Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Antivirus Tests Show Rootkits Hard to Kill

Posted by timothy on from the malice-evolves dept.

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

4 of 178 comments (clear)

  1. In other news... by Oxy+the+moron · · Score: 5, Insightful

    Grass is green, sky is blue, Pope is Catholic, etc...

    When people create these things... isn't the intent to make them hard to detect/kill?

    What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.

    --

    Proudly supporting the Libertarian Party.

  2. Re:Interesting way of putting it by mckinnsb · · Score: 5, Insightful

    In other news: half of jokes made on Slashdot are incorrectly interpreted as serious commentary.

  3. AV's actually doing quite well by Conspicuous+Coward · · Score: 5, Insightful

    If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.

    That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

    Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.

    1. Re:AV's actually doing quite well by Carnildo · · Score: 5, Insightful

      That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).


      It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.
      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.