Yes, on version 5.
Nowadays, very important.
There are also several Win32:Agent nasties that use rootkit tech to hide themselves.
Tech, by self defense you mean protection from being terminated by malware?
Yes.
I’m new here on the boards but have been using Avast (free version) for almost 4 years. I agree that Avast should have the ability to scan for rootkits. Picking them up before they’re installed is even better, Vlk mentioned that Avast does this. But being able to pick them up during a scan after the fact wouldn’t hurt either. I do use AVG Anti Rootkit now and scan once in a blue moon. I’m not too concerned because I don’t do stupid shit. But I think in general a rootkit scanner built into Avast would be a benefit.
As for Avast having self protection, I’m glad that version 5 will have this as it is very important IMO.
One question. Why doesn’t Avast have Heuristics? I know the e-mail scanner does but why not the resident scanner? I understand people get trojans through e-mail but getting malware from malicious websites and other places is not rare. The web shield should pick up a good deal of these but what if the signatures miss a few? Personally I visit a few websites on my computer on a daily basis…mostly computer forums…Hardforum, Anandtech, Epic games UT3 forum, and some news sites. I use Firefox with the NoScript extension enabled. Safe computing is a huge factor but some people don’t know better…like old people…lol.
Been reading a lot about this “Version 5”. Is there an ETA on it? Also… back to the rootkit topic… anyone know of a good Anti Rootkit? I know of AVG but I don’t really like it…
Try this blog post for more info on anti-rootkits:
http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html
I posted a request for proper rootkit detection on the wishlist thread a long time ago. It should be possible to have heuristics designed to detect rootkit like behaviour. Hopefully, this will be part of Avast 5 - whenever that may come out!!!
Many of the tools mentioned in this thread so far are tools for searching out rootkits after the fact! The vast majority of users wouldn’t have a clue how to use them or what to do if they did a scan that found something. They need to have a product that stops the rootkits getting a foothold in the first place.
Vlad’s post on blended threats is spot on. Most malware now uses multiple techniques to do its “work” and the old terms to explain the different types of malware appear to be less and less relevant! The most important thing is that any layered security solution catches the bad things and / or removes them.
As an aside, a bigger worry than rootkits is the response speed of detecting and dealing with new threats that have been identified and submitted.
As already suggested in my previous post, we’re coming up with an antirootkit tool shortly. The same technology will then be integrated into the main avast product, but I can’t tell when exactly this will take place (for now).
The antirootkit technology we have is quite unique, and you can expect a high-end product (with detection rates & cleaning capabilities substantially better than the vast majority of the existing AR tools).
Stay tuned.
Thanks,
Vlk
Policy, strategy… they bet on generic signatures. Maybe to avoid that many false positives.
They’re the only ones that could officially post about this… Vlk’s post does not talk about “why not heuristics”…
Trust in layered defense as much as you can. Other tools could give you more protection if you need it. Although Vlk’s post, again, bombs this concept a little, I’m not talking about specialized tools but a firewall with outbound protection (and log), safe surfing, safe email practices, maybe a HIPS or a system monitor tool…
Vlk, can you post your antirootkit tests results?
Maybe in other proper part of the forum…
Great news!!
Keep up the good work!
Very good news VLK… will be waiting for it.
I do use a layered approach as I mentioned: I use Avast and use Firefox with the NoScript extension enabled. Firefox with NoScript (I also use AdBlockPlus) cuts down on the possibility of getting spyware or other malware from malicious sites tremendously. I’m also behind a router and I use Sygate 5.6 to monitor outbound connections. I do have A-Squared 3.1 free edition and Spybot installed and I scan with that once in a while as well. I occasionally will scan with an online scanner…Esnet or BitDefender… just to make sure I’m clean. I use Outlook Express for e-mail but I have it set to view all mail as plain text…just that simple little setting itself substantially cuts down on infections from malicious e-mail with HTML and javascript/activeX.
Safe e-mail, browsing, and overall safe computer use is the #1 way to keep yourself from getting infected.
Cool blog…I used to use Blacklight but I thought the trial ended. Nice list of Anti Rootkit tools listed on that site. I will have to try a few that I haven’t tried in the past.
Blacklight is still available, it was reintroduced.
F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight - Direct line, ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Hmmm I think this will be for paid (professional) version only (at least I don’t know a free antivirus program with anti-root-kit detection/removal)
Well, avast! might just be the one that will stand out from the crippled crowd with Anti-Rootkit tech also available in the free edition…
While we’re waiting for anti-rootkit capability, let me show you all how to find rootkits
First, the idea of rootkits is (in the malware world) to hide the malware by using Windows’ own APIs. So, you will never see the Rtks in Windows.
BUT, you can see them in (pure) DOS.
At this stage, you should understand that rootkit detection and removal software work by taking a snapshot of a (presumed) clean install, then comparing that against the current situation. If they are different, you probably have an infection…
BUT… you can do this yourself! :o I dunno how XP and Vista go for access to pure DOS, but on 95, 98 and ME you can run a DOS-box at C:\ with the commands “dir c:\windows >windir.txt” and “dir c:\windows\system >sysdir.txt”. Now reboot into pure DOS (I like to use my rescue floppy), cd to C:\ and run the same commands (but use different names for the text files 8) ).
NOW, all you need is to check the last few lines of each file: if the reported byte-count is different, you have a problem! OK, I get carried away and import them into my 123 spreadsheet and blah blah…
Hope this helps.
Gordon.
Actually anti-rootkit tools work a bit differently…
G’day RejZoR -
Actually I’m sure they must: last time I checked out rootkits was March this year, and now I see products which claim to reveal infections “immediately”. >:(
However, I should quote this:
No commercial product exists that can detect and remove rootkits. Various methods exist to scan memory areas to look for hooks caused by rootkits. However, these are generally not automated tools, and the few that are available look only for specific rootkits. Bizarre or strange behavior on your computer is a possible indication of rootkits.
from Rootkit Online http://www.rootkitonline.com/rootkit-detection.html
The fact remains that the only sure way of detecting a rootkit is by snapshot comparison from inside and outside the target OS. It is ironic that Microsoft, a company which reaps vast profits from the most insecure OSes in history, offers the only OS compatibility which enables such snapshots ???
One of the problems – and these are the worst problems ever to beset the WWW – is that almost all OSes incorporate (of necessity) the very tools needed to defeat the detection apps.
While we’re here, do XP and Vista have provision for pure DOS? I mean, is there a DOS version which can read XP/Vista file systems?
Gordon.
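The inside/outside snapshot comparison Gordon describes in his two posts above (dir listings taken from a running Windows session and again from pure DOS, then compared) can be automated. The following Python script is an added example, not Gordon's or avast!'s code: it parses two constructed `dir` listings (assumed Win9x / DOS 7 layout) and goes beyond the byte-count check to a per-file diff, so an entry the live OS view omits is named directly.

```python
import re

# Assumed Win9x / DOS 7 `dir` layout: 8.3 name, size or <DIR>, date, time, long name.
ENTRY_RE = re.compile(
    r"^.+?\s+(?P<size><DIR>|[\d,]+)\s+\d\d-\d\d-\d\d\s+\d{1,2}:\d\d[ap]\s+(?P<name>\S.*?)\s*$")
TOTAL_RE = re.compile(r"^\s*([\d,]+) file\(s\)\s+([\d,]+) bytes\s*$")

# Constructed listings (not real captures) of one folder, from inside Windows and from pure DOS.
INSIDE = """\
.              <DIR>        05-11-98  8:01p .
..             <DIR>        05-11-98  8:01p ..
NOTEPAD  EXE        52,736  05-11-98  8:01p notepad.exe
WIN      INI         1,024  06-02-99  9:15a win.ini
SYSTEM       <DIR>        05-11-98  8:01p SYSTEM
         2 file(s)         53,760 bytes
"""
OUTSIDE = """\
HOOKDRV  VXD        18,432  03-09-08  2:47a hookdrv.vxd
NOTEPAD  EXE        52,736  05-11-98  8:01p notepad.exe
WIN      INI         1,180  06-02-99  9:15a win.ini
SYSTEM       <DIR>        05-11-98  8:01p SYSTEM
         3 file(s)         72,348 bytes
"""

def parse_listing(text):
    """Return ({long_name_lower: size_bytes, None for dirs}, (file_count, total_bytes))."""
    entries, totals = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, size = m.group("name").lower(), m.group("size")
            if name not in (".", ".."):  # skip the self/parent pseudo-entries
                entries[name] = None if size == "<DIR>" else int(size.replace(",", ""))
            continue
        t = TOTAL_RE.match(line)
        if t:
            totals = tuple(int(g.replace(",", "")) for g in t.groups())
    return entries, totals

def compare_views(inside_text, outside_text):
    """Cross-view diff: what the offline view shows that the running OS's view omits."""
    inside, in_tot = parse_listing(inside_text)
    outside, out_tot = parse_listing(outside_text)
    both = inside.keys() & outside.keys()
    return {
        "hidden": sorted(set(outside) - set(inside)),    # on disk but unseen live: rootkit lead
        "vanished": sorted(set(inside) - set(outside)),  # temp files gone at shutdown: noise
        "size_changed": sorted(n for n in both if inside[n] != outside[n]),
        "totals_match": in_tot == out_tot,               # the byte-count check from the post
    }
```

Entries only in the live view, and size changes in files Windows rewrites on shutdown, are expected noise; a name present offline but absent live is the one result worth following up.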