Hello guys, sorry for my bad English... To be sure of having no rootkits and keyloggers on your system (which are the threats that I fear most!), is it enough to run a scan with a good antivirus (e.g. Bitdefender, Kaspersky, Avira, etc.), or is dedicated anti-rootkit software needed?
Most AVs include rootkit detection but would probably detect only blacklisted rootkits (detected malware). You can still use additional on-demand anti-rootkit software to check if your AV missed something and to show you possible rootkit activity from legitimate software.
If you always run sandboxed, rootkits won't install on your system. Six years ago, searching for ways to prevent getting infected by one is how I discovered Sandboxie. Bo
I understand! ... However, which additional on-demand anti-rootkit software do you recommend? In fact there are many such utilities, but sometimes they create problems rather than solve them (e.g. ComboFix)!
I've used GMER in the past and was happy with it. At the moment I don't use any dedicated anti-rootkit. Of course you have to know what you're doing when making changes. Wrong decisions can cause problems and can break your system or legitimate applications.
In spite of their abilities to hide, rootkits are like most any other software that integrates into your system. They have to be installed. On any system that doesn't employ the standard default-permit security policy, that install can be detected, prevented, or confined.
Sorry Minimalist if I make you waste time!... but a friend suggested to me to perform an antivirus scan through a rescue disk (freely downloadable) such as Bitdefender Rescue System or Kaspersky Rescue Disk. In this way the OS remains totally inactive, so a possible rootkit (or MBR virus) is easily detectable because it will never be activated since the OS is "off"... and he also said that a rescue disk works better than additional anti-rootkit software... What do you think about it? Might the rescue disk be the best solution?
Yes, the rescue disk has an advantage because the OS is not loaded and all files are unhidden, i.e. visible to the AV. If the AV detects a file as malicious it can easily remove it. So for removing malicious rootkits a rescue CD would be the better solution. OTOH, if you would like to check whether any legitimate (non-malicious) program is using rootkit technology, then you would have to run an anti-rootkit scan from inside the loaded OS.
GMER is good but needs quite a high level of knowledge to correctly interpret its results. TDSSKiller is more of a signature-based rootkit detector, but it's still quite efficient at detecting them and I myself sometimes use it as a second-opinion scanner. There are still many options you can use, e.g. Norton Power Eraser, aswMBR, MBAR, etc., and of course boot CD scanners. About keyloggers, well, a dedicated anti-keylogger can be a candidate as well as a good AV scanner, but however many scanners you use, they can't detect a hardware keylogger.
Dedicated anti-rootkit software is more reliable and powerful than the anti-rootkit features of AV programs. You can find some other suggestions here: https://www.wilderssecurity.com/threads/antirootkit-for-seven.339027/
Not always; some rootkits can bypass sandboxes, see for example: http://www.computerweekly.com/news/...l-exploits-can-kill-all-security-says-Bromium - http://www.welivesecurity.com/2013/...g-major-european-banks-with-webinject-plugin/
The first link is just about a PoC, not about ITW malware. It's just an example that, with enough effort, any security can be bypassed. TDL4 could bypass the sandbox as it exploited the OS kernel, but still the attacker has to be aware that the victim uses SBIE, and also the rootkit has to be on the system in the first place, but SBIE blocks any driver installation. The 2nd actually doesn't bypass the sandbox. Though in the past some rootkits bypassed some virtualization software as they didn't protect the MBR, I doubt they could bypass a sandbox as the sandbox doesn't accept driver installation from the beginning.
I mean this. And I was speaking generally about sandboxing (and virtualization) software. And there are, as you know, all kinds of hardware rootkits that play in RAM, BIOS... And I wonder if a sandbox can defend against new, very sophisticated rootkits such as (only an example too!) Stuxnet or TDL-4.
Hi Blacknight, I think it would be more interesting if you could come up with at least one real-world example of a rootkit that has escaped Sandboxie's sandbox. Sandboxie has been around since 2004; that's plenty of time to fail at least once, find one. The OP fears rootkits, and Sandboxie is a great tool for preventing getting infected by one. Sandboxie won't detect anything, but for protecting yourself against a rootkit infection, it doesn't get much better than SBIE. http://www.sandboxie.com/index.php?SBIE2103 Sandboxie's version 4 is even more restricted than before. In version 3, you could set the sandbox to allow sandboxed programs to load drivers into the operating system (Block Drivers setting); now not even that can be done anymore, as the setting has been done away with. Bo
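The recurring point in this thread is that a rootkit, however well it hides afterwards, has to be installed first, on Windows usually as a kernel driver, and that the install step can be seen and blocked. As an added example that is not part of the thread and is not code from Sandboxie, GMER or any other tool named here, the PowerShell below audits that step from the defender's side: it lists every kernel driver the Service Control Manager knows about together with the Authenticode status of its file, and pulls the SCM's own "new service installed" records (System log, Event ID 7045) for recent kernel-driver installs. It assumes Windows PowerShell 5.1 or PowerShell 7 run as Administrator on an English-language Windows install (the 7045 field values such as "kernel mode driver" are localized strings), and the path-prefix normalisation covers the forms seen on a stock install; the function names are my own.

```powershell
# Added example, not from the thread or from any tool it names.
# Assumes: run as Administrator, English-language Windows, PowerShell 5.1+.

# 1. Every registered kernel-mode driver with the Authenticode status of the
#    file it points at. Anything not 'Valid' (NotSigned, HashMismatch, or a
#    missing file) deserves a second look.
function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # SCM stores kernel-style paths; normalise the common prefixes
        # (assumption: these cover what a stock install produces).
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path;
                               Signature = 'FileMissing'; Signer = $null }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            Path      = $path
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# 2. Kernel-driver installations the SCM logged in the last N days.
#    Event 7045 EventData fields, in order: ServiceName, ImagePath,
#    ServiceType, StartType, AccountName.
function Get-RecentDriverInstalls {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $p[0].Value
                ImagePath   = $p[1].Value
                ServiceType = $p[2].Value
                StartType   = $p[3].Value
            }
        } |
        Where-Object { $_.ServiceType -match 'kernel mode driver' }
}

# Usage: show the drivers that fail signature checks, then recent installs.
Get-DriverSignatureReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 30 | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, this runs inside the live OS, so an already-active kernel rootkit can filter what these APIs return; that is exactly Minimalist's argument for the rescue disk, and a listing taken from the offline OS (or the SCM's registry keys read from the rescue environment) is the reference to compare against. Second, an unsigned or "FileMissing" entry is a lead, not a verdict: stale entries from uninstalled software and test-signed drivers on developer machines both show up here, so the value of the report is the delta against a known-good baseline rather than the list on its own.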
Maybe I wasn't clear. My previous posts were not about Sandboxie in particular. They were about sandboxing and virtualization programs in general. I don't believe that any sandboxing software can be the final defense against rootkits, simply because no single security software is final, and in the fight between attackers' (malicious) programs and security software, winners and losers always alternate.
Both of my posts in this thread, including the one that you quoted earlier, were about Sandboxie in particular. In its over 10 years of existence, Sandboxie has always come out as a winner in preventing infections; when and if that changes, I'll take it from there. I don't ponder things that probably will never happen only because there is a remote chance of them ever taking place. Bo
I can relate to that, as I also don't put 100% trust in any product. But it is also true that the most common malware we come across is not that sophisticated, and thus we won't see an actual bypass, at least in the foreseeable future.