Rootkit Detection

Discussion in 'other anti-virus software' started by Diver, May 15, 2008.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
  2. tesk

    tesk Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    100
    This is a very interesting test!

    But how can BitDefender and BullGuard get different results? BullGuard uses the BitDefender engine?
     
  3. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Yes, but the driver is important here, not just the engine. BullGuard licensed the engine but had to develop their own driver.
     
  4. harlan4096

    harlan4096 Registered Member

    Joined:
    May 6, 2008
    Posts:
    234
    Location:
    Almería (Spain)
  5. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    If you'd read the paper and not just looked at the table, you'd know that the first part of the test was done for a German magazine in Oct. 2007. The text also explains why they wrote the paper with that data.
     
  6. harlan4096

    harlan4096 Registered Member

    Joined:
    May 6, 2008
    Posts:
    234
    Location:
    Almería (Spain)
    And o_O I know it! But you can't publish that test now, after almost 7 months, with obsolete info I think ...

    Regards.
     
  7. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Again, the reason why they publish that info now is explained in the report itself.
     
  8. Ximi

    Ximi Infrequent Poster

    Joined:
    May 12, 2008
    Posts:
    40
    Location:
    Estern
    Avira + BitDefender seem to do a very good job, and those 2 anti-virus products seem to be the best in this test.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Avira's cleaning is poor, at least in this test.
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    A step in the right direction could be to focus on providing bootable rescue media, too: this might be the product installation CD or a CD or disk that a user can create and update himself. When the system is started from this media, the rootkit cannot be activated on the system, so a scanner would be able to see all files and registry entries which would usually be hidden. This way, the scanner could detect and delete all rootkit and malware components as long as the signature database is up to date and comprehensive.

    That might be the crux of this review.

    AVG anti-rootkit is now incorporated into the commercial release.
    The Trend Micro tool is still available (fast scanner).
     
    Last edited: May 16, 2008
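    The quoted report's point, cross-checking what the running (possibly hooked) system lists against what clean rescue media shows on the same disk, as an added example with constructed data; this is not code from the thread or from any vendor, and every path, key, hash and signature name in it is made up for illustration:

```python
import hashlib
from typing import Dict, List, Set


def normalize(path: str) -> str:
    """Case- and separator-insensitive form so both views compare cleanly."""
    return path.strip().replace("/", "\\").lower()


def hidden_entries(live_view: List[str], offline_view: List[str]) -> Set[str]:
    """Entries visible from the rescue media but missing from the live listing."""
    live = {normalize(p) for p in live_view}
    return {normalize(p) for p in offline_view} - live


def scan_hidden(hidden: Set[str], contents: Dict[str, bytes],
                signatures: Dict[str, str]) -> Dict[str, str]:
    """Hash each hidden file and look it up in the (constructed) signature DB."""
    hits: Dict[str, str] = {}
    for path in hidden:
        data = contents.get(path)
        if data is None:          # registry keys have no file body to hash
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest in signatures:
            hits[path] = signatures[digest]
    return hits


# Constructed sample data: what the running system reports (API view) ...
LIVE_VIEW = [
    r"C:\Windows\System32\drivers\afd.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
]
# ... and what the same disk shows when booted from rescue media.
OFFLINE_VIEW = LIVE_VIEW + [
    r"C:\Windows\System32\drivers\sample_rk.sys",          # constructed name
    r"HKLM\SYSTEM\CurrentControlSet\Services\sample_rk",   # constructed key
]
SAMPLE_BYTES = b"CONSTRUCTED-SAMPLE-DRIVER-BODY"             # constructed content
CONTENTS = {normalize(OFFLINE_VIEW[3]): SAMPLE_BYTES}
SIGNATURES = {hashlib.sha256(SAMPLE_BYTES).hexdigest(): "Constructed.Rootkit.Sample"}


def run_check() -> Dict[str, str]:
    """Full pass: find what the live view hides, then match it against signatures."""
    return scan_hidden(hidden_entries(LIVE_VIEW, OFFLINE_VIEW), CONTENTS, SIGNATURES)


if __name__ == "__main__":
    for path, name in run_check().items():
        print(f"hidden and matched: {path} -> {name}")
```

    The hidden registry key is reported by `hidden_entries` even though it has nothing to hash, which is the report's second point: the offline view exposes hidden entries regardless of whether the signature database knows them.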
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    If my sworn-to-secrecy private ARKD builds can't cut it, I use ERD Commander, load the affected O/S into it for in-depth search and reviews as well as removals.

    I really don't know any other way to penetrate a deeply affected system other than this method.

    EASTER
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Just because the tester didn't do it properly. ;)
    See that the stand-alone Avira rootkit detector BETA has very good cleaning capacities.
    Avira v7 and v8 use the same engine as in that stand-alone app.

    In AntiVir there is also the option to do a quick search before a normal scan, and also to do the full search from the scanner page (a tab, as it was in v7).

    Here's a quote from Avira Help file:
    So, obviously the tester used only the quick search option instead of the full rootkit scanning profile and that is why they got this result.
    Maybe if Andreas Marx can be contacted or reads this forum he will correct the test.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    To me it appears as a minimal rootkit scan before any on-demand scan (even for a file or a few files). How can he use this option? He must have used the complete system scan / rootkit scan.
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Then how do you explain it? o_O The same engine is used in Avira 7 or 8 and in Avira Rootkit Detector also.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't know really. But no way can I think that he did not use the complete scan or rootkit scan. So obvious, even a beginner would not do it like that.

    In fact I don't understand your mini rootkit scan at all, how can one do it. To me this option means that a minimal rootkit scan will be done before any on-demand scan, for a file/files. Obviously no such scan can be used for active rootkits.
     
  16. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
  17. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
  18. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Here's another test done by students of Epitech, a French engineering school: in English and en francais.

    The main limit of these tests is the restricted number of samples and ARKs tested.

    NB: GData provides rootkit detection via a boot CD.

    Regarding rootkits, antivirus can't be trusted.
    Rootkits have existed for 20 years on Unix systems, and officially since 2000 (NTRootkit by Hoglund) on Windows.
    And since 25006, there's been an escalation of rootkit literature and tools from AV companies.
    Bravo! great! super! fantastico!
    But seriously, just a question: what have they done before?
    One of the keys to security is reactivity: 6 years, isn't that a strange approach to reactivity?
    Unprofessional? Business strategy (less R&D = more cash flow), or a sign of conspiracy (law enforcement door for security agencies like the NSA)?
    The silence and taboo related to this question is already an avowal of guilt.
    The discovery of the spambot Rustock C and its related botnet is proof of AV inefficiency against rootkits.
    And by experience I'm often quite sceptical about AV marketing speech: I've verified myself the inefficiency of KAV 6 against Rustock B.
    Moreover, there are still many rootkits unknown (no pattern file) to AV labs (I have, for instance, 2 Russian rootkits not detected by DR WEB AND KAV).
    The key against rootkits is prevention (always better than cure): like some people, I've made some efforts in this area to promote the need for HIPS: products like Process Guard, Viguard, Abtrusion Protector and SSM have provided rootkit protection since 2003/2004.

    Detection of rootkits is a large subject, but as often the song is the same: more knowledge and experience = less AV dependency.

    regards
     
  19. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    GMER & SafetyCheck passed the tests successfully :thumb:
     
  20. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Hi kareldjag,
    have you sent the samples to all major vendors?
     
  21. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    I would like to see a rootkit test including the latest Avast! and the Alwil anti-rootkit (though it utilizes GMER as a base, it sometimes does a bit better).
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This link purports to give the opinion of the author of Rootkit Unhooker LE regarding the merits of other anti-rootkit software, as of several years ago. The word 'useless' is mentioned often. Rootkit Unhooker LE was the only program that had perfect detection rates in the XP tests mentioned in post #1.
     
  23. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    To prevent the NTFS and FAT32 rootkits, I did this. Using DOS FDISK, I split a drive -- a FAT16 on each partition. Next, I loaded Win 98 SE on a partition, and then I loaded Win XP SP3 as a separate, clean install on the SAME partition containing the 98 SE, choosing the option to leave the FAT16 unchanged as well as keeping the 98 SE OS intact so as to have a dual-boot system on the same partition. Most of the 98 SE works, and XP also works. While using a rootkit test file, the test file stopped responding.

    Dave
     
  24. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I thought it was Sunday, April 8, 2007, so wouldn't it be one year?

    But the writer seemed to think that every single anti-rootkit was bad, saying "However, all (without exception) can be avoided."
    So according to him anti-rootkits are useless?

    Thanks
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well said.

    Rooters & hiders have to go deep for maximum concealment; the same is required of their nemesis patrollers too. AVs already have a full plate with blacklists, and adding to their bulk just to examine some of these deep-sea divers.

    BTW, any thoughts on static hardening apps that attempt to position themselves in a chain from the SSDT table to other entry zones?

    Regards as always

    EASTER
     