PG 3.0 installation and Rootkit detection

Discussion in 'ProcessGuard' started by richrf, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    Should I check for rootkits before I install PG 3.0, or will PG pick up rootkits anyway? If detection is suggested, which software should I use? If PG will detect rootkits, which is the best way to identify them? Thanks.

    BTW, I don't think there are any on my system, I just want to be comprehensive during installation.

    Rich
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Rich, some rootkits can be detected by AV and AT programs, but unfortunately many are not detected, as they can be quite easily modified by the crackers.
    A rootkit would normally try to do two things to get on your system. Firstly, a dropper program would need to run, such as rootkit.exe, so you would get a request to allow a new .exe to run or, more dangerous, a warning that a current .exe had changed unexpectedly, such as svchost.exe. This would be very suspect unless you have been doing Windows updates, where such a change may be expected.
    The next thing the rootkit would need to do is install a service/driver; again, this should set your RADAR pinging :) So ProcessGuard protects in at least two ways.
    The help file has many examples of the various attacks and how PG deals with them as does the DCS website.

    Cheers. Pilli :)
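
The two footholds described in the post above (a dropper executable that has to run or a system binary that changes, then a service or driver that has to be installed) can also be checked after the fact by comparing a known-clean baseline against the current state. The following is an added example and is not ProcessGuard's code or anything from DiamondCS: the paths, service names and digests are constructed sample data, `windows_update_in_progress` is an assumed operator-supplied flag, and `snapshot_executables` is the only part that touches a real file system.

```python
"""Added example: baseline-and-diff check for the two rootkit footholds
described in the post (new/modified executable, then new service/driver).
Illustrative code, not ProcessGuard's; all sample data below is constructed."""
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # NEW_EXE, MODIFIED_EXE, NEW_SERVICE or NEW_DRIVER
    name: str    # file path or service name
    detail: str  # digest(s) or image path


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_executables(root, exts=(".exe", ".dll", ".sys")):
    """Map lower-cased path -> digest for every executable under root.
    Run this on a known-clean system to produce the baseline."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                try:
                    snap[path.lower()] = hash_file(path)
                except OSError:
                    continue  # locked or unreadable; skip rather than abort
    return snap


def diff_executables(baseline, current):
    """Foothold 1: a dropper appears as a new .exe, or a known binary's hash changes."""
    events = []
    for path, digest in sorted(current.items()):
        if path not in baseline:
            events.append(Event("NEW_EXE", path, digest[:12]))
        elif baseline[path] != digest:
            events.append(Event("MODIFIED_EXE", path,
                                f"{baseline[path][:12]} -> {digest[:12]}"))
    return events


def diff_services(baseline, current):
    """Foothold 2: a service or kernel driver absent from the baseline.
    Entries are name -> {"type": "kernel_driver" | "win32_service", "image": path}."""
    events = []
    for name, info in sorted(current.items()):
        if name not in baseline:
            kind = "NEW_DRIVER" if info["type"] == "kernel_driver" else "NEW_SERVICE"
            events.append(Event(kind, name, info["image"]))
    return events


def triage(events, windows_update_in_progress=False):
    """Attach a severity. A changed binary under \\windows\\ is the alarming case
    unless an update is known to be running; a new kernel driver is always high."""
    alerts = []
    for ev in events:
        if ev.kind == "MODIFIED_EXE":
            in_windows = "\\windows\\" in ev.name
            sev = "low" if (in_windows and windows_update_in_progress) else "high"
        elif ev.kind == "NEW_DRIVER":
            sev = "high"
        else:
            sev = "medium"
        alerts.append((sev, ev))
    return alerts


def _d(label):
    """Deterministic stand-in digest for the constructed sample data."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample snapshots (no real files): the "after" state has a
# tampered svchost.exe, a dropper in a temp folder and a new kernel driver.
BASELINE_EXES = {r"c:\windows\system32\svchost.exe": _d("svchost-clean"),
                 r"c:\windows\system32\notepad.exe": _d("notepad-clean")}
AFTER_EXES = {r"c:\windows\system32\svchost.exe": _d("svchost-tampered"),
              r"c:\windows\system32\notepad.exe": _d("notepad-clean"),
              r"c:\temp\rootkit.exe": _d("dropper")}
BASELINE_SVCS = {"dhcp": {"type": "win32_service",
                          "image": r"c:\windows\system32\svchost.exe"}}
AFTER_SVCS = dict(BASELINE_SVCS)
AFTER_SVCS["sample_rk_drv"] = {"type": "kernel_driver",
                               "image": r"c:\windows\system32\drivers\sample_rk.sys"}


def run_demo(windows_update_in_progress=False):
    """Diff the constructed snapshots and return the triaged alerts."""
    events = (diff_executables(BASELINE_EXES, AFTER_EXES)
              + diff_services(BASELINE_SVCS, AFTER_SVCS))
    return triage(events, windows_update_in_progress)


if __name__ == "__main__":
    for sev, ev in run_demo():
        print(f"[{sev:6}] {ev.kind:13} {ev.name}  ({ev.detail})")
```

One caveat a practitioner should keep in mind: a kernel-mode rootkit that is already running can hide its files and services from user-mode enumeration, so both `snapshot_executables` and whatever produces the service list must be trusted to see the real state. The baseline therefore has to come from a system known to be clean, and the comparison is most reliable when the disk is read from outside the possibly compromised OS.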
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pilli,

    Thanks for the detailed explanation. It helps a lot.

    Rich
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please note that if a rootkit is already on your machine, it's a bit hard to protect you. Such types of malware could also cause instability. If it's at all possible, we recommend backing up your data, formatting, and doing a clean install of all known clean programs, then install PG and let it learn.

    Formatting isn't fun, but it's worth it now that you have PG and possibly have a rootkit already. You won't get another one if you use PG right ;)
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Gavin,

    What program or programs would you use to detect rootkits? rkdetector? Are there others that are better? Thanks for the reply.

    Rich
     
  6. We love to hear from security experts on this issue. It is very hard for users (except for experts) to know whether their boxes are free from malicious programs; there are many reasons for that, for example, installing programs downloaded from the internet, using cracked versions of the Windows OS....
    Is TDS-4 going to be the best to detect and remove most bad things (rootkits, ...) from Windows boxes?
    TIA
     