Discussion in 'NOD32 version 2 Forum' started by xp_1839, Jan 4, 2006.
Can NOD32 protect against rootkit from StarForce?
I am not sure if that really qualifies as a rootkit, since it does show up under the "Hidden Devices --> Non-Plug and Play Drivers" section of the Device Manager. So do lots of other programs. Heck, even NOD32 puts an AMON device in there. Does that qualify it as a rootkit?
It sounds to me like somebody does not like a certain copy protection program, so he decides to call it a rootkit. Now, if you do not like a particular program or driver because it makes your computer unstable, or it opens up a security hole, that is one thing. But it does not make it a rootkit.
Now, if you do want to remove the Star Force drivers, you can go to http://www.star-force.com/protection.phtml?c=70 . That page even links to the same exact page that the glop.org page links to.
I don't know why I didn't spot this thread before. Anyway, here are some facts about Starforce, which a lot of people simply don't know about...
Issues concerning Starforce.
1. They are based in Moscow so exempt from a number of the laws that we in the West rely upon. The 3rd Party Companies that use their copy protection are not exempt.
2. In Windows XP, Starforce gives Ring 0 (super user level access) to Ring 3 (standard users). In normal English this basically means that any third party application, such as Trojans or viruses, is given the ability to have full access to both software and hardware.
3. As many of you will be aware, XP does have a DMA/IDE issue that dates back to its creation, in which, if packets are lost during the reading or writing of a disk, XP interprets this as an error and steps the IDE speed down. Eventually it will revert to 16bit compatibility mode, rendering a CD/DVD writer virtually unusable. In some circumstances certain drives cannot cope with this mode and it results in physical hardware failure (most commonly in multiformat CD/DVD writer drives). A sure sign of this step down occurring is that the burn speeds will get slower and slower (no matter what speed you select to burn at). Starforce on a regular basis triggers this silent step down. Until it reaches the latter stages most peeps do not even realise it is happening.
Excluding the hardware failure, the normal way to cure this is to uninstall all the CD/DVD drivers and the Primary/Secondary IDE controllers (then reboot). If you did not know about Starforce, you can now be faced with another problem. Normally Windows searches for and reinstalls the drivers. However, with Starforce present this can cause the system to either fail to find the hardware or fail to find the drivers, creating the illusion that the hardware has failed.
This gets even worse if you have SCSI hardware/virtual drives or a SCSI virtual printer driver (basically any SCSI hardware/virtual drivers present), as these may have to be removed before the other hardware becomes visible.
4. Because Starforce are aware of these issues (including the Trojan gateway), this is exempt from the EULA and could be deemed as "Gaining access with malicious intent". Not only would Starforce be liable, but also the 3rd party company that endorsed/used that application.
Ugh, things like this put me at precarious positions with some companies. I don't like the way they implement their CD copy protection, but at the same time Safe'n'Sec is a program I happen to actually like. Yeesh, why do companies have to be so confusing?
At the same time, this makes me think... what is an appropriate way to protect content from being copied? There have been major problems with pretty much every schema tried in the past few years, either making discs inaccessible or bj0rking computers' hardware drivers.
By putting your question in such a way, you are indirectly helping to spread false claims.
StarForce is not a rootkit.
I encourage you and all people to refrain from making such an analogy.
Oh, btw, Mark Russinovich, who discovered the Sony rootkit, also took a look at the SF drivers:
Can you provide reliable links to support these claims Brian? I have several Starforce protected games on my PC, including GT Legends and Silent Hunter III and have never experienced any problems from the Starforce drivers.
and an upcoming USA office as well. Besides, what exemption exactly are you talking about?
2. http://www.star-force.com/protection/protection.phtml?c=91&id=319 (fixed long ago, before year 2003)
To date, SF contains no known vulnerabilities.
3. Not true, seems to be false claims. $10000 for evidence of hardware failure as a prize. No one participated.
4. First, read 2.
What about Internet Explorer 'holes' found every day?
Again, the issue has happened with many software manufacturers, for example Norton Antivirus:
Then, read 2.
Brian, I understand that you might be upset or don't like SF at all,
but, IMO, spreading such unapproved claims is, erhm... more than just BAD.
So is Kaspersky Lab.