How is AVG Anti Rootkit???

Discussion in 'other anti-malware software' started by cheater87, Apr 11, 2007.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,121
    Location:
    Pennsylvania.
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It has vastly improved on the last offerings. :thumb:

    It detected 4/4 of the unique samples I loaded onto my PC and effectively removed 3/4. :blink:

    Samples being:
    Haxdoor (Poof) Ntio256.sys and Protector.exe (hidden from WinAPI)
    Rustock B (Lzx32.sys)
    Wincom32, dropped by the *Storm* worm
    Trojan injector, aka all-in-one

    It choked on Rustock B: it could see the ADS-loaded driver but failed to remove it after 5 attempts (detect and reboot to clean). This is still a huge improvement on its previous incarnation. :blink:

    Attached are screenshots of the test, with RKU used as the benchmark. :D
     


  3. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    Thanks, fcukdat, for the test results. Does it make any difference in terms of detection and removal when the user selects "Perform in-depth search"?
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I also tried "AVG Anti Rootkit" and here is my detailed report.

    I ran "Search for rootkits" and it reported only one rootkit: C:\$ISR\0\ISRService.exe
    This file belongs to FirstDefense-ISR.

    Then I ran "Perform in-depth search" on both hard disks (system and data partition) and it reported again
    one rootkit: C:\$ISR\0\ISRService.exe
    This file belongs AGAIN to FirstDefense-ISR.

    It's very depressing to see your very best software, reported as a rootkit.

    Well, AVG Anti-Rootkit couldn't find anything, which is normal, because my frozen snapshot removes all rootkits, except the rootkit C:\$ISR\0\ISRService.exe of course :)
    In other words : R.I.P.S. works :D
     
  5. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    Now I am beginning to see a "user-friendly" anti-rootkit program with reasonable detection capability. Hopefully, similar improvements will be made to other end-user oriented AR programs by different companies too.
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Anyone noticed how nice the interface of the new AVG product is? It is in sharp contrast to the old looking interface found on the AVG 7.5 products. I guess Grisoft let Ewido design the interface this time....This means great things for the upcoming AVG 8.0 :)
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,121
    Location:
    Pennsylvania.
    Yay I'm clean
     
  8. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I may have to try it. Right now I have BD Rootkit Uncover, FS BlackLight, and today I downloaded and installed Avira anti-rootkit. All run well, and I have no way to determine which is best, as no rootkits have been uncovered.

    Is AVG AR intended to remain free and stand-alone?

    Regards,
    Jerry
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    FWIW Jerry

    SAS will detect and remove more genres of malware rootkits than any of the ARK tools you have listed. So you have your bases covered to some degree. :thumb:
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AVG Anti-Rootkit wasn't very "user-friendly" to me, because it reported a false positive.
    C:\$ISR\0\ISRService.exe is NOT a rootkit, it's a legitimate file.

    A less knowledgeable user, or even worse, would have deleted this false positive, and that would have caused problems in FirstDefense-ISR. So I ditched the freeware and classified it as a 'dangerous' security software for users of a lesser God. :(
     
    Last edited: Apr 12, 2007
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It doesn't detect anything for me. And if you consider what GMER or RKU will throw at you, this is very good. Not as good as the other two, OK, but usable by anyone. Just google your one or two results. Very simple.
    I have had this AVG-AR for some time now, and I'll be keeping it. It gets better every edition, it seems.
     
  12. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks for the reply.
    Although I have several good programs, including SAS, I don't really know how to evaluate their effectiveness. None ever finds anything.
    How did you determine that SAS is better than the ones I mentioned? I don't doubt it as such, but unless one is doing tests or cleaning machines there isn't much data.

    Regards,
    Jerry
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any malware causes a change on your hard disk, including rootkits.
    My frozen snapshot removes those changes during reboot in less than 2 minutes, without false positives and without running any AV/AS/AT/AK/AR scanners.
    Other users have at least 5 main scanners and a minimum of another 5 on-demand scanners; that makes 10 scanners to run each day, and is your computer really clean after that? Maybe until you run a new scanner that finds malware on your computer which was never detected by your other scanners. That's not my idea of security.

    I simply don't have the time to run all these security applications, so I looked for another solution.
    After trying AVG AR, I didn't even have to uninstall it, it was gone when I rebooted the next morning. :)
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Erik,
    Remember that rootkits aren't malware per se. They are tools designed to hide files/services/registry keys in Windows-based systems. A good amount of legitimate software uses rootkit-like techniques, FirstDefense-ISR being one of them.
    Rootkit scanners are forensic tools (like HijackThis). They report their finds and it's up to the user to decide what to do with the findings. Run RkR (RootkitRevealer), GMER, IceSword and RkU (Rootkit Unhooker) and you'll see why AVG Anti-Rootkit is labeled "user-friendly".
    fcukdat has tested SAS against the nastiest malware (CWS, Vundo, Gromozon, Rustock, etc.) with great success. He used RkU as a reference.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi lu_chin

    I used the deep scan only; it's a bit confusing why there is an option for a two-tier scan and what the purpose of the lesser of the two is. o_O

    IMO only one option should be there, and it should be the full scan, period. :thumb:
     
  16. jawadde

    jawadde Registered Member

    Joined:
    Mar 7, 2007
    Posts:
    18
    Panda also has a new one (not a beta). And you don't have to install the program; I like that ;)
     
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Quite straightforward, Jerry :D

    I collect malware and hunt new emerging threats out in the wild of the WWW daily (total addict *puppy*).
    As such I have daily wrestling matches removing malware from my system for recovery and submission, through which I have encountered a large percentage of the malware out there.
    SAS Free is my principal malware-killing tool after I have recovered malicious files for distribution, so I know what it is capable of seeing and removing when it comes down to rootkit malware.
    FWIW, not one of the paid big 3 (CS, SD, SS) or any other free ASW can hold a candle to its raw disk reading of data and subsequent detection and removal of rootkit trojans.
    Come to think of it, NOD32, Kaspersky and BOC are in current builds incapable of seeing a loaded Rustock driver to remove it ;)
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It's still a file hidden in an ADS stream; the software is correct in reporting it. Luckily it doesn't auto-clean: you have to check boxes and select cleanup before it will exorcise the *hidden* file ;)
     
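The two posts above turn on a detail worth being able to check yourself: a file living in an NTFS alternate data stream is invisible to a plain directory listing, and a scanner that reports it is reporting something real, which is why a person, not an auto-clean, should decide what to do with it. The script below is an added example, not code from the thread or from AVG; it lists every named stream under a directory through the Win32 API, flags anything other than the unnamed `:$DATA` stream and the browser-added `Zone.Identifier`, and only deletes a stream when you pass `-Remove` and confirm each one. It needs PowerShell 3.0 or later (for `-Stream`) on an NTFS volume; the default `$Root` and the `$benign` list are assumptions for illustration.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a directory, flag the non-standard ones, and optionally delete a stream.
# Needs PowerShell 3.0+ on NTFS. $Root and $benign are illustrative assumptions.
param(
    [string]$Root = "$env:SystemRoot\System32\drivers",
    [switch]$Remove
)

# The unnamed default stream is reported as ':$DATA'. Zone.Identifier is the
# mark-of-the-web that browsers attach to downloads. Anything else gets listed.
$benign = @(':$DATA', 'Zone.Identifier')

$hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # -Stream * returns one object per stream, with .Stream (its name) and .Length
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benign -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length }
            }
    }

$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # Deleting a named stream leaves the host file and its default stream intact;
        # -Confirm makes each deletion an explicit decision, as the post recommends.
        Remove-Item -LiteralPath $h.File -Stream $h.Stream -Confirm
    }
}
```

One caveat a practitioner should keep in mind: this enumeration goes through the same file-system API a kernel rootkit can filter, so a driver that hides its host file (fcukdat's "hidden from WinAPI" sample) can hide its streams from this script as well. That is exactly the gap tools like RKU and GMER close by comparing an API-level listing against a raw read of the volume; the script above only gives you the API-level half of that comparison.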
  19. eBBox

    eBBox Registered Member

    Joined:
    Aug 10, 2006
    Posts:
    482
    Location:
    Aalborg, Denmark
    Any screens?! I've been looking forward to a new AVG interface for ages :cool:
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221

    Thanks, and that seems to be as well as one can do at this time. :thumb:
    I have read several times that a rootkit cannot be removed except by reformatting. Have you found that to be the case?

    Regards,
    Jerry
     
  21. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I agree with what lucas1985 has said. Also, as some experts on this forum have voiced before, anti-rootkit programs will have false positives just like other security programs. And due to the nature of what their scanners do, they tend to yield more "findings" that are left to the user to decide on.

     
  22. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    Some folks will probably choose to do a full disk image or snapshot restore instead of a format to get rid of a rootkit. I think FD-ISR, ShadowProtect, Acronis and Paragon's backup programs can do the job too.

     
  23. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Sorry to interrupt but I'd like to ask:

    Recently my uncle's PC was infected with Rustock.B (and many other malware), which caused the PC to restart 1-2 minutes after loading the desktop, so I couldn't run scans in Normal Mode.

    I ran SAS Free (and others) at the maximum scanner setting in Safe Mode, but Rustock.B was not detected. Is it because Rustock.B processes are not loaded in Safe Mode?

    [Luckily the PC-restart symptom in Normal Mode gave away the presence of the lzx32.sys driver when I disabled Auto Restart, or I wouldn't have known to look for it]

    Thanks,
    yeow
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  25. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Oh, I forgot to clarify that this was about 1 month ago. When I installed SAS on my uncle's PC in Safe Mode, it did update successfully to the same engine and signature version as what I had on my own PC, so it was current at that time. I eventually removed Rustock using RegRun's reanimator.exe.

    Edit: Wait, I can't recall now if I installed it in Normal or Safe Mode, but I did update to current. Scanning could only be completed in Safe Mode.
     
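yeow's question (does the driver load in Safe Mode, and why did the crash loop expose it?) has a mechanical answer you can check on any Windows box. Windows only starts a driver in Safe Mode if its service name, its `Group`, or its image file name appears as a subkey under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal` (or `\Network` for Safe Mode with Networking); everything else stays unloaded, so a scanner that relies on catching the driver in memory finds nothing, while a scanner that reads the disk still can. The "Automatically restart" setting yeow turned off is the `AutoReboot` value under `Control\CrashControl`. The script below is an added example, not from the thread, RegRun or SAS: it lists every kernel and file-system driver registered on the machine, resolves its on-disk path, reports whether that path is visible through the API, and works out which drivers Safe Mode would load. The Safe Mode rule is the one documented for the I/O manager's driver loading; the registry layout is standard Windows and nothing here is specific to Rustock.

```powershell
# Added example (not from the thread): which registered drivers does Safe Mode
# actually load? A driver starts in Safe Mode only if its service name, Group,
# or image file name is a subkey of ...\Control\SafeBoot\<Minimal|Network>.
# Registry layout is standard Windows; nothing here is sample-specific.
param([ValidateSet('Minimal', 'Network')][string]$Mode = 'Minimal')

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode"
$crash    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# AutoReboot = 1 restarts on a bug check instead of leaving the stop screen up
$autoReboot = (Get-ItemProperty -LiteralPath $crash).AutoReboot
Write-Host "CrashControl\AutoReboot = $autoReboot (0 keeps the blue screen visible)"

# Subkey names under SafeBoot\<Mode>, compared case-insensitively below
$safeList = (Get-ChildItem -LiteralPath $safeRoot).PSChildName | ForEach-Object { $_.ToLowerInvariant() }

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-DriverImage([string]$name, [string]$imagePath) {
    # ImagePath comes in several spellings; normalise to a full path
    if ([string]::IsNullOrWhiteSpace($imagePath)) {
        $imagePath = "system32\drivers\$name.sys"          # default when the value is absent
    }
    $p = $imagePath -replace '^\\\?\?\\', ''                 # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # relative to %SystemRoot%
    return $p
}

Get-ChildItem -LiteralPath $svcRoot | ForEach-Object {
    $k = Get-ItemProperty -LiteralPath $_.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; user-mode services are skipped
    if ($k.Type -ne 1 -and $k.Type -ne 2) { return }

    $name  = $_.PSChildName
    $image = Resolve-DriverImage $name $k.ImagePath
    $file  = [System.IO.Path]::GetFileName($image)
    $group = [string]$k.Group

    $inSafe = ($safeList -contains $name.ToLowerInvariant()) -or
              ($group -ne '' -and ($safeList -contains $group.ToLowerInvariant())) -or
              ($safeList -contains $file.ToLowerInvariant())

    [pscustomobject]@{
        Service  = $name
        Start    = $startNames[[int]$k.Start]
        Group    = $group
        Image    = $image
        OnDisk   = Test-Path -LiteralPath $image    # $false: file missing, or hidden from the API
        SafeMode = $inSafe
    }
} | Sort-Object SafeMode, Start | Format-Table -AutoSize
```

Two ways to read the output. A driver with `SafeMode = False` is not running when you scan from Safe Mode, so a memory-only detection will miss it while a disk-based one (or a tool that reads the raw volume, as the earlier posts say SAS does) still has a chance. A driver whose registry entry exists but whose `OnDisk` is `False` deserves a second look: either the file is gone, or something is hiding it from the API you just used, which is the fcukdat "hidden from WinAPI" case again.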