RKU possible false positive

Discussion in 'other anti-malware software' started by djg05, Dec 24, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I have run an RKU (latest) report scan; it has shown up one possible infection as follows:-

    NDIS is a wrapper by MS and fwdrv is part of Kerio 2.1.5.

    I am using Win 2k and SSM

    Any comments please
     
  2. TECHWG

    TECHWG Guest

    Hmm interesting, perhaps you should post this in the other Rk unhooker topic and see if they can help. Here
     
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I think you misunderstand how anti-rootkit tools work and report findings.

    Then you will realize this is not a f/p but is a very positive detection of a hook by a legitimate software.

    Rootkit detectors do not use signature bases to find their quarry; they look for other events/behaviours to unearth their targets. As such they cannot tell you whether something present is a legitimate or a bad thing. They report findings and, with certain anti-RK tools, allow for removal. It is up to the end user to make the decision on the data recovered.

    RKU is doing its job very well; more to the point, maybe you should ask the question of why the other tools miss this hook ;)
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    NdisMIndicateStatus <- your firewall hooked this NDIS driver function. It is normal behaviour for firewalls.
     
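The two posts above make the same point: an anti-rootkit tool reports that a function prologue has been redirected, and deciding whether the redirecting module is a firewall driver or something hostile is left to the user. The following Python is an added illustration of that workflow and is not code from RKU or from anyone in this thread. It compares a function's first bytes in memory against the on-disk image, follows an x86 `jmp rel32` to find which loaded module owns the target, and then triages the finding against an operator-maintained list of expected hookers. All addresses, module ranges, and byte strings are constructed for the example; `fwdrv.sys` and `NdisMIndicateStatus` come from the thread, the other module and function names are sample values.

```python
import struct

# Constructed loaded-module map (name -> (base, size)); the addresses are made up.
MODULES = {
    "ndis.sys": (0xF8400000, 0x40000),
    "fwdrv.sys": (0xF8600000, 0x10000),      # Kerio's driver, per the thread
    "unknown.sys": (0xF8A00000, 0x8000),     # constructed: a module nobody can vouch for
}

# Hookers the operator has verified as expected on this machine. This list is the
# human judgement the detector cannot make for you.
KNOWN_LEGIT_HOOKERS = {"fwdrv.sys"}

# A clean x86 prologue (mov edi,edi; push ebp; mov ebp,esp) as found on disk.
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"


def make_jmp(from_addr, to_addr):
    """Build a 'jmp rel32' at from_addr landing on to_addr (constructed memory image)."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def resolve_module(addr):
    """Map an address to the loaded module whose range contains it, if any."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def detect_inline_hook(func_addr, mem_bytes, disk_bytes):
    """Behavioural check: does the in-memory prologue diverge from the file image?
    Returns None when they match, otherwise a dict describing the divergence."""
    if mem_bytes[:5] == disk_bytes[:5]:
        return None
    if mem_bytes[0] == 0xE9:  # jmp rel32: target = next instruction + signed displacement
        rel = struct.unpack("<i", mem_bytes[1:5])[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFF
        return {"kind": "jmp rel32", "target": target, "module": resolve_module(target)}
    return {"kind": "modified prologue", "target": None, "module": None}


def triage(hook):
    """Turn a raw finding into a verdict using the operator's knowledge of the box."""
    if hook is None:
        return "clean"
    if hook["module"] in KNOWN_LEGIT_HOOKERS:
        return "expected: hooked by known firewall driver"
    if hook["module"] is None:
        return "investigate: hook target not inside any loaded module"
    return "investigate: hooked by unrecognised module"


def scan(functions):
    """functions: list of (name, addr, mem_bytes, disk_bytes). Returns one row per function."""
    rows = []
    for name, addr, mem, disk in functions:
        hook = detect_inline_hook(addr, mem, disk)
        rows.append({"function": name, "hook": hook, "verdict": triage(hook)})
    return rows


# Constructed sample scan of three functions inside ndis.sys.
SAMPLE = [
    ("NdisMIndicateStatus", 0xF8412340, make_jmp(0xF8412340, 0xF8601000), CLEAN_PROLOGUE),
    ("NdisMSendComplete", 0xF8415000, make_jmp(0xF8415000, 0xF8A00500), CLEAN_PROLOGUE),
    ("NdisAllocatePacket", 0xF8418000, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        hook = row["hook"]
        where = f"-> {hook['module'] or '?'} @ {hook['target']:#x}" if hook and hook["target"] else ""
        print(f"{row['function']:<22} {where:<26} {row['verdict']}")
```

The first row reproduces the situation in the thread: the detector is right that `NdisMIndicateStatus` is hooked, and only the allowlist turns that into "expected". The second row shows why the tool must keep reporting every hook rather than suppressing known-good ones: the same check, pointed at a module nobody can vouch for, is the finding you actually want.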
  5. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thank you. That is what I thought but just wanted clarification.
     