Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Antivirus Tests Show Rootkits Hard to Kill

Posted by timothy on from the malice-evolves dept.

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

9 of 178 comments (clear)

  1. Re:Naturally, (on first) by wizardforce · · Score: 3, Informative

    "Security suites and online Web scanners detect only a little more than half of all rootkits
    security suites/online web scanners != antivirus only. as for why

    AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits
    I would have to say that a lot of scanners that are referred to as being antivirus target several types of malare, viruses especially so but not exclusively. havng to develop separate scanners for each type of malware and actually charging for them would be enormously expensive, not that they won't be doing it soon.
    --
    Sigs are too short to say anything truly profound so read the above post instead.
  2. Re:Bootable antivirus discs? by tsvk · · Score: 4, Informative

    Ah. Lazy me for not searching more closely before asking... just found this as one alternative: http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html.

  3. Re:Not really surpirsed by Hatta · · Score: 5, Informative

    Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.

    It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.

    --
    Give me Classic Slashdot or give me death!
  4. Well, DUH! by Todd+Knarr · · Score: 5, Informative

    First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.

  5. Info - Anti rootkit tools by Fallen+Andy · · Score: 3, Informative
    For your friends, non tech users:

    AVG Free 8.0 (free.grisoft.com) or AVG free antirootkit if they are using 7.5 free.

    Hint: AVG 8 *removes* their old free antirootkit.

    For techie users grab the sysinternals toolkit from majorgeeks etc. (Rootkit revealer). For real techies a copy of "Rootkit Unhooker LE" (rku.nm.ru) but (like Hijack This) hide this one from non techie users so they don't fiddle with it ...

    (oh and beware some versions of daemon tools which use rootkit like functionality to hide their virtual cd driver).

    Andy

  6. Re:Bootable ClamAV CD image... Ubuntu live CD? by ma1wrbu5tr · · Score: 5, Informative

    Steveha..
    http://www.ultimatebootcd.com/
    http://www.ubcd4win.com/
    Both have excellent tools on them, including some UPDATABLE AV kits.

    --
    Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
  7. Re:Bootable antivirus discs? by houstonbofh · · Score: 3, Informative

    http://www.ubcd4win.com/

    It is not totally burn and go, thanks to Microsoft and the EULA, but very close. I was just updating my images today, as a matter of fact. Several clients have the latest "It burns when I pee" support calls scheduled.

  8. Re:I don't even bother trying to clean them up. by jimicus · · Score: 4, Informative

    What you described sounds similar to how signature/definition-based scanners work. I'm sure a lot of scanners make bootable versions - I know that older versions of McAfee came with a boot floppy.

    Not really.

    Signature-based scanners are a glorified form of grep. They look through every file looking for a string of bytes which is reasonably unique to a virus. It's not possible to have a computer know in advance with 100% certainty whether executing a particular block of code is dangerous - the best you can do is say "this is probably dangerous", so realistically your options are:

    1. Look for things which are known to be bad, delete any we find. Well, 20 years of antivirus should have taught us by now that this is a crappy solution.
    2. Look for things which are known to be good. Anything which isn't known to be good we delete. This is essentially what I described originally.

    The minor issue with this (and indeed with what I described) is that writing a general-purpose application which does this without leaving the system broken beyond real use (who's going to put up with an AV product which deletes every data file they've got because there have been known vulnerabilities in programs which read those files?) is impossible.

    However, they do say an ounce of prevention is worth a pound of cure, and nowhere in IT is it more true than here. Don't allow users to run as admin, filter email for anything even remotely suspicious, configure your desktop PCs to automatically update, run antivirus on your fileserver to slow down the spread of anything, get proper configurable desktop AV software - preferably configurable such that end users can't easily mess with the configuration - and set it up to scan everything on access.

    And while we're at it, abandon any email scanner which filters dodgy attachments on the basis of their file extension. The first virus which comes with text saying "Rename to .exe and run" will sail straight through.

    This sounds like a lot of work, but I've been in the middle of dealing with virus outbreaks before. Once configured, 99.5% of my suggestions can be just left to their own devices and it's a lot less hassle than dealing with a virus outbreak.
  9. Re:Interesting way of putting it by nuckfuts · · Score: 3, Informative

    "in this day and age IMHO it is kind of silly that I can't simply make a list of the two dozen or so programs that I use and have them be the only things that are allowed to run".

    For Windows, what you are describing is Software Restriction Policies. This has been around for some time.