many other programmers it doesn't matter if a rootkit is available with or without sources.
    Take Rustock for example - it's the most advanced known malware, and so many AVs still have problems with it, and I think that they will not be able to detect it for months. Maybe they are waiting for Vista :)
    One thing is sure: rootkit technology first appears in malware.
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Ok. I know about reverse engineering. But could a sample be made available to "trusted" people (who are not related to malware) and to ARK testers? For example to some members here and/or on other forums.

    I agree, it is because money will always be a good stimulator for new ideas.
     
  6. controler

    controler Guest

    Hello sara15

    What I mean by all the necessary files for reformatting is, for example, XP SP2,
    any drivers not included with SP2 for your computer, a list of any software keys, your e-mail addresses, any other data, pics, movies etc. that you may want and are not able to just keep on an external drive. You may want to reflash the BIOS before reformatting. Use a good router with SPI and do not connect to the internet until you at least have SP2 installed.
    Using a bootable Linux distro is pretty cool for your online banking also.
    Most distros include Firefox now and a lot of banks accept Firefox.
    Always obtain a small check card for online buying. A card around $500.00 is good for most online purchases. If someone does get your number, they won't get much. If you can get by with a $200.00 card, even better.

    Linklogger is going to be writing up something on how he is not afraid of malware after he does his testing with the nastiest ones he can find. This will be posted over at DSLReports eventually.

    controler
     
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Ok. If there is no reply from Gmer then probably somebody else should create their own rootkit to prove the bypassing of antirootkits' hidden-file detection. I guess I know who it will be ;) I think any kind of information should be available; it is just a matter of time until somebody else creates something like this. So I see no reason to hide it from everyone.

    Just my two cents :)
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    EP_X0FF said:
    Agree, I would very much like to look at the sample.
     
  9. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    There are a couple of things that I would like to say. First, there are not that many people with the knowledge or ability to produce rootkits or the programs to find the RKs. So you have the bad guys and the good guys. We don't need the good guys squabbling with each other. Second thing, EP_X0FF, I certainly respect your abilities and your opinions, but in regards to SSM I feel that there are a lot of us less knowledgeable people that have SSM because we feel that it gives us some protection. I would like to be able to run SSM and RKU. I have read what you have written and of course, because of my limited computer knowledge, I don't understand why you don't like the way SSM is set up. I just hope that the good guys will keep up the good work.
     
  10. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hi, WilliamP.

    I see that everywhere I have to answer about SSM. Neither I nor any of my companions started this conflict. It was raised by a smart guy with the nickname "asterisk" from the SSM research team. He threw down a challenge and spread lies about us, so we answered it. Since we proved everything we said to "asterisk", I see no reason for further conflict with SSM and, as part of it, the SSM ban.

    We released a new version of Rootkit Unhooker, labeled RC3. It can be run together with SSM without any kind of problems. But if you get a BSOD, please understand that it is probably somewhere in SSM internals.
     
  11. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Thank you EP_X0FF.
     
  12. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    Rootkit Unhooker is the best. I've been using it since v2.0b4. It has helped me many times to remove unwanted "software" from my PC and the PCs in my network, so for me it is the best.

    p.s. Good to see you here EP_X0FF.
     
  13. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    I know this topic hasn't been replied to for a while but ...

    I'd have to say Gmer, DarkSpy and IceSword.
     
  14. EASTER.2010

    EASTER.2010 Guest

    To be perfectly up front and honest to the bone on this matter, there is but only "1", right now, that's right only one, TRUE featured rootkit detector that I have already and will continue to place my full confidence in, and that is RKUnhooker, now at version 3.20.

    I have dumped some pretty severe (home-made) local and publicly available customized demos, rootkits/driver/file hiders that IceSword/Modgreper/SVV and others failed miserably to pick up on, IceSword likely because it's not really been updated in what seems like ages now, if ever again, who knows.

    The RKUnhooker team is so right on top of this field right now that it isn't even funny. Now there are some serious ARK developers I have yet to see matched in this field so far. Any takers?

    Sorry to mention gmer again, but if he happens to climb out of that self-induced exile long enough to read and post here again, perhaps he would finally consider releasing a version that this time will be completely stable on XP Pro SP1 for a change, instead of the previous versions for Windows 98/Me. :D
    Come on Gmer, you have to know something about how to stop your program from flickering, jumping and just not functioning correctly on service packs other than SP2, maybe? Right?
     
  15. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hi EASTER

    Thank you for responding. Feel free to email me or post here any bugs you have found. If you have any minidump or drwtsn32.log, please send it to me. I would also like to know what your box configuration is and what other security programs are installed.

