System Virginity Verifier

Discussion in 'other anti-trojan software' started by devil's advocate, Oct 11, 2005.

Thread Status:
Not open for further replies.
  1. http://www.invisiblethings.org/tools.html

    How clean are you?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Correct me if I am wrong but this is for NTFS only :doubt:

    Interesting PowerPoint display tho.
     
  3. Why aren't you using NTFS?
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Ut Oh....have I failed Security 101. I have never had the desire to install 2K as NTFS....personal choice DA o_O

    I only use ZA Free 2.6.362 and a very tight IE....do I fail in that area also :doubt: :p

    Ok....enough of my setup....it'll even bore a dead man. I simply noticed it appeared SVV needed NTFS and I'll assume you confirmed that for me :doubt:
     
  5. Hang tight, there's going to be a FAT version out soon.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Please forgive me but I have to ask: Will this work if your system is no longer a virgin.:D I am sorry but the "devil" made me ask.

    Please all. Take this as light hearted fun.
     
  7. Peter you played with this yet?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    No I haven't. I just about have my plate full with the apps I am working with, and am content with them. It is going to have to be very special for me to take a look.

    Pete
     
  9. Arup

    Arup Guest

    Interesting title for a program, so it really checks for the Windows hymen and then puts a chastity belt around it. I thought Windows system files were already protected by Windows' own system file checker.
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Arup,

    Windows File Protection will not prevent a rootkit install, nor will it help you detect one. The PowerPoint presentation, at the link above, outlines what SVV 1.0 does, and what is planned for future versions.

    Nick
     
  11. Arup

    Arup Guest

    Thanks for the explanation Nick, will try it out, have Samurai doing the rootkit protection so will be interesting how this one fares up.
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Arup,

    Keep in mind that it's a detection tool, and not a prevention tool.

    From a machine (XP SP1) I was cleaning today...

    C:\svv>svv
    System Virginity Verifier 1.0 (public), September 2005
    written by Joanna Rutkowska
    http://invisiblethings.org

    svv <command> [options] [/l <altKernelModuleName>]
    command is one of the following:
    check - check system virginity
    fix - try to fix suspected modifications (disinfection)

    following options are supported:
    /a verify ALL modules (may cause false positives)
    /m show details about modifications
    /c show also clean modules
    /d leave driver after finished
    /t <n> fix to target verdict level = n (valid for fix command)

    C:\svv>svv check /a
    Null.SYS (f8b70000 - f8b71000)... error code = 0x490
    mnmdd.SYS (f8a66000 - f8a68000)... error code = 0x490
    RDPCDD.sys (f8a68000 - f8a6a000)... error code = 0x490
    dump_atapi.sys (f2d6b000 - f2d81000)... Image file not found!
    dump_WMILIB.SYS (f8a7a000 - f8a7c000)... Image file not found!
    mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!
    kernel32.dll (77e60000 - 77f45000)... suspected! (verdict = 5).
    USER32.dll (77d40000 - 77dcd000)... suspected! (verdict = 5).
    klg.dat (5a000000 - 5a018000)... error code = 0x490
    swpg.dat (003a0000 - 003b8000)... error code = 0x490

    SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
    --> 5 - DEEPRED
    SUSPECTED modifications detected. System is probably infected!


    Whatever is there keeps disabling McAfee services and Spyware Doctor at startup. Various AV and spyware scans (normal and safe mode) show the system to be clean, but the system is obviously not clean. At this point, I plan on reformatting.

    Nick
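
For triaging a report like the one posted above, the following is an added example (not part of the original thread and not SVV's own code) that parses `svv check` text and groups modules by outcome. It recognises only the status strings visible in that post; the names `parse_svv`, `level_name` and `KERNEL_BASE`, and the 0x80000000 user/kernel split, are assumptions made for the example.

```python
import re

# Constructed sample: a subset of the `svv check /a` lines quoted in the post above.
SAMPLE = """\
Null.SYS (f8b70000 - f8b71000)... error code = 0x490
dump_atapi.sys (f2d6b000 - f2d81000)... Image file not found!
mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!
kernel32.dll (77e60000 - 77f45000)... suspected! (verdict = 5).
USER32.dll (77d40000 - 77dcd000)... suspected! (verdict = 5).
klg.dat (5a000000 - 5a018000)... error code = 0x490

SYSTEM INFECTION LEVEL: 5
"""

LEVELS = ["BLUE", "GREEN", "YELLOW", "ORANGE", "RED", "DEEPRED"]  # legend in the output
MODULE_RE = re.compile(
    r"^\s*(\S+) \(([0-9a-fA-F]{8}) - ([0-9a-fA-F]{8})\)\.\.\.\s*(.*)$")
LEVEL_RE = re.compile(r"^\s*SYSTEM INFECTION LEVEL:\s*(\d+)")
KERNEL_BASE = 0x80000000  # assumption: default 32-bit Windows user/kernel split

def parse_svv(text):
    """Group module lines by outcome; only statuses seen in the post are recognised."""
    report = {"suspected": [], "no_image": [], "error": [], "other": [], "level": None}
    for line in text.splitlines():
        lvl = LEVEL_RE.match(line)
        if lvl:
            report["level"] = int(lvl.group(1))
            continue
        m = MODULE_RE.match(line)
        if not m:
            continue  # banner, legend and blank lines
        name, start, end, status = m.groups()
        base = int(start, 16)
        entry = {"name": name, "base": base, "size": int(end, 16) - base,
                 "kernel": base >= KERNEL_BASE, "status": status}
        verdict = re.search(r"verdict = (\d+)", status)
        if verdict:
            entry["verdict"] = int(verdict.group(1))
            report["suspected"].append(entry)
        elif status.startswith("Image file not found"):
            report["no_image"].append(entry)
        elif status.startswith("error code"):
            report["error"].append(entry)
        else:
            report["other"].append(entry)  # unrecognised status, kept verbatim
    return report

def level_name(report):
    lvl = report["level"]
    return LEVELS[lvl] if lvl is not None and 0 <= lvl < len(LEVELS) else None
```

Modules in the `no_image` and `error` groups are ones the tool could not compare against a file on disk, so they are worth reviewing alongside the `suspected` ones.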
     
  13. Arup

    Arup Guest

    Thanks again Nick, don't have any resident spyware apps or McAfee, only Avast but I do have Samurai running in root kit block mode.
     
  14. It's not really special. Just a quick check. 5 minutes at best.
     
  15. Like IceSword, I guess. But like IceSword there is a cleaning component.

    Very wise. Since you are planning on formatting, you might as well let svv fix it and see what happens.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    You answered your own question. "It's not really special" best describes why I am not interested.
     
  17. controler

    controler Guest

    Peter2150

    Deviladvocate has tried SVV and so have I. I don't see many posting on it as I figured would happen.
    I can tell you that IceSword would show the hidden crap, especially if there is a driver involved.

    I could not get any switches to work on my Shared computer toolkit with SVV.


    Since you have a nice infected drive and are reformatting, you might be surprised at what it does find.

    As of present I am guessing the only support you will get for either program will be on a site like this. Not sure what the intentions of either programmer are or if they will come here and post as a registered guest.

    controler
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Hi Controler

    You've either mixed me up with someone else or missed my humor. I didn't say I had an infected computer, I said it wasn't a virgin, and that for sure is true. I would define it being a virgin as it came from the factory. Any resemblance between then and now is purely coincidental. I am using Outpost 2.7, Regdefend, ProcessGuard, Online Armor, Safe'n'Sec, and the latest build of KAV 2006 beta. Something new would have to be very special, before I would spend any more time on stuff.

    On a final note, thanks for taking the time and posting as you thought I did have a problem. I do appreciate that.

    Pete
     
  19. It doesn't have bells and whistles to play with, that's why it's not special.

    Peter has a nice infected drive? How did that happen?
     
  20. Hey Pete, the special thing about this virginity verifier is that it doesn't blindly check against factory settings. It can tell which types of changes are harmless, because these are ones that have been made by drivers that don't hide.

    For example, I verified that of your list above 4 of them don't have any changes that virginity verifier considers dangerous. The rest I don't use so I can't say but I bet it's ignored too.

    So it's a pretty clever tool.
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi DA,

    Interestingly, IceSword shows nothing hidden.

    That was my plan after imaging the drive as it is. It's an older Dell Latitude laptop that someone would like me to magically undo several years of neglect. It will be interesting to see what the image contains.

    Nick
     
  22. controler

    controler Guest

    Pete

    I was referring to Nick's machine he was working on.

    You said IceSword shows nothing?

    Did you look at the SSDTS?
    That is where the drivers are shown.

    controler
     
  23. hp2000

    hp2000 Guest

    So I guess it's safe to say that SVV is really not quite ready for prime time? I mean, only experts who really know their stuff should be using it....right?
     
  24. There is probably no harm using it just for checking. I would refrain from using it to fix anything though....
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Just for grins I downloaded it. Gave it a quickie look, and it wasn't obvious how to even run it. DOS window maybe??
     