Discussion in 'other anti-malware software' started by jmonge, Oct 6, 2010.
what will be the best rootkit prevention/detection/blocking etc.? any comments, thanks friends
since signature-based AVs are mostly useless against 0-day malware, i think we can only rely on light virtualization (Geswall/Defensewall/Sandboxie) or anti-executable apps (AppLocker and the like).
i think hips also as they protect the whole system
Don't play with malware
Easy: Stay away from questionable websites.
how do we know if this stuff is any good if we only go to safe sites?
Talk to the guy behind the keyboard
Most of the malware which uses rootkit technology comes to the system through exploits in the web browser. If the browsers are sandboxed, then there is no way a malware can enter into the system, as Sandboxie intercepts all the data flow from the browser and stores it in its transient storage area.
I will recommend DefenseWall as it can protect you very well against rootkits & other bad stuff. Another option would be Emsisoft Mamutu, as it is also very effective against bad stuff/rootkits/keyloggers etc.
If only one, HIPS.
just don't execute anything that isn't trusted and verified by you
so... default-deny or anti execution method is my best answer.
cool very true
I REPEAT THIS FOR THE umpteenth TIME.
Always "Keep" a pair of clean system backups either on external or internal hard drives as an absolute failsafe safety solution against not only rootkit or virus attack but hardware failures too.
You will be so glad that you did one day.
My own personal backup choices remain both Paragon & Drive Snapshot. Without a solid physical backup plan the best laid plans (aka troubled software/viruses) can go sadly awry and ruin your time and data in a single bound.
a strong HIPS should be able to stop (or at least warn you) a rootkit from patching/modifying system files...
As EASTER said, a backup strategy is always mandatory against zero-day stuff....
the problem i have with HIPS is that often their warnings are way too technical for me.
even if i search on the Net about the names shown in the warnings i am left having to choose to Deny or Block something i don't quite fully understand.
for me, it's way too risky to use HIPS, although i like Online Armor Premium a lot.
i just had to stop using it for those reasons.
At this moment 64-bit OS still prevents 95% of the rootkits, next to that I use just my antivirus and nothing else (except for some other OS hardening).
HIPS are only as good as the one who configures it and the security policy it's enforcing. If that policy is default-deny and the HIPS is well configured, rootkits are not a threat.
is there a special rule for hips to make for stopping rootkits?
Yes, just tick Don't Allow
thanks that helps a lot
The default-deny security policy is what prevents being rootkitted. The HIPS merely enforces that policy. Rootkits are no different from any other software. They have to install and be made part of the system in order to work. Not allowing an unknown to execute prevents the installation of rootkits.
Any other policy that allows an unknown to run is a calculated risk. That includes behavior blocking, sandboxing, virtualization, etc. These all work on the idea that the software will detect and contain all potentially malicious activity, that they have no flaws.
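As an added illustration of the default-deny policy described in the post above (and of the earlier point about rootkits patching system files), here is a small hash-based allow-list check. This is example code written for this thread, not part of any HIPS or anti-executable product; the file names and contents are constructed on the fly in a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths: Iterable[str]) -> Dict[str, str]:
    """Baseline: record the hashes of binaries the user has verified as trusted."""
    return {sha256_of(p): p for p in paths}


def decide(path: str, allowlist: Dict[str, str]) -> Tuple[str, str]:
    """Default-deny: a file runs only if its hash is on the allow-list.
    An unknown file is denied without any attempt to judge its behaviour."""
    digest = sha256_of(path)
    return ("allow" if digest in allowlist else "deny", digest)


def demo() -> Dict[str, str]:
    """Constructed scenario: one trusted binary, one unknown installer,
    then the trusted binary gets patched in place (as a rootkit would do)."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "trusted.exe")
    unknown = os.path.join(d, "installer.exe")
    with open(trusted, "wb") as f:
        f.write(b"MZ constructed trusted program")   # not a real executable
    with open(unknown, "wb") as f:
        f.write(b"MZ constructed unknown program")   # never verified by the user
    allowlist = build_allowlist([trusted])
    results = {
        "trusted": decide(trusted, allowlist)[0],
        "unknown": decide(unknown, allowlist)[0],
    }
    with open(trusted, "ab") as f:
        f.write(b" patched")   # tampering changes the hash, so it is now unknown
    results["trusted_after_patch"] = decide(trusted, allowlist)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the patched copy of the trusted binary is denied for the same reason the unknown installer is: the policy never had to recognise it as a rootkit, only as something not on the verified list.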
thanks for the nice explanation man
Quote: The golden rule is: deny by default and allow by exception.
Take heart and be patient as you gradually learn the way HIPS operates on your behalf.
A quality HIPS software will offer even the most novice user relevant enough information to make a safe determination on how to proceed or not.
You will do fine with the proper time spent to study through any HIPS techniques, alerts, and its information on why it aborts executables before handing control back to its user again, mainly yourself.
I recommend using a solid performing behavioral blocker (few that there are right now), such as MAMUTU, in a supporting role to your HIPS to give you more confidence and keep your HIPS program honest and on target as to what needs to be allowed compared to what can be blacklisted.
My question would be:
How many rootkits have you gotten that makes you concerned about best rootkit detection?
or is this just theoretical?