DrWeb's *system kernel protection* VS kernel-mode rootkits

I do have a meaningful question (hopefully), but I need to lay some groundwork before asking it, so please bear with me for a couple of paragraphs.

I attach a screenshot of the settings for SpIDerGuard showing "System Kernel Protection" checkbox at bottom of the right-side column.

DRW's recently-issued Help file says that this box now comes UNchecked by default, because it can block programs that use virus-like technology (i.e. HASP keys). Several months ago I had this happen to me when using an earlier version of Ace Utilities. That conflict has since been eliminated by the Ace folks.

(Ergo, if you want SpIDerGuard to give System Kernel Protection, you need to manually check that block.)

The reason for my sudden interest in this subject is shown in the following quotation. I saved it several weeks ago & didn't record the source. It was a reputable source, I feel quite sure... nevertheless I apologize for this oversight. Here's the quote...

QUESTION: Do you know (or at least hold an OPINION) as to whether or not DrWeb's System Kernel Protection will provide any *significant* degree of protection against a kernel-mode rootkit?

 

cant answer your question, but what kind of version of drweb is that ? cos i dont have those options in my drweb. see screenshot

 

It is only an option in the 98/ME spiderguard.

I believe if DrWeb has the signature for the rootkit, it will detect it and prevent it from executing under 98/ME. Thus you will not need to worry about the payload of the rootkit.

If it does not have the signature for the rootkit, than the rootkit will be allowed to execute, just like any other antivirus would do if it does not have detection.

 

@rerun2 - Thanks for the information, but I'm not sure I fully understand your answer as to DrWeb having a rootkit's signature in light of the following, which is fairly typical of what I have read about rootkits...

Also, I am still seeking information as to WHAT (if anything) DrWeb's "system kernel protection" is actually doing, if it isn't truly protecting against the ability of malware to hook into the system kernel?

 

There are a number of popular fully-working windows rootkits that one can download from a website. The "popular" ones are generally unmodified versions of the rootkit and can be added to a signature of an antivirus. Once again, if the antivirus has a signature for the rootkit and that rootkit makes its way on your system, your antivirus should detect it and not allow its payload to run.

This is generally not how rootkits make their way onto your system though (as your quote and the second part of my first answer suggests). That is why an antivirus should not be viewed as the only defense to rootkits.

 

I *think* I understand and, again, thanks. However, I kinda feel that DrWeb's signature-based scans are NOT the same as DrWeb's "system kernel protection." Such being the case, then I return to my original question which (as far as I can tell) remains unanswered. Namely...

WHAT (if anything) is DrWeb's "system kernel protection" actually doing?

 

I can tell you that the system kernel protection has nothing to do with protection/prevention against kernel mode rootkits. If it was, don't you think it would be enabled by default . This is just simply not possible for an antivirus in Windows 98 because of the way 98 was designed.

I think system kernel protection is a feature used by DrWeb to add "discretion" for its non-signature based detection. You quote the help file as saying it "can block programs that use virus-like technology (i.e. HASP keys)." But what the help file really says is that it "ensures the compatibility of the program with applications using virus-like technology." This is an important difference. Under NT, HASP keys sometimes need administrative priviliges to run and load a driver and write into the registry. In 98 the user can not regulate these actions because everything is run as administrator. If DrWeb's non-signature based detection were to flag all these types of behavior as being "virus-like" there would be a lot more false positives. I think this feature just allows DrWeb to accept certain known legitimate behavior as being safe. Just my opinion.

 

Rerun2, you have led me into the light of day. Many thanks.

As I now understand the matter, System Kernel Protection causes DrWeb to block *certain* types of behavior that often are used by malware for nefarious purposes.

Unfortunately, some NON-malware applications use that same type of behavior for benign purposes. Therefore, in order to prevent false positives, DrWeb ceased checking this box by default. As of now, if a user wants the box checked, the user himself must check it.

DrWeb took this action so as to prevent false positives. However, DrWeb's action also enables TRUE positives to no longer be blocked by "System Kernel Protection." Therefore, I prefer to have this feature *turned on* and have done so -- for much the same reason that I never scold my dog for barking when the Pizza delivery man comes to the door.

By the way, I DO have XP on my new computer. It dual-boots to XP or ME. I almost always boot to ME because many of the programs I use won't run under XP. By the way... DrWeb is installed with ME but not with XP because I have NO idea how such a set-up would work. 2 licenses? 2 versions? Duhhh.

Again, rerun -- thanks for your help, and for your patience with me.

 

You can install Dr.Web in Windows XP to same folder. It’s not violation of licenses agreement.

 

You will have to download the XP version and just use your own key and you'll be flying happily!

Great scanner, also within XP.......I've tried the lot, but just stick with this one.

Good luck !

Putin

 

@ putin & AndreyKa -- Oi vey! So simple. Thanks.

 

And also supports Fast-User switching

As for system kernal protection in non-NT systems;

The Protected mode of Intel processors family (386+) has four privilege levels, which are called rings. In Windows only Ring 0 and Ring 3 are used.

Ring 0 is the level at which the operating system kernel runs (kernel mode). Ring 3 is the level at which user applications are run (user mode).

When a virus switches from Ring 3 to Ring 0, it is then able to hook the file system calls. This is not possible in Ring3, where all users applications are run.

Therefore, one function of SKP in Dr Web on non-NT systems is to stop virii reaching Ring 0.

 

Ahhhh! Yet another reason for users of DrWeb on Win9X OS to activate SKP!

And here is additional information from a post by Blackcat which I saved in my DRW knowledge base back in August 2004 & just now remembered...