theoretical question (HIPS vs already installed rootkit)

Discussion in 'other anti-malware software' started by wutsup, Apr 20, 2010.

Thread Status:
Not open for further replies.
  1. wutsup

    wutsup Registered Member

    Sep 20, 2009
    United States
    hello all, i just thought of something interesting.

    lets say a computer has a rootkit already installed and no signature based antimalware detects it, but you then install a stand alone hips, a hips with firewall, or a behavior blocker such as threatfire or mamutu. would the HIPS or BB alert the user when the rootkit is doing some kind of fishy activity?

    post your thoughts, wutsup
  2. 3x0gR13N

    3x0gR13N Registered Member

    May 1, 2008
    Rootkit installed=complete control. It can do whatever it wants as long as it's programed to do it. That would be the answer to the theoretical question. However, in reality it depends on the rootkit, if it's not too advanced it can be detected post-install.
    Prevention is better either way ;).
  3. _kronos_

    _kronos_ Registered Member

    Dec 8, 2008
    It depends on the hips you installed, the ruleset, and your ability to understand how it works.
    The most of the times, teorically, you have to consider the definition of hips: Host Based Intrusion Prevention System.
    Prevention is different from Cure:)

  4. doktornotor

    doktornotor Registered Member

    Jul 19, 2008
    Well, for me, a rootkit -> game over and reinstall/image restore. That included the Sony rootkit. Simply don't trust such machine any more. As for removal, definitely wouldn't install anything on such box and rely on removal; rescue CD only.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.