Can't load Rootkit revealer

Discussion in 'ProcessGuard' started by Joliet Jake, Nov 23, 2005.

Thread Status:
Not open for further replies.
  1. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    from sysinternals.
    PG is blocking this with a different .exe being blocked each time.
    Is there a way to enable this prog?

    Thanks in advance...

    JJ
     
  2. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Version 1.56 will give these problems. Version 1.0 will run fine. I don't know if 1.0 is still available. I got it in February. I got 1.56 in October and cannot use it with PG. I get that driver helper error and enabling driver installation in PG's protection tab doesn't help. 1.0 doesn't need driver installation permission. So, I just use it.
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You have to totally disable PG by un-checking "Protection Enabled" on the "Main" tab of Process Guard.

    (If you're also running RegDefend, you'll have to "Allow" a few alerts from it, also, if you're trying to run RKR). HTH Pete
     
  4. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Thanks guys, got it running.
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You're quite welcome. Needless to say, don't forget to put the checkmark back in to the "Protection Enabled" box when you're finished to re-enable PG's protection. Pete
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii

    There is NO need to totally disable PG! Just use version 1.0 like I said.

    There should be NO reason to need to disable version 1.56 either. I'd like to know why you think that is an acceptable solution. Disabling PG is NOT acceptable! Could someone from Diamond CS explain why version 1 runs fine, and all you need to do is allow the exe, whereas version 1.56 won't run without totally disabling PG? Obviously something is wrong here and your answer is a potentially dangerous band-aid.
     
  7. dog

    dog Guest

    I believe the issue with Rootkit Revealer is that it generates a randomly named exe to execute as a security measure. RR works by identifying various discrepancies, as it basically scans from within and outside the Windows OS and highlights any 'hidden' differences. It generates a random name to do so, because rootkits essentially won't lie to Rootkit Revealer ... so there won't be any discrepancies found; using a randomly named exe prevents this. So PG will have to be disabled to run it ... because if you ran it the first time and granted the service install ... when you re-run it, it won't run with the same exe. So what Pete described above is the only workaround, ;) and as you can see from the above there isn't any point in running an older version of RR ... as today's bunch of rootkits will avoid detection by simply not lying to it. ;)

    HTH;

    Steve
     
  8. dog

    dog Guest

    Just to help further with the explanation as the above isn't as clear as it could be ... here's a further attempt. ;)

    Basically, Rootkit Revealer runs scans from two different perspectives - one from within the OS and one from outside the Windows OS in its own mini environment. It compares the results and reports the differences.

    Basically a rootkit intercepts calls and will lie to the OS ... hiding the fact it's there and remaining hidden. When Rootkit Revealer runs from its pseudo-environment it's basically scanning from outside the Windows OS and the rootkit can't intercept the calls or lie to it. So if there is a rootkit present there will be discrepancies, which Rootkit Revealer will flag. Nowadays rootkits are smart enough not to hide themselves from Rootkit Revealer, and by doing so, RR won't find any differences - therefore the rootkit would remain in stealth. Rootkit Revealer originally ran as (as an example) rootkit_revealer.exe and then, as a countermeasure, rootkits were coded not to lie to this process. Now as a countermeasure RR generates random names to prevent this action ... hence the difficulty with PG.

    HTH;

    Steve

    I hope that helps to make better sense. :doubt:
     
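The cross-view comparison dog describes, written out as an added illustration (not code from the thread, from Sysinternals, or from DiamondCS): a raw listing is compared against the listing seen through the OS API, and any entry present in one view but not the other is flagged. The file names, sizes, the "known scanner" name and the cloaking model are all constructed for this example; the simulated rootkit is a dictionary filter that tells the truth only to a process with a recognised name, which is exactly the situation a per-run random executable name defeats.

```python
"""Cross-view rootkit detection, modelled on the RootkitRevealer approach
described in the thread: compare a listing obtained through the OS API with
one obtained from raw (below-API) structures and report the differences.
Everything below (paths, sizes, scanner names, cloaking rule) is constructed
for illustration; nothing touches a real file system."""
import secrets

# Constructed raw on-disk view: what the low-level ("outside the OS") scan sees.
RAW_VIEW = {
    r"C:\Windows\System32\kernel32.dll": 1_296_384,
    r"C:\Windows\System32\drivers\evil.sys": 24_576,  # file the rootkit hides
    r"C:\Windows\System32\calc.exe": 114_688,
}

def simulated_rootkit_api_view(raw_view, caller_name, known_scanners):
    """Model of the cloaking the thread describes: hide the rootkit's own files
    from every caller EXCEPT a recognised scanner, so the scanner sees no
    discrepancy. Constructed behaviour, not a real hook."""
    if caller_name.lower() in known_scanners:
        return dict(raw_view)                     # tell the scanner the truth
    return {p: s for p, s in raw_view.items() if "evil" not in p.lower()}

def cross_view_discrepancies(api_view, raw_view):
    """Entries present in only one view, or whose size differs between views.
    A non-empty result means something is being hidden or tampered with."""
    findings = []
    for path in sorted(set(api_view) | set(raw_view)):
        if path not in api_view:
            findings.append((path, "hidden from Windows API"))
        elif path not in raw_view:
            findings.append((path, "visible to API but not on disk"))
        elif api_view[path] != raw_view[path]:
            findings.append((path, "size mismatch between views"))
    return findings

def run_scan(exe_name, known_scanners=frozenset({"rootkitrevealer.exe"})):
    """Run the scanner under a given executable name and return its findings."""
    api_view = simulated_rootkit_api_view(RAW_VIEW, exe_name, known_scanners)
    return cross_view_discrepancies(api_view, RAW_VIEW)

def random_scanner_name():
    """Per-run random executable name, as the thread says RKR 1.56 uses."""
    return secrets.token_hex(4) + ".exe"

if __name__ == "__main__":
    print("fixed name  :", run_scan("rootkitrevealer.exe"))  # nothing flagged
    print("random name :", run_scan(random_scanner_name()))  # evil.sys flagged
```

Run with the fixed name the rootkit recognises, the two views agree and nothing is reported; run under a fresh random name, the hidden driver shows up as a discrepancy, which is also why PG sees a different executable on every launch.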
  9. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Thanks Dog, that's what I was noticing in PG's alerts tab: Rootkit Revealer would have two entries and they would be different every time I tried to start it.
    PG only needs to have the protection off for less than a minute to run RR so I'm happy with that.


    JJ
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, if you're going to be using v.1.56 of RKR (which the OP most definitely is) and you're running PG v.3.150 - you must do so.

    Unfortunately, the course you've chosen there simply leaves you vulnerable to the various rootkits' adjustment to RKR's existence - by not using the latest version, you leave yourself open (at least as far as relying on an old version of RKR goes).

    No one ever mentioned disabling v1.56 of RKR. You seem somewhat confused.

    Because it's the only solution if you're trying to use RKR v1.56 and PG v.3.150, perhaps?

    Really? I disable PG frequently and haven't noticed my computer vanishing in a puff of smoke. The truly paranoid could dis-connect their modem while running an RKR check, I suppose (I never do - it simply doesn't take that long. The odds of anything happening during that short a time-period would be truly astronomical - especially since everything else is supposed to be shut down during an RKR scan).

    I believe dog did an excellent job of explaining that.

    I don't give out "potentially dangerous band-aids" as advice. Unlike some people, I've learned it's better to remain silent unless I'm absolutely sure of an answer - including the fact that the advice itself won't be dangerous.

    Happy Thanksgiving, all. Pete
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you disable protection then run RR, the protection can be enabled again as SOON as you see the RR window appear. It has loaded, its driver is running and re-enabling protection won't cause any problems.

    Total PG downtime, 2 seconds ? :)
     
  12. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Thanks Gavin, didn't think of that. :)
     
  13. xmen

    xmen Guest

    You don't actually have to turn PG off completely, just the "block rootkit/service/driver" option.

    I'm not too worried really, because I have regdefend watching the registry for service installs as well.

    It would be nice though if Processguard moved towards a system closer to Appdefend, where you are prompted and given a choice to allow or disallow.
    This would fix the problem here without the need to disable PG as well as prevent botched installs.
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    xmen - Here, simply un-checking "Block Rootkit/Driver/Service Installation" doesn't work because I also always run PG with "Block New and Changed Applications" check-marked (IOW, I got the little "The handle is invalid" message from PG when I attempted to run RKR like that).

    After I un-checked that, I still got two more alerts from PG ("Application has changed since you last allowed it" and another asking if I wanted to allow whatever funny-named exec that RKR had chosen).

    Thus, it's quicker, simpler and less aggravating to simply disable PG entirely (at least A.F.A.I.C), as well as ultimately safer - since you don't have to remember to re-check but one thing the way I do it.

    Your mileage may vary. :D Pete
     
  15. xman

    xman Guest

    I don't have "Block new and changed application" checked. I'm not that paranoid.


    Well I don't think 2 extra clicks are that much, especially if you want some protection. But as you said you are not paranoid in lowering your defense 100% for 2 seconds, it doesn't matter.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    https://www.wilderssecurity.com/showpost.php?p=616150&postcount=5

    True. It's just basically a case of "different strokes for different folks" - I was simply explaining why I did it the way I do. Pete
     