Does Norton Anivirus detect rootkits?

  • Thread starter Thread starter psomerson
  • Start date Start date
P

psomerson

Does Norton Anivirus detect rootkits? I heard that rootkits are not
detectable.

thanks
 
Sunny said:
http://securityresponse.symantec.com/avcenter/venc/data/freebsd.rootkit.html
Click to expand...
Note! - that detection is ONLY for the installer Trojan, NOT for the rootkit
itself!

Rootkits are a broad church - strictly, Rootkits are programs which are
designed to be invisible from the OS, and therefore programs running from
the OS can't see them (but may be able to see the results of their actions).
However, the current usage of the term is very much broader, and some things
labelled 'rootkits' can be detected by AV's - but some true root cannot!

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
This is why I asked the question a week or so back about laplinks new
software PC defense. Does this or KAV, or Nod, or any other work against
this?
mc
 
mc said:
This is why I asked the question a week or so back about laplinks new
software PC defense. Does this or KAV, or Nod, or any other work against
this?
mc
Click to expand...

The protection comes from preventing installation of the rootkit in the
first place - which most AV's can do (and what that Symantec link
demonstrates)
Once a rootkit is in place and running, the machine is not yours!
--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Noel said:
The protection comes from preventing installation of the rootkit in the
first place - which most AV's can do (and what that Symantec link
demonstrates)
Once a rootkit is in place and running, the machine is not yours!
Click to expand...

once a stealthkit (or any other malware, really) is in place and running
you need to boot the machine from a known-clean bootable medium in order
to be able to reliably detect anything...
 
Does Norton Anivirus detect rootkits? I heard that rootkits are not
detectable.
Click to expand...

Mainstream antivirus products are probably nearly useless against
installed rootkits while Windows is running. The role of av while
Windows is running is to act as a preventative ... or a aid to
prevention. They can help block malware installations in the first
place. Recognizing (detecting and blocking) known rootkit install
packages is no different from recognizing other malware install
packages. Remember that there are a number of malwares which aren't
rootkits that disable mainstream av and software firewalls.

I qualified my first sentence above with "while Windows is running"
since av products would certainly have a chance at detecting and
removing rootkits when the scan of a drive is done via formal
scanning, which requires the use of a alternate operating system.

Many anti-rootkit products exist as can be seen here:

http://www.antirootkit.com/software.htm

These tools are designed to detect installed rootkits while Windows is
running. It's a unending battle. Rootkits which avoid detection of
known anti-rootkits are continually being developed.

The only way to go is to practice prevention, and it's a good idea to
have a cloned bootable backup hard drive on hand, just in case :)

Art
http://home.epix.net/~artnpeg
 
From: "psomerson" <[email protected]>

| Does Norton Anivirus detect rootkits? I heard that rootkits are not
| detectable.

| thanks


Yes it will detect RootKits such as the Haxdoor and Goldun families. The question is more
like after they are detected, is NAV/SAV able to remove it !

The answer is not well since NAV/SAV doesn't fix alterations to the Registry and will need
manual intervention.
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mainstream antivirus products are probably nearly useless against
installed rootkits while Windows is running.
Click to expand...

NOD32's rootkit-removal abilities may surprise you, I've not come across
many rootkits that it cannot remove, even on a live and infected machine.

It certainly surprised me :-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEXz6j7uRVdtPsXDkRAnNJAJ9BN+to5TcfeRYuGK4ADDZLXfAmIQCeJV4g
YMfyJ27I+uyTFxU/ijcQeVM=
=0MUy
-----END PGP SIGNATURE-----
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Real stealth malware? Or just some crap that too many people call
rootkits?
Click to expand...

Well it picks up the crap, of course, but I have done testing with some
"proper" rootkits and it's been able to render them completely inactive.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEX4OF7uRVdtPsXDkRAgNyAKCNiJpLydJFm3NGj7OJrIjRS07T6gCfTOo4
e5toSd/Y5yyi44sE0aObXd8=
=D5Zy
-----END PGP SIGNATURE-----
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Noel said:
For example????
Click to expand...

AFX and FU I believe, as well as several that were installed by viruses and
spyware. I tried a few other easily-available rootkits that I can't
remember the names of as well. Can you think of any I missed?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEX5++7uRVdtPsXDkRAu0iAJ9ME/0L5Nc1TyE3+SYHXB+AbuVacQCbB6lo
thbJW2vVIPYRWhtHSU4zSzc=
=qkZw
-----END PGP SIGNATURE-----
 
That brings me back to the Laplink PCdefense software... its supposed to
tell you if something is messing around with the registry. I wonder if it
works?
mc
 
Adam Piggott said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



AFX and FU I believe, as well as several that were installed by viruses
and
spyware. I tried a few other easily-available rootkits that I can't
remember the names of as well. Can you think of any I missed?
Click to expand...


only a few!
:)

You might find this interesting...
http://research.microsoft.com/rootkit/

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Back
Top