What is GMER? - Yes, your REAL-TIME protection against rootkits. All settings here

Discussion in 'other anti-malware software' started by PROROOTECT, Feb 17, 2009.

Thread Status:
Not open for further replies.
  1. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    GMER - our Real-Time Protection against rootkits; also detection and removal of MBR rootkits.

    The latest version, 1.0.14, is here: http://www.gmer.net/index.php Click on the gmer.zip or 1.0.14 links.

    All Settings (tick all boxes):

    System protection and tracing
    Processes
    Save created processes to the log
    Drivers
    Save loaded drivers to the log

    User's application protection and tracing
    Processes
    Save created processes to the log
    Libraries
    Drivers
    Prompt before loading drivers
    Save loading drivers to the log
    Files and folders
    Prompt before creating executable files in the system folders
    Registry
    Prompt before modification of autorun-like keys

    Network
    Prompt before unauthorized connection attempts
    Save connections to the log

    Internet Explorer Browser
    Allow default IE connections only
    Prompt before creating new processes
    Prompt before creating executable file

    Microsoft Outlook and Outlook Express
    Allow default mail connections only
    Prompt before creating new processes
    Prompt before creating executable file

    ... and more ....

    ... Log ... AV Scanner ...

    ... if you search above all: Real-Time Protection ...

    Look also: https://www.wilderssecurity.com/showthread.php?t=229197&highlight=GMER

    Your System PROROOTECT ... and more:thumb:
     
  2. demonon

    demonon Guest

    Wow, I never knew GMER was real-time.
    But then again I never paid much attention to it, I just know that Avast! uses GMER anti-rootkit.
     
  3. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    This is a well-known tool. Some rootkits even block the GMER homepage.

    Funny however, that it detected the following as malware:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-17 17:18:31
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    ---- EOF - GMER 1.0.14 ----

    On the other hand, it would be interesting to see if such tools are able to detect Hypervisor Mode Rootkits.

    Regards :)
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi Demonon,

    No, Demonon, Avast has only a little rootkit detector: catchme.exe ... ONLY.

    Yes, its developer is the same Mr Gmerek.

    PS. To detect/remove an MBR rootkit, use GMER or the very tiny mbr.exe, at the bottom of the page: http://www2.gmer.net/mbr/

    PROROOTECT
     
  5. BrendanAdams

    BrendanAdams Registered Member

    Joined:
    Jan 2, 2009
    Posts:
    137
    Location:
    France
    I used gmer regularly on my previous laptop, and I found it great. Unfortunately, it keeps crashing on my new one :(
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Please refrain from commenting on things you don't know.

    What you said is not true.


    Thanks
    Vlk
     
  7. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi Vlk,

    Avast anti-rootkit is 'based on GMER technology' - but this is NOT the GMER, of course.

    For technical details - ask the developer.

    PS. catchme - it is also based ...

    Sleep tight.

    PROROOTECT:thumb::isay:
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Did GMER report those in red color? If not, then it is just letting you know there are hidden objects. Not exactly malware.

    Regards
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  10. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    No, it wasn't in red, however it was under the Rootkit/Malware tab. Of course, I know it's not malware. Anyway, thanks for your comment.

    Best regards.
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Are you referring to the so-called blue pill malware? If so there's much debate over how undetectable they may or may not be.:doubt:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    How long has it been since GMER was updated?

    Anyone hold an accurate timeline or review on that?

    EASTER
     
  13. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I would rather be more worried about kernel mode rootkits, which are the real threat, and most of them easily bypass all major anti-rootkit software ;)
     
  14. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    Agreed, there is stuff currently in the wild that flattens GMER... fake the SSDT and it's bypassed :eek:

    As we know, any ARK, to stay effective, needs to be updated to counter newly emerging POCs or later-appearing ITW RKs utilizing those tricks.

    The arms race goes on...
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    That line of replies answered my question, thanks.

    EASTER
     
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The same here. Previous versions worked on Vista, but the last two just crash :(
     
  17. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Can someone who knows how to use GMER help me understand it? Am I looking only for red entries? I understand that if the entries are not red then they are hidden... not necessarily malware. Does it NEED to be red in order for it to be malware?

    I'm confused o_O

    Also, on the first page of this thread it says GMER protects in real-time... how so? Does this mean it actively prevents rootkits?

    Sorry for the dumb questions... I've just always wanted to know how this program works.

    Thanks,
    Toby
     
  18. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Yes, the red ones are malware. Make sure you scan with no other programs open because it can have disastrous results; it said Firefox was a bad rootkit. At the time I didn't know I had to close everything.
     
  19. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Toby75

    Actually, RED ones "might" be malware. Not absolutely 100% RKs or malware, but could be.

    Lots of legitimate Apps hook the Kernel, such as HIPS etc. For example, Online Armor shows quite a number of RED entries.

    If you delete etc. any RED entries that are safe, you may end up in serious doo doo.

    If you don't immediately recognise entries, RED or otherwise, then use a search engine to research further on them.

    If you're not certain what you're doing, it's probably best not to tinker.

    You could also cross-reference with other ARKs. Here's a short list of some of the better ones.

    Rootkit Unhooker, Radix, kx-Ray, RootRepeal, IceSword

    Also it might be a good idea to have a look on here http://forum.sysinternals.com and ask there for advice too.


    Real-time protection has been removed from the later version of GMER.
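Added example (not code from the thread or from GMER): a small triage script for the "Devices" section of a GMER log in the format quoted in post #3, following the advice above to research entries before acting. It parses each AttachedDevice line, groups hooks by driver file, and marks drivers whose vendor is not on a constructed allowlist (KNOWN_VENDORS, an assumption) for manual research; the unkfltr.sys line in the sample is constructed, not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the GMER 1.0.14 "Devices" section quoted above.
# The unkfltr.sys line (no description) is invented to exercise the "unrecognised" path.
SAMPLE_LOG = r"""---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip unkfltr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
---- EOF - GMER 1.0.14 ----"""

# target object, device object, driver file, optional "(product/vendor)" description
LINE_RE = re.compile(r"^AttachedDevice\s+(?P<target>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)"
                     r"(?:\s+\((?P<desc>[^)]*)\))?$")

KNOWN_VENDORS = {"PC Tools", "COMODO"}  # constructed allowlist; build yours from your own inventory

def parse_devices(log_text):
    """Return one dict per AttachedDevice line inside the Devices section."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("---- Devices"):
            in_section = True
            continue
        if line.startswith("----"):          # any other section header, or the EOF marker
            in_section = False
        m = LINE_RE.match(line) if in_section else None
        if m:
            e = m.groupdict()
            product, _, vendor = (e.pop("desc") or "").rpartition("/")
            e["product"], e["vendor"] = product, vendor   # both "" when no description
            entries.append(e)
    return entries

def triage(entries):
    """Group hooked devices by driver file; mark drivers without an allowlisted vendor for research."""
    by_driver = defaultdict(lambda: {"vendor": "", "hooks": []})
    for e in entries:
        rec = by_driver[e["driver"]]
        rec["vendor"] = rec["vendor"] or e["vendor"]
        rec["hooks"].append(e["device"])
    for rec in by_driver.values():
        rec["verdict"] = ("known security product" if rec["vendor"] in KNOWN_VENDORS
                          else "unrecognised: research before acting")
    return dict(by_driver)
```

A "known security product" verdict only means the log's own description names an allowlisted vendor; it is a starting point for the cross-referencing suggested above, not proof the file is genuine.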
     
  20. thathagat

    thathagat Guest

  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  22. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480

    Thanks man.

    I have no RED entries... so this means I have no rootkits, right?
     
  23. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Toby75

    "I have no RED entries... so this means I have no rootkits, right?"


    Not necessarily! GMER is a very useful tool, but some of the others I listed earlier can show more info. Also each ARK analyses the system in slightly different ways, and some are capable of more in-depth probing etc.

    That's why, as I suggested previously, it would be a good idea to use those other ARKs too, and cross-reference any results/discrepancies etc.

    As a point of interest, do you think you might have an RK in your PC, or are you just experimenting?


    http://www.antirootkit.com/software/index.htm hasn't been updated for quite some time, but it's still very useful as a reference, as is http://forum.sysinternals.com/forum_posts.asp?TID=962
     
  24. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480

    Thanks for the info. Yes, I should have mentioned that I am just playing around with different ARKs. I'll try out the ones you mentioned above.

    Thanks again,

    Toby
     
  25. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I like the look of these features.

    • Prompt before loading drivers
    • Prompt before creating executable files in the system folders
    • Prompt before modification of autorun-like keys
    • Prompt before unauthorized connection attempts

    I'm looking for something to replace Threatfire as it used to crash occasionally and Outpost didn't install properly.

    Looks good.

    EDIT :
    Where are these settings in the GMER GUI? I can't see them.
     
    Last edited: Aug 7, 2009