rootkit driver install not intercepted by CFP?

Damn I deleted the post instead of editing it
Anyway, So, maybe it can be prevented, but not detected after it has been loaded.

 

Looking forward to your results with Dr. Web.

 

No probs aigle on the support data/history of inch.sys but phide_ex write up ...if you mean versus rootrepeal(screenshots of its detections) then they were posted(amended)on the Monday as stated at the time
https://www.wilderssecurity.com/showpost.php?p=1287691&postcount=13

 

Thanks. I missed that. Will try it myself and see the results on my system.

 

lol the case of the vanishing post is solved

Well certainly prevention is far better than cure(this always rings true) and RK's are no different to any malicious code.It is far better to intercept & block at the gates rather than deal with post execution scenario's

 

thanks. in the process of 'copycating' now!


Mike

 

Dr Web cure it versus loaded inch.sys= blind.



I can only conclude that the tool is blind to this driver afterall Dr Web has a classification for the driver file when checked at VirusTotal

 

First, aigle thanks for all your work

I have tested Prosecurity, and it blocks the driver (rootkit driver did not load).
Returnil also works perfectly

 

Thanks for nice screenshots. PS is/ was great in all aspects except only the GUI.

 

Both SSM Pro and NG pass the test, they are both able to stop the driver from loading. I´m surprised that Threatfire and CFP both fail, what´s so special about this malware?

 

CFP bug will be fixed with next release. Not sure about TF.