Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antirootkit Vendors


  • Please log in to reply
2 replies to this topic

#1 USN Vet

USN Vet

  • Members
  • 190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:47 AM

Posted 22 May 2011 - 11:26 AM

Can someone recommend a good antirootkit vendor ?

Edit: Moved topic from All Other Applications to the more appropriate forum. ~ Animal
Feel free to ignore my comment, just another user !

BC AdBot (Login to Remove)

 


#2 USN Vet

USN Vet
  • Topic Starter

  • Members
  • 190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:47 AM

Posted 23 May 2011 - 05:08 AM

got my answers from another forum. thanks anyway.
Feel free to ignore my comment, just another user !

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:47 AM

Posted 23 May 2011 - 06:14 AM

Hello USN Vet. Thank you for your service.

I don't know what information you received but here are some points to keep in mind about using ARK tools.

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

There are many free anti-rootkit tools but some of them require a certain level of expertise and investigative ability to use. These are a few of the easier ARKS for novice users:Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.

Before performing an anti-rootkit (ARK) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware and then you can reconnect to the Internet.

If you are using a CD Emulator (Daemon Tools, Alchohol 120%, Astroburn, AnyDVD, etc) be aware that they use rootkit-like techniques techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative or security tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode. Since this is the case, please follow these instructions to disable CD Emulators until disinfection is completed.

USCG Vet (retired)
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users