Anti Stealth - Am I understanding correctly.......

Discussion in 'NOD32 version 2 Forum' started by Old Monk, Nov 20, 2006.

Thread Status:
Not open for further replies.
  1. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    Can someone clarify this for me ?

    To determine whether potential rootkit activity is present, I run an on-demand scan with AS off and then another scan with AS on and then see if there is a discrepancy of the number of files scanned. Is that right ?

    If so, scan A shows 133,814 files scanned, Scan B 133815. How can I find the file that is 'hidden' from Scan A - sounds to me like finding a needle in a haystack unless I'm missing something a bit more scientific here :doubt:

    Sophos AntiRootkit finds no hidden files and Rootkit Revealer displays one Prefetch file as 'hidden'.

    Said Prefetch file shows up in both NOD scans, so that's not the discrepancy.

    Any thoughts anyone ?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Enable "List all files" and then compare both logs.
     
  3. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi Marcos

    Sorry, I didn't make myself clear. I had read that advice previously from your good self but are you really saying the only way is to manually compare two logs both with 133,000 plus files in order to find the discrepancy ?

    Hence my comment ' like finding a needle in haystack'
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I was talking about a trick how to identify a rootkit-like file. It does not mean you have to do this, it's just a kind of assurance for very advanced users.
     
  5. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Anti-stealth is to find active rootkits (rootkits that were detected while inactive can now also be detected when they are active [and hiding themselves]).
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If you are needing to compare two files or folders, Beyond Compare from Scooter Software makes it a breeze.

    Cheers :)
     
  7. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    I guess your answer is 'yes' then.

    So if I have a discrepancy in files scanned, I have possible rootkit-like activity.

    I'm not worried for myself as I don't believe I have a rootkit and in my limited experience rootkit tools are notorious for FP's.

    Imagine a new customer who latched on to this method via here or your website, found a discrepancy in the 2 scans, got scared witless and THEN found he had to go through 2 logs of 100,000 files to find the discrepancy, and THEN only to find it was a false alarm.
     
    Last edited: Nov 20, 2006
  8. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Thanks for the assist NOD32 user.

    However, I don't plan on spending money to check a couple of logs that I don't think warrant checking but I appreciate your help anyway.
     
  9. Jerry S

    Jerry S Registered Member

    Joined:
    Jul 30, 2006
    Posts:
    10
    Location:
    Las Cruces NM USA
    Windows 2K & XP (all flavors) have a command line utility (comp) that will compare 2 files and log the differences. Google "windows command comp" and the first result is the docs for comp. If it were me, I would copy both log files into a temp folder and use comp to find the differences. Note the /a option that will log the differences as text. Good luck if you decide to play.
    Jerry
     
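As an added example (not part of any post above, and not an ESET or Windows tool): a small Python script that does the comparison Marcos describes, taking the "List all files" log from the Anti-Stealth-off scan and the one from the Anti-Stealth-on scan and printing only the paths that differ, so nobody has to read through 133,000 lines. The log line format ("<path> - <status>") and the sample paths are assumptions; the sample logs are constructed inline. Paths are compared case-insensitively, since Windows paths are.

```python
"""Diff two NOD32 "List all files" scan logs: Anti-Stealth off vs. on.

A file that appears only in the Anti-Stealth-on log is a candidate for
something hidden from the normal scan.  A file that appears only in the
Anti-Stealth-off log is usually just transient (created or deleted
between the two scans), which is the common source of a false alarm.
"""
import re
import sys

# Constructed sample logs; assumed line format "<path> - <status>".
LOG_AS_OFF = """\
Scan log (Anti-Stealth off) - constructed sample
C:\\WINDOWS\\system32\\kernel32.dll - is OK
C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-1A2B3C4D.pf - is OK
C:\\Documents and Settings\\user\\temp\\session.tmp - is OK
Number of scanned files: 3
"""
LOG_AS_ON = """\
Scan log (Anti-Stealth on) - constructed sample
C:\\WINDOWS\\system32\\kernel32.dll - is OK
c:\\windows\\prefetch\\NOTEPAD.EXE-1A2B3C4D.pf - is OK
C:\\WINDOWS\\system32\\drivers\\EXAMPLE.SYS - is OK
Number of scanned files: 3
"""

# Drive letter, then the shortest path up to the " - <status>" separator.
LINE_RE = re.compile(r"^([A-Za-z]:\\.*?) - (.+)$")


def parse_log(text):
    """Return {lower-cased path: path as written} for every file entry."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(1).lower()] = m.group(1)
    return entries


def compare_logs(log_off, log_on):
    """Report paths present in only one of the two logs, in both directions."""
    off, on = parse_log(log_off), parse_log(log_on)
    return {
        "only in Anti-Stealth ON log (possible hidden object)":
            sorted(on[k] for k in on.keys() - off.keys()),
        "only in Anti-Stealth OFF log (probably transient file)":
            sorted(off[k] for k in off.keys() - on.keys()),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <log_AS_off> <log_AS_on>
        texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    else:
        texts = [LOG_AS_OFF, LOG_AS_ON]
    for label, paths in compare_logs(*texts).items():
        print(label + ":")
        print("  " + ("\n  ".join(paths) if paths else "(none)"))
```

The Prefetch file Old Monk mentions would appear in both logs and so is not reported, which matches his observation; a one-file count difference can still come from either list, so both are printed.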
  10. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Thanks Jerry - good info.

    I'll play, I'll play :D
     