theoretical question (HIPS vs already installed rootkit)

Discussion in 'other anti-malware software' started by wutsup, Apr 20, 2010.

Thread Status:
Not open for further replies.
  1. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Hello all, I just thought of something interesting.

    Let's say a computer has a rootkit already installed and no signature-based anti-malware detects it, but you then install a stand-alone HIPS, a HIPS with firewall, or a behavior blocker such as ThreatFire or Mamutu. Would the HIPS or BB alert the user when the rootkit is doing some kind of fishy activity?

    Post your thoughts, wutsup
     
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Rootkit installed = complete control. It can do whatever it wants as long as it's programmed to do it. That would be the answer to the theoretical question. However, in reality it depends on the rootkit; if it's not too advanced it can be detected post-install.
    Prevention is better either way ;).
     
  3. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    It depends on the HIPS you installed, the ruleset, and your ability to understand how it works.
    Most of the time, theoretically, you have to consider the definition of HIPS: Host-based Intrusion Prevention System.
    Prevention is different from cure :)

    Regards
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, for me, a rootkit -> game over and reinstall/image restore. That included the Sony rootkit. Simply don't trust such a machine any more. As for removal, I definitely wouldn't install anything on such a box and rely on removal; rescue CD only.
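The "rescue CD only" point above rests on a simple idea: a rootkit that hooks the running kernel can only lie to views taken through that kernel, so a listing and set of file hashes taken from an offline mount (rescue media) is the reference, and anything the live system shows differently is suspect. The snippet below is an added example, not code posted in this thread or part of any product it names. It implements that cross-view comparison in Python; `hash_tree`, `cross_view_diff` and `suspicious` are names chosen here, and the two sample views are constructed data, not captured from a real machine. Its one caveat is the thread's own: the offline view is only trustworthy if the rescue media and the hardware it boots on are.

```python
"""Cross-view detection: live (possibly hooked) view vs. offline (rescue-media) view.

Added example for this thread. The helper names and the sample data are
assumptions of the example, not taken from any tool or real system.
"""
import hashlib
import os
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (stands in for hashing a file's contents)."""
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Walk `root` and map each file's path (relative to root, '/'-separated) to
    its SHA-256. Run once on the live system and once on the same volume mounted
    from rescue media; the two results are the inputs to cross_view_diff()."""
    view: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256()
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable entries are skipped, not guessed at
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            view[rel] = digest.hexdigest()
    return view


# Constructed sample views (not captured from any real system).
# LIVE_VIEW: what a scanner running on the infected machine sees through the hooked kernel.
# OFFLINE_VIEW: the same volume enumerated from a rescue CD, where the hooks are not running.
LIVE_VIEW: Dict[str, str] = {
    "Windows/System32/drivers/disk.sys": sha256_hex(b"clean disk driver"),
    "Windows/System32/drivers/ndis.sys": sha256_hex(b"clean ndis driver"),   # hook returns clean bytes
    "Windows/System32/svchost.exe": sha256_hex(b"clean svchost"),
}
OFFLINE_VIEW: Dict[str, str] = {
    "Windows/System32/drivers/disk.sys": sha256_hex(b"clean disk driver"),
    "Windows/System32/drivers/ndis.sys": sha256_hex(b"patched ndis driver"),  # what is really on disk
    "Windows/System32/svchost.exe": sha256_hex(b"clean svchost"),
    "Windows/System32/drivers/rk.sys": sha256_hex(b"rootkit driver"),        # hidden from the live view
}


def cross_view_diff(live: Dict[str, str], offline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the two views. Returns:
       hidden   - on disk offline, but absent from the live listing (hiding)
       tampered - present in both, but the live hash differs (read-time spoofing)
       phantom  - in the live listing only (a view that is not backed by the disk)
    """
    hidden = sorted(p for p in offline if p not in live)
    tampered = sorted(p for p in live if p in offline and live[p] != offline[p])
    phantom = sorted(p for p in live if p not in offline)
    return {"hidden": hidden, "tampered": tampered, "phantom": phantom}


def suspicious(live: Dict[str, str], offline: Dict[str, str]) -> bool:
    """True if the two views disagree in any way."""
    return any(cross_view_diff(live, offline).values())


if __name__ == "__main__":
    for kind, paths in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

In practice the two `hash_tree` runs must cover the same paths and be taken close together in time, otherwise ordinary updates show up as "tampered". A clean machine produces an empty diff; the sample above reports one hidden driver and one driver whose on-disk bytes differ from what the live system reads back.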
     