NOD32 and Rootkits

Discussion in 'NOD32 version 2 Forum' started by izi, Aug 28, 2005.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hello!

    Does NOD32 detect rootkits? Does NOD32 cure computers infected with rootkits? The installation of the rootkit has resulted in system processes being hidden. Files are hidden from the Windows API. Does NOD32 detect these hidden files?

    Regards,

    izi
     
    Last edited: Aug 28, 2005
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Well, we must wait for Happy Bytes or Marcos... ;)
     
  3. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    Well, I think...
    No.

    NOD32 does not detect installed rootkits, but it might prevent them from installing if it has a signature ;)

    I think this is a must-have detection for the next version.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Rootkits cannot be detected on-access like other malware (except if there are signatures for them). That's why all anti-rootkit tools are on-demand.
    KAV2006 checks for rootkits at specific intervals in on-demand mode (like a scheduled task).
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    There are some rootkits in NOD's signatures, but I'm unsure if it's just the name of a virus/worm or whatever it is, as some of them date back to 2002-ish :)
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    You can search on our site for rootkit:

    http://nod32usa.com/nod32-updates/

    but it will only show you updates with rootkits, and their generic name - it's not that much help, other than to show that Eset does add them to the signatures.

    hth

    Greg
     
  7. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    If this is true, when will ESET add detection (signature or AH) for active rootkits?

    Regards,

    izi
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    FYI, one of the trojans I have in my collection was heuristically detected as "Probably unknown WIN32 virus (standard heuristic)", and that trojan had a rootkit as one of its "features".
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    We had Nod32 detect and remove a Rootkit on a system that arrived in my shop. I took a screenshot of it, just looking for it now.

    Cheers :D

    EDIT: Added Screenshot.
     
    Last edited: Aug 28, 2005
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Well, it's good to know that NOD can detect rootkits via heuristics.
    Although I'm pretty sure Eset has added some samples to the signature database too.
     
  11. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Brian N - you'd know that... given that you probably grabbed the data for SSE in some way, I'd expect you to KNOW that there are rootkits in the definitions....
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Wow, interesting topic. Good to know, fellas. And thanks for the screenshot, Blackspear! ;)
     
  13. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Was this file hidden from the Windows API?

    Regards,

    izi
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No idea; the drive was slaved off a clean system and then scanned.

    Cheers :D
     