NOD32 Rootkit Detection

Discussion in 'NOD32 version 2 Forum' started by Whoknowstbh, Jan 17, 2006.

Thread Status:
Not open for further replies.
  1. Whoknowstbh

    Whoknowstbh Guest

    http://www.eset.com/about/press.htm#rootkit

    "Rootkit protection is available immediately to current NOD32 license holders, and will be automatically installed to computers configured to receive automatic program component updates. To download a free trial copy of NOD32, please visit www.eset.com."

    I was wondering how I can check that I have this update.
    NOD32 is set to download/install program component updates automatically, and offer a reboot if necessary, but my NOD32 version is still on 2.50.45 (as it's been for a while, before this news item).

    If anyone could tell me how I can confirm that my NOD32 downloaded this program update, that would be great.
    Thanks.
     
  2. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    The rootkit detection was added in the 1.024 version of the AH module.
    You can see the version you are using in the Information panel of NOD32.
     

  3. Whoknowstbh

    Whoknowstbh Guest

    Thanks mate.

    Got the same version as you in the screenshot :)
     
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi all,

    Is this rootkit scan generic or specific to individual rootkits?
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Should be generic from what I've read
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    When will ESET add protection for active rootkits (hidden from Windows API)?

    izi
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Oh...well. I guess after the fact protection is better than none at all...

    The claims are that antivirus scanners can't see rootkit files due to compression and encryption... I thought kernel mode embedding with commands to hide specific files is what actually cloaks the files, and not the encryption or compression algorithms they use, which in most kernel mode cloaking cases would prove almost irrelevant to rootkit interception...

    This said, shouldn't a kernel mode AV shield be developed to prohibit code injection in the first place?
     
  8. ross232

    ross232 Guest

    Kernel mode A/V is the only reliable way to detect rootkit threats. Just look at Kaspersky AV 6.0, which is almost out of beta. I've tested it against Hacker Defender and other NT rootkits - it's able to remove them even after they have been executed on a machine... NOD32 fails to do that at this stage.

    Though I am pleased the Eset team is looking at the situation with more vigour.
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I would be a bit slower in recommending Kaspersky as an anti-rootkit until they have clarified a few things...
    Apparently they are also using rootkits themselves and got in trouble over it. I have attached the link to an article about the issue, which to me appears rather benign but still a bit worrisome.

    Security Bytes: AV firms accused of rootkit use
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1158976,00.html

    I am also a bit concerned about A/V's utilisation of NTFS Alternate Data Streams to conceal information, since it is very difficult to control who uses that data afterwards and how...

    Just a thought...
     
  10. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    No rootkit in Kaspersky Anti-Virus

    http://www.viruslist.com/en/weblog?weblogid=177727537
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Right. This is no Rootkit.

    However, I still have issues with NTFS Alternate Data Streams. It is primarily used by law enforcement agencies looking for doctored tags. I am glad Kaspersky is planning an alternate method to scope file modifications...
     
  12. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Don't worry (be happy ;) ) about ADS!!! :D ;) :)
     
  13. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    :D I am happy!:thumb:
     
  14. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Kav6 doesn't use this technology
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Ladies and gents,

    Please stay on topic. Kaspersky isn't - so discussions about Kaspersky are welcome over on the "other antiviruses" forum. This thread is about NOD32 Rootkit Detection, no more, no less.

    regards,

    paul
     
  16. ross232

    ross232 Guest

    Sorry Paul. That wasn't my intention. What I'm interested in here is Eset's future strategy against rootkits. I'm really impressed with the heuristic additions they've made - but there's still progress to be made!

    I don't know if the Eset team will answer this, but I'm going to ask anyway.

    Will NOD32 3.0 work on a kernel level?
    Will it utilize 'cloaking' (see KAV rootkit article) technology?
    Will it be able to actively remove rootkits already loaded in memory?
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Nod32 it is...

    I am curious to know why Nod32 and all the various other antivirus technologies have not used kernel mode shields in the past, since it seems like a rather large oversight, if not an obvious method of preventing hostile code injection...
     
  18. ross232

    ross232 Guest

    Hermescomputers, I fully agree. I also believe it's dangerous for media organisations to label antivirus products utilising kernel level modifications as a 'rootkit', because this implies malicious and/or bad intent. In reality, malware is becoming more sophisticated in its use of attack vectors, and it's necessary for A/V products to become more proactive for proper defense.

    Funnily enough, I have a feeling that provided all files and processes are visible to the end user, most people would happily accept kernel level modifications without question. It's only when they hear that files are being 'cloaked' / processes being hidden that they begin to worry.

    I'm hoping ESET is going to move the functionality of 'nod32krn' into a kernel mode (Ring 0) driver, which could then protect the process rights of the usermode GUI as necessary - e.g. by hooking TerminateProcess() and preventing it from being called on the protected list of PIDs.

    I'm still hoping the ESET team will respond (even if you are unable to answer any information pertaining to this discussion - a simple 'we're considering it' would suffice!).
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Can we know more about this new "rootkit detection" feature?
    I did not find any details about what it does exactly.

    Does it detect by signature a sleeping rootkit file before it has any chance to install? (Standard scanner functionality.)
    Or does it do far more, such as detecting a running rootkit, or even programs trying to install a driver?

    Regards,
    gkweb.
     
  20. piktor

    piktor Registered Member

    Joined:
    Feb 4, 2005
    Posts:
    45
    Location:
    Germany
    Eset did a great job, when they introduced HTTP-filtering with IMOM :thumb:

    And I think they will do it as well with rootkit detection :cool:

    And they won't give a preliminary report, because they surely don't want to tell the other A/V companies how to do it. ;)

    So let's wait for the main course and the cookies ... they will serve it certainly right out of the oven :D :p

    -piktor-
     
  21. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    I'm not sure, but I believe the update was done in the form of an update to the Advanced Heuristics system. So I would guess heuristic / signature detection from the file scanner :)
     
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Surely if we are discussing an aspect of Nod which gets compared to a feature in a different AV, that should be allowed: Paul, I think you're being a little 'picky' on this one.
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Please read back - as it is, many posts jump in merely regarding another AV. The topic of this thread is plain and simple: NOD32 Rootkit Detection. Let's stick to that. No offense intended.

    regards,

    paul
     
  24. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I like your xp theme zashita ;) ;) :p :D
     
  25. stnien

    stnien Registered Member

    Joined:
    Dec 15, 2005
    Posts:
    34
    Excuse me.. gkweb's question:

    Does it detect by signature a sleeping rootkit file before it has any chance to install? (Standard scanner functionality.)
    Or does it do far more, such as detecting a running rootkit, or even programs trying to install a driver?

    What is the answer? Does NOD32 detect a sleeping rootkit or a running rootkit? o_O

    Thanks.
     