P
Paul
Does Windows Defender detect rootkits?
--
Paul
MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
--
Paul
MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
K
Kayman
Does Windows Defender detect rootkits?
No!
Educational viewing!
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
B
Bill Sanderson
There's room for some debate about this. Windows Defender did detect the
Sony software which Mark Russinovich discovered originally, and which was
essentially a rootkit.
The Malicious Software Removal tool, which I hope everyone here is running
once a month as part of the monthly security patch download, specializes in
some rootkit families.
However, in general, specialized software aimed specifically at rootkits are
best at this job.
--
Sony software which Mark Russinovich discovered originally, and which was
essentially a rootkit.
The Malicious Software Removal tool, which I hope everyone here is running
once a month as part of the monthly security patch download, specializes in
some rootkit families.
However, in general, specialized software aimed specifically at rootkits are
best at this job.
--
K
Kayman
There's room for some debate about this. Windows Defender did detect the
Sony software which Mark Russinovich discovered originally, and which was
essentially a rootkit.
Yes, I know. But this was quite some time ago. Rootkits have evolved and
differentiated. WinDef has evolved in a different direction.
The Malicious Software Removal tool, which I hope everyone here is running
once a month as part of the monthly security patch download, specializes in
some rootkit families.
True. The key is "some rootkit families". Mark Russinovich is recommending
scanning with as many 'specialized' tools as practicable. (WinDef is not
included.)
However, in general, specialized software aimed specifically at rootkits are
best at this job.
Yes, I would've thought that tools like Rootkit Revealer, GMER, ComboFix
etc. are (nowadays) much more suitable for rootkit detection.
K
Kayman
Does Windows Defender detect rootkits?
Avoiding Rootkit Infection.
The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection however there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges" (LUA in XP and
UAC in Vista).
P
Paul
Reason why I'm asking is that I've been having a lot of slowdowns with two av
programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
and then doubling up with a more traditional spyware app that would, such as
WinDef. But I see that this wouldn't work.
OK--it sounds like you guys are saying you really have to run a separate
scan with these other rootkit detectors.
Is the real-time protection that such av programs claim to provide against
rootkits actual? or is it hype?
--
Paul
MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
and then doubling up with a more traditional spyware app that would, such as
WinDef. But I see that this wouldn't work.
OK--it sounds like you guys are saying you really have to run a separate
scan with these other rootkit detectors.
Is the real-time protection that such av programs claim to provide against
rootkits actual? or is it hype?
--
Paul
MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
P
Paul
Or do they simply mean that when you do a scan, they can pick it up, without
any real-time protection?
--
Paul
MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
any real-time protection?
--
Paul
MS Office Pro 2003
XP Home SP3
Dell Inspiron 1501
J
Jo-Anne
For what it's worth, AntiVir will run a rootkit scan separately from its
regular scan. You click on Local Protection, then Rootkit Search ("this
profile checks your system for active rootkits"), then the Start Search icon
above "Local Drives." The initial search is a quick one and includes the
registry. It is then suggested that you scan the system partition, and you
click yes or no.
I have no idea, of course, how good the rootkit scan is.
Jo-Anne
regular scan. You click on Local Protection, then Rootkit Search ("this
profile checks your system for active rootkits"), then the Start Search icon
above "Local Drives." The initial search is a quick one and includes the
registry. It is then suggested that you scan the system partition, and you
click yes or no.
I have no idea, of course, how good the rootkit scan is.
Jo-Anne
R
robinb
from different newsgroups I frequent it is suppose to be very good
robin
robin
K
Kayman
Reason why I'm asking is that I've been having a lot of slowdowns with two av
programs that claim to detect rootkits--F-Secure and Avast. I'm thinking of
going to freeware av that doesn't claim to detect rootkits (such as AntiVir),
and then doubling up with a more traditional spyware app that would, such as
WinDef. But I see that this wouldn't work.
http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html
OK--it sounds like you guys are saying you really have to run a separate
scan with these other rootkit detectors.
*Educational viewing!!!!*
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
Is the real-time protection that such av programs claim to provide against
rootkits actual? or is it hype?
Avoiding Rootkit Infection.
The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection however there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges" (LUA in XP and
UAC in Vista).
Running MRT provided monthly by MSFT can be beneficial detecting some
rootkits.
Rootkit Removal applications.
