Rootkit detector & 3 Questions

Discussion in 'NOD32 version 2 Forum' started by Dilbert_2, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. Dilbert_2

    Dilbert_2 Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    15
    BACKGROUND:

    Yesterday I installed a beta rootkit detector acquired from AVG
    -this gnawing fear that I had acquired one (Sony DVD burner and
    all - Sony and their rootkits ...).

    Of course the very nature of such software is that it probably
    looks like malware because of the way it has to work. So none
    of below was a surprise at all:

    a) IMON didn't want to download the file. ESET was _forwarded a
    copy of this file_ during this process. I know curiosity killed
    the cat, but then I temporarily disabled IMON and downloaded the
    file anyway. Re-enabled IMON via the check-mark in the little blue box.

    b) Install rootkit detector: AMON didn't want to install it either
    so I went the same route as above to install it - the disable and
    re-enable procedure.

    c) Ran the rootkit detector program - interestingly AMON (enabled)
    had no problem whatever with this program running in both
    shallow and deep modes. The program detected no rootkits.

    d) Ran NOD32 scanner in the mode to flag but not fix issues.
    '\WINDOWS\SYSTEM32\DRIVERS\anti_rkt.sys'
    was sent to Eset for analysis.

    btw, NOD32 had this to say: "-probably unknown NewHeur_PE virus"


    3 QUESTIONS (sort of):

    1) - Is there a better (safer) way to do what I did (download
    and install a rootkit detection program)? I am new to
    NOD32 and am not expert in it.
    I made an assumption that the AVG program would not be
    malicious, and accepted the risk of running a beta prog.

    2) - *IF* (big if maybe) this is a useful, non-malicious
    program, would IMON/AMON/NOD32 ever recognise it as
    such, or will it always be flagged as a serious threat?

    3) - Is there a way for me to command IMON/AMON/NOD32 to
    ignore specific files in specific locations and that
    have specific checksums?
    -I see in AMON I can exclude specific files OR specific
    directories but apparently not both together (a specific
    file in a specific place). It looks like pick one
    parameter but not both. Is this a bad idea from
    conception? Why?

    Am still becoming familiar with NOD32, which I've had less than
    a week. Have been reading through this forum bit by bit and
    there is a lot of good information in it, but if above is covered
    I just haven't got to it yet - there is an enormous amount of
    useful information here.

    I like NOD32 very much, and appreciate it more the more I learn.
    I suppose the bottom line on above is that the NOD32 system
    is going to find rootkits on its own and perhaps doesn't need
    help from 3rd-party software.

    Sorry, I didn't mean for this to be so long, but it acquired a
    life of its own. :cautious:

    Regards. -db2
     
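An added example, not from this thread or from ESET or AVG, of the exclusion described in question 3: an entry is keyed by a specific location and pinned to a specific checksum, so the file is ignored only while it stays where it was reviewed with the contents that were reviewed. The paths and file contents are constructed in a temporary directory; the driver name mirrors the one in the post.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def exclusion_key(path):
    """Canonical form of a location: resolved, absolute, case-normalised."""
    return os.path.normcase(os.path.realpath(path))


def sha256_of(path):
    """SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(path, exclusions):
    """True only if the file sits at an excluded location AND its contents
    still hash to the pinned digest. A replaced file at the same path, or the
    same bytes copied elsewhere, is not excluded; a path-only rule would
    silently cover the first case, a hash-only rule the second."""
    expected = exclusions.get(exclusion_key(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(path), expected)


def demo():
    """Constructed scenario: pinned driver, then modified, then relocated."""
    with tempfile.TemporaryDirectory() as root:
        drivers = Path(root, "WINDOWS", "SYSTEM32", "DRIVERS")
        drivers.mkdir(parents=True)
        driver = drivers / "anti_rkt.sys"
        driver.write_bytes(b"constructed driver bytes v1")
        # Exclusion recorded at review time: location plus checksum.
        exclusions = {exclusion_key(driver): sha256_of(driver)}
        results = {"pinned": is_excluded(driver, exclusions)}
        # Same path, different contents (file replaced): no longer excluded.
        driver.write_bytes(b"constructed driver bytes v2 (modified)")
        results["modified"] = is_excluded(driver, exclusions)
        # Original contents copied to another location: not excluded either.
        other = Path(root, "elsewhere.sys")
        other.write_bytes(b"constructed driver bytes v1")
        results["moved"] = is_excluded(other, exclusions)
        return results
```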
  2. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    Where did you acquire this program from? I hadn't heard anything about AVG releasing a rootkit detection utility and can't find anything on their pages about it. I'd say post a link to the product so we know what you are talking about, but disable the link by using hxxp:// instead of the usual.

    Someone from ESET will prolly stop in later to give you further instructions regarding this detection.

    -Cov
     
  3. Dilbert_2

    Dilbert_2 Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    15
  4. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    Hrm... in that case it's prolly a FP. But it's to be expected as a rootkit detector has to do some wonky stuff to actually find that stuff it's looking for. I'd say give the ESET guys some time to work on this and it should be corrected shortly.

    -Cov
     
  5. Dilbert_2

    Dilbert_2 Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    15
    Yes, I kind of assumed that, too. Sort of a Catch-22 thing. And that's why I'm kind of interested in the NOD32 process for addressing these things. Thanks, Cov.
     
  6. Xcurt

    Xcurt Registered Member

    Joined:
    Aug 8, 2006
    Posts:
    12
    I downloaded, installed and ran RootkitRevealer.exe without any problems at all.
    hxxp://www.sysinternals.com/Utilities/RootkitRevealer.html

    Win2K, Outpost PRO 3.51, NOD32 2.5.
     
    Last edited: Aug 8, 2006
  7. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    NOD32's report of a suspect NewHeur_PE virus on the ANTI_RKT.SYS file in the beta test version of Grisoft's AVG Anti-Rootkit v1.0.0.13 is a false positive alarm and will be addressed shortly.


    Regards,

    Aryeh Goretsky
     
  8. Dilbert_2

    Dilbert_2 Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    15
    Wow, no kidding! Follow-up scan this morning did not make the (false) positive. That is very fast.

    Am new to NOD - will be more relaxed in the future. Thanks.
     