Author Topic: Does the Avast free version protect against rootkits?  (Read 37313 times)


Offline Bluesman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 926
  • Amiga Power!
Re: Does the Avast free version protect against rootkits?
« Reply #30 on: December 22, 2007, 01:55:36 PM »
As already suggested in my previous post, we're coming up with an antirootkit tool shortly. The same technology will then be integrated into the main avast product, but I can't tell when exactly this will take place (for now).

The antirootkit technology we have is quite unique, and you can expect a high-end product (with detection rates & cleaning capabilities substantially better than the vast majority of the existing AR tools).

Stay tuned.

Thanks,
Vlk

Great news!! :)

Keep up the good work!

Arup

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #31 on: December 22, 2007, 04:33:13 PM »
Very good news VLK......... will be waiting for it.

street lethal

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #32 on: December 22, 2007, 05:55:48 PM »
One question. Why doesn't Avast have Heuristics? I know the e-mail scanner does but why not the resident scanner?
Policy, strategy... they bet on generic signatures. Maybe to avoid that many false positives.
They're the only ones that could officially post about this... Vlk's post does not talk about "why not heuristics"...

The web shield should pick up a good deal of these but what if the signatures miss a few?
Trust in layered defense as much as you can. Other tools could give you more protection if you need it. Although Vlk's post, again, bombs this concept a little, I'm not talking about specialized tools but a firewall with outbound protection (and log), safe surfing, safe email practices, maybe a HIPS or a system monitor tool...



I do use a layered approach as I mentioned: I use Avast and use Firefox with the NoScript extension enabled. Firefox with NoScript (I also use AdBlockPlus) cuts down on the possibility of getting spyware or other malware from malicious sites tremendously. I'm also behind a router and I use Sygate 5.6 to monitor outbound connections. I do have A-Squared 3.1 free edition and Spybot installed and I scan with that once in a while as well. I occasionally will scan with an online scanner... Esnet or BitDefender... just to make sure I'm clean. I use Outlook Express for e-mail but I have it set to view all mail as plain text... just that simple little setting itself substantially cuts down on infections from malicious e-mail with HTML and javascript/ActiveX.

Safe e-mail, browsing, and overall safe computer use is the #1 way to keep yourself from getting infected.

street lethal

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #33 on: December 22, 2007, 06:06:54 PM »
Try this blog post for more info on anti-rootkits:
http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html



Cool blog... I used to use Blacklight but I thought the trial ended. Nice list of Anti Rootkit tools listed on that site. I will have to try a few that I haven't tried in the past.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Does the Avast free version protect against rootkits?
« Reply #34 on: December 22, 2007, 06:33:26 PM »
Blacklight is still available, it was reintroduced.

F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight - Direct line, ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Timo Schmidt

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #35 on: December 24, 2007, 12:47:17 PM »
As already suggested in my previous post, we're coming up with an antirootkit tool shortly. The same technology will then be integrated into the main avast product, but I can't tell when exactly this will take place (for now).

The antirootkit technology we have is quite unique, and you can expect a high-end product (with detection rates & cleaning capabilities substantially better than the vast majority of the existing AR tools).

Stay tuned.

Thanks,
Vlk

Hmmm, I think this will be for the paid (professional) version only (at least I don't know a free antivirus program with anti-rootkit detection/removal) ;)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Does the Avast free version protect against rootkits?
« Reply #36 on: December 24, 2007, 12:49:54 PM »
Well, avast! might just be the one that will stand out off the crippled crowd with Anti-Rootkit tech also available in free edition...

gordon451

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #37 on: December 24, 2007, 01:53:15 PM »
While we're waiting for anti-rootkit capability, let me show you all how to find rootkits :)

First, the idea of rootkits is (in the malware world) to hide the malware by using Windows' own APIs.  So, you will never see the Rtk's in Windows.

BUT, you can see them in (pure) DOS.

At this stage, you should understand that rootkit detection and removal software work by taking a snapshot of a (presumed) clean install, then comparing that against the current situation.  If they are different, you probably have an infection...

BUT...  you can do this yourself!  :o  I dunno how XP and Vista go for access to pure DOS, but on 95, 98 and ME you can run a DOS-box at C:\ with the commands "dir c:\windows >windir.txt" and "dir c:\windows\system >sysdir.txt".  Now reboot into pure DOS (I like to use my rescue floppy), cd to C:\ and run the same commands (but use different names for the text files  8) ).

NOW, all you need is to check the last few lines of each file: if the reported byte-count is different, you have a problem!  OK, I get carried away and import them into my 123 spreadsheet and blah blah...

Hope this helps.

Gordon.
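The snapshot-and-compare procedure in Gordon's post, written out as a runnable tool. This is an added example, not code from the forum thread or from avast: it takes a listing of a directory tree from one vantage point (the running OS), a second listing from a trusted one (boot media, or a presumed-clean baseline taken earlier), and diffs them. It records each file's size and SHA-256 digest rather than only the total byte count, since a patched file can be padded back to its original size. The temp-directory scenario in `run_demo()` (file names `core.dll`, `net.dll`, `rk.sys`) is constructed for the demo and the "rootkit" is simulated by filtering the live listing; nothing here hooks a real API. One caveat a Windows user should know: `os.walk` does not list NTFS alternate data streams, so a payload parked in a stream (as raised later in this thread) will not appear in either listing.

```python
"""Cross-view snapshot comparison of a file tree (added example, not from the thread).

Usage (assumed CLI, not part of any product):
    python snap.py snapshot C:\\Windows live.txt      # from inside the running OS
    python snap.py snapshot C:\\Windows trusted.txt   # from boot media, same tree
    python snap.py compare live.txt trusted.txt
    python snap.py                                    # runs the constructed demo
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size in bytes, sha256 hex)


def snapshot(root: str) -> Snapshot:
    """Walk `root` and record (size, sha256) for every regular file under it."""
    root_path = Path(root)
    result: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()  # deterministic order makes saved listings easy to eyeball
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = full.relative_to(root_path).as_posix()
            result[rel] = (full.stat().st_size, digest.hexdigest())
    return result


def save_snapshot(snap: Snapshot, path: str) -> None:
    """One tab-separated line per file, so a listing can travel on removable media."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(snap):
            size, digest = snap[rel]
            fh.write(f"{size}\t{digest}\t{rel}\n")


def load_snapshot(path: str) -> Snapshot:
    """Inverse of save_snapshot."""
    snap: Snapshot = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            size, digest, rel = line.rstrip("\n").split("\t", 2)
            snap[rel] = (int(size), digest)
    return snap


def compare(a: Snapshot, b: Snapshot) -> Dict[str, List[str]]:
    """Diff two listings. With `a` = live-OS view and `b` = trusted view,
    'only_in_b' is the classic cross-view rootkit signature: files the running
    OS will not admit to. 'changed' catches same-size content swaps via the hash."""
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def run_demo() -> dict:
    """Constructed scenario: clean baseline, then a dropped driver plus a library
    patched without changing its size, then a 'live' view with the driver hidden."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "core.dll").write_bytes(b"A" * 4096)  # fake file, constructed
        (root / "system" / "net.dll").write_bytes(b"B" * 2048)   # fake file, constructed
        baseline = snapshot(tmp)                                  # presumed-clean install
        (root / "system" / "rk.sys").write_bytes(b"\x90" * 512)   # simulated dropped driver
        (root / "system" / "core.dll").write_bytes(b"A" * 4000 + b"\xcc" * 96)  # same size, new bytes
        outside = snapshot(tmp)                                   # what boot media would see
        # Simulate the rootkit's directory-listing hook: the live OS never shows rk.sys.
        inside = {p: v for p, v in outside.items() if p != "system/rk.sys"}
        return {
            "baseline_vs_now": compare(baseline, outside),
            "live_vs_outside": compare(inside, outside),
            "core_size_unchanged": baseline["system/core.dll"][0] == outside["system/core.dll"][0],
        }


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        save_snapshot(snapshot(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        for key, paths in compare(load_snapshot(sys.argv[2]), load_snapshot(sys.argv[3])).items():
            print(key, paths)
    else:
        print(run_demo())
```

Run without arguments and the demo shows both checks at once: the baseline diff flags `core.dll` as changed even though its size is identical, which a byte-count comparison would miss, and the live-versus-outside diff reports `rk.sys` as present only in the trusted view. As Igor notes later in the thread, a file listing is only one view; registry keys, processes and kernel objects need their own cross-view checks.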

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Does the Avast free version protect against rootkits?
« Reply #38 on: December 24, 2007, 04:04:03 PM »
Actually anti-rootkit tools work a bit different...

gordon451

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #39 on: December 25, 2007, 01:43:41 PM »
G'day RejZoR -

Actually I'm sure they must: last time I checked out rootkits was March this year, and now I see products which claim to reveal infections "immediately".     >:(

However, I should quote this:
Quote
No commercial product exists that can detect and remove rootkits. Various methods exist to scan memory areas to look for hooks caused by rootkits.

However, these are generally not automated tools, and the few that are available look only for specific rootkits. Bizarre or strange behavior on your computer is a possible indication of rootkits.
from Rootkit Online http://www.rootkitonline.com/rootkit-detection.html.

The fact remains that the only sure way of detecting a rootkit is by snapshot comparison from inside and outside the target OS.  It is ironic that Microsoft, a company which reaps vast profits from the most insecure OSes in history, offers the only OS compatibility which enables such snapshots  ??? .

One of the problems -- and these are the worst problems ever to beset the WWW -- is that almost all OSes incorporate (of necessity) the very tools needed to detect the detection apps.

While we're here, do XP and Vista have provision for pure DOS?  I mean, is there a DOS version which can read XP/Vista file systems?

Gordon.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Does the Avast free version protect against rootkits?
« Reply #40 on: December 25, 2007, 02:23:00 PM »
There's no DOS on NT-based systems you could boot into. I guess you could create some special diskettes with 3rd party tools to read NTFS, but the whole method is rather slow (and unreliable - it's not just about files, but also registry entries, processes, ...)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Does the Avast free version protect against rootkits?
« Reply #41 on: December 25, 2007, 05:47:09 PM »
I think DOS 7.1 and up will view NTFS partitions, but I'm not sure if it will show a file in an ADS or the increase in size. Windows won't, and the original file size remains the same.

But as Igor said, there is more than just the file name.

gordon451

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #42 on: December 26, 2007, 02:23:30 AM »
Quote
But as Igor said, there is more than just the file name.
Quite agree!  On the other hand, while I could almost certainly build a malware file with the same size and dates, there's no way anybody can build one with the same CRC or whatever.  And there's no way a cracked file will even have the same size!  The rootkit will use the system APIs to report the original size, but you can't do that in DOS.

Also, I suspect that any decent rootkit would be able to use the system APIs to hide registry entries -- but OTH (at least in DOS/W9x) I can look at the registry in DOS which will instantly (OK, OK...) show the truth.

Look, I don't want anybody to think I'm saying simple inspection is the only answer.  There is no magic bullet!  What I am saying is that detection -- all by itself, don't yet worry about repair/elimination -- is very difficult, inconvenient, time-consuming and a royal pain in the klacker.  I offered (and stand by) a simple method of roughly inspecting a W9x system which will reveal many of the less well-constructed rootkits.

And I note that many authorities state categorically that the only way of absolutely removing a rootkit is to reinstall the OS -- and in my book that means formatting the C:\ drive!

Gordon.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Does the Avast free version protect against rootkits?
« Reply #43 on: December 26, 2007, 03:52:17 AM »
That may be true of pre-NTFS. But like I said, with NTFS it is possible to hide a file inside of another file, and Windows will neither see the file nor report the size increase. A simple text command will execute the hidden file. I don't know if NTFS-capable DOS will see that file.

Quote
And I note that many authorities state categorically that the only way of absolutely removing a rootkit is to reinstall the OS -- and in my book that means formatting the C:\ drive!

I think that depends on the rootkit. True, there are a few which are very near impossible to find. In that case, a format is the only cure. I've removed rootkits and the computers are doing fine. I've also witnessed some very stubborn rootkits removed, not only on this forum but others. There are detection tools that go very, very deep into the system. New ones are being developed all the time; the newest kid on the block is AVZ.

gordon451

  • Guest
Re: Does the Avast free version protect against rootkits?
« Reply #44 on: December 26, 2007, 04:21:13 AM »
Quote
That may be true of pre-NTFS. But like I said, with NTFS it is possible to hide a file inside of another file, and Windows will neither see the file nor report the size increase. A simple text command will execute the hidden file. I don't know if NTFS-capable DOS will see that file.

Yah.  Superficially, NTFS is a much better system than the other, older Windows file systems, but it's ironic that the better capabilities are now working against us.

Dunno if this is old news, but CastleCops have a couple of excellent articles at http://www.castlecops.com/a6342-Windows_Security_Checklist_Part_31_Rootkit_Revelations.html and http://www.castlecops.com/a6355-Windows_Security_Checklist_Part_32_More_Rootkit_Revelations.html.

The joke is that I'm preparing to go over to a Linux OS...  :P  (When the newer more grunty machine arrives :) )  Haven't decided which one yet, something along the lines of Mandriva, maybe PCLinuxOS.  So I'll be waiting very eagerly for something that offers generic rootkit detection!!!

Gordon.