NEW! Rootkit 'detection' test

Discussion in 'other anti-virus software' started by C.S.J, Jan 4, 2008.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Some folks seem to forget this.
    If you're going to depend on your AV to detect and clean "live" rootkits, you're playing a risky game. AFAIK, the only reliable signature scanner against rootkits is SUPERAntiSpyware.
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I'll take my chance ;)
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Obviously, you don't need to panic Chris, I'm sure that your chances of encountering a rootkit trying to install itself in your system are very, very low. But, don't buy the marketing speech (i.e. we detect and remove rootkits in a blink, don't be afraid).
    Almost all malware cleaning forums don't use AVs to detect and remove rootkits. There must be a reason behind this behaviour, don't you think?
     
  4. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I'm extremely comfortable with what I have for protection against rootkits.

    There are a lot of AVs that claim to do something that they actually don't.

    This is not the case with DrWeb.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I wouldn't be sure of those claims. Informal tests show that few AVs are able to detect and remove completely installed rootkits and this varies from sample to sample.
    But DrWeb may have a really good scanning engine to get unadulterated information from the OS. Time will show.
     
  6. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Informal tests?
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Tests realized by malware hunters/VXers. The methodology is pretty simple: scan the inactive sample to see if the AV has a signature for that sample, then install it and do a full system scan with that AV and specialized tools (as a control).
     
  8. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I wasn't aware of SAS's rootkit detection. I guess I will have to run it more often.
     
  9. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Can't be trusted (on any level).
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    SAS 4.0 improvements:
    These tests don't need huge zoos or statistical precision. You just need some random (working) samples and that's all. If AV xxx detects runtime2.sys archived in a malware folder but doesn't detect it when it's loaded in a real system, then AV xxx doesn't detect that rootkit sample when it's subverting the OS.
     
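    The methodology described in posts 7 and 10 (scan the dormant sample, install it, rescan with the AV and with a specialised tool as the control) can be written down as a small scoring harness. This is an added example, not code or data from the thread or from any of the products named in it; the AV names and scan hits are constructed, and runtime2.sys is used only as the file name post 10 mentions.

```python
from collections import Counter
from dataclasses import dataclass

# Outcome classes for one (AV, sample) pair in the dormant-vs-live test.
NO_SIGNATURE = "no signature"            # missed even as an inactive file
BLIND_WHEN_ACTIVE = "blind when active"  # has a signature, but the loaded rootkit hides from it
DETECTS_ACTIVE = "detects active"        # found the sample while it was subverting the OS
INVALID_SAMPLE = "invalid sample"        # control tool saw nothing: the sample never went live


@dataclass(frozen=True)
class ScanResult:
    av: str
    sample: str
    dormant: bool  # hit when scanning the archived file in a malware folder
    live: bool     # hit during a full system scan after installing the sample
    control: bool  # the specialised anti-rootkit tool confirmed the sample was active


def classify(r: ScanResult) -> str:
    """Classify one result; a sample the control tool did not see is not a valid test."""
    if not r.control:
        return INVALID_SAMPLE
    if r.live:
        return DETECTS_ACTIVE
    return BLIND_WHEN_ACTIVE if r.dormant else NO_SIGNATURE


def summarise(results):
    """Per-AV tally of outcome classes, dropping invalid test cases entirely."""
    tally = {}
    for r in results:
        outcome = classify(r)
        if outcome == INVALID_SAMPLE:
            continue
        tally.setdefault(r.av, Counter())[outcome] += 1
    return tally


# Constructed results for illustration only; no real product was measured.
SAMPLE_RESULTS = [
    ScanResult("AV-A", "runtime2.sys", dormant=True, live=False, control=True),
    ScanResult("AV-A", "sample-2", dormant=True, live=True, control=True),
    ScanResult("AV-B", "runtime2.sys", dormant=False, live=False, control=True),
    ScanResult("AV-B", "sample-2", dormant=True, live=True, control=True),
    ScanResult("AV-B", "sample-3", dormant=True, live=False, control=False),
]

if __name__ == "__main__":
    for av, counts in summarise(SAMPLE_RESULTS).items():
        print(av, dict(counts))
```

The "blind when active" count is the figure the thread is arguing about: a signature that fires on the archived file but not on the loaded rootkit.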
  11. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I am using the free 3.9 version which I can assume doesn't have this capacity. It really doesn't mention it anywhere in this comparison.

    I used to run it more often but all it ever detected was cookies. Now I might run it once every two months or so.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The 3.9 version is already very good at detecting/removing RKs. SAS 4.0 will be even better (one step ahead of the bad guys)
     
  13. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Well that test is the first one I have seen where NOD32 is on the bottom. Explain why AV-Comparatives gave NOD32 the #1 spot for 2 years.

    http://www.av-comparatives.org/
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Even that isn't a guarantee.
     
  15. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    What (specific threats) were actually tested in these tests is unknown (to my knowledge), meaning what are the malware and rootkits tested against? Simulators or actual threats? What if the tests were run every week against the latest threats, would the numbers (results) fluctuate?

    The bottom line in all of this is that no single product can, or ever will, be able to prevent, detect or remove everything on a given day. Every company has their own methods for dealing with threats, detection and of course rootkits. Some will catch certain threats and others will catch different threats.

    You should NOT rely on a single application to protect yourself in today's Internet.
     
  16. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    Malware
    Trojan-Spy.Win32.Goldun.hn
    Trojan-Proxy.Win32.Wopla.ag
    SpamTool.Win32.Mailbot.bd
    Monitor.Win32.EliteKeylogger.21
    Rootkit.Win32.Agent.ea
    Rootkit.Win32.Podnuha.a

    POC
    Unreal A 1.0.1
    RkDemo v1.2
    FuTo
    HideToolz

    http://www.anti-malware.ru/index.phtml?part=tests&test=antirootkits1
     
  17. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Ok, so the rootkits used were demos/simulators, not the actual infections.
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Does it not make sense to boot up a live cd and scan from there instead if you suspect that you have a rootkit?
     
  19. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    AV-Comparatives rates AVs depending on on-demand detection rate and detection rate of 0-day malware. Also, the malware in AV-Comparatives has not been executed (which is easier to detect than detecting rootkits which have been executed).

    This test is about detecting live (executed/embedded) rootkits, which are harder to detect and remove.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    As far as I can see, it's a mix of both.
     
  21. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    Contradicted yourself in post 35
    Because no AV detects all malware. Scanning your computer for days using different AVs (which may or may not detect the rootkit) is a waste of time if you can do it in a few minutes using specialized removal tools and you're certain it'll be detected and removed if it's one no AV detects.
    Also installing lots of AVs will slow down the computer if they're not removed properly and lead to more computer troubles.
     
  22. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    I think this says it all... (although some are better overall than others). All these tests still give an indication to show this and aid users to see which protects/detects/removes better.
    And one should not use a single test as an indication of which AV is stronger than another... should use many as an indication (as IBK always said) :)
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Lool, the test is biased, Russian test, Russian nr.1... I'd like to see a test more neutral.. In Germany Gmer is considered Nr.1.
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    The tests are biased because they are Russian, cmon, surely you can't be serious?
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I dislike tests that don't include all possibilities; all kinds of publicly available rootkits and malware today must be included, not secret PoCs. So this test can be in no way objective and all-embracing.
    Only a fool can take this seriously, still awaiting a neutral all-embracing official test.

    Show me a test with at least 20-40 malware/rootkit samples then I will consider it more serious.
     