Rootkit Detection


meadish_sweetball

Recommended Posts

Antivir just informed me that as of the latest update I have the opportunity to install a 'rootkit detection' application. Since I didn't know what rootkits were I did a bit of Googling and came to the conclusion that it was something like 'applications that attempt to hide malware installations' (this may not be entirely correct but that's as far as I got).

So now the question is: should I install the rootkit detection software they are offering? Is the reason they are asking just out of courtesy, or do these things have a high propensity for turning up false positives and blocking legitimate functions?

I am running a legal genuine copy of Windows XP Pro SP2.

A rootkit has an effect like hypnotizing your computer into seeing itself as perfectly fine when it's really not. That's how it hides malware on the system. Rootkit revealer used to be one of the few programs able to detect them but Antivir, nod32 and a few other Antivirus programs now are capable of it as well.

I would go ahead and install it Meadish. I've never had a rootkit detection utility interfere with legit programs.

I would go ahead and install it Meadish. I've never had a rootkit detection utility interfere with legit programs.

I agree with cdnvic. A rootkit is one of the worst malware apps that can be put on a system and extremely difficult to remove. My experience has only been with Linux systems, where I let my guard down once and found one on my server. Fortunately the person wasn't very clever and left tracks that allowed me to know it had happened, but the only sure way I had to guarantee all pieces were removed was a reformat and a new install. I have now battened down the hatches tightly on the server.

Like Tywais said, the usual luck is that you encounter a sloppy attack and detect it from within the system. Rootkit scanning is roughly analogous to trying to "sweep your office for listening devices", assuming someone has already broken in, whereas firewalls and antivirus are more like locking your doors and having guards at the perimeter of a secured area. You'd hope your scanner isn't just a placebo with a comforting green light that always comes on after you press the button.

But, because you cannot really inspect the computer without its cooperation, the scanning is more like asking your business partner, "look within yourself, and tell me, can I trust you?" If you cannot, would you expect him to tell you so? The only way to detect a rootkit is to reboot the computer with a trusted medium, such as a physically write-protected hard drive or a CD-ROM and run a comparison of the disk files to a known-good reference copy. (Or remove the suspected drives and inspect them with another trusted computer.) This option would be truly wonderful for those business dealings, wouldn't it? Just vivisect and analyze the guy under a microscope before continuing the transaction... :D Similarly, the only sane recovery from suspected rootkit incidents is to install a fresh OS and then carefully restore your data from backups (particularly if your data could contain viruses/rootkits itself). To continue the analogy, this is sending your ambiguous business partner to sleep with the fishes, and then carefully training up his replacement. Of course, once the new guy starts having contact with the outer world, you start to wonder whether his training was sufficient... you'd better start preparing his replacement too...

To be honest, I don't bother scanning for rootkits on my Linux machines, because I think I apply due diligence to keeping them updated with security patches and "keeping the doors locked" in the first place. Regular backups protect the data in case I have to sacrifice the computer after an attack. But I don't trust Windows for all the anti-malware software in the world. I avoid running it at all most of the time, and when I do, I run it in a padded room with no sharp objects or shoe-laces, and then I sacrifice it and replace it with a clone after each use. :o

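The offline check described in the post above (boot from a trusted medium, then compare the disk's files against a known-good reference) amounts to building a hash manifest on a trusted system and diffing a fresh manifest against it. The script below is an added example for this thread, not code from any of the posters; it assumes the baseline manifest was produced while the system was still trusted, and that the scan runs from a trusted boot medium with the suspect volume mounted read-only. Run on the live suspect system instead, it would suffer exactly the "ask your business partner" problem, because a kernel-level rootkit can lie to `open()` and `os.walk()` too. The manifest format mirrors `sha256sum` output ("hash  path"), so a baseline can also be produced or checked with that tool.

```python
"""Offline file-integrity comparison for rootkit hunting.

Added example, not part of the original thread. Assumes:
  - the baseline manifest was written on a trusted system, and
  - build_manifest() runs from a trusted boot medium over a read-only mount.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets inside root are hashed on their own
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def format_manifest(manifest: Dict[str, str]) -> str:
    """Serialise as 'hash  path' lines, the same shape sha256sum prints."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(manifest.items())) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Inverse of format_manifest(); tolerates blank lines."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, vanished, or changed relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed mini-filesystem, baseline it, tamper, and diff.

    The tree and its contents are made up for the example; they stand in for a
    mounted suspect volume.
    """
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/ls": b"ls v1",
            "bin/ps": b"ps v1",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Baseline taken while trusted; round-trip through the text format.
        baseline = parse_manifest(format_manifest(build_manifest(root)))

        # Simulated tampering on the suspect volume (constructed, not real).
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"ls v1 with unexpected changes")   # replaced system binary
        with open(os.path.join(root, "bin/extra"), "wb") as f:
            f.write(b"file not present in baseline")    # new unexpected file
        os.remove(os.path.join(root, "etc/hosts"))       # missing file

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use the baseline file must be stored off the machine (a write-protected medium or a separate host), since a manifest kept on the suspect disk can be rewritten along with everything else. A "modified" entry on a package-managed binary is the finding worth chasing; expected churn (logs, caches, package updates) should be excluded from the tree or reconciled against the package manager's own records before anyone panics.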
