PCGuard and RootkitRevealer

Process Guard and RootkitRevealer

Just a quick question: Process Guard does not keep RootkitRevealer in its list of allowed processes. I've run RootkitRevealer with Process Guard in Learning Mode; I've clicked on Remember this action in allowing the process; but every time I run RootkitRevealer, Process Guard wants authorization. Any reason? Thanks.

George75

 

Hi george75, When windows loads it's drivers there is a bit of a race and possibly roortkit revealer is starting first thus PG misses it.
This can change over time as I had a similar thing happeneing with KAV. Not sure what the answer is on that as it is probably an inherent Windows "feature" I just gave KAV the allow fro drivers and services and all is well. on my other PC's PG loads first. I

I suppose in theory that a kernel mode Trojan could do the same but first it would need to be run, with PG active it would have ask to install a service or driver so the likelyhood of that happening is small though a possibility. Then after eboot and providing it won the race PG would not see it and the Trojan would be active

That is why Wilders always reccomends a layered defence.

HTH Pilli

 

Re: Process Guard and RootkitRevealer

Thanks for your answer, Pilli.

However, the problem is that RootkitRevealer is an on-demand program that checks for discrepancies that indicate a possible rootkit installation. Hence, the explanation you give that it's a matter of which loads first can't be correct.

As for layered defence. I am very much interested in layered defence. Elsewhere, if you look for other posts today under my name, you will see that I raise the issue of layered defence in the context of the relationship between Process Guard's protection and Prevx home's protection. I could generalize a little here, although I admit it's not quite on the topic: At the level of adware and antivirus and firewall I have the layers properly set I think. It's at the level of Trojans that I'm ignorant and would like some guidance on proper layering with free programs.

George75

 

george75,
When you see the execution alerts do they show the rootkitrevealer executable name at the top or a semi-random name for the executable ?

 

Well, well, well! You must know something. It shows a random name, viz: uznzbmbwbujoksc.exe. I hope that's not a secret code. What does it all mean?

George75

 

Hi again george, In that case it must be using another method to do it's job, so does it inject a .dll somehow? I am not familiar with rootkit revealer as you can see my lack of knowledge is quite obvious

Pilli

 

Its simple enough once you understand that the rootkit authors were trying to "show themselves" to rootkit revealer and still "hide" from everything else, so called hiding in plain sight

The changing names for the executables simply stop the malware from predicting the executable name and uncloaking, there are other ways that they could detect that it was still rootkit revealer and several of them are plainly shown in the PG alert (some things remain constant even though the filename changes)

It is the random filename change that causes the ProcessGuard execution alert as you have probably figured out for yourself already

Regards

 

Re: Process Guard and RootkitRevealer

Well, yes I finally did figure it out: I went to the website

http://www.sysinternals.com/Utilities/RootkitRevealer.html

and here's what it says in part (I've highlighted the critical passage):

'RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

'The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.'

No, I'm not advertising the product; I just quoted enough for Pilli to understand what it's all about. Thanks. I should have been able to figure it out without a post.

George75

 

Very interesting! a rootkit trying to hide from rootkit revealer, no doubt more of this will happen, the rootkits seem to be popping up everywhere now. Glad to have ProcessGuard blocking rootkits just in case