AVS AND ROOTKITS

Discussion in 'other anti-virus software' started by JerryM, Apr 12, 2006.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    In looking at AV Comparatives I do not see rootkits listed specifically. Are those included in another category?

    What AVs are the best at detecting and eliminating rootkits, or does anyone know?
    I have UnHackMe which I think detects them. Also Ewido does not list them as a specific category.

    Thanks,
    Jerry
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
  3. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    Most "good" AVs, ATs etc do detect rootkits.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    ewido v4 will have better rootkit detection.

    also, one thing to consider is that rootkits are difficult and possibly costly to remove. usually people will resort to a reformat.
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    The reason for my query was a thread on the Kaspersky forum. I do not understand enough of the discussion to know what conclusion to draw as to KAV 6's ability to detect and remove rootkits. I also do not have any idea how it might compare with other AVs. I was hoping to glean some idea from AV Comparatives, but to no avail.
    http://forum.kaspersky.com/index.php?showtopic=4976&st=0

    Thanks for the replies.

    Jerry
     
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Once a rootkit is in the system, it can tell each & every AV that "this file is clean, proceed"... So the key is to detect it before it gets installed on someone's system.
     
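    The hiding behaviour Brian N describes is what anti-rootkit tools of this period (Sysinternals RootkitRevealer, for example) counter with cross-view detection: enumerate the same objects once through the normal API a rootkit may have hooked, and once through a lower-level path it has not, then report anything that appears only in the lower-level view. The Python below is an added illustration of that principle, not code from this thread or from any product; the "hooked" listing is a simulated hook that filters out names with a constructed `_hidden_` prefix, and the temporary directory contents are likewise constructed.

    ```python
    import os
    import shutil
    import tempfile
    from typing import Callable, List, Set

    # Constructed marker for the simulation; a real rootkit hides by its own criteria.
    HIDDEN_PREFIX = "_hidden_"


    def honest_listing(path: str) -> List[str]:
        """Low-level view: enumerate the directory directly.
        Stands in for a raw on-disk scan that bypasses the hooked API."""
        return sorted(os.listdir(path))


    def hooked_listing(path: str) -> List[str]:
        """Simulated subverted API: a user-mode hook that removes the
        rootkit's own files from every directory listing it returns."""
        return [name for name in honest_listing(path) if not name.startswith(HIDDEN_PREFIX)]


    def cross_view_diff(path: str, high_level: Callable[[str], List[str]],
                        low_level: Callable[[str], List[str]]) -> Set[str]:
        """Cross-view detection: every name present in the trusted low-level view
        but absent from the API view is a hidden object and gets reported."""
        return set(low_level(path)) - set(high_level(path))


    def build_sample_dir() -> str:
        """Create a constructed sample directory: two ordinary files plus two
        files a simulated rootkit would want to hide."""
        d = tempfile.mkdtemp()
        for name in ("notes.txt", "report.doc", "_hidden_driver.sys", "_hidden_config.dat"):
            with open(os.path.join(d, name), "w") as f:
                f.write("constructed sample\n")
        return d


    def demo() -> Set[str]:
        """Run the cross-view scan against the sample directory and clean up."""
        d = build_sample_dir()
        try:
            return cross_view_diff(d, hooked_listing, honest_listing)
        finally:
            shutil.rmtree(d)


    if __name__ == "__main__":
        for hidden in sorted(demo()):
            print(f"hidden object detected: {hidden}")
    ```

    The caveat is the one the later posts in this thread get at: the diff is only as trustworthy as the low-level view. A user-mode API hook is caught by this, but a driver-level rootkit that also filters the raw path returns the same answer to both views and produces an empty diff, which is why detection before installation (or from outside the running system) matters.
    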
  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks, Brian. I am wondering about the effectiveness of the various top AVs and ATs also.
    I suppose without some specific tests there is no way to quantify how effectively the best AVs detect rootkits. I am wondering if one needs a specific anti-rootkit program? I think I recall a thread some time back that addressed programs that were primarily aimed at rootkits.

    Jerry
     
  8. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
  9. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Probably HIPS programs if I'm not mistaken. They should pop up with a warning that something is trying to install something. Not sure though, sorry.
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
  11. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    If programmed well enough you can hide the rootkit completely.
    API and other crappy injection rootkits I do not even consider as a serious threat. The real pain starts with low-level rootkits, such as device driver basis etc. Basically you can always detect such rootkits by hand, but this requires a lot of knowledge and professional experience. For instance a first step is to debug with a kernel mode debugger (SoftIce is usable here as a remote debugger) for Context Swapping Functions. Every Rootkit has to use this. Based on this you can step further. Basically nothing for amateurs or hobby analysts, because you need to know the kernel like your own pocket.
     
  12. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks, Inspector. What would be your advice to an average user like me to protect from rootkits? Any specific programs, and do AVs alone give sufficient protection? If not what additional protection should one use in the way of ATs or ??

    BTT


    Thanks,
    Jerry
     
    Last edited: Apr 14, 2006