Slashdot Mirror


New Antivirus Tests Show Rootkits Hard to Kill

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

3 of 178 comments

  1. Re:Not really surprised by Hatta · Score: 5, Informative

    Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.

    It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.

    --
    Give me Classic Slashdot or give me death!
  2. Well, DUH! by Todd+Knarr · Score: 5, Informative

    First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.
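
The point made in the comment above, as an added example that is not part of the original thread: a cross-view check that compares a file manifest collected through the running OS with one collected from write-protected boot media, and flags files the live view hides or misreports. The manifest format, the function names and the sample entries (including the shortened digests) are assumptions constructed for illustration.

```python
# Added example: cross-view comparison of two file manifests of one volume.
# Assumed manifest format: "<sha256> <size> <path>" per line (constructed).

def parse_manifest(text):
    """Parse manifest lines into {normalised_path: (digest, size)}."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # path is last, so it may contain spaces
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"line {n}: malformed manifest entry")
        digest, size, path = parts
        # Windows paths are case-insensitive; normalise before comparing views.
        key = path.replace("\\", "/").lower()
        entries[key] = (digest.lower(), int(size))
    return entries

def cross_view_diff(live, offline):
    """Return (kind, path) findings where the live view disagrees with offline."""
    findings = []
    for path, trusted in sorted(offline.items()):
        seen = live.get(path)
        if seen is None:
            findings.append(("hidden_from_live", path))   # file is concealed
        elif seen != trusted:
            findings.append(("content_differs", path))    # false data returned
    for path in sorted(set(live) - set(offline)):
        findings.append(("only_in_live", path))
    return findings

# Constructed sample: listing taken through the running (untrusted) OS ...
LIVE = """\
aaaa 1024 C:\\Windows\\System32\\kernel32.dll
bbbb 2048 C:\\Windows\\System32\\drivers\\disk.sys
"""
# ... and a listing of the same volume taken from write-protected boot media.
OFFLINE = """\
aaaa 1024 C:\\Windows\\System32\\kernel32.dll
cccc 2304 C:\\Windows\\System32\\drivers\\disk.sys
dddd 512 C:\\Windows\\System32\\drivers\\hidden.sys
"""

if __name__ == "__main__":
    for kind, path in cross_view_diff(parse_manifest(LIVE), parse_manifest(OFFLINE)):
        print(kind, path)
```

Files that legitimately change between the two snapshots (logs, the page file, registry hives) also show up as differences, so findings need triage rather than being treated as proof of infection.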

  3. Re:Bootable ClamAV CD image... Ubuntu live CD? by ma1wrbu5tr · Score: 5, Informative

    Steveha..
    http://www.ultimatebootcd.com/
    http://www.ubcd4win.com/
    Both have excellent tools on them, including some UPDATABLE AV kits.

    --
    Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!