RKU possible false positive

I have run RKU (latest) report scan it has shown up one possible infection as follows:-

NDIS is a wrapper by MS and fwdrv is part of Kerio 2.1.5.

I am using Win 2k and SSM

Any comments please

 

Hmm interesting, perhaps you should post this in the other Rk unhooker topic and see if they can help. Here

 

I think you misunderstand how anti-rootkit tools work and report findings.

Then you will realize this is not a f/p but is a very positive detection of a hook by a legitimate software.

Rootkit detectors do not use signature bases to find their quarry,they look for other events/behaviours to unearth their targets.As such they cannot tell you whether something present is legitimate or bad thing.They report findings and with certain ante RK tools allow for removal.It is upto the end user to make the decision on the data recovered.

RKU is doing its job very well,more to the point maybe you should ask the question of why do the other tools miss this hook

 

NdisMIndicateStatus <- your Firewall hooked NDIS driver function. It is normal behaviour for firewalls.

 

Thank you. That is what I thought but just wanted clarification.