    Thanks
    -Gmer
     
  16. EASTER.2010

    EASTER.2010 Guest

    Coming your way, gmer.

    I am thrilled as pink to hear anything from you after all my efforts expecting the program to function as expected when it refuses to, and so you have to know I would not make this much continued fuss over this if it wasn't so obvious or disturbing, and I know you can remedy or discover reasons for the erratic behavior I find so often.
    Maybe now there will finally be some positive outcome to this.

    Will download the latest version and then put it through its paces and forward what discrepancies it shows, along with the other details you're requesting.

    Thanks for the response.

    edit:

    Gmer man, it's worse than I previously thought. It's bad, man. I have to strain my hand to click the mouse button several times just to remove a single checkmark from the first list. It's virtually totally unresponsive. Then on any scan you don't even know if the SCAN button you just pressed is doing anything or not, until I get CPU usage surging like fire to 100% and it freezes the whole screen for several seconds while I desperately press 3 keys hoping that Task Manager can rescue me from this. The report screen is disabled completely. The Auto-Start screen is unresponsive. Man, I know I'm not seeing things, this is just the same behaviour I experienced with this all along, and it is driving me nuts.
    These are the "ACTIVE" selections positioned in the SDT table, if it helps to compare the gmer function issues:

    procguard.sys=ProcGuard
    safemon.sys=SSM
    guard.sys=AVG 7.5
    klif.sys=KIS6

    Windows XP Professional SP1

    How can you do this? The gmer program doesn't force drwtsn32 to pop up and there is no BSOD, so where can you add something to a minidump report?

    It's as I have mentioned so many times: the program freezes and stalls out, and the buttons/tabs just look at you.
     
    Last edited by a moderator: Feb 17, 2007
  17. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    @Gmer

    No need for minidumps and logs. Simply start your program - it's all here ))))
     
  18. EASTER.2010

    EASTER.2010 Guest

    @ gmer

    May I be so bold as to offer a suggestion that YOU could post,

    because I may not be currently developing apps in C#, Delphi, Borland etc., but I have been at this long enough to determine when any program is failing due to malfunctioning code and is abruptly and continuously exhibiting erratic behaviors.

    Is anyone else experiencing such problems with this like I am describing?

    Also to gmer, have you any interest in releasing additional versions with some form of different changes to the code that might steer away from these types of reactions? Bahhh!! Arg!!!

    Your gmer version 1.0.12.12027 = 560 kb
     
    Last edited by a moderator: Feb 17, 2007
  19. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I see Trend Micro's 'RootkitBuster', gotta love that name :rolleyes:, has removed the option to scan for hidden operating system service hooks, updated sort of from 1.6 to umm 1.6.
     
  21. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    424
    Location:
    UK
    So, is there a definitive answer to the original post? o_O
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Gmer runs fine here. Just fine. XP SP2. It's probably a conflict, Easter. SSM alone can cause problems. In the settings, I'm logging too. I don't tick anything else; if you do, that also could be the problem :doubt:

    GMER is a fine program :thumb:
    I'm over my head, but I can't see how it could be called bad - in any way. On the contrary: when there's a test, the report is "caught by gmer and...". If it isn't caught, it probably isn't caught by any other, with the exception of RKU.

    1 cent
     
  23. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    I am not having any problems running gmer at all. Both the rootkit and autostart scans function properly and quickly. I like the fact that it detects ADS. Maybe Easter has interfering program(s) or HIPS that make it function that way.

    I think rootkit detectors should have a registry function, either autostart or a reg browser, to be totally effective. Anyway, running more than one ARK is essential, and I like quite a few, so what one lacks another has. I still think IceSword is great with its many functions and I consider it the Grand Dame of ARKs. I have to try Rootkit Unhooker since the test study rates it highly. The independent developer ARKs definitely surpass the AV vendor ARKs by a long shot.
     
  24. CReal

    CReal Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    42
    Regardless of what is the best in detection, there is also the fact that this forum doesn't represent the average PC user. I ran RKU a few minutes ago and I got the possible rootkit message. It was DSA hooking everything that caused this.
    A normal person would panic. So, although RKU or IceSword (which helps a bit by highlighting some items in red) are among the best in detection right now, if rootkit detection were to become necessary for everyone, the future is with the more "simple" approach, like Sophos, Trend Micro and BlackLight, where the user is simply told whether there is something bad in his PC or not.
     
  25. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    They are sleeping very well with real rootkits, friend :)
     