Discussion in 'NOD32 version 2 Forum' started by ashishtx, Oct 19, 2005.
What is NOD32's policy for rootkit malware?
I saw in their updates they are detecting a lot of rootkits.
Hi ashishtx, welcome to Wilders.
NOD32 does detect rootkits; we have seen a couple detected. Here's one:
If your computer is infected with rootkits and these rootkits are hidden from the Windows API, NOD32 will not detect them, even if the rootkit is detected by signatures. Rootkits can hide processes, files (backdoors, ...) and folders, registry keys and values, services, TCP/UDP sockets, systray icons...
The only AV that detects rootkits is KAV 2006 (beta).
You can use on demand scanners like F-Secure Blacklight (Beta) or RootkitRevealer (free).
A safe mode scan should detect them, I think. They would not be loaded. Also, NOD should pick them up before they are installed. Most AVs will have difficulty with installed rootkits, but NOD and KAV handle them the best as far as I know, apart from dedicated rootkit scanners as you mentioned.
The drive was slaved off a clean system with a fully up-to-date NOD32.
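The cross-view check that on-demand tools such as RootkitRevealer perform, and that scanning a slaved drive from a clean system relies on, as an added Python example that is not from this thread or from any product named in it. It compares a file listing taken through the live Windows API with one taken while the rootkit is not running; the listings, drive letters and file names are constructed, and the noise allowlist is an assumption.

```python
import ntpath

# Entries that legitimately differ between a live and an offline view
# (assumed allowlist; tune it for the system being examined).
EXPECTED_NOISE = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}
NOISE_DIRS = ("\\$recycle.bin\\", "\\system volume information\\", "\\temp\\")

def normalize(path, drive_prefix):
    """Strip the drive letter (a slaved disk gets a different one) and
    lower-case, since the Windows API view of NTFS is case-insensitive."""
    p = path.strip().replace("/", "\\")
    if p[:len(drive_prefix)].lower() == drive_prefix.lower():
        p = p[len(drive_prefix):]
    return p.lower()

def is_expected_noise(rel_path):
    base = ntpath.basename(rel_path)
    return base in EXPECTED_NOISE or any(d in rel_path + "\\" for d in NOISE_DIRS)

def cross_view(live_listing, live_drive, offline_listing, offline_drive):
    """Return (hidden, noise): paths present in the offline view but absent
    from the live API view. A rootkit filtering the API hides entries from
    the live view only, so 'hidden' is what the operator should inspect."""
    live = {normalize(p, live_drive) for p in live_listing if p.strip()}
    offline = {normalize(p, offline_drive) for p in offline_listing if p.strip()}
    missing = offline - live
    hidden = sorted(p for p in missing if not is_expected_noise(p))
    noise = sorted(p for p in missing if is_expected_noise(p))
    return hidden, noise

# Constructed sample listings, in the shape 'dir /s /b' prints them.
LIVE = """C:\\Windows\\System32\\ntoskrnl.exe
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\pagefile.sys
C:\\Users\\ash\\Temp\\setup.log
""".splitlines()

# Same volume slaved to a clean machine as E:, rootkit not loaded.
OFFLINE = """E:\\Windows\\System32\\ntoskrnl.exe
E:\\Windows\\System32\\drivers\\ntfs.sys
E:\\Windows\\System32\\drivers\\hidden_driver.sys
E:\\Windows\\System32\\hidden_config.ini
E:\\hiberfil.sys
E:\\Users\\ash\\Temp\\setup.log
E:\\Users\\ash\\Temp\\~df1234.tmp
""".splitlines()

if __name__ == "__main__":
    hidden, noise = cross_view(LIVE, "C:", OFFLINE, "E:")
    print("hidden from live API view:", hidden)
    print("expected differences:", noise)
```

A clean result from this comparison still says nothing about a rootkit that hides only processes, registry keys or sockets; each of those needs its own pair of views.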
No, NOD32 will not detect rootkits even in safe mode if the rootkit is hidden from the Windows API.
That applies even if the rootkit is detected by signatures or AH. You can find a lot of samples (rootkits) on the web that NOD32 doesn't detect. You can buy undetected rootkits on the web.
The rootkits were obviously not hidden from the Windows API. Lucky you.
More like, lucky my client.
As far as I know, that's the only time you can catch a rootkit with AV (antivirus) if it's the kind that goes stealth after it successfully installs. Some of the posts here give me the impression that they can be detected by antivirus software once they've hidden themselves. Correct me if I'm wrong, but once they manage to successfully hide, they can't be detected by AV. That's where something like RootkitRevealer, BlackLight or UnHackMe is used.
Yes, you are wrong. KAV 6.0 (still beta) detects hidden rootkits. Look here: http://www.viruslist.com/en/analysis?pubid=168740859.
I'm sure the guys putting rootkits together will figure out a way to not be detected again... in time.
F-Secure 2006 includes BlackLight, so it should detect some.