AVS AND ROOTKITS

In looking at AV Comparatives I do not see rootkits listed specifically. Are those included in another category?

What AVs are the best at detecting and eliminating rootkits, or does anyone know?
I have UnHackMe which I think detects them. Also Ewido does not list them as a specific category.

Thanks,
Jerry

 

NOD32 detects them by signatures & heuristics.

 

Most "good" AVs, ATs etc do detect rootkits.

 

ewido v4 will have better rootkit detection.

also, one thing to consider, are that rootkits are difficult and possibly costly to remove. usually people will resort to a reformat.

 

The reason for my query was a thread on the Kaspersky forum. I do not understand enough of the discussion to know what conclusion to draw as to KAV 6 ability to detect and remove rootkits. I also do not have any idea how it might compare with other AVs. I was hoping to glean some idea from AV Comparatives, but to no avail.
http://forum.kaspersky.com/index.php?showtopic=4976&st=0

Thanks for the replies.

Jerry

 

Once a rootkit is in the system, it can tell each & every AV that "this file is clean, proceed"... So the key is to detect it before it get's installed on someones system.

 

Thanks, Brian. I am wondering about the effectiveness of the various top AVs and ATs also.
I suppose without some specific tests there is no way to quantify how effective the best AVs detect rootkits. I am wondering if one needs a specific anti-rootkit program? I think I recall a thread some time back that addressed programs that were primarily aimed at rootkits.

Jerry

 

Just get RootKitRevealer 1.7 for now -
http://www.sysinternals.com/Utilities/RootkitRevealer.html

This will work fine in addition to KAV 6

 

Probably HIPS programs if I'm not mistaken. They should popup with a warning that something is trying to install something. Not sure though, sorry.

 

But it wont find any rootkits that is not hidden from the API ...

 

If good enough programmed you can hide the rootkit completely.
API and other crappy injection rootkits i do not even consider as a serious thread. The real pain starts with lowlevel rootkits, such as device driver basis etc. Basically you can always detect such rootkits by hand, but this requires a lot of knownledge and professional expierence. For instance a first step is to debug with a kernel mode debugger (SoftIce is useable here as remote debugger) for Context Swapping Functions. Every Rootkit has to use this. Based on this you can step further. Basically nothing for amateurs or hobby analysts, because you need to know the kernel like your own pocket.

 

Thanks, Inspector. What would be your advice to an average user like me to protect from rootkits? Any specific programs, and do AVs alone give sufficient protection? If not what additional protection should one use in the way of ATs or ??

BTT


Thanks,
Jerry