The effectiveness of an individual Rootkit removal application are
wide-ranging and it is recommended utilizing a collection of
detection/removal tools; You are encouraged to try all of them (join
relevant fora for additional support i.e. interpretation of scan results):
ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.thespykiller.co.uk/index.php?board=3.0
DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18
F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13
GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17
IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php
McAfee Rootkit Detective
http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip
Panda Anti Rootkit
http://research.pandasecurity.com/blogs/images/AntiRootkit.zip
RAIDE
http://www.rootkit.com/project.php?id=33
download:
http://www.rootkit.com/vault/petersilberman/RAIDE_BETA_1.zip
http://www.rootkit.com/boardm.php
RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip
Rootkit Revealer
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15
RootKit Hook Analyzer
http://www.softpedia.com/get/Security/Security-Related/RootKit-Hook-Analyzer.shtml
http://www.antirootkit.com/forums/viewforum.php?f=17
RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17
RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip
Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Direct link:
http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/net...irewalls/113585-free-sophos-anti-rootkit.html
System Virginity Verifier
http://www.softpedia.com/get/System/System-Info/System-Virginity-Verifier.shtml
http://www.antirootkit.com/forums/viewforum.php?f=25
System Virginity Verifier
http://www.antirootkit.com/software/System-Virginity-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25
VICE
http://www.rootkit.com/project.php?id=20
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php
B
Bill Sanderson
Kayman said:Yes, I know. But this was quite some time ago. Rootkits have evolved and
differentiated. WinDef has evolved in a different direction.
True. The key is "some rootkit families". Mark Russinovich is recommending
scanning with as many 'specialized' tools as practicable. (WinDef is not
included.)
Yes, I would've thought that tools like Rootkit Revealer, GMER, ComboFix
etc. are (nowadays) much more suitable for rootkit detection.
Agreed. the caveat being that few of these tools are suitable for the
average end user, or even network admin who isn't accustomed to dealing
directly with malware.
I believe F-secure's blacklight application is still available--this is one
that is usable by anyone, and has actually found a rootkit for me, anyway.
http://www.f-secure.com/security_center/
(next to the bottom link)
Rootkit Revealer is an excellent app, but the results require some
interpretation, and I still see scans in which the large numbers of items
found make it difficult to see whether any of it is "real."
B
Bill Sanderson
I don't know this answer. I don't have any experience with actual
detections of rootkits by standard antimalware software.
My suspicion is that they look for signatures for existing known rootkits,
rather than looking at behavior, which the more specialized stuff is
essentially doing.
The last rootkit I saw was several years back, and it had disabled the
antimalware software on the machine which was a primary clue to its
presence!
I'd tend to be skeptical about the value of signature based detection of
rootkits. That said, I really don't know what the vendors you mention are
doing, so I should probably shut up and do some reading about it.
detections of rootkits by standard antimalware software.
My suspicion is that they look for signatures for existing known rootkits,
rather than looking at behavior, which the more specialized stuff is
essentially doing.
The last rootkit I saw was several years back, and it had disabled the
antimalware software on the machine which was a primary clue to its
presence!
I'd tend to be skeptical about the value of signature based detection of
rootkits. That said, I really don't know what the vendors you mention are
doing, so I should probably shut up and do some reading about it.
B
Bill Sanderson
Thanks!
I didn't read all the way down on your earlier post--that's a very nice list
indeed, and I've not used all of those tools, although I have used many of
them.
I will say that in my work, the recent experience I have where a machine was
unresponsive, and seemed to have the CPU pegged, and I couldn't find the
process easily with taskmanager: in at least three such situations, the
cause turned out to be a Hewlett Packard printer driver related process..
(that knowledge may save some time in looking at the antirootkit tools!)
I didn't read all the way down on your earlier post--that's a very nice list
indeed, and I've not used all of those tools, although I have used many of
them.
I will say that in my work, the recent experience I have where a machine was
unresponsive, and seemed to have the CPU pegged, and I couldn't find the
process easily with taskmanager: in at least three such situations, the
cause turned out to be a Hewlett Packard printer driver related process..
(that knowledge may save some time in looking at the antirootkit tools!)
K
Kayman
Agreed. the caveat being that few of these tools are suitable for the
average end user, or even network admin who isn't accustomed to dealing
directly with malware.
I believe F-secure's blacklight application is still available--this is one
that is usable by anyone, and has actually found a rootkit for me, anyway.
http://www.f-secure.com/security_center/
(next to the bottom link)
Rootkit Revealer is an excellent app, but the results require some
interpretation, and I still see scans in which the large numbers of items
found make it difficult to see whether any of it is "real."
Frankly, I have a hard time to interpret the results. That's why I included
this caveat to my post:
"...(join relevant fora for additional support i.e. interpretation of scan
results):..."
G
gene
Kayman said:*Educational viewing!!!!*
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
Nice list. The problem for most of us, or at least me, is in
interpreting the findings. For example, with Rootkit Unhooker I barely
have a clue what to do with the results. Failing that, I run Comodo's
resident anti-rootkit utility, BOC (free), for what it's worth.
Gene
K
Kayman
"...(join relevant fora for additional support i.e. interpretation of scanNice list. The problem for most of us, or at least me, is in
interpreting the findings. For example, with Rootkit Unhooker I barely
have a clue what to do with the results. Failing that, I run Comodo's
resident anti-rootkit utility, BOC (free), for what it's worth.
results):..."