Rollback Rx is a rootkit?

Discussion in 'sandboxing & virtualization' started by mattbiernat, Aug 23, 2012.

Thread Status:
Not open for further replies.
  1. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    Why does HMP report Rollback Rx as a rootkit? I have a fresh installation, so its impossible for me to have rootkit.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    This has been discussed before. Take a look here.

    Rollback Rx does modify the system very similar to MBR boot/rootkits hence its detection by vendors such as HMP. I believe other dedicated rootkit scanners do report this as well. Someone said GMER does this too. It doesn't mean Rollback Rx is a rootkit and is therefore bad; it means the technologies used are similar, and is why some anti-malware programs alert on it.
     
  3. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    You'll need to set HMP disk access to Compatible Disk Access instead of Direct Disk Access.
     
  4. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    what's the difference?
     
  5. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Thank you,,, can I trouble you to explain what the difference is and what it means for the scans?
     
  6. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    484
    Location:
    USA
    Hitman's Compatible Disk Access mode uses Windows' API to access the disk (instead of its normal direct disk access) so that it works within Rx's environment. Rx protect's the MBR from programs (safe or malicious) which use Windows' API for disk access, but is vulnerable to programs (especially malware) which use direct disk access. But using Hitman's CDA mode is a two-edge sword because when doing so you also reduce Hitman's ability to detect malicious rootkits!

    Scott
     
    Last edited: Aug 24, 2012
  7. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    thanks for explanation!
     
  8. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Very well said Scott! Especially, "But using Hitman's CDA mode is a two-edge sword because when doing so you also reduce Hitman's ability to detect malicious rootkits!"

    Best regards,
     
  9. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Thank you Scott.

    So would this imply that programs such as Malwarebytes or the AV/AM suite I use as my first line of defence (ESET) are monitoring via normal disk and thus are lax in detecting rootkits? They do not see the RX function as a rootkit. Or is Hitman just more aggressive? In other words is it like setting protection from normal to extreme or from poor to OK?
     
  10. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    484
    Location:
    USA
    I suspect that those AV programs do not use Direct Disk Access reads along with its Windows 'API reads', but I really don't know that for certain. For sure though, Hitman is very aggressive in using Direct Disk Access mode in concert with Windows API mode.

    In order to help you better understand what's going on, Rx hides its MBR entry much like a malicious rootkit (it is 'invisible' when reading the MBR via Windows API). So when Hitman sees that an MBR read via Direct Disk Access differs from an MBR read via Windows API it issues a heuristic alert of a likely MBR rootkit, which is precisely what it should do. When opting to use Hitman's CDA mode (i.e., using Windows API only) all appears well to Hitman in that it doesn't see Rx's non-malicious bootkit, but the likelihood of Hitman detecting a malicious rootkit (in CDA mode) is also diminished.

    Scott
     
    Last edited: Aug 25, 2012
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Perhaps,although more likely they've just whitelisted the likes of RollbackRX :doubt:
     
  12. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Thanks for the info
     
  13. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    I thought that was likely and wonder why Hitman does not do this too. Supposedly "suspicious" files are uploaded for analysis,,,,I would have thought this would have dealt with the issue by now.
     
  14. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Why the onus is on Hitman, why not on HDS the maker of Rollback Rx advising their customer to whitelist their rootkit from the AV and/or Rootkit programs?
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    From my experience with HMP,much as I like it,they're very slow to deal with FPs,often you need to report it a few times to get a result.
    Also once they have dealt with it you can guarantee it'll reappear when the application in question is updated.
     
  16. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    In a perfect world I guess the onus would be on both parties but that still does not explain why any of the programs other than Hitman that I have used do not see the code as malicious. Also, there is no way to whitelist anything in Zemana AntiMalware that I was able to find. So now Zemana is in the mix as well making things that much more complicated.

    As an aside,,,,,is anyone using a program other than Hitman that is picking up the code as malicious? It would be good to compile a list for reference.
     
  17. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Thanks for the info, much appreciated.
     
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    HitmanPro uses several scanners: Emisoft, Bitdefender, Dr.Web, G Data, and Ikarus.
    Emisoft, I tested it myself, is the one that won't accept Rollback Rx as a FP because the same device is used by malware, I suspect Ikarus might as well but I'm not sure. HitmanPro won't change simply because Emisoft won't change.

    I can't see what is the big deal about it, when I tested Emisoft it was clear that its detection was a FP and ignored it, same with Hitman Pro.
     
  19. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Its not a big deal if you have the knowledge to understand (or find out) that its an FP but it can be a bit of an issue if you just go ahead and tell the program to "fix it" because it said you should. Sure you should check first but not everyone knows enough to do this.
     
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    In principle Rollback should notify users about it and Emisoft shouldn't really flag it as malware. I figure that if someone goes to the trouble of buying and understanding a software like Rollback and then installing HitmanPro (which is really still a tool for people interested in security) one would expect such a user to know of the possibilities of FPs. All AVs can produce FPs, the danger is always there if one doesn't pay attention.
     
  21. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Good point Osaban, you are 100% correct.
     
Thread Status:
Not open for further replies.